Question1: Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
Question2: The PRIMARY purpose of using control metrics is to evaluate the:
Question3: Risk aggregation in a complex organization will be MOST successful when:
Question4: An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?
Question5: Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?
Question6: A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?
Question7: Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?
Question8: Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?
Question9: In order to determining a risk is under-controlled the risk practitioner will need to
Question10: Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?
Question11: During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:
Question12: An IT license audit has revealed that there are several unlicensed copies of co be to:
Question13: Which of the following is the MOST important reason to create risk scenarios?
Question14: Which of the following is the PRIMARY objective of a risk awareness program?
Question15: An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?
Question16: Which of the following is the BEST way to determine software license compliance?
Question17: After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?
Question18: Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?
Question19: Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?
Question20: Mapping open risk issues to an enterprise risk heat map BEST facilitates:
Question21: When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:
Question22: Which of the following BEST enables detection of ethical violations committed by employees?
Question23: An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Question24: The PRIMARY goal of a risk management program is to:
Question25: Which of the following is MOST important to update following a change in organizational risk appetite and tolerance?
Question26: An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?
Question27: An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action?
Question28: Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?
Question29: Well-developed, data-driven risk measurements should be:
Question30: Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place?
Question31: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
Question32: Which of the following is the GREATEST risk of relying on artificial intelligence (Al) within heuristic security systems?
Question33: When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?
Question34: Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
Question35: Which of the following approaches BEST identifies information systems control deficiencies?
Question36: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Question37: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:
Question38: A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?
Question39: Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?
Question40: Which of the following risk activities is BEST facilitated by enterprise architecture (EA)?
Question41: An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?
Question42: Which of the following is the BEST control to detect an advanced persistent threat (APT)?
Question43: Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?
Question44: A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?
Question45: Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?
Question46: Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
Question47: A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operating environment, which factor should be updated to reflect this situation as an input to scenario development for this particular risk event?
Question48: The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
Question49: Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?
Question50: Who is the MOST appropriate owner for newly identified IT risk?
Question51: The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:
Question52: After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
Question53: Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
Question54: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?
Question55: Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?
Question56: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?
Question57: An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?
Question58: Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?
Question59: Which of the following is MOST helpful in providing an overview of an organization's risk management program?
Question60: Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?
Question61: Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?
Question62: A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the following should the risk practitioner do FIRST?
Question63: Which of the following provides the MOST useful information when determining if a specific control should be implemented?
Question64: Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?
Question65: Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?
Question66: To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?
Question67: Within the three lines of defense model, the responsibility for managing risk and controls resides with:
Question68: An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following is MOST important to include in a risk awareness training session for the customer service department?
Question69: What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?
Question70: Which of the following is the BEST way to identify changes to the risk landscape?
Question71: Which of the following should be determined FIRST when a new security vulnerability is made public?
Question72: Which of the following provides the MOST useful input to the development of realistic risk scenarios?
Question73: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?
Question74: During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:
Question75: A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
Question76: An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?
Question77: What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?
Question78: Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST
Question79: Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?
Question80: What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?
Question81: A hospital recently implemented a new technology to allow virtual patient appointments. Which of the following should be the risk practitioner's FIRST course of action?
Question82: A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to:
Question83: Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
Question84: A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of the following ould be the MOST effective course of action?
Question85: Which of the following would be a risk practitioner'$ BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?
Question86: The FIRST task when developing a business continuity plan should be to:
Question87: The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?
Question88: Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?
Question89: Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?
Question90: Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
Question91: Which of the following is the MOST important benefit of key risk indicators (KRIs)'
Question92: When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?
Question93: The MOST important consideration when selecting a control to mitigate an identified risk is whether:
Question94: A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?
Question95: The MAIN purpose of conducting a control self-assessment (CSA) is to:
Question96: A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?
Question97: The PRIMARY reason for prioritizing risk scenarios is to:
Question98: Which of the following is the MOST important outcome of a business impact analysis (BIA)?
Question99: Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?
Question100: Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?
Question101: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?
Question102: Which of the following BEST measures the efficiency of an incident response process?
Question103: An organization recently experienced a cyber attack that resulted in the loss of confidential customer data.
Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?
Question104: Which of the following is the BEST method to identify unnecessary controls?
Question105: A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach
Question106: A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?
Question107: Which of the following is the PRIMARY role of the board of directors in corporate risk governance?
Question108: Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
Question109: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?
Question110: Which of the following will BEST help to improve an organization's risk culture?
Question111: An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?
Question112: Which of the following is the MOST effective way to mitigate identified risk scenarios?
Question113: Which of the following is the MOST important component in a risk treatment plan?
Question114: An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?
Question115: Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?
Question116: An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?
Question117: What is the MAIN benefit of using a top-down approach to develop risk scenarios?
Question118: The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?
Question119: Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?
Question120: Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?
Question121: Improvements in the design and implementation of a control will MOST likely result in an update to:
Question122: Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
Question123: An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?
Question124: Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?
Question125: Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?
Question126: Recovery the objectives (RTOs) should be based on
Question127: Which of the following stakeholders define risk tolerance for an enterprise?
Question128: Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?
Question129: An organization has decided to implement a new Internet of Things (loT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?
Question130: A risk practitioner is performing a risk assessment of recent external advancements in quantum computing.
Which of the following would pose the GREATEST concern for the risk practitioner?
Question131: An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative's objectives?
Question132: An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
Question133: Which of the following roles should be assigned accountability for monitoring risk levels?
Question134: Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?
Question135: Print jobs containing confidential information are sent to a shared network printer located in a secure room.
Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?
Question136: During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?
Question137: An organization has raised the risk appetite for technology risk. The MOST likely result would be:
Question138: Which of the following is the BEST way to support communication of emerging risk?
Question139: A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?
Question140: Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?
Question141: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:
Question142: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?
Question143: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question144: An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?
Question145: Which of the following is the MOST important consideration for the board and senior leadership regarding the organization's approach to risk management for emerging technologies?
Question146: Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?
Question147: An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action?
Question148: Which of the following would BEST provide early warning of a high-risk condition?
Question149: Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
Question150: A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?
Question151: A risk practitioner has been asked to propose a risk acceptance framework for an organization. Which of the following is the MOST important consideration for the risk practitioner to address in the framework?
Question152: An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?
Question153: Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?
Question154: Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?
Question155: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
Question156: Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
Question157: Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
Question158: Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?
Question159: A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?
Question160: Which of the following BEST enables the timely detection of changes in the security control environment?
Question161: Which of the following is the PRIMARY objective of maintaining an information asset inventory?
Question162: An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?
Question163: An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results.
Which of the following is the risk practitioner's BEST recommendation?
Question164: An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)?
Question165: Which of the following BEST helps to identify significant events that could impact an organization?
Question166: Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
Question167: Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?
Question168: Which of the following is MOST important to update when an organization's risk appetite changes?
Question169: Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?
Question170: An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
Question171: The purpose of requiring source code escrow in a contractual agreement is to:
Question172: A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of GREATEST concern to the risk practitioner?
Question173: The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
Question174: A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?
Question175: Which of the following would MOST likely result in updates to an IT risk appetite statement?
Question176: The MAJOR reason to classify information assets is
Question177: Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?
Question178: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
Question179: An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor adherence to the 15-day threshold?
Question180: Which of the following controls are BEST strengthened by a clear organizational code of ethics?
Question181: When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:
Question182: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?
Question183: A business impact analysis (BIA) enables an organization to determine appropriate IT risk mitigation actions by:
Question184: A failure in an organization s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?
Question185: Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?
Question186: Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?
Question187: Which of the following is MOST helpful in preventing risk events from materializing?
Question188: An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan.
Which of the following is the risk practitioner's BEST course of action?
Question189: A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?
Question190: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?
Question191: Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?
Question192: Which strategy employed by risk management would BEST help to prevent internal fraud?
Question193: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question194: Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?
Question195: An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?
Question196: An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?
Question197: Which of the following is the MOST common concern associated with outsourcing to a service provider?
Question198: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
Question199: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
Question200: Which of the following would be a risk practitioners' BEST recommendation for preventing cyber intrusion?
Question201: Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?
Question202: Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
Question203: During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?
Question204: Which of the following activities is PRIMARILY the responsibility of senior management?
Question205: Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
Question206: Which of the following sources is MOST relevant to reference when updating security awareness training materials?
Question207: The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?
Question208: Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?
Question209: Which of the following BEST supports the management of identified risk scenarios?
Question210: Read" rights to application files in a controlled server environment should be approved by the:
Question211: Which of the following will help ensure the elective decision-making of an IT risk management committee?
Question212: The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:
Question213: Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
Question214: Which of the following is MOST important to include in a risk assessment of an emerging technology?
Question215: Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?
Question216: A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?
Question217: Which of the following would BEST help minimize the risk associated with social engineering threats?
Question218: Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?
Question219: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?
Question220: When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?
Question221: After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to;
Question222: Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?
Question223: What is the PRIMARY purpose of a business impact analysis (BIA)?
Question224: In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?
Question225: Which of the following activities BEST facilitates effective risk management throughout the organization?
Question226: Which of the following describes the relationship between risk appetite and risk tolerance?
Question227: Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
Question228: A MAJOR advantage of using key risk indicators (KRis) is that (hey
Question229: Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?
Question230: Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?
Question231: It is MOST important that security controls for a new system be documented in:
Question232: Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:
Question233: An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
Question234: A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?
Question235: Which of the following would BEST indicate to senior management that IT processes are improving?
Question236: Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?
Question237: An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register?
Question238: After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:
Question239: Which of the following BEST helps to balance the costs and benefits of managing IT risk?
Question240: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:
Question241: Within the three lines of defense model, the accountability for the system of internal control resides with:
Question242: During a review of the asset life cycle process, a risk practitioner identified several unreturned and unencrypted laptops belonging to former employees. Which of the following is the GREATEST concern with this finding?
Question243: An organization wants to grant remote access to a system containing sensitive data to an overseas third party.
Which of the following should be of GREATEST concern to management?
Question244: A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?
Question245: Which of the following is the BEST method for determining an enterprise's current appetite for risk?
Question246: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
Question247: Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
Question248: Which of the following activities is a responsibility of the second line of defense?
Question249: An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?
Question250: During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?
Question251: Who should be accountable for ensuring effective cybersecurity controls are established?
Question252: What is the BEST information to present to business control owners when justifying costs related to controls?
Question253: During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?
Question254: What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?
Question255: Which of the following is the PRIMARY purpose of a risk register?
Question256: Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?
Question257: A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?
Question258: An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact?
Question259: Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?
Question260: The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
Question261: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:
Question262: The acceptance of control costs that exceed risk exposure MOST likely demonstrates:
Question263: Who should be PRIMARILY responsible for establishing an organization's IT risk culture?
Question264: A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?
Question265: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
Question266: An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:
Question267: An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?
Question268: Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
Question269: An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?
Question270: When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the:
Question271: An audit reveals that there are changes in the environment that are not reflected in the risk profile. Which of the following is the BEST course of action?
Question272: Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?
Question273: Continuous monitoring of key risk indicators (KRIs) will:
Question274: Which of the following should be management's PRIMARY consideration when approving risk response action plans?
Question275: The BEST metric to demonstrate that servers are configured securely is the total number of servers:
Question276: The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:
Question277: Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?
Question278: Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?
Question279: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited.
Which of the following would be the BEST response to this scenario?
Question280: An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner?
Question281: Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?
Question282: An organization is planning to move its application infrastructure from on-premises to the cloud. Which of the following is the BEST course of the actin to address the risk associated with data transfer if the relationship is terminated with the vendor?
Question283: An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance, which of the following is the risk practitioner's BEST recommendation?
Question284: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
Question285: It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?
Question286: Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?
Question287: An organization has allowed several employees to retire early in order to avoid layoffs Many of these employees have been subject matter experts for critical assets Which type of risk is MOST likely to materialize?
Question288: Which of the following should be the MOST important consideration when performing a vendor risk assessment?
Question289: An effective control environment is BEST indicated by controls that:
Question290: The MOST effective approach to prioritize risk scenarios is by:
Question291: A change management process has recently been updated with new testing procedures. What is the NEXT course of action?
Question292: A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?
Question293: An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?
Question294: Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?
Question295: A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?
Question296: A PRIMARY advantage of involving business management in evaluating and managing risk is that management:
Question297: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
Question298: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
Question299: Which of the following would MOST likely cause management to unknowingly accept excessive risk?
Question300: Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?
Question301: When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:
Question302: Which of the following would BEST indicate to senior management that IT processes are improving?
Question303: Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?
Question304: Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?
Question305: A risk practitioner observes that hardware failure incidents have been increasing over the last few months.
However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
Question306: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Question307: An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
Question308: Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
Question309: All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
Question310: Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?
Question311: Which of the following is the MOST important objective of regularly presenting the project risk register to the project steering committee?
Question312: What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?
Question313: An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:
Question314: Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?
Question315: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
Question316: Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?
Question317: Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
Question318: When testing the security of an IT system, il is MOST important to ensure that;
Question319: Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?
Question320: Which of the following is the BEST method for identifying vulnerabilities?
Question321: An organization has experienced several incidents of extended network outages that have exceeded tolerance.
Which of the following should be the risk practitioner's FIRST step to address this situation?
Question322: Which of the following provides the BEST measurement of an organization's risk management maturity level?
Question323: Which of the following will BEST help an organization select a recovery strategy for critical systems?
Question324: An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:
Question325: A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database.
Which of the following controls BEST mitigates the impact of this incident?
Question326: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
Question327: Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''
Question328: Which of the following BEST helps to identify significant events that could impact an organization?
Vulnerability analysis
Question329: Who is accountable for risk treatment?
Question330: A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?
Question331: Which of the following BEST indicates effective information security incident management?
Question332: Which of the following should be the PRIMARY focus of an independent review of a risk management process?
Question333: Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?
Question334: Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?
Question335: Which of the following is MOST effective against external threats to an organizations confidential information?
Question336: Which of the following is the MOST important consideration for protecting data assets m a Business application system?
Question337: Which of the following is MOST helpful when prioritizing action plans for identified risk?
Question338: Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
Question339: Which of the following would be MOST helpful when estimating the likelihood of negative events?
Question340: An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
Question341: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
Question342: The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:
Question343: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?
Question344: Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?
Question345: Which of the following would be MOST beneficial as a key risk indicator (KRI)?
Question346: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
Question347: What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?
Question348: Which of the following BEST indicates the effective implementation of a risk treatment plan?
Question349: Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?
Question350: Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?
Question351: Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?
Question352: Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders?
Question353: Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (Pll)?
Question354: Prudent business practice requires that risk appetite not exceed:
Question355: An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to me risk practitioner?
Question356: A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
Question357: Which of the following should be the starting point when performing a risk analysis for an asset?
Question358: Which of the following will BEST help to ensure that information system controls are effective?
Question359: Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
Question360: Which of the following provides the MOST useful information when developing a risk profile for management approval?
Question361: An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?
Question362: Which of the following is the PRIMARY accountability for a control owner?
Question363: Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
Question364: Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?
Question365: Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....
Question366: Which of the following is MOST important when developing risk scenarios?
Question367: Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:
Question368: Which of the following is the MOST important characteristic of an effective risk management program?
Question369: The PRIMARY benefit of classifying information assets is that it helps to:
Question370: The percentage of unpatched systems is a:
Question371: Which of the following is MOST important for an organization to have in place when developing a risk management framework?
Question372: Which of the following is the PRIMARY role of a data custodian in the risk management process?
Question373: The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:
Question374: Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
Question375: An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:
Question376: An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?
Question377: Which of the following is the GREATEST risk associated with the use of data analytics?
Question378: Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
Question379: Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?
Question380: Which of the following situations would BEST justify escalation to senior management?
Question381: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
Question382: From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
Question383: Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?
Question384: In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
Question385: A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?
Question386: Determining if organizational risk is tolerable requires:
Question387: Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?
Question388: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
Question389: Which of the following is MOST important when discussing risk within an organization?
Question390: From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
Question391: When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?
Question392: Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?
Question393: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?
Question394: Which of the following should be an element of the risk appetite of an organization?
Question395: When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:
Question396: Which of the following will BEST mitigate the risk associated with IT and business misalignment?
Question397: Which of the following criteria is MOST important when developing a response to an attack that would compromise data?
Question398: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Question399: A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
Question400: Which of the following would BEST facilitate the maintenance of data classification requirements?
Question401: Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data?
Question402: When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:
Question403: Which of the following BEST prevents control gaps in the Zero Trust model when implementing in the environment?
Question404: Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?
Question405: A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?
Question406: Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?
Question407: An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?
Question408: Which of the following is the GREATEST risk associated with inappropriate classification of data?
Question409: An organization's risk management team wants to develop IT risk scenarios to show the impact of collecting and storing credit card information. Which of the following is the MOST comprehensive approach to capture this scenario?
Question410: Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?
Question411: Which of the following is the BEST way to identify changes in the risk profile of an organization?
Question412: An enterprise has taken delivery of software patches that address vulnerabilities in its core business software.
Prior to implementation, which of the following is the MOST important task to be performed?
Question413: An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?
Question414: Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?
Question415: Which of the following is the PRIMARY reason to update a risk register with risk assessment results?
Question416: Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented. Which risk treatment has been selected?
Question417: Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?
Question418: A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?
Question419: Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?
Question420: Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?
Question421: When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?
Question422: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
Question423: The BEST way for an organization to ensure that servers are compliant to security policy is to review:
Question424: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?
Question425: A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?
Question426: An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?
Question427: Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?
Question428: Which of the following is the MOST important benefit of reporting risk assessment results to senior management?
Question429: During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?
Question430: Legal and regulatory risk associated with business conducted over the Internet is driven by:
Question431: Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
Question432: Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?
Question433: An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?
Question434: An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?
Question435: The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?
Question436: Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?
Question437: To help identify high-risk situations, an organization should:
Question438: Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?
Question439: Which of the following should be the GREATEST concern for an organization that uses open source software applications?
Question440: Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?
Question441: Which of the following is the GREATEST risk associated with inappropriate classification of data?
Question442: A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?
Question443: Who is MOST important lo include in the assessment of existing IT risk scenarios?
Question444: An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
Question445: Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?
Question446: An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?
Question447: Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?
Question448: Which of the following should be included in a risk scenario to be used for risk analysis?
Question449: Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?
Question450: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?
Question451: A maturity model will BEST indicate:
Question452: Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?
Question453: Establishing and organizational code of conduct is an example of which type of control?
Question454: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
Question455: Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
Question456: Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?
Question457: The operational risk associated with attacks on a web application should be owned by the individual in charge of:
Question458: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
Question459: IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
Question460: Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
Question461: Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?
Question462: When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:
Question463: The acceptance of control costs that exceed risk exposure is MOST likely an example of:
Question464: An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?
Question465: Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?
Question466: Which of the following would qualify as a key performance indicator (KPI)?
Question467: Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?
Question468: Which of the following is the PRIMARY purpose of creating and documenting control procedures?
Question469: The PRIMARY benefit associated with key risk indicators (KRls) is that they:
Question470: When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?
Question471: A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
Question472: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
Question473: Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?
Question474: Which of the following is MOST important when developing key risk indicators (KRIs)?
Question475: Which of the following is MOST important when developing key performance indicators (KPIs)?
Question476: Which of the following would be considered a vulnerability?
Question477: Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?
Question478: A payroll manager discovers that fields in certain payroll reports have been modified without authorization.
Which of the following control weaknesses could have contributed MOST to this problem?
Question479: Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?
Question480: Following a review of a third-party vendor, it is MOST important for an organization to ensure:
Question481: A risk owner should be the person accountable for:
Question482: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?
Question483: An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?
Question484: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:
Question485: The MAIN purpose of reviewing a control after implementation is to validate that the control:
Question486: Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?
Question487: The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:
Question488: Which of the following is MOST useful when communicating risk to management?
Question489: Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?
Question490: A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?
Question491: The objective of aligning mitigating controls to risk appetite is to ensure that:
Question492: it was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern1?
Question493: Which of the following BEST supports ethical IT risk management practices?
Question494: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
Question495: When evaluating a number of potential controls for treating risk, it is MOST important to consider:
Question496: The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:
Question497: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?
Question498: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?
Question499: Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
Question500: Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
Question501: An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
Question502: Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?
Question503: Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?
Question504: A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?
Question505: Which of the following events is MOST likely to trigger the need to conduct a risk assessment?
Question506: Which of the following will BEST quantify the risk associated with malicious users in an organization?
Question507: Which of the following should be the MAIN consideration when validating an organization's risk appetite?
Question508: Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?
Question509: Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?
Question510: Which of the following is MOST important to consider before determining a response to a vulnerability?
Question511: Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?
Question512: Which of the following should management consider when selecting a risk mitigation option?
Question513: Which of the following is the GREATEST benefit of a three lines of defense structure?
Question514: An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
Question515: Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?
Question516: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?
Question517: Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
Question518: Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
Question519: Which of the following would BEST help secure online financial transactions from improper users?
Question520: Which of the following should be the PRIMARY input when designing IT controls?
Question521: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Question522: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
Question523: Who should be responsible for approving the cost of controls to be implemented for mitigating risk?
Question524: Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?
Question525: A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?
Question526: Which of the following is the MAIN reason for analyzing risk scenarios?
Question527: Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?
Question528: Which of the following should a risk practitioner do NEXT after learning that Internet of Things (loT) devices installed in the production environment lack appropriate security controls for sensitive data?
Question529: Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis?
Question530: Which of the following is the MAIN reason to continuously monitor IT-related risk?
Question531: For a large software development project, risk assessments are MOST effective when performed:
Question532: Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?
Question533: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
Question534: Which of the following should be a risk practitioner's MOST important consideration when developing IT risk scenarios?
Question535: The PRIMARY purpose of using a framework for risk analysis is to:
Question536: Which of the following is MOST important for senior management to review during an acquisition?
Question537: An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
Question538: Which of the following should an organization perform to forecast the effects of a disaster?
Question539: Which of the following is the BEST method for assessing control effectiveness?
Question540: A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?
Question541: Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?
Question542: A contract associated with a cloud service provider MUST include:
Question543: The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
Question544: Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?
Question545: For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST?
Question546: While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
Question547: Which of the following is a KEY outcome of risk ownership?
Question548: Which of the following BEST facilitates the development of relevant risk scenarios?
Question549: An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:
Question550: Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
Question551: IT risk assessments can BEST be used by management:
Question552: Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?
Question553: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
Question554: Which of the following is the BEST indication of the effectiveness of a business continuity program?
Question555: A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?
Question556: Which of the following is performed after a risk assessment is completed?
Question557: When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
Question558: When prioritizing risk response, management should FIRST:
Question559: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
Question560: Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''
Question561: IT disaster recovery point objectives (RPOs) should be based on the:
Question562: Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?
Question563: Which of the following is MOST useful for measuring the existing risk management process against a desired state?
Question564: Risk acceptance of an exception to a security control would MOST likely be justified when:
Question565: Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?
Question566: Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?
Question567: Which of the following should a risk practitioner do FIRST to support the implementation of governance around organizational assets within an enterprise risk management (ERM) program?
Question568: Which of the following is the MOST important document regarding the treatment of sensitive data?
Question569: Which of the following is the MOST relevant information to include in a risk management strategy?
Question570: An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?
Question571: Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?
Question572: Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Question573: Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
Question574: A new regulator/ requirement imposes severe fines for data leakage involving customers' personally identifiable information (Pll). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?
Question575: When classifying and prioritizing risk responses, the areas to address FIRST are those with:
Question576: Which of the following BEST enables an organization to determine whether risk management is aligned with its goals and objectives?
Question577: The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
Question578: While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?
Question579: Which of the following is the PRIMARY reason to perform ongoing risk assessments?
Question580: Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
Question581: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?
Question582: Which types of controls are BEST used to minimize the risk associated with a vulnerability?
Question583: The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analysis should be to:
Question584: Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?
Question585: Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?
Question586: A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?
Question587: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?
Question588: Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?
Question589: Which of the following deficiencies identified during a review of an organization's cybersecurity policy should be of MOST concern?
Question590: Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?
Question591: A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization of the following, who should review the completed list and select the appropriate KRIs for implementation?
Question592: Which of the following would BEST facilitate the implementation of data classification requirements?
Question593: Which of the following is MOST important to the effectiveness of a senior oversight committee for risk monitoring?
Question594: To communicate the risk associated with IT in business terms, which of the following MUST be defined?
Question595: Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?
Question596: When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?
Question597: A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?
Question598: WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?
Question599: Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?
Question600: Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
Question601: A large organization recently restructured the IT department and has decided to outsource certain functions.
What action should the control owners in the IT department take?
Question602: Of the following, who is responsible for approval when a change in an application system is ready for release to production?
Question603: A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?
Question604: An online payment processor would be severely impacted if the fraud detection system has an outage. Which of the following is the BEST way to address this risk?
Question605: The PRIMARY focus of an ongoing risk awareness program should be to:
Question606: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
Question607: Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?
Question608: A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?
Question609: Accountability for a particular risk is BEST represented in a:
Question610: Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?
Question611: Which of the following is the result of a realized risk scenario?
Question612: Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?
Question613: The PRIMARY purpose of IT control status reporting is to:
Question614: Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?
Question615: Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?
Question616: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
Question617: An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?
Question618: Which of the following BEST mitigates reputational risk associated with disinformation campaigns against an organization?
Question619: An organization recently implemented a cybersecurity awareness program that includes phishing simulation exercises for all employees. What type of control is being utilized?
Question620: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?
Question621: Which of the following practices MOST effectively safeguards the processing of personal data?
Question622: After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
Question623: The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
Question624: Which of the following is the MOST important reason to revisit a previously accepted risk?
Question625: Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with:
Question626: Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?
Question627: Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?
Question628: Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?
Question629: Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?
Question630: Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Question631: An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?
Question632: Which of the following is the BEST method to track asset inventory?
Question633: Which of the following would BEST help to ensure that identified risk is efficiently managed?
Question634: Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?
Question635: Which of the following is a detective control?
Question636: A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?
Question637: Which of the following is a KEY responsibility of the second line of defense?
Question638: An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?
Question639: A key performance indicator (KPI) shows that a process is operating inefficiently, even though no control issues were noted during the most recent risk assessment. Which of the following should be done FIRST?
Question640: Risk management strategies are PRIMARILY adopted to:
Question641: An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?
Question642: Which of the following is the MOST effective key performance indicator (KPI) for change management?
Question643: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:
Question644: Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?
Question645: Which of the following indicates an organization follows IT risk management best practice?
Question646: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?
Question647: Calculation of the recovery time objective (RTO) is necessary to determine the:
Question648: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
Question649: Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?
Question650: What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?
Question651: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?
Question652: The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:
Question653: The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?
Question654: Which of the following is the GREATEST risk associated with the misclassification of data?
Question655: Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory?
Question656: Which of the following is the GREATEST benefit of using IT risk scenarios?
Question657: Which of the following MUST be updated to maintain an IT risk register?
Question658: Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?
Question659: It is MOST appropriate for changes to be promoted to production after they are:
Question660: The PRIMARY objective for selecting risk response options is to:
Question661: An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?
Question662: Controls should be defined during the design phase of system development because:
Question663: Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
Question664: An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?
Question665: Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?
Question666: An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
Question667: The MAIN reason for creating and maintaining a risk register is to:
Question668: Which of the following activities should only be performed by the third line of defense?
Question669: Which of the following is the BEST source for identifying key control indicators (KCIs)?
Question670: Which of the following is MOST important to promoting a risk-aware culture?
Question671: Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?
Question672: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?
Question673: Which of the following is MOST important when defining controls?
Question674: Which of the following should be the PRIMARY input to determine risk tolerance?
Question675: Which of the following will BEST help in communicating strategic risk priorities?
Question676: Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?
Question677: The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:
Question678: Which of the following would require updates to an organization's IT risk register?
Question679: Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
Question680: Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
Question681: Which of the following should be done FIRST when information is no longer required to support business objectives?
Question682: Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?
Question683: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?
Question684: Which of the following is the MOST effective control to maintain the integrity of system configuration files?
Question685: What is MOST important for the risk practitioner to understand when creating an initial IT risk register?
Question686: Which of the following is MOST important for an organization to consider when developing its IT strategy?
Question687: A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r
Question688: Key control indicators (KCls) help to assess the effectiveness of the internal control environment PRIMARILY by:
Question689: When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:
Question690: One of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner's BEST recommendation?
Question691: Which of the following is the BEST indication of an effective risk management program?
Question692: A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?
Question693: An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?
Question694: Which of the following is a drawback in the use of quantitative risk analysis?
Question695: Which of the following scenarios represents a threat?
Question696: Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?
Question697: The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
Question698: The MOST important reason to monitor key risk indicators (KRIs) is to help management:
Question699: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
Question700: Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?
Question701: Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?
Question702: Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
Question703: Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?
Question704: An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?
Question705: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
Question706: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Question707: Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?
Question708: Which of the following is the BEST way to assess the effectiveness of an access management process?
Question709: A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?
Question710: Which of the following is the MOST important update for keeping the risk register current?
Question711: A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?
Question712: Which of the following will BEST support management repotting on risk?
Question713: Which organizational role should be accountable for ensuring information assets are appropriately classified?
Question714: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:
Question715: An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?
Question716: Which of the following is the MOST important consideration for effectively maintaining a risk register?
Question717: An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?
Question718: Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:
Question719: Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?
Question720: A key risk indicator (KRI) that incorporates data from external open-source threat intelligence sources has shown changes in risk trend data. Which of the following is MOST important to update in the risk register?
Question721: Which of the following is MOST important to determine as a result of a risk assessment?
Question722: Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?