Question1: You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained making it obsolete in a short period of time. What kind of risk is it?
Question2: Which of the following is MOST important information to review when developing plans for using emerging technologies?
Question3: The MAIN goal of the risk analysis process is to determine the:
Question4: When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
Question5: Which of the following is the BEST way of managing risk inherent to wireless network?
Question6: David is the project manager of HRC project. He concluded while HRC project is in process that if he adopts e-commerce, his project can be more fruitful. But he did not engaged in electronic commerce (e- commerce) so that he would escape from risk associated with that line of business. What type of risk response had he adopted?
Question7: You are the project manager of the NHH Project. You are working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document do you and your team is creating in this scenario?
Question8: The Identify Risk process determines the risks that affect the project and document their characteristics. Why should the project team members be involved in the Identify Risk process?
Question9: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
Question10: Which of the following is the BEST indication of a mature organizational risk culture?
Question11: Which of the following is MOST important to the integrity of a security log?
Question12: Accountability for a particular risk is BEST represented in a:
Question13: One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?
Question14: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
Question15: During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?
Question16: Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
Question17: When is the BEST to identify risk associated with major project to determine a mitigation plan?
Question18: Risk appetite should be PRIMARILY driven by which of the following?
Question19: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
Question20: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
Question21: Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?
Question22: Which of the following is the PRIMARY role of a data custodian in the risk management process?
Question23: To which level the risk should be reduced to accomplish the objective of risk management?
Question24: Which of the following come under the management class of controls?
Each correct answer represents a complete solution. (Choose two.)
Question25: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
Question26: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?
Question27: In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?
Question28: Which of the following is the GREATEST benefit of a three lines of defense structure?
Question29: Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
Question30: Who is at the BEST authority to develop the priorities and identify what risks and impacts would occur if there were loss of the organization's private information?
Question31: Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
Question32: Which of the following is the BEST course of action to reduce risk impact?
Question33: To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?
Question34: Which of the following risks is the risk that happen with an important business partner and affects a large group of enterprises within an area or industry?
Question35: What is the PRIMARY need for effectively assessing controls?
Question36: The risk associated with an asset before controls are applied can be expressed as:
Question37: Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?
Question38: Which of the following provides the MOST comprehensive information when developing a risk profile for a system?
Question39: Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
Question40: Which of the following activities would BEST facilitate effective risk management throughout the organization?
Question41: What are the responsibilities of the CRO?
Each correct answer represents a complete solution. Choose three.
Question42: Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
Question43: Which among the following acts as a trigger for risk response process?
Question44: An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
Question45: An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:
Question46: Which of the following approaches would BEST help to identify relevant risk scenarios?
Question47: Which of the following is the MOST important objective of the information system control?
Question48: After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
Question49: You are the project manager of GRT project. You discovered that by bringing on more qualified resources or by providing even better quality than originally planned, could result in reducing the amount of time required to complete the project. If your organization seizes this opportunity it would be an example of what risk response?
Question50: A maturity model is MOST useful to an organization when it:
Question51: Which of the following role carriers will decide the Key Risk Indicator of the enterprise?
Each correct answer represents a part of the solution. Choose two.
Question52: What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
Question53: Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?
Question54: An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do FIRST?
Question55: An organization maintains independent departmental risk registers that are not automatically aggregated.
Which of the following is the GREATEST concern?
Question56: A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?
Question57: Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?
Question58: Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:
Question59: Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
Question60: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
Question61: A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?
Question62: Which of the following provides the MOST useful information when developing a risk profile for management approval?
Question63: A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?
Question64: You are the project manager of project for a client. The client has promised your company a bonus, if the project is completed early. After studying the project work, you elect to crash the project in order to realize the early end date. This is an example of what type of risk response?
Question65: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
Question66: In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?
Question67: The annualized loss expectancy (ALE) method of risk analysis:
Question68: Which of the following is MOST important for an organization that wants to reduce IT operational risk?
Question69: An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?
Question70: An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
Question71: You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?
Question72: Which negative risk response usually has a contractual agreement?
Question73: Which of the following parameters are considered for the selection of risk indicators?
Each correct answer represents a part of the solution. Choose three.
Question74: Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
Question75: You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate risk associated with new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case?
Each correct answer represents a complete solution. (Choose three.)
Question76: You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?
Question77: Which of the following is the BEST way to identify changes in the risk profile of an organization?
Question78: You are the project manager of GFT project. Your project involves the use of electrical motor. It was stated in its specification that if its temperature would increase to 500 degree Fahrenheit the machine will overheat and have to be shut down for 48 hours. If the machine overheats even once it will delay the project's arrival date. So to prevent this you have decided while creating response that if the temperature of the machine reach 450, the machine will be paused for at least an hour so as to normalize its temperature. This temperature of 450 degrees is referred to as?
Question79: A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?
Question80: Prudent business practice requires that risk appetite not exceed:
Question81: Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?
Question82: What should be PRIMARILY responsible for establishing an organization's IT risk culture?
Question83: Which of the following would be an IT business owner's BEST course of action following an unexpected increase in emergency changes?
Question84: Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?
Question85: A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
Question86: The BEST control to mitigate the risk associated with project scope creep is to:
Question87: Which of the following is NOT true for Key Risk Indicators?
Question88: What can be determined from the risk scenario chart?

Question89: An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to me risk practitioner?
Question90: You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?
Question91: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question92: What are the functions of the auditor while analyzing risk?
Each correct answer represents a complete solution. Choose three.
Question93: You are working in Bluewell Inc. which make advertisement Websites. Someone had made unauthorized changes to a your Website. Which of the following terms refers to this type of loss?
Question94: You are the project manager of GHT project. You have initiated the project and conducted the feasibility study. What result would you get after conducting feasibility study?
Each correct answer represents a complete solution. Choose all that apply.
Question95: It is MOST appropriate for changes to be promoted to production after they are;
Question96: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
Question97: Which of the following would BEST help secure online financial transactions from improper users?
Question98: Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?
Question99: What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
Question100: Which of the following contributes MOST to the effective implementation of risk responses?
Question101: Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?
Question102: A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:
Question103: The PRIMARY purpose of IT control status reporting is to:
Question104: In the project initiation phase of System Development Life Cycle, there is information on project initiated by which of the following role carriers?
Question105: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
Question106: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
Question107: The PRIMARY benefit associated with key risk indicators (KRIs) is that they:
Question108: Which of the following risk register updates is MOST important for senior management to review?
Question109: Read" rights to application files in a controlled server environment should be approved by the:
Question110: Which of the following is the BEST method for discovering high-impact risk types?
Question111: The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
Question112: Which of the following BEST indicates that an organization has implemented IT performance requirements?
Question113: Which of the following BEST facilitates the development of effective IT risk scenarios?
Question114: The acceptance of control costs that exceed risk exposure is MOST likely an example of:
Question115: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?
Question116: Which of the following will BEST support management reporting on risk?
Question117: An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
Question118: Which of the following is the MOST effective inhibitor of relevant and efficient communication?
Question119: After recent updates to the risk register, management has requested that the overall level of residual risk be reduced. Which of the following is the risk practitioner's BEST course of action?
Question120: Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?
Question121: You work as a project manager for Bluewell Inc. You have identified a project risk. You have then implemented the risk action plan and it turn out to be non-effective. What type of plan you should implement in such case?
Question122: Which of the following risk responses include feedback and guidance from well-qualified risk officials and those internal to the project?
Question123: Which of the following control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
Question124: A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?
Question125: Which of the following would be a risk practitioners BEST recommendation for preventing cyber intrusion?
Question126: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Question127: When does the Identify Risks process take place in a project?
Question128: You are the risk official in Techmart Inc. You are asked to perform risk assessment on the impact of losing a server. For this assessment you need to calculate monetary value of the server. On which of the following bases do you calculate monetary value?
Question129: Who should be accountable for ensuring effective cybersecurity controls are established?
Question130: Which of the following is MOST helpful in aligning IT risk with business objectives?
Question131: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
Question132: The PRIMARY reason, a risk practitioner would be interested in an internal audit report is to:
Question133: Which of the following tools is MOST helpful when mapping IT risk management outcomes to organizational objectives?
Question134: Which of the following activities BEST facilitates effective risk management throughout the organization?
Question135: Which of the following should be considered to ensure that risk responses that are adopted are cost- effective and are aligned with business objectives?
Each correct answer represents a part of the solution. Choose three.
Question136: An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
Question137: While defining the risk management strategies, what are the major parts to be determined first? Each correct answer represents a part of the solution. Choose two.
Question138: Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?
Question139: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
Question140: Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained?
Question141: You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process?
Each correct answer represents a complete solution. (Choose three.)
Question142: Suppose you are working in Techmart Inc. which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the Website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. Now in which category you would put the risk concerning the modification of the Website by unauthorized parties.
Question143: A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?
Question144: Which of the following approaches BEST identifies information systems control deficiencies?
Question145: An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:
Question146: Which of the following is the BEST control to detect an advanced persistent threat (APT)?
Question147: Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
Question148: Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?
Question149: You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?
Question150: Which of the following should be management's PRIMARY consideration when approving risk response action plans?
Question151: Mary is the project manager for the BLB project. She has instructed the project team to assemble, to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?
Question152: Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?
Question153: What are the functions of audit and accountability control?
Each correct answer represents a complete solution. (Choose three.)
Question154: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager.
Which of the following would be the BEST method to use when developing the scenarios?
Question155: Which of the following is the MOST important responsibility of a risk owner?
Question156: Which of the following is NOT true for effective risk communication?
Question157: Which of the following decision tree nodes have probability attached to their branches?
Question158: When testing the security of an IT system, il is MOST important to ensure that;
Question159: Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
Question160: Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?
Question161: Suppose you are working in Company Inc. and you are using risk scenarios for estimating the likelihood and impact of the significant risks on this organization. Which of the following assessment are you doing?
Question162: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
Question163: Which of the following are the principles of access controls?
Each correct answer represents a complete solution. Choose three.
Question164: You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process?
Each correct answer represents a complete solution. Choose all that apply.
Question165: Which of the following assets are the examples of intangible assets of an enterprise?
Each correct answer represents a complete solution. Choose two.
Question166: An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
Question167: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
Question168: Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
Question169: Which of the following is MOST effective against external threats to an organization's confidential information?
Question170: Which of the following are the principles of risk management?
Each correct answer represents a complete solution. Choose three.
Question171: You are the project manager of your enterprise. You have introduced an intrusion detection system for the control. You have identified a warning of violation of security policies of your enterprise. What type of control is an intrusion detection system (IDS)?
Question172: Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?
Question173: Which of the following are the responsibilities of Enterprise risk committee?
Each correct answer represents a complete solution. Choose three.
Question174: The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:
Question175: The PRIMARY objective for selecting risk response options is to:
Question176: Which of the following BEST enables the identification of trends in risk levels?
Question177: Kelly is the project manager of the NNQ Project for her company. This project will last for one year and has a budget of $350,000. Kelly is working with her project team and subject matter experts to begin the risk response planning process. What are the two inputs that Kelly would need to begin the plan risk response process?
Question178: You are the risk official of your enterprise. Your enterprise takes important decisions without considering risk credential information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exists?
Question179: Which among the following is the MOST crucial part of risk management process?
Question180: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
Question181: Mapping open risk issues to an enterprise risk heat map BEST facilitates:
Question182: What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. Choose three.
Question183: A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
Question184: Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?
Question185: An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?
Question186: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
Question187: Which of the following would BEST help to ensure that identified risk is efficiently managed?
Question188: You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the applications of IRGC model to facilitate the understanding and managing the rising of the overall risks that have impacts on the economy and society. One of your team members wants to know that what the need to use the IRGC is. What will be your reply?
Question189: Which of the following would BEST enable a risk practitioner to embed risk management within the organization?
Question190: When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:
Question191: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:
Question192: Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risks events that were not previously identified. What should Jenny do with these risk events?
Question193: Which of the following helps ensure compliance with a non-repudiation policy requirement for electronic transactions?
Question194: Which of the following statements BEST describes risk appetite?
Question195: Which of the following guidelines should be followed for effective risk management?
Each correct answer represents a complete solution. Choose three.
Question196: Which of the following control detects problem before it can occur?
Question197: Qualitative risk assessment uses which of the following terms for evaluating risk level?
Each correct answer represents a part of the solution. Choose two.
Question198: Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?
Question199: Which of the following statements are true for enterprise's risk management capability maturity level 3?
Question200: The PRIMARY benefit associated with key risk indicators (KRls) is that they:
Question201: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Question202: Qualitative risk assessment uses which of the following terms for evaluating risk level?
Each correct answer represents a part of the solution. Choose two.
Question203: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
Question204: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
Question205: Which of the following should be the PRIMARY basis for prioritizing risk responses?
Question206: The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
Question207: You are the project manager of GHT project. You have planned the risk response process and now you are about to implement various controls. What you should do before relying on any of the controls?
Question208: What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?
Question209: Print jobs containing confidential information are sent to a shared network printer located in a secure room.
Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?
Question210: Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''
Question211: Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?
Question212: You are the project manager of the NHH Project. You are working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document do you and your team is creating in this scenario?
Question213: Which of the following should be the PRIMARY focus of an independent review of a risk management process?
Question214: Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?
Question215: Which of the following methods involves the use of predictive or diagnostic analytical tool for exposing risk factors?
Question216: You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
Question217: Which of the following is MOST essential for an effective change control environment?
Question218: Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
Question219: Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?
Question220: Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
Question221: The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
Question222: Which of the following is the MOST effective way 10 identify an application backdoor prior to implementation'?
Question223: In which of the following risk management capability maturity levels risk appetite and tolerance are applied only during episodic risk assessments?
Question224: Which of the following controls focuses on operational efficiency in a functional area sticking to management policies?
Question225: Which of the following test is BEST to map for confirming the effectiveness of the system access management process?
Question226: You are the risk professional in Bluewell Inc. A risk is identified and enterprise wants to quickly implement control by applying technical solution that deviates from the company's policies. What you should do?
Question227: You are the project manager for your organization to install new workstations, servers, and cabling throughout a new building, where your company will be moving into. The vendor for the project informs you that the cost of the cabling has increased due to the some reason. This new cost will cause the cost of your project to increase by nearly eight percent. What change control system should the costs be entered into for review?
Question228: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
Question229: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?
Question230: UESTION NO:
The PRIMARY benefit associated with key risk indicators (KRls) is that they
Question231: You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan.
Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?
Question232: Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:
Question233: Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
Question234: Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?
Question235: Which of the following is NOT true for risk management capability maturity level 1?
Question236: You are the project manager of the HGT project in Bluewell Inc. The project has an asset valued at
$125,000 and is subjected to an exposure factor of 25 percent. What will be the Single Loss Expectancy of this project?
Question237: Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
Question238: The maturity of an IT risk management program is MOST influenced by:
Question239: Harry is the project manager of HDW project. He has identified a risk that could injure project team members. He does not want to accept any risk where someone could become injured on this project so he hires a professional vendor to complete this portion of the project work. What type of risk response is Harry implementing?
Question240: The MAIN purpose of selecting a risk response is to.
Question241: Which of the following is an acceptable method for handling positive project risk?
Question242: Which of the following is MOST critical to the design of relevant risk scenarios?
Question243: To effectively support business decisions, an IT risk register MUST:
Question244: Which of the following laws applies to organizations handling health care information?
Question245: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?
Question246: The BEST criteria when selecting a risk response is the:
Question247: When evaluating enterprise IT risk management, it is MOST important to:
Question248: When prioritizing risk response, management should FIRST:
Question249: You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, schedule for risk management, and risk categories.
You discover that the risk categories have not been created. When the risk categories should have been created?
Question250: Which of the following is the MOST important responsibility of a risk owner?
Question251: You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise time-to-time. What should be done to prevent the efficiency and effectiveness of controls due to these changes?
Question252: To help ensure the success of a major IT project, it is MOST important to:
Question253: Which of the following is NOT true for risk governance?
Question254: An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?
Question255: Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?
Question256: You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk the response adopted is re-architecture of the existing system and purchase of new integrated system. In which of the following risk
prioritization options would this case be categorized?
Question257: Performing a background check on a new employee candidate before hiring is an example of what type of control?
Question258: Which of the following is the BEST way to validate the results of a vulnerability assessment?
Question259: Out of several risk responses, which of the following risk responses is used for negative risk events?
Question260: Who is at the BEST authority to develop the priorities and identify what risks and impacts would occur if there were loss of the organization's private information?
Question261: Which of the following is a risk practitioner's BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations?
Question262: Which of the following is the MAIN reason for analyzing risk scenarios?
Question263: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
Question264: Which of the following is the GREATEST benefit of identifying appropriate risk owners?
Question265: An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
Question266: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
Question267: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:
Question268: Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?
Question269: Which of the following are the common mistakes while implementing KRIs?
Each correct answer represents a complete solution. Choose three.
Question270: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:
Question271: Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc?
Question272: When developing IT risk scenarios, it is CRITICAL to involve:
Question273: Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
Question274: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:
Question275: You are the risk professional of your enterprise. You need to calculate potential revenue loss if a certain risks occurs. Your enterprise has an electronic (e-commerce) web site that is producing US $1 million of revenue each day, then if a denial of service (DoS) attack occurs that lasts half a day creates how much loss?
Question276: A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?
Question277: Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?
Question278: The BEST way to test the operational effectiveness of a data backup procedure is to:
Question279: An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?
Question280: Which of the following is the MOST common concern associated with outsourcing to a service provider?
Question281: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
Question282: During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective.
Which of the following should be the risk practitioner's FIRST course of action?
Question283: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
Question284: You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re- architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?
Question285: You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working?
Question286: An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
Question287: What should be PRIMARILY responsible for establishing an organization's IT risk culture?
Question288: Which of the following is MOST important for an organization that wants to reduce IT operational risk?
Question289: Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
Question290: Which of the following is MOST critical when designing controls?
Question291: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
Question292: Jeff works as a Project Manager for www.company.com Inc. He and his team members are involved in the identify risk process. Which of the following
tools & techniques will Jeff use in the identify risk process?
Each correct answer represents a complete solution. Choose all that apply.
Question293: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Question294: Which of the following are the MOST important risk components that must be communicated among all the stakeholders?
Each correct answer represents a part of the solution. Choose three.
Question295: Which of the following is the BEST approach for selecting controls to minimize risk?
Question296: Which of the following is the BEST indication of an effective risk management program?
Question297: Which of the following statements BEST describes policy?
Question298: From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
Question299: Which of the following BEST helps to identify significant events that could impact an organization?
Question300: An enterprise has identified risk events in a project. While responding to these identified risk events, which among the following stakeholders is MOST important for reviewing risk response options to an IT risk.
Question301: You are the project manager for BlueWell Inc. You have noticed that the risk level in your project increases above the risk tolerance level of your enterprise. You have applied several risk response. Now you have to update the risk register in accordance to risk response process. All of the following are included in the risk register except for which item?
Question302: Which of the following should be considered to ensure that risk responses that are adopted are cost-effective and are aligned with business objectives?
Each correct answer represents a part of the solution. Choose three.
Question303: Which of the following presents the GREATEST challenge to managing an organization's end-user devices?
Question304: Which of the following statements are true for risk communication? Each correct answer represents a complete solution. Choose three.
Question305: Which of the following is the greatest risk to reporting?
Question306: Which of the following control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
Question307: An IT license audit has revealed that there are several unlicensed copies of co be to:
Question308: Which of the following is the PRIMARY objective for automating controls?
Question309: When prioritizing risk response, management should FIRST:
Question310: When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?
Question311: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
Question312: Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
Question313: Which of the following components of risk scenarios has the potential to generate internal or external threat on an enterprise?
Question314: David is the project manager of HRC project. He concluded while HRC project is in process that if he adopts e-commerce, his project can be more fruitful. But he did not engage in electronic commerce (e- commerce) so that he would escape from risk associated with that line of business. What type of risk response had he adopted?
Question315: Which of the following are true for threats?
Each correct answer represents a complete solution. Choose three.
Question316: Which of the following is MOST important to sustainable development of secure IT services?
Question317: A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider Who should the risk scenario be reassigned to?
Question318: Which of the following would qualify as a key performance indicator (KPI)?
Question319: Which of the following should be PRIMARILY considered while designing information systems controls?
Question320: Which of the following IS processes provide indirect information?
Each correct answer represents a complete solution. Choose three.
Question321: An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
Question322: You are the risk official at Bluewell Inc. There are some risks that are posing threat on your enterprise. You are measuring exposure of those risk factors, which has the highest potential, by examining the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Which type of analysis you are performing?
Question323: A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents. Which of the following is the BEST course of action?
Question324: David is the project manager of the HRC Project. He has identified a risk in the project, which could cause the delay in the project. David does not want this risk event to happen so he takes few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?
Question325: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
Question326: Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?
Question327: Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?
Question328: You are the project manager of GHT project. You identified a risk of noncompliance with regulations due to missing of a number of relatively simple procedures.
The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization should this case be categorized?
Question329: Which of the following management action will MOST likely change the likelihood rating of a risk scenario related to remote network access?
Question330: IT risk assessments can BEST be used by management:
Question331: Which of the following is the way to verify control effectiveness?
Question332: Which of the following data would be used when performing a business impact analysis (BIA)?
Question333: Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
Question334: Which of the following criteria is MOST important when developing a response to an attack that would compromise data?
Question335: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
Question336: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:
Question337: Which of the following approaches would BEST help to identify relevant risk scenarios?
Question338: Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
Question339: As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?
Question340: Which of the following are risk components of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.
Question341: You are the project manager of your enterprise. While performing risk management, you are given a task to identify where your enterprise stands in certain practice and also to suggest the priorities for improvements.
Which of the following models would you use to accomplish this task?
Question342: What are the PRIMARY requirements for developing risk scenarios?
Each correct answer represents a part of the solution. Choose two.
Question343: An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?
Question344: Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc?
Question345: Which of the following is the most accurate definition of a project risk?
Question346: Which of the following guidelines should be followed for effective risk management?
Each correct answer represents a complete solution. Choose three.
Question347: You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re- architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?
Question348: You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process?
Each correct answer represents a complete solution. Choose all that apply.
Question349: Which of the following is true for risk management frameworks, standards and practices?
Each correct answer represents a part of the solution. Choose three.
Question350: The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
Question351: As part of an overall IT risk management plan, an IT risk register BEST helps management:
Question352: An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
Question353: An IT risk practitioner is evaluating an organization's change management controls over the last six months. The GREATEST concern would be an increase in:
Question354: An organization's IT infrastructure is running end-of-life software that is not allowed without exception approval. Which of the following would provide the MOST helpful information to justify investing in updated software?
Question355: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
Question356: Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
Question357: You are the program manager for your organization and you are working with Alice, a project manager in her program. Alice calls you and insists you to add a change to program scope. You agree for that the change. What must Alice do to move forward with her change request?
Question358: An organization wants to grant remote access to a system containing sensitive data to an overseas third party.
Which of the following should be of GREATEST concern to management?
Question359: Beth is a project team member on the JHG Project. Beth has added extra features to the project and this has introduced new risks to the project work. The project manager of the JHG project elects to remove the features Beth has added. The process of removing the extra features to remove the risks is called what?
Question360: Which of the following would be MOST useful when measuring the progress of a risk response action plan?
Question361: Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?
Question362: Which of The following is the MOST relevant information to include in a risk management strategy?
Question363: The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.

After implementing countermeasures listed in ''Risk Response Descriptions'' for each of the Risk IDs, which of the following component of the register MUST change?
Question364: You are the project manager of GHT project. You and your team have developed risk responses for those risks with the highest threat to or best opportunity for the project objectives. What are the immediate steps you should follow, after planning for risk response process? Each correct answer represents a complete solution. Choose three.
Question365: An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?
Question366: Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system?
Question367: Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?
Question368: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?
Question369: Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?
Question370: Which of the following is the MOST important benefit of key risk indicators (KRIs)?
Question371: What is the FIRST phase of IS monitoring and maintenance process?
Question372: Before assigning sensitivity levels to information it is MOST important to:
Question373: Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?
Question374: John is the project manager of the HGH Project for her company. He and his project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of response does John adopt here?
Question375: The MOST effective way to increase the likelihood that risk responses will be implemented is to:
Question376: Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
Question377: Which of the following is the BEST way of managing risk inherent to wireless network?
Question378: An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?
Question379: A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?
Question380: An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
Question381: Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?
Question382: The FIRST step for a startup company when developing a disaster recovery plan should be to identify:
Question383: Which of the following is the GREATEST advantage of implementing a risk management program?
Question384: Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
Question385: Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
Question386: Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
Question387: The acceptance of control costs that exceed risk exposure MOST likely demonstrates:
Question388: David is the project manager of HRC project. He concluded while HRC project is in process that if he adopts e-commerce, his project can be more fruitful. But he did not engaged in electronic commerce (e-commerce) so that he would escape from risk associated with that line of business. What type of risk response had he adopted?
Question389: Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?
Question390: When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:
Question391: Which of the following is MOST important when developing key risk indicators (KRIs)?
Question392: Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
Question393: In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities.
The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
Question394: After the review of a risk record, internal audit questioned why the risk was lowered from medium to low.
Which of the following is the BEST course of action in responding to this inquiry?
Question395: An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?
Question396: What are the responsibilities of the CRO?
Each correct answer represents a complete solution. Choose three.
Question397: Which of the following role carriers will decide the Key Risk Indicator of the enterprise?
Each correct answer represents a part of the solution. Choose two.
Question398: Suppose you are working in Techmart Inc. which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the Website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. Now in which category you would put the risk concerning the modification of the Website by unauthorized parties.
Question399: Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?
Question400: Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?
Question401: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:
Question402: A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?
Question403: IT disaster recovery point objectives (RPOs) should be based on the:
Question404: Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?
Question405: An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?
Question406: A trusted third party service provider has determined that the risk of a client's systems being hacked is low.
Which of the following would be the client's BEST course of action?
Question407: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Question408: Which of the following is the MOST important key performance indicator (KPI) to establish in the service agreement (SLA) for an outsourced data center?
Question409: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Question410: You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?
Question411: Which of the following are parts of SWOT Analysis?
Each correct answer represents a complete solution. (Choose four.)
Question412: An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
Question413: Which of the following is the MOST effective control to maintain the integrity of system configuration files?
Question414: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
Question415: When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?
Question416: Which of the following is an output of risk assessment process?
Question417: You are the project manager of GRT project. You discovered that by bringing on more qualified resources or by providing even better quality than originally planned, could result in reducing the amount of time required to complete the project. If your organization seizes this opportunity, it would be an example of what risk response?
Question418: Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?
Question419: Which of the following describes the relationship between Key risk indicators (KRIs) and key control indicators (KCIS)?
Question420: John is the project manager of the NHQ Project for his company. His project has 75 stakeholders, some of which are external to the organization. John needs to make certain that he communicates about risk in the most appropriate method for the external stakeholders. Which project management plan will be the best guide for John to communicate to the external stakeholders?
Question421: Which of the following should be the MAIN consideration when validating an organization's risk appetite?
Question422: Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?
Question423: When reviewing a report on the performance of control processes, it is MOST important to verify whether the:
Question424: You are the project manager of your enterprise. You have identified several risks. Which of the following responses to risk is considered the MOST appropriate?
Question425: Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?
Question426: After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?
Question427: Which of the following will significantly affect the standard information security governance model?
Question428: Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
Question429: Which of the following vulnerability assessment software can check for weak passwords on the network?
Question430: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
Question431: Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?
Question432: You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?
Question433: Which of the following is the MOST important information to be communicated during security awareness training?
Question434: The MOST important reason for implementing change control procedures is to ensure:
Question435: Which of the following is MOST influential when management makes risk response decisions?
Question436: Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
Question437: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Question438: Which of the following should be the PRIMARY focus of an IT risk awareness program?
Question439: Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?
Question440: When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
Question441: What are the functions of audit and accountability control?
Each correct answer represents a complete solution. (Choose three.)
Question442: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?
Question443: The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?
Question444: Which of the following is the FIRST step when conducting a business impact analysis (BIA)?
Question445: You are the project manager of GHT project. You have applied certain control to prevent the unauthorized changes in your project. Which of the following control you would have applied for this purpose?
Question446: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question447: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question448: Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?
Question449: Which of the following is the MOST critical security consideration when an enterprise outsource its major part of IT department to a third party whose servers are in foreign company?
Question450: Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
Question451: You are working on a project in an enterprise. Some part of your project requires e-commerce, but your enterprise choose not to engage in e-commerce. This scenario is demonstrating which of the following form?
Question452: Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?
Question453: The PRIMARY goal of a risk management program is to:
Question454: Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?
Question455: Which of The following would offer the MOST insight with regard to an organization's risk culture?
Question456: Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?
Question457: Which of the following should be the PRIMARY goal of developing information security metrics?
Question458: Which of the following is the PRIMARY reason to establish root cause of an IT security incident?
Question459: Which of the following events refer to loss of integrity?
Each correct answer represents a complete solution. Choose three.
Question460: When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?
Question461: Which of the following is a detective control?
Question462: Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?
Question463: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?
Question464: An organization retains footage from its data center security camera for 30 days when the policy requires
90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'
Question465: Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
Question466: Which of the following control is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
Question467: You are the risk official of your enterprise. Your enterprise takes important decisions without considering risk credential information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exists?
Question468: You are the project manager of your project. You have to analyze various project risks. You have opted for quantitative analysis instead of qualitative risk analysis. What is the MOST significant drawback of using quantitative analysis over qualitative risk analysis?
Question469: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?
Question470: The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?
Question471: Which of the following decision tree nodes have probability attached to their branches?
Question472: Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
Question473: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Question474: Which of the following test is BEST to map for confirming the effectiveness of the system access management process?
Question475: What is the MAIN purpose of designing risk management programs?
Question476: When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
Question477: What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?
Question478: You are the IT manager in Bluewell Inc. You identify a new regulation for safeguarding the information processed by a specific type of transaction. What would be the FIRST action you will take?
Question479: A change management process has recently been updated with new testing procedures. The NEXT course of action is to:
Question480: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?
Question481: To help ensure the success of a major IT project, it is MOST important to:
Question482: Which of the following processes is described in the statement below?
"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
Question483: When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?
Question484: Malicious code protection is which type control?
Question485: To define the risk management strategy which of the following MUST be set by the board of directors?
Question486: An organization maintains independent departmental risk registers that are not automatically aggregated.
Which of the following is the GREATEST concern?
Question487: Who should be responsible for implementing and maintaining security controls?
Question488: Which of the following BEST measures the operational effectiveness of risk management capabilities?
Question489: Which of the following are true for quantitative analysis?
Each correct answer represents a complete solution. Choose three.
Question490: Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
Question491: Who should have the authority to approve an exception to a control?
Question492: Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
Question493: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?
Question494: Which of the following is the way to verify control effectiveness?
Question495: Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?
Question496: Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
Question497: Which of the following come under the management class of controls?
Each correct answer represents a complete solution. Choose all that apply.
Question498: The BEST control to mitigate the risk associated with project scope creep is to:
Question499: Which of the following BEST helps to balance the costs and benefits of managing IT risk?
Question500: When of the following provides the MOST tenable evidence that a business process control is effective?
Question501: Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?
Question502: An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?
Question503: Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months.
Management asks Billy how often the project team is participating in risk reassessment in this project.
What should Billy tell management if he's following the best practices for risk management?
Question504: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question505: Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
Question506: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?
Question507: Mapping open risk issues to an enterprise risk heat map BEST facilitates:
Question508: Which of the following will BEST mitigate the risk associated with IT and business misalignment?
Question509: Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Question510: Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?
Question511: Which of the following business requirements MOST relates to the need for resilient business and information systems processes?
Question512: When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
Question513: Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?
Question514: Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
Question515: You are the project manager for your organization to install new workstations, servers, and cabling throughout a new building, where your company will be moving into. The vendor for the project informs you that the cost of the cabling has increased due to the some reason. This new cost will cause the cost of your project to increase by nearly eight percent. What change control system should the costs be entered into for review?
Question516: You are the project manager of your enterprise. While performing risk management, you are given a task to identify where your enterprise stands in certain practice and also to suggest the priorities for improvements. Which of the following models would you use to accomplish this task?
Question517: In order to determining a risk is under-controlled the risk practitioner will need to
Question518: Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
Question519: There are four inputs to the Monitoring and Controlling Project Risks process. Which one of the following will NOT help you, the project manager, to prepare for risk monitoring and controlling?
Question520: Which of the following serve as the authorization for a project to begin?
Question521: Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
Question522: Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?
Question523: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Question524: Which of the following is a detective control?
Question525: Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?
Question526: You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?
Question527: Which of the following is the MOST important use of KRIs?
Question528: Which of the following is the BEST way to identify changes to the risk landscape?
Question529: What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?
Question530: Your project is an agricultural-based project that deals with plant irrigation systems. You have
discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?
Question531: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
Question532: A trusted third party service provider has determined that the risk of a client's systems being hacked is low.
Which of the following would be the client's BEST course of action?
Question533: Which of the following is true for risk evaluation?
Question534: Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
Question535: Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
Question536: When updating the risk register after a risk assessment, which of the following is MOST important to include?
Question537: Where are all risks and risk responses documented as the project progresses?
Question538: Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives?
Question539: Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
Question540: Which of the following risk responses include feedback and guidance from well-qualified risk officials and those internal to the project?
Question541: Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
Question542: Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?
Question543: You are the project manager for BlueWell Inc. Your current project is a high priority and high profile project within your organization. You want to identify the project stakeholders that will have the most power in relation to their interest on your project. This will help you plan for project risks, stakeholder management, and ongoing communication with the key stakeholders in your project. In this process of stakeholder analysis, what type of a grid or model should you create based on these conditions?
Question544: Which of the following nodes of the decision tree analysis represents the start point of decision tree?
Question545: While considering entity-based risks, which dimension of the COSO ERM framework is being referred?
Question546: A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database.
Which of the following controls BEST mitigates the impact of this incident?
Question547: Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?
Question548: Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
Question549: A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?
Question550: The number of tickets to rework application code has significantly exceeded the established threshold.
Which of the following would be the risk practitioner's BEST recommendation?
Question551: Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?
Question552: A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding. The risk practitioner should report that the associated risk has been:
Question553: You are the Risk Official in Bluewell Inc. You have detected much vulnerability during risk assessment process. What you should do next?
Question554: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:
Question555: You are the project manager for BlueWell Inc. You have noticed that the risk level in your project increases above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance to risk response process. All of the following are included in the risk register except for which item?
Question556: Which of the following considerations should be taken into account while selecting risk indicators that ensures greater buy-in and ownership?
Question557: John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks associated to the time allowances for the activities or projects as a whole, with a width of the range indicating the degrees of risk?
Question558: You are the project manager of GHT project. You and your team have developed risk responses for those risks with the highest threat to or best opportunity for the project objectives. What are the immediate steps you should follow, after planning for risk response process? Each correct answer represents a complete solution.
Choose three.
Question559: An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
Question560: Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?
Question561: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
Question562: Which of the following is MOST important to compare against the corporate risk profile?
Question563: Jeff works as a Project Manager for www.company.com Inc. He and his team members are involved in the identify risk process. Which of the following tools & techniques will Jeff use in the identify risk process?
Each correct answer represents a complete solution. (Choose three.)
Question564: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
Question565: Which of the following is MOST important to review when determining whether a potential IT service provider s control environment is effective?
Question566: Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?
Question567: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
Question568: The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:
Question569: Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
Question570: You are the project manager of GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks you would do in reaction to risk event occurrence? Each correct answer represents a part of the solution. Choose three.
Question571: Which of the following BEST indicates effective information security incident management?
Question572: An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
Question573: You are working in Bluewell Inc. which make advertisement Websites. Someone had made unauthorized changes to your Website. Which of the following terms refers to this type of loss?
Question574: You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process?
Each correct answer represents a complete solution. (Choose three.)
Question575: Which of the following is the MOST important data attribute of key risk indicators (KRIs)?
Question576: Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
Question577: Risk management strategies are PRIMARILY adopted to:
Question578: Which of the following statements is true for risk analysis?
Question579: Risk aggregation in a complex organization will be MOST successful when:
Question580: You are working in an enterprise. Your enterprise is willing to accept a certain amount of risk. What is this risk called?
Question581: Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?
Question582: During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?
Question583: Within the three lines of defense model, the accountability for the system of internal control resides with:
Question584: Which of the following aspect of monitoring tool ensures that the monitoring tool has the ability to keep up with the growth of an enterprise?
Question585: Using which of the following one can produce comprehensive result while performing qualitative risk analysis?
Question586: Which of the following would BEST help to ensure that suspicious network activity is identified?
Question587: Which of the following vulnerability assessment software can check for weak passwords on the network?
Question588: Which of the following are the security plans adopted by the organization?
Each correct answer represents a complete solution. (Choose three.)
Question589: An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.
Question590: Which of the following represents a vulnerability?
Question591: You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve this goal of improving the project's performance through risk analysis with your project stakeholders?
Question592: A risk practitioner has just learned about new done FIRST?
Question593: John is the project manager of the HGH Project for her company. He and his project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of response does John adopt here?
Question594: Which of the following would BEST help to ensure that identified risk is efficiently managed?
Question595: Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?
Question596: You are working in an enterprise. You enterprise is willing to accept a certain amount of risk. What is this risk called?
Question597: Which of the following is MOST important when developing risk scenarios?
Question598: An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part- time employees. This situation would be considered:
Question599: Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?
Question600: What are the requirements of effectively communicating risk analysis results to the relevant stakeholders?
Each correct answer represents a part of the solution. Choose three.
Question601: You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?
Question602: Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?
Question603: You are working in an enterprise. You project deals with important files that are stored on the computer. You have identified the risk of the failure of operations. To address this risk of failure, you have guided the system administrator sign off on the daily backup. This scenario is an example of which of the following?
Question604: Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?
Question605: Which of the following role carriers is accounted for analyzing risks, maintaining risk profile, and risk-aware decisions?
Question606: An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?
Question607: You are the project manager of HJT project. Important confidential files of your project are stored on a computer. Keeping the unauthorized access of this computer in mind, you have placed a hidden CCTV in the room, even on having protection password. Which kind of control CCTV is?
Question608: You are the risk professional of your enterprise. You need to calculate potential revenue loss if a certain risks occurs. Your enterprise has an electronic (e-commerce) web site that is producing US $1 million of revenue each day, then if a denial of service (DoS) attack occurs that lasts half a day creates how much loss?
Question609: Which of the following would BEST facilitate the implementation of data classification requirements?
Question610: After identifying new risk events during a project, the project manager s NEXT step should be to:
Question611: You are the project manager of HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following response have you implemented?
Question612: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Question613: Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk?
Question614: An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?
Question615: Which of the following is described by the definition given below?
"It is the expected guaranteed value of taking a risk."
Question616: Of the following, who should be responsible for determining the inherent risk rating of an application?
Question617: You are the project manager of GHT project. You have identified a risk event on your current project that could save $670,000 in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event?
Question618: You work as a project manager for BlueWell Inc. Your project is using a new material to construct a large warehouse in your city. This new material is cheaper than traditional building materials, but it takes some time to learn how to use the material properly. You have communicated to the project stakeholders that you will be able to save costs by using the new material, but you will need a few extra weeks to complete training to use the materials. This risk response of learning how to use the new materials can also be known as what term?
Question619: Who is at the BEST authority to develop the priorities and identify what risks and impacts would occur if there were loss of the organization's private information?
Question620: Which of the following statements are true for enterprise's risk management capability maturity level 3?
Question621: Which of the following BEST indicates the condition of a risk management program?
Question622: Which of the following are true for threats?
Each correct answer represents a complete solution. Choose three.
Question623: Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?
Question624: Improvements in the design and implementation of a control will MOST likely result in an update to:
Question625: Which of the following is the BEST method of creating risk awareness in an organization?
Question626: Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?
Question627: A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
Question628: FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
Question629: Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?
Question630: Which of the following BEST measures the operational effectiveness of risk management capabilities?
Question631: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
Question632: Which of the following role carriers has to account for collecting data on risk and articulating risk?
Question633: After identifying new risk events during a project, the project manager s NEXT step should be to:
Question634: A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?
Question635: The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
Question636: Which of The following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?
Question637: Which of the following is true for risk management frameworks, standards and practices?
Each correct answer represents a part of the solution. Choose three.
Question638: Which of the following would provide the MOST comprehensive information for updating an organization's risk register?
Question639: Which of the following provides the MOST useful information to determine risk exposure following control implementations?
Question640: Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?
Question641: What are the MOST essential attributes of an effective Key control indicator (KCI)?
Question642: Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:
Question643: What are the functions of audit and accountability control?
Each correct answer represents a complete solution. (Choose three.)
Question644: What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?
Question645: Which of the following is MOST important when developing risk scenarios?
Question646: When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
Question647: What are the responsibilities of the CRO?
Each correct answer represents a complete solution. Choose three.
Question648: The PRIMARY advantage of involving end users in continuity planning is that they:
Question649: Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
Question650: What are the functions of audit and accountability control?
Each correct answer represents a complete solution. Choose all that apply.
Question651: Which of the following is the STRONGEST indication an organization has ethics management issues?
Question652: What is the PRIMARY need for effectively assessing controls?
Question653: Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level to the most mature level. Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk?
Question654: FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
Question655: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
Question656: An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?
Question657: An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?
Question658: Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?
Question659: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:
Question660: Which of the following is the greatest risk to reporting?
Question661: NIST SP 800-53 identifies controls in three primary classes. What are they?
Question662: Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?
Question663: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Question664: Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?
Question665: Which of the following is the MOST important enabler of effective risk management?
Question666: You are the project manager of a large networking project. During the execution phase the customer requests for a change in the existing project plan. What will be your immediate action?
Question667: Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?
Question668: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
Question669: Which of the following is the PRIMARY purpose of analyzing log data collected from systems?
Question670: Which of the following BEST balances the costs and benefits of managing IT risk*?
Question671: Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?
Question672: Which of the following is the MOST important factor affecting risk management in an organization?
Question673: Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?
Question674: Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?
Question675: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
Question676: Which of the following would BEST ensure that identified risk scenarios are addressed?
Question677: A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
Question678: Which of the following will be the GREATEST concern when assessing the risk profile of an organization?
Question679: The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
Question680: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall.
Which of the following controls has MOST likely been compromised?
Question681: Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?
Question682: The MAIN reason for creating and maintaining a risk register is to:
Question683: Which of the following BEST enables senior management lo compare the ratings of risk scenarios?
Question684: Which of the following is the MOST important outcome of reviewing the risk management process?
Question685: In which of the following risk management capability maturity levels does the enterprise takes major business decisions considering the probability of loss and the probability of reward? Each correct answer represents a complete solution. Choose two.
Question686: Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?
Question687: Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
Question688: Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?
Question689: Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
Question690: An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
Question691: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
Question692: Senior management is deciding whether to share confidential data with the organization's business partners.
The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:
Question693: You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?
Question694: Who is responsible for IT security controls that are outsourced to an external service provider?
Question695: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:
Question696: Which of the following laws applies to organizations handling health care information?
Question697: The best way to test the operational effectiveness of a data backup procedure is to:
Question698: You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the applications of IRGC model to facilitate the understanding and managing the rising of the overall risks that have impacts on the economy and society. One of your team members wants to know that what the need to use the IRGC is. What will be your reply?
Question699: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited.
Which of the following would be the BEST response to this scenario?
Question700: What can be determined from the risk scenario chart?

Question701: Which of the following are risk components of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.
Question702: Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
Question703: You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated.
Which project management process is responsible for these actions?
Question704: An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
Question705: Which of the following laws applies to organizations handling health care information?
Question706: Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
Question707: Which of the following is MOST important for an organization to have in place when developing a risk management framework?
Question708: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?
Question709: Which of the following BEST assists in justifying an investment in automated controls?
Question710: Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
Question711: Which of the following provides the BEST evidence that a selected risk treatment plan is effective?