
CRISC 2024 latest final.pdf


A key performance indicator (KPI) shows that a process is operating inefficiently, even though no control issues were noted during the most recent risk assessment. Which of the following should be done FIRST? O Redesign the process. O Recalibrate the key performance indicator (KPI). O Implement new controls. Re-evaluate the existing control design. Which of the following contributes MOST to the effective implementation of risk responses'’ Detailed standards and procedures Appropriate resources Clear understanding of the risk Comparable industry risk trends Which of the following key performance indicators (KPIs) would BEST measure the risk of a service outage when using a Software as a Service (SaaS) vendor? O Frequency of business continuity plan (BCP) testing O Frequency and number of new software releases Frequency and duration of unplanned downtime O Number of IT support staff available after business hours A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions? Segregation of duties Periodic internal audits Log monitoring Periodic user privileges review The MOST important characteristic of an organization s policies ts to reflect the organization s capabilities risk appetite risk assessment methodology asset value An organization recently acquired a new business division Which of the following is MOST likely to be affected'? b ® Risk profile O Risk culture O Risk appetite O Risk tolerance Which of the following is the GREATEST benefit of using IT risk scenarios? O They support compliance with regulations. O They provide evidence of risk assessment. ® They facilitate communication of risk O They enable the use of key risk indicators (KRIs). Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios Which of the following should be provided*? 
The loss expectancy lot aggregated risk scenarios The highest loss expectancy among the risk scenarios The average of anticipated residual risk levels The sum of residual risk levels for each scenario Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are O independent from the business operations O authorized to select nsk mitigation options O members of senior management J accountable for the affected processes When implementing an IT risk management program, which ol the following is the BEST time to evaluate current control effectiveness? O Before defining a framework @ During the risk assessment O When evaluating risk response O When updating the risk register Which of the following is the PRIMARY reason to perform periodic vendor risk assessments? O To assess the vendor's risk mitigation plans O To provide input to the organization's risk appetite O To verify the vendor's ongoing financial viability To monitor the vendor's control effectiveness From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools’ * Operational costs are reduced Inherent risk is reduced Staff costs are reduced Residual risk is reduced When reporting risk assessment results to senior management, which of the following is MOST important to include lo enable risk-based decision making? O Recent audit and self-assessment results O Potential losses compared to treatment cost O A list of assets exposed to the highest risk ® Risk action plans and associated owners After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to O recommend a program that minimizes the concerns of that production system. ® inform the process owner of the concerns and propose measures to reduce them. O inform the IT manager of the concerns and propose measures to reduce them. 
O inform the development team of the concerns and together formulate risk reduction measures. A review of an organization s controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data Which of the following would be MOST impacted'5 Residual risk Risk appetite Key risk indicators (KRIs) Inherent risk Sensitive data has been lost after an employee inadvertently removed a file from the premises in violation of organizational policy. Which of the following controls MOST likely tailed'? O User access O Policy management O Background checks ® Awareness (taming Which of the following is the PRIMARY objective of risk management? O Identify and analyze risk ® Achieve business objectives. O Minimize business disruptions. O Identify threats and vulnerabilities. Which of the following practices would be MOST effective in protecting personally identifiable information (Pli) from unauthorized access in a cloud environment? Obtain the right to audit Utilize encryption with logical access controls Apply data classification policy Require logical separation of company data Which of the following BEST balances the costs and benefits of managing IT risk4* ® Prioritizing and addressing risk in line with risk appetite O Eliminating risk through preventive and detective controls O Considering risk that can be shared with a third party O Evaluating the probability and impact of risk scenarios An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training? 
O Percentage of staff members who attend the training with positive feedback ® Percentage of attendees versus total staff O Percentage of staff members who complete the training with a passing score O Number of training sessions completed Which of the following would MOST ikely drive the need to review and update key performance indicators (KPIs) for critical IT assets'’ Findings from continuous monitoring The outsourcing of related IT processes Changes in service level objectives * Outcomes of periodic risk assessments A MAJOR advantage of using key risk indicators (KRIs) is that they @ identify when risk exceeds defined thresholds O assess risk scenarios that exceed defined thresholds O identify scenarios that exceed defined risk appetite O help with internal control assessments concerning risk appetite An organization has allowed several employees to retire early in order to avoid layoffs. Many of these employees have been subject matter experts for critical assets. Which type of risk is MOST likely to materialize? O Confidentiality breach ® Institutional knowledge loss O Intellectual property loss O Unauthorized access Which of the following key risk indicators (KRIsJ is MOST effective for monitoring risk related to a bring your own device (BYOD) program'’ Number of incidents originating from BYOD devices Budget allocated to the BYOD program security controls Number of devices enrolled in the BYOD program Number of users who have signed a BYOD acceptable use policy Who is MOST appropriate to be assigned ownership of a control? O The individual responsible tor control operation O The individual informed of the control effectiveness O The individual responsible for testing the control ; The individual accountable for monitoring control effectiveness 0 Select here to search An organization is planning to outsource its payroll function to an external service provider. Which of the following should be the MOST important consideration when selecting the provider? 
O Right to audit the provider ® Internal controls to ensure data privacy O Disaster recovery plan (DRP) of the system O Transparency of key performance indicators (KPIs) Which of the following MOST effectively limits the impact of a ransomware attack"’ Cryptocurrency reserve Data backups End user training Cyber insurance Which of the following would provide the BEST evidence of an effective internal control environment? O Adherence to governing policies O Risk assessment results O Regular stakeholder briefings i® Independent audit results One of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner's BEST recommendation? ® Additional mitigating controls should be identified. C The system should not be used until the application is changed. O The organization's IT risk appetite should be adjusted. O The associated IT risk should be accepted by management Which of the following is the BEST metric to demonstrate the effectiveness of an organization s software testing program? Percentage of applications covered by the testing team The number of personnel dedicated to software testing Number of incidents resulting from software changes Average time io complete software test cases Which of the following is MOST likely to cause Key Risk Indicator (KRI) to exceed thresholds? ) Occurrences of specific events O The risk tolerance level O Risk scenarios O A performance measurement An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed? © Initiate a retest of the full control. O Retest the control using the new application as the only sample. O Review the corresponding change control documentation. O Re-evaluate the control during the next assessment. 
Which of the following should be an element of risk appetite of an organization? The amount of inherent risk considered appropriate The effectiveness of compensating controls The enterprise's capacity to absorb loss The residual risk affected by preventive controls Which stakeholder is MOST important to include when defining a risk profile during the selection process for a new third-party application'? O The third-party risk manager O The application vendor $ The business process owner O The information security manager Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations'? O Variances between organizational risk appetites -® Different taxonomies to categorize risk scenarios O Disparate platforms for governance, risk, and compliance (GRC) systems O Dissimilar organizational risk acceptance protocols Which of the following BEST enables an organization to address risk associated with technical complexity? O Minimizing dependency on technology O Aligning with a security architecture O Documenting system hardening requirements Establishing configuration guidelines The BEST key performance indicator (KPI) to measure the ongoing effectiveness of a risk awareness training program is the percentage of staff members who have: passed subsequent random testing, accessed online training materials. attended annual training. passed the training session test. A risk assessment has identified that an organization may not be in compliance with industry regulations What is the BEST course of action'’ Collaborate with management to meet compliance requirements Conduct a gap analysis against compliance criteria Identify necessary controls to ensure compliance Modify internal assurance activities Io include control validation Which of the following will be the GREATEST concern when assessing the risk profile of an organization"? 
The risk profile was developed without using industry standards O The risk profile was not updated after a recent incident A The risk profile was last reviewed two years ago O The risk profile does not contain historical loss data When classifying and prioritizing risk responses, the areas to address FIRST are those with: O low cost effectiveness ratios and high risk levels. O high cost effectiveness ratios and low risk levels. @ high cost effectiveness ratios and high risk levels. O low cost effectiveness ratios and low risk levels. Which of the following is the MOST significant indicator of the need to perform a penetration test? An increase in the percentage of turnover in IT personnel An increase in the number of security incidents An increase m the number of high-risk audit findings An increase in the number of infrastructure changes An internal audit report repeals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response’ O Review historical application downtime and frequency V) Assess the potential impact and cost ot mitigation O identify other legacy systems within the organization O Explore the feasibility of replacing the legacy system The risk associated with an asset before controls are applied can be expressed as: ® a function of the likelihood and impact. O the likelihood of a given threat. O a function of the cost and effectiveness of controls. O the magnitude of an impact Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior? O Cyber threat intelligence O Endpoint detection and response (EDR) O Anti-malware software SIEM systems Which of the following is MOST important when implementing an organisation's security policy? 
Benchmarking against industry standards Assessing compliance requirements Identifying threats and vulnerabilities Obtaining management support Which of the following is MOST important consideration when developing an organization's risk taxonomy? O Leading industry frameworks Business context O IT strategy Q Regulatory requirements The BEST metric to demonstrate that servers are configured securely is the total number of servers: ® meeting the baseline for hardening. O exceeding current patching standards. O exceeding availability thresholds. O experiencing hardware failures. Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program? Budget allocated to the BYOD program security controls Number of devices enrolled in the BYOD program Number of incidents originating from BYOD devices Number of users who have signed a BYOD acceptable use policy Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern? The chief information security officer (ClSO) has not approved the plan Some critical business applications are not included in the plan Several recovery activities will be outsourced The plan is not based on an internationally recognized framework Which of the following is MOST helpful in providing a high level overview of current IT risk severity? O Risk mitigation plans Heat map O Risk appetite statement O Key risk indicators (KRIs) A legacy application used for a critical business function relies on software that has reached the end of extended support. Which of the following is the MOST effective control to manage this application? O Subscribe to threat intelligence to monitor external attacks. O Apply patches for a newer version of the application. O Segment lhe application within the existing network. ® Increase the frequency of regular system and data backups. 
The PRIMARY purpose of using a framework for risk analysis is to: improve accountability. improve consistency. help develop risk scenarios. help define risk tolerance. Which of the following will be MOST helpful when communicating roles associated with the IT risk management process? RACI chart Organizational chart Skills matrix Job descriptions Which of the following is the BEST indication of an improved risk-aware culture following (he implementation of a security awareness training program for all employees'’ O A reduction in the number of user access resets O An increase in 1he number ol identified system Haws O A reduction in the number of help desk calls < An increase in lhe number of incidents reported A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. Who should the risk scenario be reassigned to? O Senior management O Chief risk officer (CRO) O Vendor manager © Data owner Which of the following would MOST likely require a risk practitioner to update the risk register? Development of a project schedule lor implementing a risk response An alert being reported by the security operations center Completion of a project for implementing a new control Engagement of a third party to conduct a vulnerability scan An organization has just implemented changes tc close an identified vulnerability that impacted a critical business process What should be the NEXT course of action? O Update the risk register O Redesign the heat map O Review the risk tolerance ® Perform a business impact analysis (BIA) Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation? 
© Results of end-user acceptance testing O Variances between planned and actual cost O Availability of in-house resources O Completeness of system documentation Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register? Corporate incident escalation protocols are established The organization-wide control budget is expanded. Exposure is integrated into the organization's risk profile Risk appetite cascades to business unit management. The risk associated with an asset after controls are applied can be expressed as a function of the cost and effectiveness of controls the magnitude of an impact the likelihood of a given threat a function of the likelihood and impact Which of the following would be of GREATEST concern regarding an organization's asset management? O Lack of a mature records management program O Lack of a dedicated asset management team O Decentralized asset lists Incomplete asset inventory Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite? O Reject the risk acceptance and require mitigating controls. O Monitor the residual risk level of the accepted risk. ® Escalate the risk decision to the project sponsor for review. O Document the risk decision in the project risk register. Which of the following BEST enables senior management to compare the ratings of risk scenarios? O Key risk indicators (KRIs) H] Risk heat map O Key performance indicators (KPIs) O Control self-assessment (CSA) Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management? 
Changes in control design Changes in control ownership A decrease in the number of key controls * An increase in residual risk Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios^ Conducing internal audits Evaluating risk impact Creating quarterly risk reports Establishing key performance indicators (KPIs) To define the risk management strategy, which of the following MUST be set by the board of directors'? O Operational strategies Risk governance O Annualized loss expectancy (ALE) O Risk appetite Who is MOST important to include in the assessment of existing IT risk scenarios? O Technology subject matter experts O Business process owners @ Business users of IT systems O Risk management consultants A project team recommends accepting the residual risk associated with known regulatory control deficiencies Which of the following is the risk practitioner's MOST important recommendation to the project manager^ Present the remaining deficiencies to the project steering committee for sign-off Update the project risk register with the remaining deficiencies and remediation actions Confirm a timeline to remediate the remaining deficiencies after the project goes live Assess the risk of the remaining deficiencies and develop an action plan To define the risk management strategy, which of the following MUST be set by the board of directors'? O Operational strategies ® Risk governance O Annualized loss expectancy (ALE) O Risk appetite An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution. Which of the following is MOST important to mitigate risk associated with data privacy? ® Secure encryption protocols are utilized O Multi-factor authentication is set up for users. O The solution architecture is approved by IT. 
O A risk transfer clause is included in the contract An organization will be impacted by a new data privacy regulation due to the location of ns production facilities What action should ihe risk practitioner lake when evaluating the new regulation'? Assess the validity and perform update testing on data privacy controls Evaluate if the existing risk responses to the previous regulation are still adequate Develop internal control assessments over data privacy for the new regulation Perform an analysis of the new regulation Io ensure current risk is identified An information security audit identified a risk resulting from the failure of an automated control Who is responsible for ensuring the risk register is updated accordingly'? ® The risk practitioner O The risk owner O The control owner O The audit manager An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution. Which of the following is MOST important to mitigate risk associated with data privacy? ® Secure encryption protocols are utilized. O Multi-factor authentication is set up for users. O The solution architecture is approved by IT. O A risk transfer clause is included in the contract. Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios'? @ Evaluating risk impact O Creating quarterly risk reports O Establishing key performance indicators (KPIs) O Conducting internal audits Which of the following is PRIMARILY a risk management responsibility of the first line of defense*? 
Implementing risk treatment plans Conducting independent reviews of nsk assessment results Validating the status of risk mitigation efforts Establishing risk policies and standards Which of the following provides the BEST evidence that a selected risk treatment plan is effective4’ O Identifying key risk indicators (KRls) O Evaluating the return on investment (ROI) Evaluating the residual risk level O Performing a cost-benefit analysis Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures? Mean time to recover (MTTR) Recovery time objective (RTO) Incident management service level agreement (SLA) IT system criticality classification Which of the following is the PRIMARY reason to engage business unit managers in risk management processes? O Improved alignment with technical risk Better-informed business decisions O Enhanced understanding of enterprise architecture (EA) O Improved business operations efficiency Which of the following would provide the BEST evidence of an effective internal control environment? Risk assessment results Regular stakeholder briefings Adherence to governing policies Independent audit results Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk? Implementing mock phishing exercises Conducting security awareness training Requiring two-factor authentication Updating the information security policy Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk? 
; ) Ensuring that control design reduces risk to an acceptable level O Determining processes for monitoring the effectiveness of the controls O Updating the risk register to include the risk mitigation plan O Confirming to management the controls reduce the likelihood of the risk An organization has completed a risk assessment of one of its service providers Who should be accountable for ensuring that nsk responses are implemented^ Third-party security teem The relationship owner IT risk practitioner legal representation of the business organization has operations in a location that regularly experiences severe weather events Which of the following would BEST help to mitigate the risk to operations'? O Prepare a disaster recovery plan (DRP) O Prepare a cost-benefit analysis to evaluate relocation O Conduct a business impact analysis (BlA) for an alternate location Develop a business continuity plan (BCP) Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense modeP Board of directors Regulators Vendors Legal team Which of the following provides the BEST evidence that risk responses are effective? Compliance breaches are addressed in a timely manner. Risk with low impact is accepted. Residual risk is within risk tolerance. Risk ownership is identified and assigned Which of the following is MOST helpful to understand the consequences of an IT risk event? O Business impact analysis O Fault tree analysis O Root cause analysis ® Historical trend analysis Which of the following BEST indicates the risk appetite and tolerance level for the nsk associated with business interruption caused by IT system failures’ > IT system criticality classification Mean time to recover (MTTR) Incident management service level agreement (SLA) Recovery time objective (RTO) Which of the following is MOST useful when performing a quantitative risk assessment? 
O Management support O Industry benchmarking O RACI matrix Financial models Which of the following should an organization perform to forecast the effects of a disaster? Simulate a disaster recovery. Develop a business impact analysis (BIA). Define recovery time objectives (RTO). Analyze capability maturity model gaps. An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response7 O Identify the regulatory bodies that may highlight this gap O Highlight news articles about data breaches ® Evaluate the risk as a measure of probable loss O Verify if competitors comply with a similar polity Which of the following would BEST help to address the risk associated with malicous outsiders modifying application data? Multi-factor authentication Role based access controls Activation of control audits Acceptable use policies before assigning sensitivity levels to information, it is MOST important to O conduct a sensitivity analysis O define recovery time objectives (RTOs) ) define the information classification policy O identify information custodians Which of the following is the MAIN purpose of monitoring risk’ Decision support Benchmarking Risk analysis Communication An organization has been experiencing an increasing number ol spear phishing attacks Which of the following would be the MOST effective way to mitigate the risk associated with these attacks^ O Update firewall configuration O Require strong password complexity 3 Implement a security awareness program O Implement Iwo-factor authentication The PRIMARY advantage of involving end users in continuity planning is that they have a better understanding of specific business needs are more objective than information security management can balance the overall technical and business concerns can see the overall impact to the business 
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform: a vulnerability assessment a gap analysis. a root cause analysis an impact assessment. Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy"’ O Data architect O Compliance manager ® Data owner O Chief information officer (CIO) Which of the following is MOST important information to review when developing plans for using emerging technologies'’ IT strategic plan Organizational strategic plan Risk register Existing IT environment Which of the following is MOST important to ensure when reviewing an organization's nsk register? ® Risk ownership is recorded O Vulnerabilities have separate entries O Residual risk is less than inherent risk O Control ownership is recorded An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for ihe response team 1o recover the application Which of the following should be the NEXT course of action"’ O Reduce the recovery time by strengthening the response team O Invoke the disaster recovery plan (DRP) during an incident Prepare a cost-benefit analysis of alternatives available O Implement redundant infrastructure for the application Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites? 
O Developing training and awareness campaigns O Monitoring the enterprise s use of the Internet [s] Scanning the Internet to search for unauthorized usage O Utilizing data loss prevention (DLP) technology What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system'’ O Install antivirus software on the system O Virtualize the system in the cloud Segment the system on its own network O Ensure regular backups take place Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PlA) O To develop a customer notification plan O To identity personally identifiable information (PII) O To determine gaps in data deidentification processes To identity gaps in data protection controls Which of the following should be a nsk practitioner s NEXT step after learning of an incident that has affected a competitor'? O Implement compensating controls O Update the risk register O Develop risk scenarios ® Activate the incident response plan Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program? Number of incidents originating from BYOD devices O Number of users who have signed a BYOD acceptable use policy O Budget allocated to the BYOD program security controls O Number of devices enrolled in the BYOD program Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making”? O Setting minimum sample sizes to ensure accuracy O Listing alternative causes for risk events * Illustrating changes in risk trends O Monitoring the risk until the exposure is reduced Which of the following is the GREATEST critical success factor (CSF) of an IT risk management program? 
Identifying IT risk scenarios Aligning with business objectives Conducting focus group meetings with key stakeholders Identifying enterprise risk events Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud"* O Ensuring that risk and control assessments consider fraud O Monitoring the results of actions taken to mitigate fraud O Providing oversight of risk management processes ® Implementing processes Io detect and deter fraud Which of the following is the MOST important for an organization to have in place to ensure IT asset protection? O A plan that includes processes for the recovery of IT assets ® Procedures for risk assessments on IT assets O An IT asset management checklist O An IT asset inventory populated by an automated scanning tool Which of the following is the GREATEST benefit of implementing an enterprise risk management (ERM) program? O A common view of enterprise risk is established O Risk management controls are implemented O Risk-aware decision making is enabled a. Risk management is integrated into the organization The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation? Perform a code review Implement version control software. Implement training on coding best practices. Perform a root cause analysis. Which risk response strategy could management apply to both positive and negative risk that has been identified? (♦) Mitigate O Transfer O Exploit O Accept An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices? Implement BYOD mobile device management (MDM) controls. O Enable a remote wipe capability for BYOD devices. Include BYOD in organizational awareness programs. 
O Periodically review applications on BYOD devices.

Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (IoT) technology in an organization?
(®] The IoT threat landscape
O The business case for the use of IoT
O The network that IoT devices can access
O Policy development for IoT

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
Risk and issue tracking
Change and release management
An IT strategy committee
Well documented policies and procedures

The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:
O having the risk register updated regularly
O having key risk indicators (KRIs) established to measure risk
O introduced into production without high-risk issues
having an action plan to remediate overdue issues

Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
O a gap analysis
O an impact assessment
a root cause analysis
O a vulnerability assessment

A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?
O Risk transfer
) Risk acceptance
O Risk mitigation
O Risk avoidance

The percentage of unpatched systems is a:
O critical success factor (CSF).
[f>] key risk indicator (KRI).
O threat vector.
O key performance indicator (KPI).

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
Identify the vulnerabilities and applicable OS patches.
Evaluate permanent fixes such as patches and upgrades.
Document and implement a patching process.
Temporarily mitigate the OS vulnerabilities.

Which of the following is MOST important when determining risk appetite?
O Benchmarking against industry standards
O Assessing regulatory requirements
« Gaining management consensus
O Identifying risk tolerance

Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?
O To secure resourcing for risk treatment efforts
O To hold risk owners accountable for risk action plans
O To enable senior management to compile a risk profile
») To support decision-making for risk response

An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
Legal representation of the business
IT risk practitioner
The relationship owner
Third-party security team

An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
® The relationship owner
O IT risk practitioner
O Legal representation of the business
O Third-party security team

Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?
® Encrypt physical hard drives within the cloud
O Encrypt data before it leaves the organization
O Use an encrypted tunnel to connect to the cloud
O Encrypt the data in the cloud database

Which of the following has the GREATEST influence on an organization's risk appetite?
O Threats and vulnerabilities
O Internal and external risk factors
O Business objectives and strategies
® Management culture and behavior

An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?
Risk acceptance
Risk transfer
Risk mitigation
Risk avoidance

Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?
) Perform a risk assessment
O Perform a gap analysis
O Prioritize impact to the business units
O Review the risk tolerance and appetite

Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?
The chief information security officer (CISO) has not approved the plan.
Some critical business applications are not included in the plan.
The plan is not based on an internationally recognized framework.
Several recovery activities will be outsourced.

Which of the following is the ULTIMATE objective of implementing technical controls in the IT environment?
O Enhancing the maturity of the IT control environment
O Reducing regulatory risk
Minimizing the likelihood of a threat exposure
O Optimizing the cost of IT resources

An organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is the responsibility of the risk practitioner?
» Verify that existing controls continue to properly mitigate defined risk
O Test approval process controls once the project is completed
O Update the existing controls for changes in approval processes from this project
O Perform a gap analysis of the impacted control processes

The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
data classification and labeling.
data logging and monitoring.
data retention and destruction.
data mining and analytics.

Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments?
Senior management has accepted more risk than usual.
Risk associated with many assets is only expressed in qualitative terms.
Several risk action plans have missed target completion dates.
Many risk scenarios are owned by the same senior manager.

The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:
incorporate subject matter expertise.
identify specific project risk.
obtain a holistic view of IT strategy risk.
understand risk associated with complex processes.

Mapping open risk issues to an enterprise risk heat map BEST facilitates:
O risk ownership
O risk identification
O control monitoring
risk response

An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?
Annual threat reports
Financial forecasts
Industry benchmarks
Audit reports

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?
Ensuring regular risk messaging is included in business communications from leadership
Ensuring schedules and deadlines for control-related deliverables are strictly monitored
Ensuring processes are documented to enable effective control execution
Ensuring performance metrics balance business goals with risk appetite

Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
O The cost associated with incident response activities
O The composition and number of records in the information asset
The maximum levels of applicable regulatory fines
O The length of time between identification and containment of the incident

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:
accepted.
transferred.
deferred.
mitigated.
Which of the following is MOST likely to be impacted when a global organization is required by law to implement a new data protection regulation across its operations?
O Vulnerability assessment results
O Threat profile
O Risk ownership assignments
Risk profile

Which of the following is MOST likely to deter an employee from engaging in inappropriate use of company-owned IT systems?
O A centralized computer security response team
O Regular performance reviews and management check-ins
O Code of ethics training for all employees
® Communication of employee activity monitoring

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
Request that both business units conduct another review of the risk.
Update the risk register with the average of residual risk for both business units.
Update the risk register to ensure both risk scenarios have the highest residual risk.

An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
Authentication logs have been disabled.
An external vulnerability scan has been detected.
A brute force attack has been detected.
An increase in support requests has been observed.

Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?
) Risk register
O Risk appetite
O Threat landscape
O Risk metrics

An organization is developing a security risk awareness training program for the IT help desk and has asked the risk practitioner for suggestions. In addition to technical topics, which of the following is MOST important to recommend be included in the training?
Incident reporting procedures
Password selection options
Identity verification procedures
Security policy review

Which of the following is the GREATEST benefit of a three lines of defense structure?
An effective risk culture that empowers employees to report risk
O Effective segregation of duties to prevent internal fraud
Clear accountability for risk management processes
O Improved effectiveness and efficiency of business operations

Which of the following should be determined FIRST when a new security vulnerability is made public?
How pervasive the vulnerability is within the organization
Whether the affected technology is Internet-facing
Whether the affected technology is used within the organization
What mitigating controls are currently in place

Which of the following provides the MOST comprehensive view of an organization's IT risk management status?
O A review of IT incidents and related root cause analyses
O An aggregation of control self-assessment (CSA) results
An IT risk register with known threats and vulnerabilities
O Interviews with IT risk stakeholders

Which of the following is the MOST effective way to identify an application backdoor prior to implementation?
O User acceptance testing (UAT)
O Database activity monitoring
Source code review
O Vulnerability analysis

An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning ownership of the associated risk entries?
The risk analysis for each scenario is incomplete.
Risk aggregation has not been completed.
Risk scenarios are not applicable.
The volume of risk scenarios is too large.

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
O Annual review
Relevance
O Management approval
O Automation

If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?
O Redefine the business process to reduce the risk
® Evaluate alternative controls
O Develop a plan to upgrade technology
O Define a process for monitoring risk

Which of the following is MOST helpful in preventing risk events from materializing?
Prioritizing and tracking issues
Reviewing and analyzing security incidents
Maintaining the risk register
Establishing key risk indicators (KRIs)

Which of the following is the MOST significant indicator of the need to perform a penetration test?
V'* An increase in the number of infrastructure changes
An increase in the number of high-risk audit findings
An increase in the percentage of turnover in IT personnel
An increase in the number of security incidents

Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?
O To align with board reporting requirements
To assist management in decision making
O To create organization-wide risk awareness
O To minimize risk mitigation efforts

Recovery time objectives (RTOs) should be based on:
minimum tolerable downtime.
minimum tolerable loss of data.
maximum tolerable downtime.
maximum tolerable loss of data.

The MAJOR reason to classify information assets is to:
O maintain a current inventory and catalog of information assets
® determine their sensitivity and criticality
O establish recovery time objectives (RTOs)
O categorize data into groups

When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
Analyzing key risk indicators (KRIs)
Mapping threats to organizational objectives
Reviewing past audits
Identifying potential sources of risk

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?
J* Undefined assignment of responsibility
Failure to audit third-party providers
Obsolete response documentation
Increased stakeholder turnover

The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
O Intrusion detection system (IDS) rules
O Logs and system events
O Vulnerability assessment reports
Penetration test reports

Which of the following is the BEST control to mitigate the risk when a critical customer-facing application has been susceptible to recent credential stuffing attacks?
Increase password complexity requirements.
Implement multi-factor authentication.
Increase monitoring of account usage.
Block IP addresses from foreign countries.

Which of the following would MOST likely result in agreement on accountability for risk scenarios?
[f>] Using a facilitated risk management workshop
O Relying on generic risk scenarios
O Relying on external IT risk professionals
O Distributing predefined scenarios for review

Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:
O is responsible for enterprise risk management (ERM).
O is in charge of information security.
O can implement remediation action plans.
is accountable for loss if the risk materializes.

Which of the following BEST enables the identification of trends in risk levels?
Measurements for key risk indicators (KRIs) are repeatable.
Correlation between risk levels and key risk indicators (KRIs) is positive.
Quantitative measurements are used for key risk indicators (KRIs).
Qualitative definitions for key risk indicators (KRIs) are used.

Which of the following is a drawback in the use of quantitative risk analysis?
It is based on impact analysis of information assets.
It requires more resources than other methods.
It produces the results in numeric form.
It assigns numeric values to exposures of assets.
A risk practitioner has been asked to recommend a key performance indicator (KPI) to assess the effectiveness of a manual process to terminate user access. Which of the following would be the BEST KPI to recommend?
Timeframe from user termination to access revocation
Timeframe of notification from business management to IT
Percent increase in number of access termination requests
Ratio of successful log-in attempts to unsuccessful log-in attempts

During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?
Require a second level of approval.
Require a code of ethics.
Implement continuous monitoring.
Implement segregation of duties.

After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
To confirm the impact to the risk profile
To add new controls to mitigate the risk
To reevaluate continued use of IoT devices
To recommend changes to the IoT policy

An organization is planning to move its application infrastructure from on-premise to the cloud. Which of the following is the BEST course of action to address the risk associated with data transfer if the relationship is terminated with the vendor?
Work closely with the information security officer to ensure the company has the proper security controls in place.
Collect requirements for the environment to ensure the Infrastructure as a Service (IaaS) is configured appropriately.
Meet with the business leaders to ensure the classification of their transferred data is in place.
Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process.

Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?
W To provide assessments of mitigation effectiveness
To provide measurements on the potential for risk to occur
To provide data for establishing the risk profile
To provide assurance of adherence to risk management policies

Which of the following provides the MOST reliable information to ensure a newly acquired company has appropriate IT controls in place?
Penetration testing
Vulnerability assessment
IT risk assessment
Information system audit

Which of the following is MOST important for secure application development?
O Secure coding practices
® Security training for systems development staff
O Well-documented business cases
O A recognized risk management framework

From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
Operational costs are reduced.
Staff costs are reduced.
Inherent risk is reduced.
Residual risk is reduced.

Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?
Percentage of recovery issues identified during the exercise
Number of total systems recovered within the recovery point objective (RPO)
Percentage of critical systems recovered within the recovery time objective (RTO)
Number of service level agreement (SLA) violations

Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?
O Internal audit
O Risk management
[f>] Business units
O External audit

The PRIMARY purpose of using a framework for risk analysis is to:
help develop risk scenarios.
improve accountability.
help define risk tolerance.
improve consistency.
A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?
Risk assessment
Forensic analysis
Business impact analysis (BIA)
Root cause analysis

Which of the following should a risk practitioner do FIRST to support the implementation of governance around organizational assets within an enterprise risk management (ERM) program?
O Hire experienced and knowledgeable resources.
O Develop a detailed risk profile.
O Schedule internal audits across the business.
[#)] Conduct risk assessments across the business.

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
Identifying key risk indicators (KRIs)
Evaluating the return on investment (ROI)
Performing a cost-benefit analysis
Evaluating the residual risk level

A risk practitioner has been asked to recommend a key performance indicator (KPI) to assess the effectiveness of a manual process to terminate user access. Which of the following would be the BEST KPI to recommend?
Timeframe from user termination to access revocation
Ratio of successful log-in attempts to unsuccessful log-in attempts
Timeframe of notification from business management to IT
Percent increase in number of access termination requests

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?
Increased stakeholder turnover
Obsolete response documentation
Failure to audit third-party providers
Undefined assignment of responsibility

Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
Well documented policies and procedures
Change and release management
An IT strategy committee
Risk and issue tracking

Which of the following is MOST helpful in preventing risk events from materializing?
Prioritizing and tracking issues
Maintaining the risk register
Establishing key risk indicators (KRIs)
Reviewing and analyzing security incidents

Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
Conduct a business impact analysis (BIA).
Schedule a penetration test.
Apply available security patches.
Perform a vulnerability analysis.

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
Update the risk register with the average of residual risk for both business units.
Update the risk register to ensure both risk scenarios have the highest residual risk.
Request that both business units conduct another review of the risk.
Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

Which of the following is MOST important for managing ethical risk?
Identifying the ethical concerns of each stakeholder
Establishing a code of conduct for employee behavior
Involving senior management in resolving ethical disputes
Developing metrics to trend reported ethics violations

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate this risk?
Establishing a data classification policy
Requiring the use of virtual private networks (VPNs)
Requiring employee agreement of the acceptable use policy
Conducting user awareness training

Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?
Policies and standards
Insurance coverage
Risk appetite and tolerance
Security awareness training

An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:
a tool for monitoring critical activities and controls.
real-time monitoring of risk events and control exceptions.
procedures to monitor the operation of controls.
monitoring activities for all critical assets.

Which strategy employed by risk management would BEST help to prevent internal fraud?
Ensure segregation of duties is implemented within key systems or processes.
Require the information security officer to review unresolved incidents.
Require control owners to conduct an annual control certification.
Conduct regular internal and external audits on the systems supporting financial reporting.

Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?
To ensure IT risk impact can be compared to the IT risk appetite
To ensure IT risk scenarios are consistently assessed within the organization
To ensure IT risk ownership is assigned at the appropriate organizational level
To ensure IT risk appetite is communicated across the organization

Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
Performing regular reviews and updates to the register
Communicating the register to key stakeholders
Recording and tracking the status of risk response plans within the register
Removing entries from the register after the risk has been treated

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
IT system owner
Chief risk officer (CRO)
Business process owner
Chief financial officer (CFO)

A key risk indicator (KRI) flags an exception for exceeding a threshold but remains within risk appetite. Which of the following should be done NEXT?
Review the risk appetite level to ensure it is appropriate.
Document that the KRI is within risk appetite.
Adjust the risk threshold level to match risk appetite.
Review the trend to determine whether action is needed.

Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
O Interview process owners.
Perform a post-implementation review.
O Review the key performance indicators (KPIs).
O Conduct user acceptance testing (UAT).

Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?
Communicate the new risk profile.
Review and adjust key risk indicators (KRIs).
Re-validate the corporate risk appetite.
Implement a new risk assessment process.

Which of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
Remove risk when mitigation results in residual risk within tolerance levels.
Remove risk that management has decided to accept.
Remove risk that has been mitigated by third-party transfer.
Remove risk only following a significant change in the risk environment.
Which of the following is a risk practitioner's BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?
Update risk responses.
Redesign key risk indicators (KRIs).
Conduct a SWOT analysis.
Perform a threat assessment.

Which of the following attributes of data provided to an automated log analysis tool is MOST important for effective risk monitoring?
Scalability
Relevancy
Retention
Confidentiality

Which of the following should be the PRIMARY goal of developing information security metrics?
Raising security awareness
Enabling continuous improvement
Ensuring regulatory compliance
Identifying security threats

Who should have the authority to approve an exception to a control?
Control owner
Risk manager
Risk owner
Information security manager

A project team recommends accepting the residual risk associated with known regulatory control deficiencies. Which of the following is the risk practitioner's MOST important recommendation to the project manager?
Update the project risk register with the remaining deficiencies and remediation actions.
Confirm a timeline to remediate the remaining deficiencies after the project goes live.
Present the remaining deficiencies to the project steering committee for sign-off.
Assess the risk of the remaining deficiencies and develop an action plan.

Who should be responsible for evaluating the residual risk after a compensating control has been applied?
Control owner
Compliance manager
Risk practitioner
Risk owner

The MOST essential content to include in an IT risk awareness program is how to:
O populate risk register entries and build a risk profile for management reporting.
ID comply with the organization's IT risk and information security policies.
O prioritize IT-related actions by considering risk appetite and risk tolerance.
O define the IT risk framework for the organization.
Making decisions about risk mitigation actions is the PRIMARY role of the:
risk owner.
O risk manager.
O risk practitioner.
O risk officer.

An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:
the service provider's existing controls.
guidance provided by the external auditor.
the organization's specific control requirements.
a recognized industry control framework.

Which of the following privacy principles reduces the impact of accidental leakage of personal data?
O Accuracy
O Purpose
Minimization
O Transparency

The PRIMARY reason for communicating risk assessment results to data owners is to enable the:
O design of appropriate controls.
O industry benchmarking of controls.
O classification of information assets.
prioritization of response efforts.

Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?
@ An increase in the number of risk threshold exceptions
O An increase in the number of change events pending management review
O A decrease in the number of critical assets covered by risk thresholds
O A decrease in the number of key performance indicators (KPIs)

Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan?
O To ensure completion of the risk assessment cycle
To ensure residual risk is at an acceptable level
O To ensure control costs do not exceed benefits
C To ensure controls are operating effectively

Which of the following would MOST effectively reduce risk associated with an increased volume of online transactions on a retailer website?
O A hot backup site
® Scalable infrastructure
O Website activity monitoring
O Transaction limits

An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%.
This is an example of:
C risk tolerance
risk evaluation.
O risk appetite
O risk mitigation.

An organization is planning to engage a cloud-based service provider for some of its data-intensive business of the following is MOST important to help define the IT risk associated with this outsourcing activity?
[f>] Service level agreement (SLA)
O Scope of services provided
O Customer service reviews
O Right to audit the provider

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?
O Ensuring that risk and control assessments consider fraud
O Providing oversight of risk management processes
@ Implementing processes to detect and deter fraud
O Monitoring the results of actions taken to mitigate fraud

Which of the following is MOST important to ensure when reviewing an organization's risk register?
O Vulnerabilities have separate entries.
O Residual risk is less than inherent risk.
Control ownership is recorded.
O Risk ownership is recorded.

Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
O Update the risk response in the risk register.
O Ensure the acceptance is set to expire over time.
O Increase the risk appetite to align with the current risk level.
® Verify authorization by senior management.

A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?
Q Remove the control to accommodate business objectives.
O Request a waiver to the requirements.
O Absorb the loss in productivity.
I Escalate the issue to senior management.

Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
O Updating remote desktop software
® Updating the organizational policy for remote access
O Creating metrics to track remote connections
O Implementing multi-factor authentication

A poster has been displayed in a data center that reads: "Anyone caught taking photographs in the data center may be subject to disciplinary action." Which of the following control types has been implemented?
O Corrective
O Detective
® Deterrent
O Preventative

Which of the following would provide the BEST evidence of an effective internal control environment?
Adherence to governing policies
Regular stakeholder briefings
Risk assessment results
Independent audit results

Of the following, who is responsible for approval when a change in an application system is ready for release to production?
O Information security officer
O IT risk manager
O Chief risk officer (CRO)
Business owner

Which of the following is the BEST approach to mitigate the risk associated with a control deficiency?
Build a provision for risk.
Perform a business case analysis.
Conduct a control self-assessment (CSA).
Implement compensating controls.

Which of the following is MOST important when determining risk appetite?
O Assessing regulatory requirements
O Benchmarking against industry standards
O Gaining management consensus
O Identifying risk tolerance

Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?
O The risk register
O Emerging technology trends
O Data classification policy
® The IT strategic plan

Which risk response strategy could management apply to both positive and negative risk that has been identified?
Mitigate
Exploit
O Accept
O Transfer

An organization implements a risk avoidance approach to collecting personal information. Which of the following is the BEST way for a risk practitioner to validate the risk response?
® Perform a scan for personal information.
O Verify security baselines are implemented for databases.
O Confirm that personal information is encrypted.
O Review the privacy policy to confirm it is up to date.

Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
O Management approval
O Automation
Relevance
O Annual review

What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?
® Segment the system on its own network.
Ensure regular backups take place.
O Virtualize the system in the cloud.
Install antivirus software on the system.

A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?
Forensic analysis
Business impact analysis (BIA)
Risk assessment
Root cause analysis

Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
O Internal auditor
O Finance manager
O Control owner
® Asset owner

Which of the following BEST enables the selection of appropriate risk treatment in the event of a disaster?
O Risk treatment plan
® Business impact analysis (BIA)
O Failover procedures
O Risk scenario analysis

Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?
Determining if KRIs have been updated recently
Assessing the effectiveness of the incident response plan
Determining what has changed in the environment
Designing compensating controls

Which of the following should be the FIRST step to investigate an IT monitoring system that has a decreasing alert rate?
O Conduct regression testing to ensure alerts can be triggered.
Determine the root cause for the change in alert rate.
O Adjust the sensitivity to trigger more alerts.
O Review and adjust the timing of the reporting window.
Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
® To reduce the likelihood of insider threat
O To eliminate the possibility of insider threat
O To enable rapid discovery of insider threat
O To reduce the impact of insider threat

After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to:
review the impact to the IT environment.
O prepare an IT risk mitigation strategy.
O escalate to senior management.
O perform a cost-benefit analysis.

A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is:
O mature.
O ineffective.
O optimized.
® inefficient.

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?
® Implementing processes to detect and deter fraud
O Monitoring the results of actions taken to mitigate fraud
O Providing oversight of risk management processes
O Ensuring that risk and control assessments consider fraud

Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment?
Require logical separation of company data.
Utilize encryption with logical access controls.
Apply data classification policy.
Obtain the right to audit.

What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?
® Reduce internal threats.
Ensure new hires have the required skills.
Eliminate risk associated with personnel.
O Reduce exposure to vulnerabilities.

Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?
To track historical risk assessment results
O To support regulatory requirements
O To prevent the risk scenario in the current environment
® To monitor for potential changes to the risk scenario

Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program?
Best practices
Desired risk level
Regulatory compliance
® Risk ownership

Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
O Budget allocated to the BYOD program security controls
Number of devices enrolled in the BYOD program
O Number of incidents originating from BYOD devices
O Number of users who have signed a BYOD acceptable use policy

While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
Update the risk register to ensure both risk scenarios have the highest residual risk.
Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
Request that both business units conduct another review of the risk.
Update the risk register with the average of residual risk for both business units.

Which of the following is MOST important to include when reporting the effectiveness of risk management to senior management?
O Changes in the organization's risk appetite and risk tolerance levels
O Impact due to changes in external and internal risk factors
® Changes in residual risk levels against acceptable levels
O Gaps in best practices and implemented controls across the industry

An organization's business process requires the verbal verification of personal information in an environment where other customers may overhear this information. Which of the following is the MOST significant risk?
The process could result in intellectual property theft.
The customer may view the process negatively.
The process could result in compliance violations.
The information could be used for identity theft.

Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective?
O Control self-assessment (CSA)
® Independent audit report
O Key performance indicators (KPIs)
O Service level agreements (SLAs)

A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
® Conduct a gap analysis.
O Terminate the outsourcing agreement.
O Identify compensating controls.
O Transfer risk to the third party.

Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
Temporarily mitigate the OS vulnerabilities.
Identify the vulnerabilities and applicable OS patches.
Evaluate permanent fixes such as patches and upgrades.
Document and implement a patching process.

Which of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project life cycle?
Number of projects going live without a security review
O Number of employees completing project-specific security training
Number of security projects started in core departments
Number of security-related status reports submitted by project managers

Which of the following should a risk practitioner validate FIRST when a mitigating control cannot be implemented fully to support business objectives?
O If the risk owner has accepted the risk
If business objectives continue to align with organizational goals
O If insurance coverage has been obtained
If compensating controls have been implemented

An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access.
Which of the following MUST be considered to assess the residual risk?
O Data retention requirements
O Data destruction requirements
Key management
O Cloud storage architecture

Risk acceptance of an exception to a security control would MOST likely be justified when:
the control is difficult to enforce in practice.
automation cannot be applied to the control.
the end-user license agreement has expired.
business benefits exceed the loss exposure.

Which of the following BEST enables senior management to compare the ratings of risk scenarios?
O Key risk indicators (KRIs)
O Key performance indicators (KPIs)
O Control self-assessment (CSA)
® Risk heat map

An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
Update the risk register.
Update the security strategy.
Implement additional controls.
Conduct a risk assessment.

Which of the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?
O Enforce sanctions for noncompliance with security procedures.
Conduct organization-wide phishing simulations.
Require training on the data handling policy.
O Require regular testing of the data breach response plan.

A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?
Assessing noncompliance with control best practices
Reviewing the roles and responsibilities of control process owners
Reviewing the IT policy with the risk owner
Assessing the degree to which the control hinders business objectives

What is senior management's role in the RACI model when tasked with reviewing monthly status reports provided by risk owners?
O Accountable
Informed
O Responsible
O Consulted

Which of the following would BEST facilitate the implementation of data classification requirements?
Implementing technical controls over the assets
Assigning a data owner
Scheduling periodic audits
Implementing a data loss prevention (DLP) solution

Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?
O Inherent risk is increased.
O Residual risk is increased.
O Risk tolerance is decreased.
O Risk appetite is decreased.

For a large software development project, risk assessments are MOST effective when performed:
at system development.
at each stage of the system development life cycle (SDLC).
before system development begins.
during the development of the business case.

Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?
® Activate the incident response plan.
O Implement compensating controls.
O Update the risk register.
O Develop risk scenarios.

A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
Chief financial officer (CFO)
Chief risk officer (CRO)
IT system owner
Business process owner

Which of the following is the BEST way to quantify the likelihood of risk materialization?
Balanced scorecard
Threat and vulnerability assessment
Compliance assessments
Business impact analysis (BIA)

Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?
O Creating metrics to track remote connections
O Implementing multi-factor authentication
O Updating remote desktop software
O Updating the organizational policy for remote access

Where is the FIRST place a risk practitioner should look to identify accountability for a specific risk?
O Risk scenario
O Risk response plan
® RACI matrix
O Risk register

An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?
Risk acceptance
Risk mitigation
Risk avoidance
Risk transfer

Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (IoT) devices to collect and process personally identifiable information (PII)?
Local laws and regulations
O Security features and support
Business strategies and needs
Costs and benefits

A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
Segregation of duties
Periodic user privileges review
Periodic internal audits
Log monitoring

Which of the following should be an element of the risk appetite of an organization?
The effectiveness of compensating controls
The residual risk affected by preventive controls
The amount of inherent risk considered appropriate
The enterprise's capacity to absorb loss

When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address?
® Sharing company information on social media
Using social media to maintain contact with business associates
Sharing personal information on social media
Using social media for personal purposes during working hours

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?
O Prepare a business case for the response options.
O Identify resources for implementing responses.
O Develop a mechanism for monitoring residual risk.
® Update the risk register with the results.
Which of the following is a PRIMARY benefit of creating an organizational code of conduct?
Enhanced integrity of management
Improvement in workforce productivity
Identification of ethical risk facing the organization
® Clear expectations for employee behavior

A large organization needs to report risk at all levels for a new centralized virtualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?
Risk heat map
Centralized risk register
Aggregated key performance indicators (KPIs)
Key risk indicators (KRIs)

Which of the following is the PRIMARY accountability for a control owner?
O Communicate risk to senior management.
O Own the associated risk the control is mitigating.
Ensure the control operates effectively.
O Identify and assess control weaknesses.

Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?
Relevant risk case studies
Risk assessment results
Penetration testing results
Internal audit findings

An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following is MOST important to include in a risk awareness training session for the customer service department?
Identifying social engineering attacks
Understanding the importance of using a secure password
Understanding the incident management process
Archiving sensitive information

When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register?
O Leveraging business risk professionals
O Relying on generic IT risk scenarios
O Describing IT risk in business terms
® Using a common risk taxonomy

Which of the following sources is MOST relevant to reference when updating security awareness training materials?
Global security standards
Risk register
Risk management framework
Recent security incidents reported by competitors

An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
O Invoke the disaster recovery plan (DRP) during an incident.
O Reduce the recovery time by strengthening the response team.
® Prepare a cost-benefit analysis of alternatives available.
O Implement redundant infrastructure for the application.

What should be a risk practitioner's PRIMARY focus when evaluating a proposed robotic process automation of a business service?
Control capability
Cost-benefit analysis
License availability
Code review

An organization is planning to implement a guest wireless network granting Internet access only. Which of the following is the MOST important consideration to effectively mitigate the risk of guests gaining access to the organization's internal network?
Guests are required to accept terms and conditions.
The networks are properly segregated from each other.
Only approved equipment is allowed on the guest network.
The wireless network is not available outside the office areas.

Which of the following controls MOST effectively addresses the risk associated with tailgating into a restricted area?
Implementing CCTV monitoring
Using biometric door locks
Security awareness training
Using two-factor authentication

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
Availability of in-house resources
Completeness of system documentation
Results of end-user acceptance testing
Variances between planned and actual cost

Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?
Change testing schedule
Change communication plan
User acceptance testing (UAT)
Impact assessment of the change

When developing risk scenarios using a list of generic scenarios based on industry best practices, it is MOST important to:
validate the generic risk scenarios for relevance.
select the maximum possible risk scenarios from the list.
identify common threats causing generic risk scenarios.
assess generic risk scenarios with business users.

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
Research the root cause of similar incidents.
Increase human resources to respond in the interim.
Communicate potential impact to decision makers.
Verify the response plan is adequate.

Which of the following should be the PRIMARY focus of an IT risk awareness program?
Communicate IT risk policy to the participants.
Cultivate long-term behavioural change.
Ensure compliance with the organization's internal policies.
Demonstrate regulatory compliance.

Which of the following will be the GREATEST concern when assessing the risk profile of an organization?
The risk profile does not contain historical loss data.
The risk profile was last reviewed two years ago.
The risk profile was developed without using industry standards.
The risk profile was not updated after a recent incident.

The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:
allocation of available resources.
risk to be expressed in quantifiable terms.
clear understanding of risk levels.
assignment of risk to the appropriate owners.
Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?
The plan is not based on an internationally recognized framework.
The chief information security officer (CISO) has not approved the plan.
Some critical business applications are not included in the plan.
Several recovery activities will be outsourced.

In an organization with mature risk management practices, the risk appetite can be inferred from which of the following?
Residual risk
O Compliance reports
O Control taxonomy
O Inherent risk

A risk practitioner is presenting the risk profile to management, indicating an increase in the number of successful network attacks. This information would be MOST helpful to:
justify additional controls.
determine the availability of network resources.
justify investing in a log collection system.
determine the frequency of monitoring.

Which of the following is the GREATEST risk associated with inappropriate classification of data?
O Inaccurate recovery time objectives (RTOs)
O Inaccurate record management data
Users having unauthorized access to data
O Lack of accountability for data ownership

An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:
accepted.
mitigated.
deferred.
transferred.

Which of the following is the GREATEST critical success factor (CSF) of an IT risk management program?
Identifying IT risk scenarios
Identifying enterprise risk events
Conducting focus group meetings with key stakeholders
Aligning with business objectives

An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?
Classification of the data
Type of device
Volume of data
Remote management capabilities

An organization's email protection policy states that at least 95% of phishing emails should be blocked by email filters. Which type of indicator has been established?
O Key goal indicator (KGI)
O Key risk indicator (KRI)
® Key performance indicator (KPI)
O Key control indicator (KCI)

What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?
Include the application in the business continuity plan (BCP).
Report the finding to management.
Determine the business purpose of the application.
Segregate the application from the network.

A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
include detailed deviations from industry benchmarks.
include a summary linking information to stakeholder needs.
include a roadmap to achieve operational excellence.
publish the report on-demand for stakeholders.

Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments?
Several risk action plans have missed target completion dates.
Risk associated with many assets is only expressed in qualitative terms.
Senior management has accepted more risk than usual.
Many risk scenarios are owned by the same senior manager.

Management has determined that it will take significant time to remediate exposures in the current IT control environment. Which of the following is the BEST course of action?
Identify compensating controls.
Improve project management methodology.
Implement control monitoring.
Reassess the risk periodically.

When establishing a business continuity plan (BCP), which of the following should be performed to identify possible loss events?
Business impact analysis (BIA)
Incident response testing
Residual risk profile review
Vulnerability assessment

Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with:
® line management.
O internal audit.
O enterprise compliance.
O the IT risk function.

An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?
Invoke the incident response plan.
Conduct a risk analysis.
Disable the user account.
Initiate a remote data wipe.

Which of the following is the role of the board of directors in the three lines of defense risk management model?
O Approving organizational risk management structure
Overseeing departmental adherence to risk policies
Overseeing the three lines of defense
Providing the risk governance framework for the three lines of defense

An organization has decided to commit to a business activity with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?
O Reject the business initiative.
Recommend risk remediation.
Document formal acceptance of the risk.
O Change the level of risk appetite.

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?
O Perform a controls assessment.
O Request a budget for implementation.
Conduct a threat analysis.
O Create a cloud computing policy.

Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
O Monitor the residual risk level of the accepted risk.
Escalate the risk decision to the project sponsor for review.
Reject the risk acceptance and require mitigating controls.
Document the risk decision in the project risk register.
Using a data simulation method is BEST suited for:
O improving the usefulness of qualitative data.
performing quantitative analysis on uncertain data.
removing randomness from otherwise random data.
ensuring quantitative estimates are precise.

When establishing an enterprise IT risk management program, it is MOST important to:
review alignment with the organization's strategy.
understand the organization's information security policy.
O report identified IT risk scenarios to senior management.
validate the organization's data classification scheme.

Which of the following is the MOST significant indicator of the need to perform a penetration test?
O An increase in the number of high-risk audit findings
® An increase in the percentage of turnover in IT personnel
An increase in the number of infrastructure changes
An increase in the number of security incidents

Which of the following should be the PRIMARY goal of developing information security metrics?
Raising security awareness
Enabling continuous improvement
Ensuring regulatory compliance
Identifying security threats

Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?
The number of security incidents escalated to senior management
The number of resolved security incidents
The number of recurring security incidents
The number of newly identified security incidents

A large organization is replacing its enterprise resource planning
The owner of the financial reporting process
The risk rating of affected financial processes

Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization?
Implement compensating controls.
O Conduct system testing.
Perform a gap analysis.
Update security policies.

Which of the following is the PRIMARY responsibility of the second line of defense?
Monitoring risk in relation to the organization's risk appetite
Providing assurance for the design and effectiveness of controls
Integrating control activities into business processes
Conducting timely investigations into control exceptions

Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth?
Peak bandwidth usage
O Average bandwidth usage
O Total bandwidth usage
Bandwidth used during business hours

When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?
Verbal majority acceptance of risk by committee
List of compensating controls
O A memo indicating risk acceptance
IT audit follow-up responses

Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?
Risk appetite
Risk tolerance
Inherent risk
O Key risk indicator (KRI)

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?
Implementing processes to detect and deter fraud
Providing oversight of risk management processes
Ensuring that risk and control assessments consider fraud
Monitoring the results of actions taken to mitigate fraud

The acceptance of control costs that exceed risk exposure MOST likely demonstrates:
low risk tolerance.
corporate culture misalignment.
O high risk tolerance.
corporate culture alignment.

Which of the following is the MOST important consideration when developing an organization's risk taxonomy?
Regulatory requirements
IT strategy
Business context
Leading industry frameworks

Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development?
Decision-making authority for risk treatment
Ability to determine business impact
Up-to-date knowledge on risk responses
Awareness of emerging business threats

A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?
O Document the reasons for the exception.
O Escalate the concern to senior management.
Include the application in IT risk assessments.
O Propose that the application be transferred to IT.

When establishing a business continuity plan (BCP), which of the following should be performed to identify possible loss events?
O Business impact analysis (BIA)
O Residual risk profile review
Vulnerability assessment
O Incident response testing

Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered?
Reassessing control effectiveness of the process
O Conducting a post-implementation review to determine lessons learned
O Reporting key performance indicators (KPIs) for core processes
O Establishing escalation procedures for anomaly events

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?
Directive
O Detective
O Preventive
O Compensating

When is the BEST time to identify risk associated with major projects to determine a mitigation plan?
Project execution phase
® Project initiation phase
Project closing phase
Project planning phase

Which of the following should be the PRIMARY goal of developing information security metrics?
Identifying security threats
Ensuring regulatory compliance
Raising security awareness
Enabling continuous improvement

Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
® Verify the response plan is adequate.
O Communicate potential impact to decision makers.
O Increase human resources to respond in the interim.
O Research the root cause of similar incidents.

Which of the following is the GREATEST benefit of identifying appropriate risk owners?
O Stakeholders are consulted about risk treatment options.
® Accountability is established for risk treatment decisions.
O Responsibility is established for risk treatment decisions.
O Risk owners are informed of risk treatment options.

An external security audit has reported multiple findings related to control noncompliance. Which of the following is MOST important for the risk practitioner to communicate to senior management?
O The impact to the organization's risk profile
O A recommendation for internal audit validation
O Suggestions for improving
