EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following would qualify as a key performance indicator (KPI)?

Question2: When evaluating a number of potential controls for treating risk, it is MOST important to consider:

Question3: Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?

Question4: When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?

Question5: Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?

Question6: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Question7: Which of the following can be used to assign a monetary value to risk?

Question8: The risk associated with a high-risk vulnerability in an application is owned by the:

Question9: Which of the following is MOST important when developing risk scenarios?

Question10: An organization is considering outsourcing user administration controls tor a critical system. The potential vendor has offered to perform quarterly sett-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to me risk practitioner?

Question11: An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected?

Question12: A legacy application used for a critical business function relies on software that has reached the end of extended support Which of the following is the MOST effective control to manage this application?

Question13: Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?

Question14: Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

Question15: Which of the following is the MOST important element of a successful risk awareness training program?

Question16: Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?

Question17: Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?

Question18: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

Question19: When classifying and prioritizing risk responses, the areas to address FIRST are those with:

Question20: An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

Question21: Which of the following is the BEST evidence that a user account has been properly authorized?

Question22: A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST?

Question23: Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?

Question24: Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''

Question25: A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

Question26: An organization has been experiencing an increasing number of spear phishing attacks Which of the following would be the MOST effective way to mitigate the risk associated with these attacks?

Question27: The PRIMARY reason for prioritizing risk scenarios is to:

Question28: Which of the following scenarios represents a threat?

Question29: Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Question30: The annualized loss expectancy (ALE) method of risk analysis:

Question31: Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)?

Question32: Which of the following is the MOST important component of effective security incident response?

Question33: Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

Question34: Which of the following roles is PRIMARILY accountable for risk associated with business information protection?

Question35: Which of the following BEST indicates that an organization has implemented IT performance requirements?

Question36: Which risk response strategy could management apply to both positive and negative risk that has been identified?

Question37: Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?

Question38: A MAJOR advantage of using key risk indicators (KRIs) is that they:

Question39: When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk 'register?

Question40: Which of the following would BEST provide early warning of a high-risk condition?

Question41: Which of the following would BEST facilitate the maintenance of data classification requirements?

Question42: Winch of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project He cycle?

Question43: After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

Question44: Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?

Question45: Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Question46: Which of the following is the GREATEST risk of relying on artificial intelligence (Al) within heuristic security systems?

Question47: Which of the following presents the GREATEST concern associated with the use of artificial intelligence (Al) systems?

Question48: A maturity model will BEST indicate:

Question49: When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?

Question50: Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program?

Question51: The BEST way for an organization to ensure that servers are compliant to security policy is to review:

Question52: A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?

Question53: While conducting an organization-wide risk assessment, it is noted that many of the information security policies have not changed in the past three years. The BEST course of action is to:

Question54: Which of the following is the BEST indication that key risk indicators (KRls) should be revised?

Question55: Which of the following will BEST help to ensure implementation of corrective action plans?

Question56: Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

Question57: A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation. Which of the following should be the NEXT step?

Question58: While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?

Question59: An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?

Question60: Which of the following is MOST important for a risk practitioner to understand about an organization in order to create an effective risk awareness program?

Question61: A new risk practitioner finds that decisions for implementing risk response plans are not being made. Which of the following would MOST likely explain this situation?

Question62: An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action?

Question63: Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?

Question64: Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?

Question65: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?

Question66: Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?

Question67: Which of the following should be a risk practitioner's MOST important consideration when developing IT risk scenarios?

Question68: Senior management has requested a risk practitioner's guidance on whether a new technical control requested by a business unit is worth the investment.
Which of the following should be the MOST important consideration before providing input?

Question69: Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?

Question70: Which of the following is MOST important to promoting a risk-aware culture?

Question71: Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?

Question72: A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:

Question73: When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs?

Question74: Which of the following is the BEST way to identify changes in the risk profile of an organization?

Question75: When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:

Question76: A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?

Question77: Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?

Question78: Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Question79: Which of the following is the BEST way to determine software license compliance?

Question80: The BEST use of key risk indicators (KRIs) is to provide:

Question81: Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?

Question82: Which of the following indicates an organization follows IT risk management best practice?

Question83: Which of the following is the MOST effective way to integrate risk and compliance management?

Question84: A violation of segregation of duties is when the same:

Question85: Which of the following is MOST important when determining risk appetite?

Question86: Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?

Question87: Which of the following methods is an example of risk mitigation?

Question88: Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register?

Question89: Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

Question90: Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?

Question91: Which of the following is MOST effective against external threats to an organizations confidential information?

Question92: A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Question93: An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?

Question94: Which of the following is a risk practitioner's BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations?

Question95: Which of the following is the MOST important information to be communicated during security awareness training?

Question96: Who is accountable for risk treatment?

Question97: Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

Question98: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Question99: Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Question100: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

Question101: To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired.
What is the BEST course of action for this team member?

Question102: Which of the following is the BEST method to identify unnecessary controls?

Question103: Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?

Question104: Which of the following would BEST enable mitigation of newly identified risk factors related to internet of Things (loT)?

Question105: Which of the following is the MAIN reason for documenting the performance of controls?

Question106: All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:

Question107: Which of the following will BEST quantify the risk associated with malicious users in an organization?

Question108: A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?

Question109: Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?

Question110: Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?

Question111: A poster has been displayed in a data center that reads. "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?

Question112: Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Question113: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Question114: Which of the following provides the MOST mitigation value for an organization implementing new Internet of Things (loT) devices?

Question115: After the implementation of internal of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?

Question116: When assigning control ownership, it is MOST important to verify that the owner has accountability for:

Question117: Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Question118: Which of the following BEST protects organizational data within a production cloud environment?

Question119: Which of the following roles should be assigned accountability for monitoring risk levels?

Question120: Which of the following is the MOST important consideration when developing risk strategies?

Question121: An organization uses a biometric access control system for authentication and access to its server room.
Which control type has been implemented?

Question122: Which of the following risk register updates is MOST important for senior management to review?

Question123: Which of the following BEST mitigates the risk of violating privacy laws when transferring personal information lo a supplier?

Question124: A business unit is implementing a data analytics platform to enhance its customer relationship management (CRM) system primarily to process data that has been provided by its customers. Which of the following presents the GREATEST risk to the organization's reputation?

Question125: Which of the following BEST indicates the effective implementation of a risk treatment plan?

Question126: A risk register BEST facilitates which of the following risk management functions?

Question127: Which of the following is MOST commonly compared against the risk appetite?

Question128: Which of the following practices MOST effectively safeguards the processing of personal data?

Question129: Which of the following provides the MOST useful information when determining if a specific control should be implemented?

Question130: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

Question131: Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Question132: When determining risk ownership, the MAIN consideration should be:

Question133: When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Question134: Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?

Question135: Which of the following is the PRIMARY responsibility of a control owner?

Question136: An organization retains footage from its data center security camera for 30 days when the policy requires 90- day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'

Question137: Which of the following is the MOST important topic to cover in a risk awareness training program for all staff?

Question138: Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?

Question139: Which of the following BEST mitigates reputational risk associated with disinformation campaigns against an organization?

Question140: From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Question141: Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Question142: An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

Question143: For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST?

Question144: Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?

Question145: Which of the following is MOST important to understand when developing key risk indicators (KRIs)?

Question146: Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?

Question147: Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

Question148: Which of the following BEST supports the management of identified risk scenarios?

Question149: Who should be accountable for monitoring the control environment to ensure controls are effective?

Question150: Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Question151: Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?

Question152: An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Question153: Improvements in the design and implementation of a control will MOST likely result in an update to:

Question154: When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?

Question155: Deviation from a mitigation action plan's completion date should be determined by which of the following?

Question156: Which types of controls are BEST used to minimize the risk associated with a vulnerability?

Question157: Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?

Question158: An organization has just started accepting credit card payments from customers via the corporate website.
Which of the following is MOST likely to increase as a result of this new initiative?

Question159: Which of the following is the result of a realized risk scenario?

Question160: Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?

Question161: An organization is subject to a new regulation that requires nearly real-time recovery of its services following a disruption. Which of the following is the BEST way to manage the risk in this situation?

Question162: A vendor's planned maintenance schedule will cause a critical application to temporarily lose failover capabilities. Of the following, who should approve this proposed schedule?

Question163: Which of the following is MOST important for an organization to consider when developing its IT strategy?

Question164: An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Question165: The MAIN reason for prioritizing IT risk responses is to enable an organization to:

Question166: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Question167: Which of the following BEST indicates the effectiveness of anti-malware software?

Question168: A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:

Question169: Which of the following resources is MOST helpful when creating a manageable set of IT risk scenarios?

Question170: Which of the following BEST helps to identify significant events that could impact an organization?
Vulnerability analysis

Question171: An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?

Question172: During a recent security framework review, it was discovered that the marketing department implemented a non-fungible token asset program. This was done without following established risk procedures. Which of the following should the risk practitioner do FIRST?

Question173: A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?

Question174: Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?

Question175: The BEST indication that risk management is effective is when risk has been reduced to meet:

Question176: Which of the following BEST enables senior management lo compare the ratings of risk scenarios?

Question177: A risk action plan has been changed during the risk mitigation effort. Which of the following is MOST important for the risk practitioner to verify?

Question178: An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:

Question179: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

Question180: A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

Question181: Which strategy employed by risk management would BEST help to prevent internal fraud?

Question182: Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system?

Question183: Which of the following poses the GREATEST risk to an organization's operations during a major it transformation?

Question184: Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?

Question185: Which of the following is the MOST important consideration when determining the appropriate data retention period throughout the data management life cycle?

Question186: A MAJOR advantage of using key risk indicators (KRis) is that (hey

Question187: Where is the FIRST place a risk practitioner should look to identify accountability for a specific risk?

Question188: The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Question189: A business unit has implemented robotic process automation (RPA) for its repetitive back-office tasks. Which of the following should be the risk practitioner's GREATEST concern?

Question190: A highly regulated enterprise is developing a new risk management plan to specifically address legal and regulatory risk scenarios What should be done FIRST by IT governance to support this effort?

Question191: A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:

Question192: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?

Question193: Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Question194: Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?

Question195: An organization has decided to implement a new Internet of Things (loT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?

Question196: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Question197: Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?

Question198: Which of the following BEST enables an organization to address risk associated with technical complexity?

Question199: After conducting a risk assessment for regulatory compliance, an organization has identified only one possible mitigating control. The cost of the control has been determined to be higher than the penalty of noncompliance. Which of the following would be the risk practitioner's BEST recommendation?

Question200: After several security incidents resulting in significant financial losses, IT management has decided to outsource the security function to a third party that provides 24/7 security operation services. Which risk response option has management implemented?

Question201: Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?

Question202: Recent penetration testing of an organization's software has identified many different types of security risks.
Which of the following is the MOST likely root cause for the identified risk?

Question203: A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

Question204: Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?

Question205: The BEST way to demonstrate alignment of the risk profile with business objectives is through:

Question206: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Question207: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Question208: Which of the following is MOST important for managing ethical risk?

Question209: Which of the following is MOST important for a risk practitioner to consider when determining the control requirements for data privacy arising from emerging technologies?

Question210: Which of the following would be a risk practitioner's MOST important action upon learning that an IT control has failed?

Question211: From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Question212: Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

Question213: A risk practitioner has been notified of a social engineering attack using artificial intelligence (Al) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?

Question214: To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

Question215: Which of the following is the GREATEST concern associated with the use of artificial intelligence (AI) language models?

Question216: Which of the following would be considered a vulnerability?

Question217: Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?

Question218: A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:

Question219: An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?

Question220: Owners of technical controls should be PRIMARILY accountable for ensuring the controls are:

Question221: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?

Question222: Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

Question223: When of the following 15 MOST important when developing a business case for a proposed security investment?

Question224: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Question225: The BEST metric to demonstrate that servers are configured securely is the total number of servers:

Question226: Which of the following should be the PRIMARY driver for the prioritization of risk responses?

Question227: Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?

Question228: Which stakeholder is MOST important to include when defining a risk profile during me selection process for a new third party application'?

Question229: Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?

Question230: Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?

Question231: Which of the following would require updates to an organization's IT risk register?

Question232: As part of an overall IT risk management plan, an IT risk register BEST helps management:

Question233: An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Question234: The BEST way to improve a risk register is to ensure the register:

Question235: A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

Question236: When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?

Question237: Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?

Question238: When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:

Question239: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Question240: In the three lines of defense model, a PRIMARY objective of the second line is to:

Question241: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Question242: An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?

Question243: Mitigating technology risk to acceptable levels should be based PRIMARILY upon:

Question244: A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Question245: Which of the following would BEST indicate to senior management that IT processes are improving?

Question246: Which of the following cloud service models is MOST appropriate for client organizations that want to maximize their control over management of the data life cycle?

Question247: Which of the following BEST enables effective risk-based decision making?

Question248: Which of the following is MOST useful for measuring the existing risk management process against a desired state?

Question249: In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (Al) solutions?

Question250: Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring?

Question251: Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?

Question252: Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (Pll)?

Question253: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Question254: Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Question255: Which of the following controls BEST helps to ensure that transaction data reaches its destination?

Question256: In a public company, which group is PRIMARILY accountable for ensuring sufficient attention and resources are applied to the risk management process?

Question257: In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?

Question258: During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Question259: Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?

Question260: An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?

Question261: When an organization's business continuity plan (BCP) states that it cannot afford to lose more than three hours of a critical application's data, the three hours is considered the application's:

Question262: An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?

Question263: Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Question264: Which of the following is the BEST way to support communication of emerging risk?

Question265: Continuous monitoring of key risk indicators (KRIs) will:

Question266: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an antivirus program?

Question267: Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?

Question268: Which of the following BEST supports the communication of risk assessment results to stakeholders?

Question269: Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Question270: After identifying new risk events during a project, the project manager s NEXT step should be to:

Question271: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Question272: Which of the following would be MOST useful when measuring the progress of a risk response action plan?

Question273: When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Question274: Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Question275: A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Question276: A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?

Question277: The BEST way for management to validate whether risk response activities have been completed is to review:

Question278: Which of the following activities is PRIMARILY the responsibility of senior management?

Question279: Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry?

Question280: An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?

Question281: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?

Question282: The PRIMARY benefit of classifying information assets is that it helps to:

Question283: Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?

Question284: Which of the following will BEST support management reporting on risk?

Question285: An organization has established a single enterprise-wide risk register that records high-level risk scenarios.
The IT risk department has created its own register to record more granular scenarios applicable to IT. Which of the following is the BEST way to ensure alignment between these two registers?

Question286: Which of the following information is MOST useful to a risk practitioner for developing IT risk scenarios?

Question287: Which of the following is the MOST important reason to communicate control effectiveness to senior management?

Question288: When is the BEST to identify risk associated with major project to determine a mitigation plan?

Question289: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

Question290: A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action?

Question291: Which of the following is a KEY responsibility of the second line of defense?

Question292: Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented. Which risk treatment has been selected?

Question293: Which of the following should be the PRIMARY focus of an IT risk awareness program?

Question294: IT disaster recovery point objectives (RPOs) should be based on the:

Question295: Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

Question296: A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

Question297: A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide data loss?

Question298: When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?

Question299: Which of the following is the MOST effective way to integrate business risk management with IT operations?

Question300: Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Question301: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Question302: Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?

Question303: Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?

Question304: Which of the following should be the FIRST consideration when establishing a new risk governance program?

Question305: Which of the following is the MOST cost-effective way to test a business continuity plan?

Question306: Which of the following is MOST important when discussing risk within an organization?

Question307: Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?

Question308: During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Question309: What should be the PRIMARY driver for periodically reviewing and adjusting key risk indicators (KRIs)?

Question310: Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?

Question311: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Question312: Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Question313: Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?

Question314: Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

Question315: When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?

Question316: Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?

Question317: Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets?

Question318: An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?

Question319: When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:

Question320: Which of the following BEST enables the identification of trends in risk levels?

Question321: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Question322: An organization has allowed several employees to retire early in order to avoid layoffs Many of these employees have been subject matter experts for critical assets Which type of risk is MOST likely to materialize?

Question323: An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

Question324: When determining the accuracy of a key risk indicator (KRI), it is MOST important that the indicator:

Question325: Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?

Question326: it was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern1?

Question327: Which of the following BEST mitigates ethical risk?

Question328: Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Question329: The MAIN reason for creating and maintaining a risk register is to:

Question330: Which of the following provides the MOST useful information to determine risk exposure following control implementations?

Question331: Which of the following should a risk practitioner review FIRST when evaluating risk events associated with the organization's data flow model?

Question332: Which of the following BEST enables an organization to determine whether risk management is aligned with its goals and objectives?

Question333: Which of the following activities is a responsibility of the second line of defense?

Question334: Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment?

Question335: Which of the following is the FIRST step in risk assessment?

Question336: Which of the following is the MOST important input when developing risk scenarios?

Question337: The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.

Question338: The MOST important objective of information security controls is to:

Question339: Risk appetite should be PRIMARILY driven by which of the following?

Question340: Which of the following BEST enables an organization to determine whether external emerging risk factors will impact the organization's risk profile?

Question341: Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?

Question342: Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?

Question343: Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective?

Question344: Which of the following BEST reduces the likelihood of employees unintentionally disclosing sensitive information to outside parties?

Question345: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Question346: Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Question347: To define the risk management strategy which of the following MUST be set by the board of directors?

Question348: An organization is considering adopting artificial intelligence (AI). Which of the following is the risk practitioner's MOST important course of action?

Question349: Which of the following is the MAIN reason to continuously monitor IT-related risk?

Question350: A cloud service provider has completed upgrades to its cloud infrastructure to enhance service availability.
Which of the following is the MOST important key risk indicator (KRI) for management to monitor?

Question351: A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:

Question352: After the review of a risk record, internal audit questioned why the risk was lowered from medium to low.
Which of the following is the BEST course of action in responding to this inquiry?

Question353: Which of the following criteria for assigning owners to IT risk scenarios provides the GREATEST benefit to an organization?

Question354: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

Question355: An organization has determined that risk is not being adequately tracked and managed due to a distributed operating model. Which of the following is the BEST way to address this issue?

Question356: Who is the BEST person to an application system used to process employee personal data?

Question357: Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?

Question358: Which of the following provides the BEST measurement of an organization's risk management maturity level?

Question359: An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Question360: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Question361: Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Question362: The PRIMARY advantage of implementing an IT risk management framework is the:

Question363: An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?

Question364: A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BE ST help lo prevent technical vulnerabilities from being exploded?

Question365: Which of the following is the MOST essential factor for managing risk in a highly dynamic environment?

Question366: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Question367: Which of the following BEST indicates that an organizations risk management program is effective?

Question368: Which of the following is the PRIMARY reason for logging in a production database environment?

Question369: An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?

Question370: Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization?

Question371: Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified?

Question372: An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?

Question373: An IT project risk was identified during a monthly steering committee meeting. Which of the following roles is BEST positioned to approve the risk mitigation response?

Question374: Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?

Question375: Which of the following BEST enforces access control for an organization that uses multiple cloud technologies?

Question376: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Question377: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Question378: An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution Which of the following is MOST important to mitigate risk associated with data privacy?

Question379: Which of the following would BEST mitigate an identified risk scenario?

Question380: Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Question381: Which of the following would BEST help minimize the risk associated with social engineering threats?

Question382: An organization control environment is MOST effective when:

Question383: Which of the following is the BEST way for an organization to enable risk treatment decisions?

Question384: Which of the following should be determined FIRST when a new security vulnerability is made public?

Question385: Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Question386: Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?

Question387: An organization maintains independent departmental risk registers that are not automatically aggregated.
Which of the following is the GREATEST concern?

Question388: Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?

Question389: To help identify high-risk situations, an organization should:

Question390: Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process?

Question391: Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Question392: Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?

Question393: Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?

Question394: Which of the following BEST facilities the alignment of IT risk management with enterprise risk management (ERM)?

Question395: The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:

Question396: After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?

Question397: Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Question398: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question399: A contract associated with a cloud service provider MUST include:

Question400: It is MOST important that security controls for a new system be documented in:

Question401: Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?

Question402: Which of the following would MOST likely require a risk practitioner to update the risk register?

Question403: Which of the following is the PRIMARY responsibility of the first line of defense related to computer- enabled fraud?

Question404: When evaluating enterprise IT risk management it is MOST important to:

Question405: Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?

Question406: Which of the following should be management's PRIMARY consideration when approving risk response action plans?

Question407: Which of the following is MOST important when developing key performance indicators (KPIs)?

Question408: Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Question409: Which of the following can be interpreted from a single data point on a risk heat map?

Question410: Who is PRIMARILY accountable for risk treatment decisions?

Question411: Which of the following should be the GREATEST concern for an organization that uses open source software applications?

Question412: IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?

Question413: An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Question414: Which of the blowing is MOST important when implementing an organization s security policy?

Question415: Which of the following is MOST important when developing risk scenarios?

Question416: Which of the following is the BEST way to determine the value of information assets for risk management purposes?

Question417: Which of the following BEST helps to ensure disaster recovery staff members are able to complete their assigned tasks effectively during a disaster?

Question418: After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?

Question419: A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?

Question420: A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST?

Question421: An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?

Question422: A key risk indicator (KRI) that incorporates data from external open-source threat intelligence sources has shown changes in risk trend data. Which of the following is MOST important to update in the risk register?

Question423: An organization needs to send files to a business partner to perform a quality control audit on the organization' s record-keeping processes. The files include personal information on the organization's customers. Which of the following is the BEST recommendation to mitigate privacy risk?

Question424: During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

Question425: Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?

Question426: Which of the following is the BEST way to quantify the likelihood of risk materialization?

Question427: An online payment processor would be severely impacted if the fraud detection system has an outage. Which of the following is the BEST way to address this risk?

Question428: Which of the following is the MAIN purpose of monitoring risk?

Question429: Which of the following is the MOST important consideration for prioritizing risk treatment plans when faced with budget limitations?

Question430: Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution?

Question431: Which of the following is the BEST way to address IT regulatory compliance risk?

Question432: Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process?

Question433: When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important?

Question434: Which of the following is MOST important to consider when determining a recovery time objective (RTO)?

Question435: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Question436: Which process is MOST effective to determine relevance of threats for risk scenarios?

Question437: An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?

Question438: Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?

Question439: Which of the following is MOST important to compare against the corporate risk profile?

Question440: What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Question441: A failure in an organization's IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?

Question442: A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Question443: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Question444: Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?

Question445: Who should be PRIMARILY responsible for establishing an organization's IT risk culture?

Question446: Which of the following BEST supports the integration of IT risk management into an organization's strategic planning?

Question447: Which of the following would be a risk practitioner's GREATEST concern related to the monitoring of key risk indicators (KRIs)?

Question448: Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

Question449: Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?

Question450: Which of the following would be MOST helpful when estimating the likelihood of negative events?

Question451: A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Question452: An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results.
Which of the following is the risk practitioner's BEST recommendation?

Question453: Effective risk communication BEST benefits an organization by:

Question454: Which of the following will BEST support management repotting on risk?

Question455: The BEST indicator of the risk appetite of an organization is the

Question456: Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?

Question457: A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

Question458: In the three lines of defense model, a PRIMARY objective of the second line is to:

Question459: The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:

Question460: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Question461: A risk practitioner is involved in a comprehensive overhaul of the organizational risk management program.
Which of the following should be reviewed FIRST to help identify relevant IT risk scenarios?

Question462: Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?

Question463: Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

Question464: Which of the following is MOST important to the effectiveness of a senior oversight committee for risk monitoring?

Question465: The MAIN purpose of reviewing a control after implementation is to validate that the control:

Question466: Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?

Question467: Which of the following BEST indicates that security requirements have been incorporated into the system development life cycle (SDLC)?

Question468: Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Question469: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Question470: Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?

Question471: Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?

Question472: Calculation of the recovery time objective (RTO) is necessary to determine the:

Question473: To enable effective risk governance, it is MOST important for senior management to:

Question474: Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Question475: Which of the following BEST balances the costs and benefits of managing IT risk*?

Question476: Which of the following BEST assists in justifying an investment in automated controls?

Question477: Who should be responsible for implementing and maintaining security controls?

Question478: Which of the following contributes MOST to the effective implementation of risk responses?

Question479: A technology company is developing a strategic artificial intelligence (Al)-driven application that has high potential business value. At what point should the enterprise risk profile be updated?

Question480: An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?

Question481: Which of the following is MOST important to determine as a result of a risk assessment?

Question482: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Question483: A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client. Which of the following would be MOST helpful to the risk practitioner?

Question484: Which of the following provides the MOST comprehensive information when developing a risk profile for a system?

Question485: The risk associated with an asset before controls are applied can be expressed as:

Question486: A user has contacted the risk practitioner regarding malware spreading laterally across the organization's corporate network. Which of the following is the risk practitioner's BEST course of action?

Question487: An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap?

Question488: Which of the following is the GREATEST benefit of identifying appropriate risk owners?

Question489: Which of the following BEST indicates effective information security incident management?

Question490: Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Question491: An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?

Question492: An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?

Question493: Which of the following MUST be updated to maintain an IT risk register?

Question494: Which of the following is MOST important for developing effective key risk indicators (KRIs)?

Question495: Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?

Question496: The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:

Question497: When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?

Question498: Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Question499: Which of the following BEST reduces the probability of laptop theft?

Question500: An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Question501: Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?

Question502: The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence.
Which of the following would be the BEST action to address these scenarios?

Question503: An organization has committed to a business initiative with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?

Question504: A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?

Question505: Which of the following is the MOST important factor affecting risk management in an organization?

Question506: Which of the following should be considered FIRST when creating a comprehensive IT risk register?

Question507: Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?

Question508: Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

Question509: Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur?

Question510: An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?

Question511: During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?

Question512: Which of the following is the MOST important success factor when introducing risk management in an organization?

Question513: A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?

Question514: The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:

Question515: Which of the following would MOST likely cause a risk practitioner to change the likelihood rating in the risk register?

Question516: Which of the following is the PRIMARY reason to engage business unit managers in risk management processes'?

Question517: A root because analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators Who should be accountable for resolving the situation?

Question518: Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture?

Question519: When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the:

Question520: A business delegates its application data management to the internal IT team. Which of the following is the role of the internal IT team in this situation?

Question521: Which of the following is the MOST essential characteristic of a good IT risk scenario?

Question522: Which of the following activities BEST facilitates effective risk management throughout the organization?

Question523: A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?

Question524: Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile What is the MOST important information to review from the acquired company to facilitate this task?

Question525: Which of the following should be the starting point when performing a risk analysis for an asset?

Question526: Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''

Question527: An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?

Question528: Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?

Question529: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

Question530: Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?

Question531: An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

Question532: An information security audit identified a risk resulting from the failure of an automated control Who is responsible for ensuring the risk register is updated accordingly?

Question533: A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Question534: An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?

Question535: Which of the following BEST indicates that additional or improved controls ate needed m the environment?

Question536: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Question537: Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?

Question538: Which of the following is MOST likely to be identified from an information systems audit report?

Question539: Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?

Question540: Which of the following should a risk practitioner do NEXT after learning that Internet of Things (loT) devices installed in the production environment lack appropriate security controls for sensitive data?

Question541: Who should be accountable for ensuring effective cybersecurity controls are established?

Question542: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Question543: Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

Question544: What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?

Question545: Of the following, who is responsible for approval when a change in an application system is ready for release to production?

Question546: The PRIMARY purpose of a maturity model is to compare the:

Question547: An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?

Question548: An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Question549: Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:

Question550: Which of the following is MOST influential when management makes risk response decisions?

Question551: Which of the following is the MOST important characteristic of an effective risk management program?

Question552: Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

Question553: Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

Question554: An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?

Question555: The PRIMARY reason for communicating risk assessment results to data owners is to enable the:

Question556: Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

Question557: Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Question558: During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective.
Which of the following should be the risk practitioner's FIRST course of action?

Question559: A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Question560: Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?

Question561: An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'

Question562: Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Question563: A business is conducting a proof of concept on a vendor's AI technology. Which of the following is the MOST important consideration for managing risk?

Question564: Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Question565: An organization requires a third party for processing customer personal data. Which of the following is the BEST approach when sharing data over a public network?

Question566: Which of the following provides the MOST useful information when developing a risk profile for management approval?

Question567: Which of the following BEST supports ethical IT risk management practices?

Question568: What is the MAIN benefit of using a top-down approach to develop risk scenarios?

Question569: An organization recently configured a new business division Which of the following is MOST likely to be affected?

Question570: The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Question571: When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Question572: What is the PRIMARY purpose of a business impact analysis (BIA)?

Question573: What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Question574: Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

Question575: When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?

Question576: Which of the following is the PRIMARY benefit of using a risk profile?

Question577: An organization's risk register contains a large volume of risk scenarios that senior management considers overwhelming. Which of the following would BEST help to improve the risk register?

Question578: Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Question579: Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets?

Question580: Which of the following should be the MOST important consideration when performing a vendor risk assessment?

Question581: Which of the following is MOST important for senior management to review during an acquisition?

Question582: A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

Question583: Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?

Question584: Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization?

Question585: An organization recently invested in an identity and access management (IAM) solution to manage user activities across corporate mobile devices. Which of the following is MOST important to update in the risk register?

Question586: Which of the following is the MOST relevant information to include in a risk management strategy?

Question587: A new policy has been published to forbid copying of data onto removable media. Which type of control has been implemented?

Question588: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Question589: Risk aggregation in a complex organization will be MOST successful when:

Question590: An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Question591: Reviewing which of the following would provide the MOST useful information when preparing to evaluate the effectiveness of existing controls?

Question592: The MAIN goal of the risk analysis process is to determine the:

Question593: Which of the following is the GREATEST risk associated with the misclassification of data?

Question594: A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Question595: Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?

Question596: Winch of the following is the BEST evidence of an effective risk treatment plan?

Question597: Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager to exclude an in-scope system from a risk assessment?

Question598: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Question599: The PRIMARY reason to implement a formalized risk taxonomy is to:

Question600: Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Question601: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager.
Which of the following would be the BEST method to use when developing the scenarios?

Question602: Which of the following scenarios presents the GREATEST risk of noncompliance with data privacy best practices?

Question603: Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system?

Question604: An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes?

Question605: Risk mitigation is MOST effective when which of the following is optimized?

Question606: A global organization is considering the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration?

Question607: Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions?

Question608: Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete?

Question609: Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?

Question610: Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Question611: A risk practitioner shares the results of a vulnerability assessment for a critical business application with the business manager. Which of the following is the NEXT step?

Question612: When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes

Question613: Who should be responsible (of evaluating the residual risk after a compensating control has been

Question614: Which of the following is the BEST method to track asset inventory?

Question615: Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?

Question616: Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?

Question617: Which of the following is the PRIMARY objective of a risk awareness program?

Question618: Who is the BEST person to the employee personal data?

Question619: Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?

Question620: The PRIMARY objective of a risk identification process is to:

Question621: A business impact analysis (BIA) has documented the duration of maximum allowable outage for each of an organization's applications. Which of the following MUST be aligned with the maximum allowable outage?

Question622: Which of the following is the MOST important document regarding the treatment of sensitive data?

Question623: An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

Question624: An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?

Question625: Which of the following is MOST important for effective communication of a risk profile to relevant stakeholders?

Question626: Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?

Question627: During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:

Question628: Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?

Question629: The PRIMARY focus of an ongoing risk awareness program should be to:

Question630: The purpose of requiring source code escrow in a contractual agreement is to:

Question631: Which of the following is the MOST important consideration when prioritizing risk response?

Question632: Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?

Question633: An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack.
Which of the following is the MOST effective control to support this policy?

Question634: A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

Question635: Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Question636: Determining if organizational risk is tolerable requires:

Question637: Which of the following provides the MOST reliable evidence of a control's effectiveness?

Question638: Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?

Question639: When outsourcing a business process to a cloud service provider, it is MOST important to understand that:

Question640: An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following is MOST important to include in a risk awareness training session for the customer service department?

Question641: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Question642: When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?

Question643: Which of the following events is MOST likely to trigger the need to conduct a risk assessment?

Question644: An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact?

Question645: Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?

Question646: A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

Question647: When prioritizing risk response, management should FIRST:

Question648: Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)?

Question649: Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Question650: Who is the MOST appropriate owner for newly identified IT risk?

Question651: An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Question652: Within the risk management space, which of the following activities could be delegated to a cloud service provider?

Question653: To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

Question654: In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

Question655: A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar:

Question656: Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?

Question657: Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?

Question658: Which of the following would BEST help identify the owner for each risk scenario in a risk register?

Question659: A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

Question660: A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of the following ould be the MOST effective course of action?

Question661: Which of the following key performance indicators (KPis) would BEST measure me risk of a service outage when using a Software as a Service (SaaS) vendors

Question662: An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?

Question663: Which of the following is the BEST risk management approach for the strategic IT planning process?

Question664: An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?

Question665: An organization's IT infrastructure is running end-of-life software that is not allowed without exception approval. Which of the following would provide the MOST helpful information to justify investing in updated software?

Question666: In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed?

Question667: If preventive controls cannot be Implemented due to technology limitations, which of the following should be done FIRST to reduce risk7

Question668: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?

Question669: Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?

Question670: When of the following is the BEST key control indicator (KCI) to determine the effectiveness of en intrusion prevention system (IPS)?

Question671: The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:

Question672: Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

Question673: A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?

Question674: Before assigning sensitivity levels to information it is MOST important to:

Question675: Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?

Question676: Key risk indicators (KRIs) BEST support risk treatment when they:

Question677: The PRIMARY purpose of IT control status reporting is to:

Question678: A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization of the following, who should review the completed list and select the appropriate KRIs for implementation?

Question679: A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents.
Which of the following is the BEST course of action?

Question680: An organization is concerned that a change in its market situation may impact the current level of acceptable risk for senior management. As a result, which of the following is MOST important to reevaluate?

Question681: Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?

Question682: An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?

Question683: Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Question684: The risk appetite for an organization could be derived from which of the following?

Question685: An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy?

Question686: What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Question687: Which of the following is the PRIMARY role of a data custodian in the risk management process?

Question688: Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement?

Question689: A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Question690: The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Question691: Which of the following BEST helps to balance the costs and benefits of managing IT risk?

Question692: Which of the following controls would BEST reduce the risk of account compromise?

Question693: Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?

Question694: A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the following should the risk practitioner do FIRST?

Question695: When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Question696: Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Question697: Which of the following MOST effectively limits the impact of a ransomware attack?

Question698: A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?

Question699: Which of the following is the PRIMARY objective for automating controls?

Question700: Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Question701: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

Question702: An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action?

Question703: Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?

Question704: Which of the following approaches BEST identifies information systems control deficiencies?

Question705: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Question706: A risk practitioner has been asked to propose a risk acceptance framework for an organization. Which of the following is the MOST important consideration for the risk practitioner to address in the framework?

Question707: Within the three lines of defense model, the accountability for the system of internal control resides with:

Question708: When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Question709: The percentage of unpatched systems is a:

Question710: The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Question711: Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?

Question712: An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

Question713: Which of the following is the MOST important reason to create risk scenarios?

Question714: Which of the following should be included in a risk scenario to be used for risk analysis?

Question715: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Question716: Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?

Question717: Which of the following is the MOST effective way to help ensure accountability for managing risk?

Question718: Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?

Question719: Whose risk tolerance matters MOST when making a risk decision?

Question720: A risk practitioner has learned that the number of emergency change management tickets without subsequent approval has doubled from the same period of the previous year. Which of the following is the MOST important action for the risk practitioner to take?

Question721: Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?

Question722: The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Question723: A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?