EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

Question2: Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?

Question3: Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Question4: Which of the following is the BEST way to identify changes in the risk profile of an organization?

Question5: An organization has raised the risk appetite for technology risk. The MOST likely result would be:

Question6: WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?

Question7: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Question8: Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Question9: Which of the following is the BEST indicator of the effectiveness of a control?

Question10: Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?

Question11: Which of We following is the MOST effective control to address the risk associated with compromising data privacy within the cloud?

Question12: A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?

Question13: A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Question14: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Question15: Which of the following criteria for assigning owners to IT risk scenarios provides the GREATEST benefit to an organization?

Question16: Which of the following is the MOST important document regarding the treatment of sensitive data?

Question17: An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?

Question18: The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Question19: An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?

Question20: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Question21: Which of the following is MOST helpful in preventing risk events from materializing?

Question22: A failure in an organization s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?

Question23: Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?

Question24: Who should be responsible for implementing and maintaining security controls?

Question25: Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?

Question26: Which of the following is the BEST approach for selecting controls to minimize risk?

Question27: An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;

Question28: When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

Question29: An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:

Question30: Which of the following is the MOST useful information for prioritizing risk mitigation?

Question31: Which of the following provides the BEST evidence that robust risk management practices are in place within an organization?

Question32: Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Question33: The MOST effective approach to prioritize risk scenarios is by:

Question34: Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Question35: Prudent business practice requires that risk appetite not exceed:

Question36: An organization retains footage from its data center security camera for 30 days when the policy requires 90- day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'

Question37: A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?

Question38: When evaluating a number of potential controls for treating risk, it is MOST important to consider:

Question39: Which of the following should be considered FIRST when assessing risk associated with the adoption of emerging technologies?

Question40: Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Question41: Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Question42: What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?

Question43: Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks?

Question44: Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Question45: Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

Question46: An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

Question47: When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Question48: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Question49: Which of the following BEST helps to mitigate risk associated with excessive access by authorized users?

Question50: Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

Question51: Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?

Question52: Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

Question53: Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Question54: The maturity of an IT risk management program is MOST influenced by:

Question55: Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?

Question56: An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Question57: A legacy application used for a critical business function relies on software that has reached the end of extended support Which of the following is the MOST effective control to manage this application?

Question58: Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

Question59: Which of the following provides the MOST useful information to determine risk exposure following control implementations?

Question60: During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?

Question61: An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management's decision?

Question62: Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution?

Question63: A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?

Question64: Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

Question65: Which of the following is MOST important to sustainable development of secure IT services?

Question66: Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?

Question67: An organization's risk management team wants to develop IT risk scenarios to show the impact of collecting and storing credit card information. Which of the following is the MOST comprehensive approach to capture this scenario?

Question68: A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents.
Which of the following is the BEST course of action?

Question69: A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to:

Question70: Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Question71: A new risk practitioner finds that decisions for implementing risk response plans are not being made. Which of the following would MOST likely explain this situation?

Question72: A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?

Question73: When assessing the maturity level of an organization's risk management framework, which of the following should be of GREATEST concern to a risk practitioner?

Question74: An organization wants to grant remote access to a system containing sensitive data to an overseas third party.
Which of the following should be of GREATEST concern to management?

Question75: Which of the following is the PRIMARY risk management responsibility of the second line of defense?

Question76: Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

Question77: Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment?

Question78: Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?

Question79: Which of the following is the MOST essential characteristic of a good IT risk scenario?

Question80: An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?

Question81: Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?

Question82: A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?

Question83: Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Question84: Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Question85: What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

Question86: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Question87: A penetration testing team discovered an ineffectively designed access control. Who is responsible for ensuring the control design gap is remediated?

Question88: An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?

Question89: An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Question90: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Question91: A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach

Question92: Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster?

Question93: Which of the following is the GREATEST risk of relying on artificial intelligence (Al) within heuristic security systems?

Question94: An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan.
Which of the following is the risk practitioner's BEST course of action?

Question95: An information security audit identified a risk resulting from the failure of an automated control Who is responsible for ensuring the risk register is updated accordingly?

Question96: Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

Question97: An organization has allowed several employees to retire early in order to avoid layoffs Many of these employees have been subject matter experts for critical assets Which type of risk is MOST likely to materialize?

Question98: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Question99: Which of the following is the MOST important element of a successful risk awareness training program?

Question100: Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?

Question101: Which of the following is a risk practitioner's BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?

Question102: Which of the following statements BEST describes risk appetite?

Question103: Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected?

Question104: An organization has completed a project to implement encryption on all databases that host customer data.
Which of the following elements of the risk register should be updated the reflect this change?

Question105: Which of the following is the MOST important key performance indicator (KPI) for monitoring the user access management process?

Question106: An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?

Question107: Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Question108: Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?

Question109: Which of the following contributes MOST to the effective implementation of risk responses?

Question110: A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

Question111: Which of the following BEST prevents control gaps in the Zero Trust model when implementing in the environment?

Question112: A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?

Question113: Which of the following is the MOST important reason to create risk scenarios?

Question114: Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Question115: Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Question116: An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Question117: A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

Question118: Establishing and organizational code of conduct is an example of which type of control?

Question119: Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Question120: Which of the following is the BEST way to support communication of emerging risk?

Question121: Which of the following is MOST critical to the design of relevant risk scenarios?

Question122: An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance, which of the following is the risk practitioner's BEST recommendation?

Question123: Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?

Question124: A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding. The risk practitioner should report that the associated risk has been:

Question125: Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?

Question126: Which of the following should a risk practitioner do NEXT after learning that Internet of Things (loT) devices installed in the production environment lack appropriate security controls for sensitive data?

Question127: Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

Question128: Which of the following should be the HIGHEST priority when developing a risk response?

Question129: Which of the following would BEST facilitate the implementation of data classification requirements?

Question130: When an organization's business continuity plan (BCP) states that it cannot afford to lose more than three hours of a critical application's data, the three hours is considered the application's:

Question131: The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:

Question132: Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?

Question133: Which of the following is MOST important to update when an organization's risk appetite changes?

Question134: Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

Question135: Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

Question136: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?

Question137: Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

Question138: An organization needs to send files to a business partner to perform a quality control audit on the organization' s record-keeping processes. The files include personal information on the organization's customers. Which of the following is the BEST recommendation to mitigate privacy risk?

Question139: Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Question140: When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Question141: In order to determining a risk is under-controlled the risk practitioner will need to

Question142: Which of the following should be the PRIMARY input when designing IT controls?

Question143: When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

Question144: When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important?

Question145: Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?

Question146: In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (Al) solutions?

Question147: Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?

Question148: Which of the following is the MOST important enabler of effective risk management?

Question149: Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?

Question150: Which of the following scenarios represents a threat?

Question151: Which of the following should be the PRIMARY focus of an IT risk awareness program?

Question152: Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?

Question153: Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Question154: An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Question155: Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Question156: Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?

Question157: Which of the following would BEST mitigate an identified risk scenario?

Question158: Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?

Question159: Which of the following is the BEST indicator of an effective IT security awareness program?

Question160: Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?

Question161: The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Question162: Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?

Question163: Which of the following is the BEST way to determine the value of information assets for risk management purposes?

Question164: Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Question165: Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Question166: Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?

Question167: When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

Question168: Which of the following is MOST helpful to understand the consequences of an IT risk event?

Question169: A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:

Question170: Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?

Question171: During a risk treatment plan review, a risk practitioner finds the approved risk action plan has not been completed However, there were other risk mitigation actions implemented. Which of the fallowing is the BEST course of action?

Question172: Which of the following is the PRIMARY accountability for a control owner?

Question173: Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Question174: The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:

Question175: Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Question176: Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Question177: The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:

Question178: While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Question179: IT disaster recovery point objectives (RPOs) should be based on the:

Question180: Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?

Question181: Which of the following is MOST effective in continuous risk management process improvement?

Question182: Which of the following would be a risk practitioners' BEST recommendation for preventing cyber intrusion?

Question183: An organization has contracted with a cloud service provider to support the deployment of a new product. Of the following, who should own the associated risk?

Question184: Winch of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project He cycle?

Question185: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Question186: Which of the following presents the GREATEST challenge to managing an organization's end-user devices?

Question187: Which of the following is the BEST method to track asset inventory?

Question188: An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action?

Question189: A chief information officer (CIO) has identified risk associated with shadow systems being maintained by business units to address specific functionality gaps in the organization'senterprise resource planning (ERP) system. What is the BEST way to reduce this risk going forward?

Question190: Calculation of the recovery time objective (RTO) is necessary to determine the:

Question191: A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database.
Which of the following controls BEST mitigates the impact of this incident?

Question192: The FIRST task when developing a business continuity plan should be to:

Question193: The MAJOR reason to classify information assets is

Question194: Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?

Question195: An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Question196: A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

Question197: When assigning control ownership, it is MOST important to verify that the owner has accountability for:

Question198: Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

Question199: A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?

Question200: An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?

Question201: Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?

Question202: it was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern1?

Question203: A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Question204: Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?

Question205: Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?

Question206: Which of the following is MOST important to the effectiveness of a senior oversight committee for risk monitoring?

Question207: A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?

Question208: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Question209: An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Question210: An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST important control to ensure the privacy of customer information?

Question211: Who is the BEST person to the employee personal data?

Question212: A violation of segregation of duties is when the same:

Question213: A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Question214: When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:

Question215: A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r

Question216: Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?

Question217: The BEST indicator of the risk appetite of an organization is the

Question218: Which of the following BEST informs decision-makers about the value of a notice and consent control for the collection of personal information?

Question219: Which of the following is MOST useful when performing a quantitative risk assessment?

Question220: Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?

Question221: Which of the following is the MOST important benefit of reporting risk assessment results to senior management?

Question222: Which of the following MOST effectively limits the impact of a ransomware attack?

Question223: Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

Question224: Which of the following will BEST support management repotting on risk?

Question225: Which of the following BEST enables an organization to address risk associated with technical complexity?

Question226: The BEST way to validate that a risk treatment plan has been implemented effectively is by reviewing:

Question227: Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?

Question228: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Question229: Which of the following is the BEST response when a potential IT control deficiency has been identified?

Question230: Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Question231: Which of the following will BEST ensure that controls adequately support business goals and objectives?

Question232: Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?

Question233: Real-time monitoring of security cameras implemented within a retail store is an example of which type of control?

Question234: A failure in an organization's IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?

Question235: The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:

Question236: Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Question237: Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Question238: Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Question239: Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls?

Question240: A trusted third-party service provider has determined that the risk of a client's systems being hacked is low.
Which of the following would be the client's BEST course of action?

Question241: Which of the following would BEST help an enterprise prioritize risk scenarios?

Question242: IT risk assessments can BEST be used by management:

Question243: Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Question244: Which of the following BEST promotes commitment to controls?

Question245: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Question246: Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findings. What type of measure has been established?

Question247: Which of the following is the MOST important consideration when prioritizing risk response?

Question248: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Question249: Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?

Question250: Which of the following should be done FIRST when developing a data protection management plan?

Question251: Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?

Question252: A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management.
Which of the following is the risk practitioner's BEST course of action to determine root cause?

Question253: A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of the following ould be the MOST effective course of action?

Question254: The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Question255: Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective?

Question256: Which of the following is the PRIMARY advantage of having a single integrated business continuity plan (BCP) rather than each business unit developing its own BCP?

Question257: A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Question258: During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

Question259: The risk appetite for an organization could be derived from which of the following?

Question260: Which of the following activities BEST facilitates effective risk management throughout the organization?

Question261: After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:

Question262: Which of the following statements in an organization's current risk profile report is cause for further action by senior management?

Question263: In the three lines of defense model, a PRIMARY objective of the second line is to:

Question264: Which of the following is the BEST method to maintain a common view of IT risk within an organization?

Question265: Which of the following is the BEST way to ensure ongoing control effectiveness?

Question266: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Question267: Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?

Question268: Who is MOST appropriate to be assigned ownership of a control

Question269: Following the implementation of an Internet of Things (loT) solution, a risk practitioner identifies new risk factors with impact to existing controls. Which of the following is MOST important to include in a report to stakeholders?

Question270: A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?

Question271: After undertaking a risk assessment of a production system, the MOST appropriate action is fcr the risk manager to

Question272: While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:

Question273: Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Question274: Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Question275: Which of the following is the MOST important benefit of implementing a data classification program?

Question276: Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?

Question277: Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Question278: Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?

Question279: Which of the following is the BEST indicator of the effectiveness of a control monitoring program?

Question280: Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?

Question281: Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Question282: Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Question283: An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation?

Question284: When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

Question285: In order to efficiently execute a risk response action plan, it is MOST important for the emergency response team members to understand:

Question286: Which of the following is the MOST important reason for a risk practitioner to continuously monitor a critical security transformation program?

Question287: A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?

Question288: An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?

Question289: Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented. Which risk treatment has been selected?

Question290: When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Question291: Which of the following is the PRIMARY objective of maintaining an information asset inventory?

Question292: The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Question293: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Question294: Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

Question295: During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?

Question296: Which of the following is MOST important for successful incident response?

Question297: Which of the following is the BEST way to validate the results of a vulnerability assessment?

Question298: Which of the following BEST enables effective IT control implementation?

Question299: Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Question300: Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

Question301: Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?

Question302: Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (Al) solutions into the organization?

Question303: Which of the following is the MAIN purpose of monitoring risk?

Question304: Which of the following is the MOST cost-effective way to test a business continuity plan?

Question305: Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

Question306: Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?

Question307: Which of the following BEST enables the identification of trends in risk levels?

Question308: Which of the following should an organization perform to forecast the effects of a disaster?

Question309: Risk management strategies are PRIMARILY adopted to:

Question310: Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?

Question311: Who should have the authority to approve an exception to a control?

Question312: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

Question313: A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the following should the risk practitioner do FIRST?

Question314: When determining the accuracy of a key risk indicator (KRI), it is MOST important that the indicator:

Question315: Which of the following should a risk practitioner do FIRST to support the implementation of governance around organizational assets within an enterprise risk management (ERM) program?

Question316: Which of the following is a PRIMARY reason for considering existing controls during initial risk assessment?

Question317: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Question318: Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events?

Question319: Which of the following will BEST help an organization evaluate the control environment of several third- party vendors?

Question320: Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?

Question321: Which of the following should be the starting point when performing a risk analysis for an asset?

Question322: Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization?

Question323: Which of the following is MOST helpful when prioritizing action plans for identified risk?

Question324: The PRIMARY goal of a risk management program is to:

Question325: Which of the following is a risk practitioner's BEST recommendation regarding disaster recovery management (DRM) for Software as a Service (SaaS) providers?

Question326: Which of the following would MOST likely cause management to unknowingly accept excessive risk?

Question327: An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?

Question328: Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?

Question329: The PRIMARY purpose of IT control status reporting is to:

Question330: A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company?

Question331: An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

Question332: An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Question333: An organization outsources the processing of us payroll data A risk practitioner identifies a control weakness at the third party trial exposes the payroll data. Who should own this risk?

Question334: An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Question335: After the review of a risk record, internal audit questioned why the risk was lowered from medium to low.
Which of the following is the BEST course of action in responding to this inquiry?

Question336: Which of the following is the MOST important success factor when introducing risk management in an organization?

Question337: Which of the following is MOST important to ensure when reviewing an organization's risk register?

Question338: Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?

Question339: Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Question340: An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Question341: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Question342: Which of the following is the BEST way to determine the potential organizational impact of emerging privacy regulations?

Question343: A business impact analysis (BIA) enables an organization to determine appropriate IT risk mitigation actions by:

Question344: Mitigating technology risk to acceptable levels should be based PRIMARILY upon:

Question345: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Question346: Which of the following should be the PRIMARY recipient of reports showing the progress of a current IT risk mitigation project?

Question347: Which of the following BEST enables the integration of IT risk management across an organization?

Question348: The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?

Question349: Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Question350: To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired.
What is the BEST course of action for this team member?

Question351: Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?

Question352: Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Question353: When a high number of approved exceptions are observed during a review of a control procedure, an organization should FIRST initiate a review of the:

Question354: The PRIMARY objective for selecting risk response options is to:

Question355: When outsourcing a business process to a cloud service provider, it is MOST important to understand that:

Question356: A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Question357: An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Question358: Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?

Question359: Which of the following provides the MOST comprehensive information when developing a risk profile for a system?

Question360: A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:

Question361: A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?

Question362: Who is responsible for IT security controls that are outsourced to an external service provider?

Question363: Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Question364: An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action?

Question365: Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing?

Question366: A MAJOR advantage of using key risk indicators (KRis) is that (hey

Question367: Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?

Question368: Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk?

Question369: It is MOST important that security controls for a new system be documented in:

Question370: To help ensure the success of a major IT project, it is MOST important to:

Question371: Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Question372: The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation?

Question373: Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

Question374: A highly regulated enterprise is developing a new risk management plan to specifically address legal and regulatory risk scenarios What should be done FIRST by IT governance to support this effort?

Question375: Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

Question376: Which of the following BEST reduces the probability of laptop theft?

Question377: After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Question378: It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (laaS) model. Which of the following would BEST protect against a future recurrence?

Question379: Who should be responsible for approving the cost of controls to be implemented for mitigating risk?

Question380: An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?

Question381: An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?

Question382: Deviation from a mitigation action plan's completion date should be determined by which of the following?

Question383: Which of the following would be MOST helpful when estimating the likelihood of negative events?

Question384: Which of the following is MOST important to understand when developing key risk indicators (KRIs)?

Question385: Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Question386: Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

Question387: An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?

Question388: Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?

Question389: Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?

Question390: Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Question391: Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?

Question392: Risk appetite should be PRIMARILY driven by which of the following?

Question393: Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Question394: An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Question395: Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

Question396: Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?

Question397: Which of the following is the GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Question398: For a large software development project, risk assessments are MOST effective when performed:

Question399: The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

Question400: Performing a background check on a new employee candidate before hiring is an example of what type of control?

Question401: Quantifying the value of a single asset helps the organization to understand the:

Question402: Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?

Question403: Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with:

Question404: The PRIMARY reason for communicating risk assessment results to data owners is to enable the:

Question405: Which of the following BEST mitigates ethical risk?

Question406: Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Question407: Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Question408: Which of the following is MOST important when developing key performance indicators (KPIs)?

Question409: Which of the following is the BEST approach for determining whether a risk action plan is effective?

Question410: During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Question411: Risk mitigation is MOST effective when which of the following is optimized?

Question412: Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information lo a supplier?

Question413: An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?

Question414: Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?

Question415: Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Question416: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

Question417: What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Question418: Which of the following is the GREATEST impact of implementing a risk mitigation strategy?

Question419: The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:

Question420: Which of the following would BEST help an enterprise define and communicate its risk appetite?

Question421: A risk practitioner has been asked to assess the risk associated with a new critical application used by a financial process team that the risk practitioner was a member of two years ago. Which of the following is the GREATEST concern with this request?

Question422: A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of action?

Question423: In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?

Question424: Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?

Question425: Which of the following is MOST important for managing ethical risk?

Question426: Which of the following is the PRIMARY purpose of a risk register?

Question427: Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?

Question428: Which of the following would BEST help minimize the risk associated with social engineering threats?

Question429: Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

Question430: Which of the following is the MOST important responsibility of a risk owner?

Question431: An organization is planning to move its application infrastructure from on-premises to the cloud. Which of the following is the BEST course of the actin to address the risk associated with data transfer if the relationship is terminated with the vendor?

Question432: Which of the following would BEST facilitate the maintenance of data classification requirements?

Question433: After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Question434: Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Question435: Following a review of a third-party vendor, it is MOST important for an organization to ensure:

Question436: Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

Question437: An organization has made a decision to purchase a new IT system. During when phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

Question438: A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?

Question439: Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

Question440: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Question441: A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course of action?

Question442: While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?

Question443: Who should be accountable for authorizing information system access to internal users?

Question444: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Question445: What is the BEST approach for determining the inherent risk of a scenario when the actual likelihood of the risk is unknown?

Question446: Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

Question447: An enterprise has taken delivery of software patches that address vulnerabilities in its core business software.
Prior to implementation, which of the following is the MOST important task to be performed?

Question448: Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

Question449: A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Question450: Which of the following is the PRIMARY reason to engage business unit managers in risk management processes'?

Question451: Which of the following is the PRIMARY reason for conducting peer reviews of risk analysis?

Question452: Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?

Question453: Which of the following is the BEST indication of an effective risk management program?

Question454: A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Question455: Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

Question456: Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?

Question457: Which of the following is the PRIMARY responsibility of the first line of defense related to computer- enabled fraud?

Question458: An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Question459: A hospital recently implemented a new technology to allow virtual patient appointments. Which of the following should be the risk practitioner's FIRST course of action?

Question460: An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to me risk practitioner?

Question461: Which organizational role should be accountable for ensuring information assets are appropriately classified?

Question462: Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?

Question463: A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Question464: Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?

Question465: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Question466: Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?

Question467: Which of the following should be done FIRST when a new risk scenario has been identified

Question468: Which of the following is MOST commonly compared against the risk appetite?

Question469: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Question470: Which of the following should be the MOST important consideration for senior management when developing a risk response strategy?

Question471: Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?

Question472: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

Question473: The MAIN purpose of a risk register is to:

Question474: During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?

Question475: The purpose of requiring source code escrow in a contractual agreement is to:

Question476: Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

Question477: Who should be accountable for ensuring effective cybersecurity controls are established?

Question478: To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Question479: Which of the following events is MOST likely to trigger the need to conduct a risk assessment?

Question480: Which of the following is the MOST relevant information to include in a risk management strategy?

Question481: An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?

Question482: Who should be accountable for monitoring the control environment to ensure controls are effective?

Question483: Which of the following BEST helps to balance the costs and benefits of managing IT risk?

Question484: Which of the following controls are BEST strengthened by a clear organizational code of ethics?

Question485: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Question486: Which of the following will BEST quantify the risk associated with malicious users in an organization?

Question487: An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Question488: When testing the security of an IT system, il is MOST important to ensure that;

Question489: Which of the following is the BEST way for an organization to enable risk treatment decisions?

Question490: Well-developed, data-driven risk measurements should be:

Question491: Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?

Question492: A maturity model is MOST useful to an organization when it:

Question493: Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Question494: Which of the following is the GREATEST risk associated with the misclassification of data?

Question495: An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Question496: Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?

Question497: Which of the following data would be used when performing a business impact analysis (BIA)?

Question498: Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Question499: Which of the following methods is an example of risk mitigation?

Question500: Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?

Question501: Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Question502: Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?

Question503: Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?

Question504: Which of the following would BEST help identify the owner for each risk scenario in a risk register?

Question505: As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?

Question506: Which of the following should be the PRIMARY input to determine risk tolerance?

Question507: What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring?

Question508: Which of the following is the MOST important component in a risk treatment plan?

Question509: Which of the following is MOST helpful in aligning IT risk with business objectives?

Question510: An organization is considering adopting artificial intelligence (AI). Which of the following is the risk practitioner's MOST important course of action?

Question511: The PRIMARY advantage of involving end users in continuity planning is that they:

Question512: Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Question513: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Question514: During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Question515: A risk practitioner is MOST likely to use a SWOT analysis to assist with which risk process?

Question516: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Question517: A risk practitioner notes control design changes when comparing risk response to a previously approved action plan. Which of the following is MOST important for the practitioner to confirm?

Question518: An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Question519: A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Question520: Which of the following BEST balances the costs and benefits of managing IT risk*?

Question521: Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?

Question522: Which of the following is the BEST indication of a mature organizational risk culture?

Question523: Which of the following BEST enables effective risk-based decision making?

Question524: When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?

Question525: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Question526: Improvements in the design and implementation of a control will MOST likely result in an update to:

Question527: The PRIMARY purpose of vulnerability assessments is to:

Question528: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Question529: The MAIN goal of the risk analysis process is to determine the:

Question530: What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization?

Question531: Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?

Question532: Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

Question533: Which of the following is MOST important to understand when determining an appropriate risk assessment approach?

Question534: Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

Question535: Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?

Question536: Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?

Question537: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Question538: Which of the following BEST enables the timely detection of changes in the security control environment?

Question539: What is MOST important for the risk practitioner to understand when creating an initial IT risk register?

Question540: Which of the following is the PRIMARY purpose for ensuring senior management understands the organization's risk universe in relation to the IT risk management program?

Question541: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

Question542: Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?

Question543: Which of the following is the MOST important consideration when implementing ethical remote work monitoring?

Question544: Which of the blowing is MOST important when implementing an organization s security policy?

Question545: An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

Question546: Which of the following could BEST detect an in-house developer inserting malicious functions into a web- based application?

Question547: What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?

Question548: Which of the following is the MOST common concern associated with outsourcing to a service provider?

Question549: The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

Question550: Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?

Question551: Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?

Question552: An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

Question553: When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the:

Question554: A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client. Which of the following would be MOST helpful to the risk practitioner?

Question555: Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?

Question556: Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

Question557: Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?

Question558: Which of the following is the GREATEST advantage of implementing a risk management program?

Question559: Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Question560: Which of the following is MOST important for effective communication of a risk profile to relevant stakeholders?

Question561: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Question562: A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Question563: The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Question564: Who is PRIMARILY accountable for identifying risk on a daily basis and ensuring adherence to the organization's policies?

Question565: Which of the following is MOST important to determine as a result of a risk assessment?

Question566: Which of the following would be considered a vulnerability?

Question567: Which of the following is the MOST important course of action to foster an ethical, risk-aware culture?

Question568: Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST

Question569: An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?

Question570: Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

Question571: Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Question572: Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?

Question573: The risk associated with an asset before controls are applied can be expressed as:

Question574: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Question575: Which of the following is MOST important to identify when developing generic risk scenarios?

Question576: What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Question577: Which of the following BEST measures the efficiency of an incident response process?

Question578: When prioritizing risk response, management should FIRST:

Question579: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Question580: Which of the following is the MAIN reason to continuously monitor IT-related risk?

Question581: An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

Question582: A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?

Question583: Which of the following is the PRIMARY reason for logging in a production database environment?

Question584: After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services. Which risk response option has management implemented?

Question585: Which of the following is the MOST significant indicator of the need to perform a penetration test?

Question586: Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Question587: Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?

Question588: Which types of controls are BEST used to minimize the risk associated with a vulnerability?

Question589: An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?

Question590: Before assigning sensitivity levels to information it is MOST important to:

Question591: Which of the following stakeholders define risk tolerance for an enterprise?

Question592: Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment?

Question593: Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?

Question594: A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

Question595: Which of the following is the MOST critical element to maximize the potential for a successful security implementation?

Question596: Which of the following controls will BEST mitigate risk associated with excessive access privileges?

Question597: Which of the following will help ensure the elective decision-making of an IT risk management committee?

Question598: Which of the following is the BEST risk management approach for the strategic IT planning process?

Question599: Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?

Question600: Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

Question601: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Question602: An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?

Question603: Winch of the following is the BEST evidence of an effective risk treatment plan?

Question604: Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?

Question605: The PRIMARY reason for a risk practitioner to review business processes is to:

Question606: Which of the following will be the GREATEST concern when assessing the risk profile of an organization?

Question607: An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative's objectives?

Question608: Which of the following should be done FIRST when information is no longer required to support business objectives?

Question609: Which of the following is the MOST important update for keeping the risk register current?

Question610: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Question611: Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Question612: Which of the following is the PRIMARY risk management responsibility of the third line of defense?

Question613: A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?

Question614: A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?

Question615: Which of the following BEST helps to identify significant events that could impact an organization?
Vulnerability analysis

Question616: Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

Question617: Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?

Question618: Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Question619: Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

Question620: Which of the following is the MAIN reason for analyzing risk scenarios?

Question621: An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Question622: During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective.
Which of the following should be the risk practitioner's FIRST course of action?

Question623: Which of the following is the GREATEST concern when using artificial intelligence (AI) language models?

Question624: Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

Question625: A risk practitioner is performing a risk assessment of recent external advancements in quantum computing.
Which of the following would pose the GREATEST concern for the risk practitioner?

Question626: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Question627: When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Question628: Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)?

Question629: An organization is making significant changes to an application. At what point should the application risk profile be updated?

Question630: Analyzing trends in key control indicators (KCIs) BEST enables a risk practitioner to proactively identify impacts on an organization's:

Question631: Which of the following provides the MOST useful information when developing a risk profile for management approval?

Question632: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Question633: Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

Question634: The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Question635: Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?

Question636: Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?

Question637: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

Question638: Which of the following will BEST help to improve an organization's risk culture?

Question639: Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?

Question640: Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?

Question641: Which of the following indicates an organization follows IT risk management best practice?

Question642: Which of the following is the GREATEST benefit of using IT risk scenarios?

Question643: A contract associated with a cloud service provider MUST include:

Question644: The BEST way to test the operational effectiveness of a data backup procedure is to:

Question645: An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Question646: The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:

Question647: Which of the following deficiencies identified during a review of an organization's cybersecurity policy should be of MOST concern?

Question648: Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

Question649: Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Question650: Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Question651: Which of the following will BEST help in communicating strategic risk priorities?

Question652: The MOST important reason for implementing change control procedures is to ensure:

Question653: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?

Question654: Which of the following is the FIRST step in risk assessment?

Question655: Which of the following is MOST important to consider before determining a response to a vulnerability?

Question656: When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?

Question657: Which of the following is MOST important to enable well-informed cybersecurity risk decisions?

Question658: From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Question659: Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?

Question660: The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Question661: A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of GREATEST concern to the risk practitioner?

Question662: Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?

Question663: Which of the following is a risk practitioner's BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor?

Question664: An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?

Question665: Which of the following is the MOST useful input when developing risk scenarios?

Question666: Which of the following should be the PRIMARY objective of a risk awareness training program?

Question667: Of the following, who is accountable for ensuing the effectiveness of a control to mitigate risk?

Question668: Which of the following should be the PRIMARY focus of an independent review of a risk management process?

Question669: A MAJOR advantage of using key risk indicators (KRIs) is that they:

Question670: Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Question671: Which of the following BEST indicates the efficiency of a process for granting access privileges?

Question672: Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Question673: Which of the following should be of GREATEST concern lo a risk practitioner reviewing the implementation of an emerging technology?

Question674: Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process?

Question675: Of the following, who should be responsible for determining the inherent risk rating of an application?

Question676: Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?

Question677: Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Question678: An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?

Question679: Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

Question680: Who is accountable for authorizing application access in a cloud Software as a Service (SaaS) solution?

Question681: An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor adherence to the 15-day threshold?

Question682: The PRIMARY purpose of using a framework for risk analysis is to:

Question683: An organization uses a biometric access control system for authentication and access to its server room.
Which control type has been implemented?

Question684: Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

Question685: When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Question686: An effective control environment is BEST indicated by controls that:

Question687: An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Question688: An online payment processor would be severely impacted if the fraud detection system has an outage. Which of the following is the BEST way to address this risk?

Question689: Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?

Question690: The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Question691: Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally?

Question692: What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Question693: Which of the following is the GREATEST benefit for an organization with a strong risk awareness culture?

Question694: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

Question695: Which of the following key performance indicators (KPis) would BEST measure me risk of a service outage when using a Software as a Service (SaaS) vendors

Question696: An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?

Question697: An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Question698: Which of the following is the BEST way to determine whether system settings are in alignment with control baselines?

Question699: Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Question700: The PRIMARY advantage of implementing an IT risk management framework is the:

Question701: Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?

Question702: An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

Question703: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?

Question704: IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Question705: Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Question706: An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register?

Question707: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?

Question708: Who should be responsible for strategic decisions on risk management?

Question709: Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?

Question710: Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?

Question711: Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Question712: Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?

Question713: An organization's Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization?

Question714: An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Question715: Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?

Question716: During a post-implementation review for a new system, users voiced concerns about missing functionality.
Which of the following is the BEST way for the organization to avoid this situation in the future?

Question717: Which of the following is the BEST method for identifying vulnerabilities?

Question718: A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Question719: When is the BEST to identify risk associated with major project to determine a mitigation plan?

Question720: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Question721: Which of the following is the BEST indication of the effectiveness of a business continuity program?

Question722: Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?

Question723: A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Question724: Which of the following is the BEST way to determine software license compliance?

Question725: Which of the following is the result of a realized risk scenario?

Question726: What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?

Question727: Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

Question728: Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Question729: Which of the following is the GREATEST risk associated with the use of data analytics?

Question730: A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Question731: Which risk response strategy could management apply to both positive and negative risk that has been identified?

Question732: Which of the following is MOST important to compare against the corporate risk profile?

Question733: Which of the following roles should be assigned accountability for monitoring risk levels?

Question734: An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Question735: When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Question736: Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?

Question737: Which of the following is MOST important when defining controls?

Question738: The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Question739: An organization's control environment is MOST effective when:

Question740: A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Question741: In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

Question742: When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?

Question743: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Question744: A risk register BEST facilitates which of the following risk management functions?

Question745: From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Question746: Optimized risk management is achieved when risk is reduced:

Question747: Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Question748: Read" rights to application files in a controlled server environment should be approved by the:

Question749: Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Question750: An organization maintains independent departmental risk registers that are not automatically aggregated.
Which of the following is the GREATEST concern?

Question751: A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

Question752: The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:

Question753: Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?

Question754: Controls should be defined during the design phase of system development because:

Question755: A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?

Question756: Which of the following is the BEST method to track asset inventory?

Question757: Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?

Question758: During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?

Question759: The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

Question760: Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth''?

Question761: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited.
Which of the following would be the BEST response to this scenario?

Question762: The BEST way for an organization to ensure that servers are compliant to security policy is to review:

Question763: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Question764: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Question765: An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?

Question766: Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Question767: An organization is implementing Zero Trust architecture to improve its security posture. Which of the following is the MOST important input to develop the architecture?

Question768: Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?

Question769: Which of the following is the BEST source for identifying key control indicators (KCIs)?

Question770: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question771: Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?

Question772: To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?