Question1: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?
Question2: Read" rights to application files in a controlled server environment should be approved by the:
Question3: A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?
Question4: An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
Question5: Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
Question6: Which of the following would BEST help minimize the risk associated with social engineering threats?
Question7: In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?
Question8: IT risk assessments can BEST be used by management:
Question9: Which of the following will provide the BEST measure of compliance with IT policies?
Question10: Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?
Question11: Which of the following is the MOST important outcome of a business impact analysis (BIA)?
Question12: When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:
Question13: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:
Question14: Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?
Question15: Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register?
Question16: Which of the following is the PRIMARY objective of maintaining an information asset inventory?
Question17: An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?
Question18: Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
Question19: In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?
Question20: The PRIMARY purpose of IT control status reporting is to:
Question21: A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization of the following, who should review the completed list and select the appropriate KRIs for implementation?
Question22: A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following i the BEST recommendation to address this situation?
Question23: Which of the following BEST mitigates ethical risk?
Question24: An enterprise has taken delivery of software patches that address vulnerabilities in its core business software.
Prior to implementation, which of the following is the MOST important task to be performed?
Question25: Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?
Question26: Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?
Question27: Which of the following is the PRIMARY objective for automating controls?
Question28: It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?
Question29: An organization recently configured a new business division Which of the following is MOST likely to be affected?
Question30: When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:
Question31: The PRIMARY focus of an ongoing risk awareness program should be to:
Question32: Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation?
Question33: An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?
Question34: Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?
Question35: Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?
Question36: Which of the following is MOST essential for an effective change control environment?
Question37: Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?
Question38: After the review of a risk record, internal audit questioned why the risk was lowered from medium to low.
Which of the following is the BEST course of action in responding to this inquiry?
Question39: During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?
Question40: Which of the following provides the MOST important information to facilitate a risk response decision?
Question41: Which of the following would MOST likely cause management to unknowingly accept excessive risk?
Question42: Which of the following is the result of a realized risk scenario?
Question43: The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
Question44: A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents.
Which of the following is the BEST course of action?
Question45: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:
Question46: Performing a background check on a new employee candidate before hiring is an example of what type of control?
Question47: A risk practitioner observes that hardware failure incidents have been increasing over the last few months.
However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
Question48: Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?
Question49: Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?
Question50: The MOST essential content to include in an IT risk awareness program is how to:
Question51: Which type of cloud computing deployment provides the consumer the GREATEST degree of control over the environment?
Question52: An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?
Question53: What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?
Question54: An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
Question55: Which of the following would BEST help an enterprise prioritize risk scenarios?
Question56: The BEST way to improve a risk register is to ensure the register:
Question57: Which of the following should be the HIGHEST priority when developing a risk response?
Question58: Which of the following is MOST important when discussing risk within an organization?
Question59: Which of the following should be included in a risk scenario to be used for risk analysis?
Question60: If preventive controls cannot be Implemented due to technology limitations, which of the following should be done FIRST to reduce risk7
Question61: An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'
Question62: Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?
Question63: Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?
Question64: Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?
Question65: Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization?
Question66: Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
Question67: Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?
Question68: Which of the following is the MOST important information to be communicated during security awareness training?
Question69: Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?
Question70: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Question71: An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)?
Question72: Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
Question73: Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
Question74: Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?
Question75: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?
Question76: Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?
Question77: Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?
Question78: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
Question79: A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of GREATEST concern to the risk practitioner?
Question80: The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
Question81: Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?
Question82: When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes
Question83: Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
Question84: Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?
Question85: During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?
Question86: An organization recently implemented new technologies that enable the use of robotic process automation.
Which of the following is MOST important to reassess?
Question87: All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
Question88: An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?
Question89: Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
Question90: A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?
Question91: Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?
Question92: Which of the following would present the MOST significant risk to an organization when updating the incident response plan?
Question93: An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:
Question94: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?
Question95: Which of the following should be the PRIMARY input to determine risk tolerance?
Question96: Which of the following is the BEST indicator of an effective IT security awareness program?
Question97: The risk appetite for an organization could be derived from which of the following?
Question98: Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?
Question99: Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?
Question100: Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?
Question101: Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Question102: Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?
Question103: Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?
Question104: When classifying and prioritizing risk responses, the areas to address FIRST are those with:
Question105: A risk practitioner is reviewing a vendor contract and finds there is no clause to control privileged access to the organization's systems by vendor employees. Which of the following is the risk practitioner's BEST course of action?
Question106: Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?
Question107: Which of the following is the BEST method to track asset inventory?
Question108: The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
Question109: The MAIN purpose of conducting a control self-assessment (CSA) is to:
Question110: Which of the following BEST reduces the probability of laptop theft?
Question111: An organization is adopting block chain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system's production readiness?
Question112: An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?
Question113: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
Question114: Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
Question115: An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action?
Question116: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
Question117: Which of the following is the BEST method for assessing control effectiveness?
Question118: During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?
Question119: Which of the following can be used to assign a monetary value to risk?
Question120: The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:
Question121: Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
Question122: When establishing an enterprise IT risk management program, it is MOST important to:
Question123: Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?
Question124: Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
Question125: An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?
Question126: Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?
Question127: Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?
Question128: Which of the following is the PRIMARY reason to perform ongoing risk assessments?
Question129: When determining the accuracy of a key risk indicator (KRI), it is MOST important that the indicator:
Question130: Which of the following is the MOST important input when developing risk scenarios?
Question131: Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?
Question132: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Question133: The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?
Question134: The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.
Question135: Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?
Question136: Which of the following is the MOST important benefit of reporting risk assessment results to senior management?
Question137: An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?
Question138: Which of the following provides the BEST measurement of an organization's risk management maturity level?
Question139: Which of the following scenarios is MOST important to communicate to senior management?
Question140: Which of the following is the BEST way to quantify the likelihood of risk materialization?
Question141: Which of the following is MOST helpful to understand the consequences of an IT risk event?
Question142: The BEST reason to classify IT assets during a risk assessment is to determine the:
Question143: Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?
Question144: A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?
Question145: Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
Question146: The annualized loss expectancy (ALE) method of risk analysis:
Question147: In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?
Question148: Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?
Question149: When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?
Question150: What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?
Question151: A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:
Question152: Which of the following is MOST important for successful incident response?
Question153: A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?
Question154: An organization recently experienced a cyber attack that resulted in the loss of confidential customer data.
Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?
Question155: Which of the following will BEST help to improve an organization's risk culture?
Question156: An organization has allowed several employees to retire early in order to avoid layoffs Many of these employees have been subject matter experts for critical assets Which type of risk is MOST likely to materialize?
Question157: The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:
Question158: Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
Question159: Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?
Question160: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question161: Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?
Question162: An effective control environment is BEST indicated by controls that:
Question163: When outsourcing a business process to a cloud service provider, it is MOST important to understand that:
Question164: Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?
Question165: Which of the following would MOST likely result in updates to an IT risk appetite statement?
Question166: An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?
Question167: Which of the following should be the PRIMARY basis for prioritizing risk responses?
Question168: Which of the following would BEST enable a risk practitioner to embed risk management within the organization?
Question169: Which of the following BEST facilitates the development of effective IT risk scenarios?
Question170: Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?
Question171: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
Question172: An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:
Question173: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?
Question174: A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?
Question175: Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?
Question176: Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
Question177: Which of the following is MOST effective against external threats to an organizations confidential information?
Question178: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?
Question179: Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
Question180: Which of the following is MOST important to ensure when reviewing an organization's risk register?
Question181: Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?
Question182: An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?
Question183: Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?
Question184: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
Question185: A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
Question186: Which of the following will BEST support management repotting on risk?
Question187: Which of the following is the BEST response when a potential IT control deficiency has been identified?
Question188: A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of action?
Question189: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
Question190: Which of the following BEST mitigates the risk of sensitive personal data leakage from a software development environment?
Question191: Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?
Question192: Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?
Question193: Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
Question194: A PRIMARY advantage of involving business management in evaluating and managing risk is that management:
Question195: Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?
Question196: WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?
Question197: A contract associated with a cloud service provider MUST include:
Question198: An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?
Question199: An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
Question200: Which of the following is the GREATEST benefit of a three lines of defense structure?
Question201: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?
Question202: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
Question203: A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?
Question204: A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
Question205: A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:
Question206: The FIRST task when developing a business continuity plan should be to:
Question207: Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
Question208: Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?
Question209: Which of the following is the BEST course of action to help reduce the probability of an incident recurring?
Question210: Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?
Question211: Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?
Question212: Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?
Question213: An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?
Question214: Who should be responsible for strategic decisions on risk management?
Question215: Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?
Question216: Which of the following should be implemented to BEST mitigate the risk associated with infrastructure updates?
Question217: The MAJOR reason to classify information assets is
Question218: The MAIN purpose of having a documented risk profile is to:
Question219: Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?
Question220: Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?
Question221: A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization's enterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?
Question222: Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?
Question223: Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?
Question224: Which of the following is a KEY outcome of risk ownership?
Question225: Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
Question226: Which of the following risk register updates is MOST important for senior management to review?
Question227: A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
Question228: An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Question229: It is MOST important that security controls for a new system be documented in:
Question230: Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
Question231: Which of the following criteria is MOST important when developing a response to an attack that would compromise data?
Question232: Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?
Question233: The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:
Question234: An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
Question235: The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
Question236: Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
Question237: Which of the following is the BEST way to identify changes in the risk profile of an organization?
Question238: Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?
Question239: Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?
Question240: An organization's risk tolerance should be defined and approved by which of the following?
Question241: While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
Question242: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager.
Which of the following would be the BEST method to use when developing the scenarios?
Question243: An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?
Question244: Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?
Question245: During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?
Question246: The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:
Question247: The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:
Question248: An upward trend in which of the following metrics should be of MOST concern?
Question249: Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?
Question250: A failure in an organization s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?
Question251: Which of the following is MOST important to consider before determining a response to a vulnerability?
Question252: Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?
Question253: Vulnerabilities have been detected on an organization's systems. Applications installed on these systems will not operate if the underlying servers are updated. Which of the following is the risk practitioner's BEST course of action?
Question254: An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register?
Question255: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?
Question256: A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?
Question257: Following a review of a third-party vendor, it is MOST important for an organization to ensure:
Question258: Which of the following is the MOST important success factor when introducing risk management in an organization?
Question259: In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities.
The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
Question260: The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:
Question261: Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?
Question262: Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
Question263: An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
Question264: Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?
Question265: Which of the following should be done FIRST when developing a data protection management plan?
Question266: What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?
Question267: The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:
Question268: After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?
Question269: Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?
Question270: Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
Question271: Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
Question272: A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:
Question273: Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?
Question274: What is the PRIMARY reason to periodically review key performance indicators (KPIs)?
Question275: Which of the following is the BEST way to assess the effectiveness of an access management process?
Question276: Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?
Question277: Which of the following provides the BEST evidence that risk responses are effective?
Question278: Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?
Question279: Which of the following will BEST help to ensure that information system controls are effective?
Question280: Which of the following would be MOST useful when measuring the progress of a risk response action plan?
Question281: A risk practitioner is involved in a comprehensive overhaul of the organizational risk management program.
Which of the following should be reviewed FIRST to help identify relevant IT risk scenarios?
Question282: Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?
Question283: Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?
Question284: Which of the following should be an element of the risk appetite of an organization?
Question285: The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
Question286: An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:
Question287: Which of the following is the BEST indication of the effectiveness of a business continuity program?
Question288: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?
Question289: When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
Question290: Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
Question291: An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan.
Which of the following is the risk practitioner's BEST course of action?
Question292: Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
Question293: The PRIMARY benefit of classifying information assets is that it helps to:
Question294: Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?
Question295: Which of the following would BEST prevent an unscheduled application of a patch?
Question296: The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
Question297: An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?
Question298: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
Question299: Which of the following is the MOST important reason to create risk scenarios?
Question300: An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?
Question301: Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
Question302: Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?
Question303: The operational risk associated with attacks on a web application should be owned by the individual in charge of:
Question304: Which of the following should be considered when selecting a risk response?
Question305: Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?
Question306: Which of the following is the BEST method to track asset inventory?
Question307: Which of the following is the GREATEST benefit of centralizing IT systems?
Question308: Which of the following tools is MOST effective in identifying trends in the IT risk profile?
Question309: What is the PRIMARY purpose of a business impact analysis (BIA)?
Question310: Which of the following is the MOST important consideration for the board and senior leadership regarding the organization's approach to risk management for emerging technologies?
Question311: What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?
Question312: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
Question313: Which of the following BEST indicates the effectiveness of anti-malware software?
Question314: The BEST criteria when selecting a risk response is the:
Question315: Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''
Question316: Which of the blowing is MOST important when implementing an organization s security policy?
Question317: A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?
Question318: Which of the following BEST supports the management of identified risk scenarios?
Question319: Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?
Question320: An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
Question321: An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
Question322: When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:
Question323: An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?
Question324: An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
Question325: A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?
Question326: Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?
Question327: Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
Question328: Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
Question329: Which of the following BEST supports ethical IT risk management practices?
Question330: Which of the following should be the starting point when performing a risk analysis for an asset?
Question331: Which of the following BEST indicates that an organization has implemented IT performance requirements?
Question332: Which of the following is MOST useful when communicating risk to management?
Question333: Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?
Question334: Which of the following is the BEST method to identify unnecessary controls?
Question335: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
Question336: Which of the following would be MOST beneficial as a key risk indicator (KRI)?
Question337: Which of the following would be MOST useful to senior management when determining an appropriate risk response?
Question338: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?
Question339: If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?
Question340: Which of the following BEST indicates that an organizations risk management program is effective?
Question341: Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?
Question342: Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?
Question343: Which of the following activities is PRIMARILY the responsibility of senior management?
Question344: An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.
Question345: Which of the following would prompt changes in key risk indicator {KRI) thresholds?
Question346: Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?
Question347: Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?
Question348: Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''
Question349: Which of the following should management consider when selecting a risk mitigation option?
Question350: What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?
Question351: Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
Question352: Which of the following should be the PRIMARY objective of a risk awareness training program?
Question353: Which of the following provides the MOST useful information to determine risk exposure following control implementations?
Question354: Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?
Question355: Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?
Question356: Which of the following is the MOST important benefit of key risk indicators (KRIs)'
Question357: The PRIMARY benefit associated with key risk indicators (KRls) is that they:
Question358: Which of the following can be interpreted from a single data point on a risk heat map?
Question359: Which of the following is the MOST effective control to maintain the integrity of system configuration files?
Question360: A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?
Question361: An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results.
Which of the following is the risk practitioner's BEST recommendation?
Question362: An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?
Question363: What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?
Question364: Which of the following is a risk practitioner's BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?
Question365: Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?
Question366: What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?
Question367: Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?
Question368: Which of the following is MOST important to promoting a risk-aware culture?
Question369: The PRIMARY objective of a risk identification process is to:
Question370: Which of the following data would be used when performing a business impact analysis (BIA)?
Question371: A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?
Question372: Which of The following BEST represents the desired risk posture for an organization?
Question373: Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?
Question374: Which of the following MUST be updated to maintain an IT risk register?
Question375: Which of the following is the BEST indication that key risk indicators (KRls) should be revised?
Question376: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
Question377: The PRIMARY advantage of involving end users in continuity planning is that they:
Question378: Which of the following BEST indicates whether security awareness training is effective?
Question379: Which of the following is the BEST approach for selecting controls to minimize risk?
Question380: Which of the following facilitates a completely independent review of test results for evaluating control effectiveness?
Question381: An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?
Question382: Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (Al) solutions into the organization?
Question383: Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes?
Question384: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Question385: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
Question386: Controls should be defined during the design phase of system development because:
Question387: Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?
Question388: Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?
Question389: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:
Question390: A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?
Question391: After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?
Question392: Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?
Question393: Which of the following BEST balances the costs and benefits of managing IT risk*?
Question394: An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?
Question395: A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?
Question396: Who should be accountable for monitoring the control environment to ensure controls are effective?
Question397: Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?
Question398: Which of the following represents a vulnerability?
Question399: A cote data center went offline abruptly for several hours affecting many transactions across multiple locations. Which of the to" owing would provide the MOST useful information to determine mitigating controls?
Question400: Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?
Question401: When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
Question402: From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
Question403: Which of the following should be management's PRIMARY consideration when approving risk response action plans?
Question404: Which of the following is MOST helpful in aligning IT risk with business objectives?
Question405: A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?
Question406: The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
Question407: Which of the following is MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?
Question408: Which of the following is MOST helpful in preventing risk events from materializing?
Question409: Which of the following is MOST influential when management makes risk response decisions?
Question410: Which of the following BEST promotes commitment to controls?
Question411: Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?
Question412: Which of the following will help ensure the elective decision-making of an IT risk management committee?
Question413: Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?
Question414: An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?
Question415: Which of the following is the MOST important consideration when developing risk strategies?
Question416: For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST?
Question417: After undertaking a risk assessment of a production system, the MOST appropriate action is fcr the risk manager to
Question418: What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?
Question419: A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?
Question420: The MAIN reason for prioritizing IT risk responses is to enable an organization to:
Question421: A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?
Question422: Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?
Question423: Who is the MOST appropriate owner for newly identified IT risk?
Question424: Who should be responsible for approving the cost of controls to be implemented for mitigating risk?
Question425: Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?
Question426: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?
Question427: Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?
Question428: A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management.
Which of the following is the risk practitioner's BEST course of action to determine root cause?
Question429: A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed?
Question430: Which of the following is the MOST relevant information to include in a risk management strategy?
Question431: A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
Question432: During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
Question433: Who is accountable for risk treatment?
Question434: Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?
Question435: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Question436: Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?
Question437: Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?
Question438: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?
Question439: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
Question440: Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?
Question441: Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?
Question442: Which of the following would provide the MOST useful input when evaluating the appropriateness of risk responses?
Question443: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
Question444: An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?
Question445: Which of the following trends would cause the GREATEST concern regarding the effectiveness of an organization's user access control processes? An increase in the:
Question446: Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?
Question447: To define the risk management strategy which of the following MUST be set by the board of directors?
Question448: An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?
Question449: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?
Question450: Which of the following is MOST helpful in providing an overview of an organization's risk management program?
Question451: Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?
Question452: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?
Question453: An IT risk practitioner is evaluating an organization's change management controls over the last six months.
The GREATEST concern would be an increase in:
Question454: Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?
Question455: Which of the following should be the PRIMARY focus of an IT risk awareness program?
Question456: Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?
Question457: The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
Question458: Which of the following has the GREATEST influence on an organization's risk appetite?
Question459: Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?
Question460: Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?
Question461: Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?
Question462: A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
Question463: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Question464: Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?
Question465: Which of the following would be MOST helpful when estimating the likelihood of negative events?
Question466: Which of the following is the BEST way to support communication of emerging risk?
Question467: For a large software development project, risk assessments are MOST effective when performed:
Question468: Which of the following provides the MOST comprehensive information when developing a risk profile for a system?
Question469: Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:
Question470: An organization has just started accepting credit card payments from customers via the corporate website.
Which of the following is MOST likely to increase as a result of this new initiative?
Question471: An online payment processor would be severely impacted if the fraud detection system has an outage. Which of the following is the BEST way to address this risk?
Question472: Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
Question473: In order to efficiently execute a risk response action plan, it is MOST important for the emergency response team members to understand:
Question474: The PRIMARY purpose of a maturity model is to compare the:
Question475: Which of the following is the GREATEST benefit of using IT risk scenarios?
Question476: Which of the following is the BEST method to maintain a common view of IT risk within an organization?
Question477: The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?
Question478: The BEST indication that risk management is effective is when risk has been reduced to meet:
Question479: Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?
Question480: Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?
Question481: An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?
Question482: A global company s business continuity plan (BCP) requires the transfer of its customer information....
event of a disaster. Which of the following should be the MOST important risk consideration?
Question483: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
Question484: Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?
Question485: Which of the following is the MOST important document regarding the treatment of sensitive data?
Question486: Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?
Question487: Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
Question488: An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?
Question489: Which of the following is the MOST important consideration for protecting data assets m a Business application system?
Question490: The BEST indicator of the risk appetite of an organization is the
Question491: An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?
Question492: Which of the following is the PRIMARY objective of risk management?
Question493: Which of the following should be the PRIMARY input when designing IT controls?
Question494: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:
Question495: Which of the following is MOST important to identify when developing top-down risk scenarios?
Question496: Which of the following is the BEST key performance indicator (KPI) for a server patch management process?
Question497: Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?
Question498: Which of the following methods would BEST contribute to identifying obscure risk scenarios?
Question499: A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
Question500: Which of the following is MOST important to the integrity of a security log?
Question501: After identifying new risk events during a project, the project manager s NEXT step should be to:
Question502: A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?
Question503: A change management process has recently been updated with new testing procedures. What is the NEXT course of action?
Question504: An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner's BEST course of action?
Question505: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?
Question506: The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:
Question507: Before assigning sensitivity levels to information it is MOST important to:
Question508: The BEST way to demonstrate alignment of the risk profile with business objectives is through:
Question509: A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
Question510: The maturity of an IT risk management program is MOST influenced by:
Question511: Which of the following events is MOST likely to trigger the need to conduct a risk assessment?
Question512: Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?
Question513: Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?
Question514: Who should be PRIMARILY responsible for establishing an organization's IT risk culture?
Question515: Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?
Question516: Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?
Question517: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?
Question518: Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?
Question519: Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?
Question520: An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?
Question521: Which of the following would BEST help to ensure that identified risk is efficiently managed?
Question522: An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
Question523: A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?
Question524: The purpose of requiring source code escrow in a contractual agreement is to:
Question525: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?
Question526: Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Question527: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
Question528: Which strategy employed by risk management would BEST help to prevent internal fraud?
Question529: An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:
Question530: Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:
Question531: Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level?
Question532: Which of the following should be the PRIMARY driver for an organization on a multi-year cloud implementation to publish a cloud security policy?
Question533: Which of the following provides the BEST assurance of the effectiveness of vendor security controls?
Question534: An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?
Question535: Which of the following should be the MAIN consideration when validating an organization's risk appetite?
Question536: A hospital recently implemented a new technology to allow virtual patient appointments. Which of the following should be the risk practitioner's FIRST course of action?
Question537: Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?
Question538: Which of the following is the MAIN reason for documenting the performance of controls?
Question539: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?
Question540: Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?
Question541: Legal and regulatory risk associated with business conducted over the Internet is driven by:
Question542: Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?
Question543: Which of the following is the BEST control to detect an advanced persistent threat (APT)?
Question544: A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
Question545: Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?
Question546: Which of the following is the MOST significant indicator of the need to perform a penetration test?
Question547: Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?
Question548: An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative's objectives?
Question549: Which of the following would BEST facilitate the implementation of data classification requirements?
Question550: An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?
Question551: Which of the following BEST enables the integration of IT risk management across an organization?
Question552: Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?
Question553: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Question554: Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process?
Question555: The MAIN purpose of reviewing a control after implementation is to validate that the control:
Question556: Which of the following is the BEST method for determining an enterprise's current appetite for risk?
Question557: Which of the following is MOST important for an organization that wants to reduce IT operational risk?
Question558: An audit reveals that there are changes in the environment that are not reflected in the risk profile. Which of the following is the BEST course of action?
Question559: Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?
Question560: An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to analyze these concerns?
Question561: Who is MOST important lo include in the assessment of existing IT risk scenarios?
Question562: Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?
Question563: An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?
Question564: Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
Question565: Which of the following would MOST likely require a risk practitioner to update the risk register?
Question566: Which of the following should be the FIRST consideration when establishing a new risk governance program?
Question567: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?
Question568: Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?
Question569: Improvements in the design and implementation of a control will MOST likely result in an update to:
Question570: The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:
Question571: Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?
Question572: The PRIMARY reason for prioritizing risk scenarios is to:
Question573: Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
Question574: A large organization recently restructured the IT department and has decided to outsource certain functions.
What action should the control owners in the IT department take?
Question575: Which of the following is the PRIMARY reason to update a risk register with risk assessment results?
Question576: Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?
Question577: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:
Question578: Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
Question579: An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?
Question580: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?
Question581: Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?
Question582: Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:
Question583: When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
Question584: Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation?
Question585: Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment?
Question586: Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?
Question587: After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:
Question588: Which of the following should a risk practitioner do NEXT after learning that Internet of Things (loT) devices installed in the production environment lack appropriate security controls for sensitive data?
Question589: The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:
Question590: During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?
Question591: Which of the following is MOST useful for measuring the existing risk management process against a desired state?
Question592: Which of the following BEST assists in justifying an investment in automated controls?
Question593: Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
Question594: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?
Question595: Analyzing trends in key control indicators (KCIs) BEST enables a risk practitioner to proactively identify impacts on an organization's:
Question596: The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
Question597: Which of the following is the MOST important responsibility of a risk owner?
Question598: Which of the following is a KEY responsibility of the second line of defense?
Question599: An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?
Question600: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
Question601: An organization retains footage from its data center security camera for 30 days when the policy requires
90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'
Question602: The MOST effective approach to prioritize risk scenarios is by:
Question603: Which of the following would be the GREATEST concern for an IT risk practitioner when an employees.....
Question604: Which of the following is the MOST common concern associated with outsourcing to a service provider?
Question605: When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?
Question606: Which of the following would BEST help identify the owner for each risk scenario in a risk register?
Question607: Which of the following deficiencies identified during a review of an organization's cybersecurity policy should be of MOST concern?
Question608: After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
Question609: The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?
Question610: Which of the following should be done FIRST when a new risk scenario has been identified
Question611: An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?
Question612: The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence.
Which of the following would be the BEST action to address these scenarios?
Question613: Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?
Question614: The MAIN purpose of selecting a risk response is to.
Question615: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?
Question616: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?
Question617: Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
Question618: An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?
Question619: A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:
Question620: Which of the following is a risk practitioner's BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?
Question621: Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?
Question622: Which of the following attributes of a key risk indicator (KRI) is MOST important?
Question623: Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?
Question624: To communicate the risk associated with IT in business terms, which of the following MUST be defined?
Question625: A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
Question626: Which of The following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime?
Question627: When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?