Risk Management KPIs and Controls PDF

Summary

This document presents a series of multiple-choice questions related to risk management, focusing on key performance indicators and various controls within a business setting. The questions cover topics such as process redesign, risk response implementation, service outage risk assessment, and control effectiveness.

Full Transcript

1. A key performance indicator (KPI) shows that a process is operating inefficiently, even though no control issues were noted during the most recent risk assessment. Which of the following should be done FIRST?
- Redesign the process.
- Recalibrate the key performance indicator (KPI).
- Implement new controls.
- Re-evaluate the existing control design.

2. Which of the following contributes MOST to the effective implementation of risk responses?
- Detailed standards and procedures
- Appropriate resources
- Clear understanding of the risk
- Comparable industry risk trends

3. Which of the following key performance indicators (KPIs) would BEST measure the risk of a service outage when using a Software as a Service (SaaS) vendor?
- Frequency of business continuity plan (BCP) testing
- Frequency and number of new software releases
- Frequency and duration of unplanned downtime
- Number of IT support staff available after business hours

4. A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
- Segregation of duties
- Periodic internal audits
- Log monitoring
- Periodic user privileges review

5. The MOST important characteristic of an organization's policies is to reflect the organization's:
- capabilities
- risk appetite
- risk assessment methodology
- asset value

6. An organization recently acquired a new business division. Which of the following is MOST likely to be affected?
- Risk profile
- Risk culture
- Risk appetite
- Risk tolerance

7. Which of the following is the GREATEST benefit of using IT risk scenarios?
- They support compliance with regulations.
- They provide evidence of risk assessment.
- They facilitate communication of risk.
- They enable the use of key risk indicators (KRIs).
8. Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided?
- The loss expectancy for aggregated risk scenarios
- The highest loss expectancy among the risk scenarios
- The average of anticipated residual risk levels
- The sum of residual risk levels for each scenario

9. Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:
- independent from the business operations
- authorized to select risk mitigation options
- members of senior management
- accountable for the affected processes

10. When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
- Before defining a framework
- During the risk assessment
- When evaluating risk response
- When updating the risk register

11. Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
- To assess the vendor's risk mitigation plans
- To provide input to the organization's risk appetite
- To verify the vendor's ongoing financial viability
- To monitor the vendor's control effectiveness

12. From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
- Operational costs are reduced
- Inherent risk is reduced
- Staff costs are reduced
- Residual risk is reduced

13. When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?
- Recent audit and self-assessment results
- Potential losses compared to treatment cost
- A list of assets exposed to the highest risk
- Risk action plans and associated owners
14. After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
- recommend a program that minimizes the concerns of that production system.
- inform the process owner of the concerns and propose measures to reduce them.
- inform the IT manager of the concerns and propose measures to reduce them.
- inform the development team of the concerns and together formulate risk reduction measures.

15. A review of an organization's controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?
- Residual risk
- Risk appetite
- Key risk indicators (KRIs)
- Inherent risk

16. Sensitive data has been lost after an employee inadvertently removed a file from the premises in violation of organizational policy. Which of the following controls MOST likely failed?
- User access
- Policy management
- Background checks
- Awareness training

17. Which of the following is the PRIMARY objective of risk management?
- Identify and analyze risk.
- Achieve business objectives.
- Minimize business disruptions.
- Identify threats and vulnerabilities.

18. Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment?
- Obtain the right to audit
- Utilize encryption with logical access controls
- Apply data classification policy
- Require logical separation of company data

19. Which of the following BEST balances the costs and benefits of managing IT risk?
- Prioritizing and addressing risk in line with risk appetite
- Eliminating risk through preventive and detective controls
- Considering risk that can be shared with a third party
- Evaluating the probability and impact of risk scenarios

20. An IT department has organized training sessions to improve user awareness of organizational information security policies.
Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
- Percentage of staff members who attend the training with positive feedback
- Percentage of attendees versus total staff
- Percentage of staff members who complete the training with a passing score
- Number of training sessions completed

21. Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?
- Findings from continuous monitoring
- The outsourcing of related IT processes
- Changes in service level objectives
- Outcomes of periodic risk assessments

22. A MAJOR advantage of using key risk indicators (KRIs) is that they:
- identify when risk exceeds defined thresholds
- assess risk scenarios that exceed defined thresholds
- identify scenarios that exceed defined risk appetite
- help with internal control assessments concerning risk appetite

23. An organization has allowed several employees to retire early in order to avoid layoffs. Many of these employees have been subject matter experts for critical assets. Which type of risk is MOST likely to materialize?
- Confidentiality breach
- Institutional knowledge loss
- Intellectual property loss
- Unauthorized access

24. Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
- Number of incidents originating from BYOD devices
- Budget allocated to the BYOD program security controls
- Number of devices enrolled in the BYOD program
- Number of users who have signed a BYOD acceptable use policy

25. Who is MOST appropriate to be assigned ownership of a control?
- The individual responsible for control operation
- The individual informed of the control effectiveness
- The individual responsible for testing the control
- The individual accountable for monitoring control effectiveness
26. An organization is planning to outsource its payroll function to an external service provider. Which of the following should be the MOST important consideration when selecting the provider?
- Right to audit the provider
- Internal controls to ensure data privacy
- Disaster recovery plan (DRP) of the system
- Transparency of key performance indicators (KPIs)

27. Which of the following MOST effectively limits the impact of a ransomware attack?
- Cryptocurrency reserve
- Data backups
- End user training
- Cyber insurance

28. Which of the following would provide the BEST evidence of an effective internal control environment?
- Adherence to governing policies
- Risk assessment results
- Regular stakeholder briefings
- Independent audit results

29. One of an organization's key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner's BEST recommendation?
- Additional mitigating controls should be identified.
- The system should not be used until the application is changed.
- The organization's IT risk appetite should be adjusted.
- The associated IT risk should be accepted by management.

30. Which of the following is the BEST metric to demonstrate the effectiveness of an organization's software testing program?
- Percentage of applications covered by the testing team
- The number of personnel dedicated to software testing
- Number of incidents resulting from software changes
- Average time to complete software test cases

31. Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
- Occurrences of specific events
- The risk tolerance level
- Risk scenarios
- A performance measurement

32. An organization uses one centralized single sign-on (SSO) control to cover many applications.
Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?
- Initiate a retest of the full control.
- Retest the control using the new application as the only sample.
- Review the corresponding change control documentation.
- Re-evaluate the control during the next assessment.

33. Which of the following should be an element of risk appetite of an organization?
- The amount of inherent risk considered appropriate
- The effectiveness of compensating controls
- The enterprise's capacity to absorb loss
- The residual risk affected by preventive controls

34. Which stakeholder is MOST important to include when defining a risk profile during the selection process for a new third-party application?
- The third-party risk manager
- The application vendor
- The business process owner
- The information security manager

35. Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
- Variances between organizational risk appetites
- Different taxonomies to categorize risk scenarios
- Disparate platforms for governance, risk, and compliance (GRC) systems
- Dissimilar organizational risk acceptance protocols

36. Which of the following BEST enables an organization to address risk associated with technical complexity?
- Minimizing dependency on technology
- Aligning with a security architecture
- Documenting system hardening requirements
- Establishing configuration guidelines

37. The BEST key performance indicator (KPI) to measure the ongoing effectiveness of a risk awareness training program is the percentage of staff members who have:
- passed subsequent random testing.
- accessed online training materials.
- attended annual training.
- passed the training session test.
38. A risk assessment has identified that an organization may not be in compliance with industry regulations. What is the BEST course of action?
- Collaborate with management to meet compliance requirements
- Conduct a gap analysis against compliance criteria
- Identify necessary controls to ensure compliance
- Modify internal assurance activities to include control validation

39. Which of the following will be the GREATEST concern when assessing the risk profile of an organization?
- The risk profile was developed without using industry standards
- The risk profile was not updated after a recent incident
- The risk profile was last reviewed two years ago
- The risk profile does not contain historical loss data

40. When classifying and prioritizing risk responses, the areas to address FIRST are those with:
- low cost effectiveness ratios and high risk levels.
- high cost effectiveness ratios and low risk levels.
- high cost effectiveness ratios and high risk levels.
- low cost effectiveness ratios and low risk levels.

41. Which of the following is the MOST significant indicator of the need to perform a penetration test?
- An increase in the percentage of turnover in IT personnel
- An increase in the number of security incidents
- An increase in the number of high-risk audit findings
- An increase in the number of infrastructure changes

42. An internal audit report reveals that a legacy system is no longer supported. Which of the following is the risk practitioner's MOST important action before recommending a risk response?
- Review historical application downtime and frequency
- Assess the potential impact and cost of mitigation
- Identify other legacy systems within the organization
- Explore the feasibility of replacing the legacy system

43. The risk associated with an asset before controls are applied can be expressed as:
- a function of the likelihood and impact.
- the likelihood of a given threat.
- a function of the cost and effectiveness of controls.
- the magnitude of an impact.

44. Which of the following is BEST used to aggregate data from multiple systems to identify abnormal behavior?
- Cyber threat intelligence
- Endpoint detection and response (EDR)
- Anti-malware software
- SIEM systems

45. Which of the following is MOST important when implementing an organization's security policy?
- Benchmarking against industry standards
- Assessing compliance requirements
- Identifying threats and vulnerabilities
- Obtaining management support

46. Which of the following is the MOST important consideration when developing an organization's risk taxonomy?
- Leading industry frameworks
- Business context
- IT strategy
- Regulatory requirements

47. The BEST metric to demonstrate that servers are configured securely is the total number of servers:
- meeting the baseline for hardening.
- exceeding current patching standards.
- exceeding availability thresholds.
- experiencing hardware failures.

48. Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
- Budget allocated to the BYOD program security controls
- Number of devices enrolled in the BYOD program
- Number of incidents originating from BYOD devices
- Number of users who have signed a BYOD acceptable use policy

49. Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?
- The chief information security officer (CISO) has not approved the plan
- Some critical business applications are not included in the plan
- Several recovery activities will be outsourced
- The plan is not based on an internationally recognized framework

50. Which of the following is MOST helpful in providing a high-level overview of current IT risk severity?
- Risk mitigation plans
- Heat map
- Risk appetite statement
- Key risk indicators (KRIs)
51. A legacy application used for a critical business function relies on software that has reached the end of extended support. Which of the following is the MOST effective control to manage this application?
- Subscribe to threat intelligence to monitor external attacks.
- Apply patches for a newer version of the application.
- Segment the application within the existing network.
- Increase the frequency of regular system and data backups.

52. The PRIMARY purpose of using a framework for risk analysis is to:
- improve accountability.
- improve consistency.
- help develop risk scenarios.
- help define risk tolerance.

53. Which of the following will be MOST helpful when communicating roles associated with the IT risk management process?
- RACI chart
- Organizational chart
- Skills matrix
- Job descriptions

54. Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?
- A reduction in the number of user access resets
- An increase in the number of identified system flaws
- A reduction in the number of help desk calls
- An increase in the number of incidents reported

55. A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. Who should the risk scenario be reassigned to?
- Senior management
- Chief risk officer (CRO)
- Vendor manager
- Data owner

56. Which of the following would MOST likely require a risk practitioner to update the risk register?
- Development of a project schedule for implementing a risk response
- An alert being reported by the security operations center
- Completion of a project for implementing a new control
- Engagement of a third party to conduct a vulnerability scan

57. An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?
- Update the risk register
- Redesign the heat map
- Review the risk tolerance
- Perform a business impact analysis (BIA)

58. Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
- Results of end-user acceptance testing
- Variances between planned and actual cost
- Availability of in-house resources
- Completeness of system documentation

59. Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?
- Corporate incident escalation protocols are established.
- The organization-wide control budget is expanded.
- Exposure is integrated into the organization's risk profile.
- Risk appetite cascades to business unit management.

60. The risk associated with an asset after controls are applied can be expressed as:
- a function of the cost and effectiveness of controls
- the magnitude of an impact
- the likelihood of a given threat
- a function of the likelihood and impact

61. Which of the following would be of GREATEST concern regarding an organization's asset management?
- Lack of a mature records management program
- Lack of a dedicated asset management team
- Decentralized asset lists
- Incomplete asset inventory

62. Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
- Reject the risk acceptance and require mitigating controls.
- Monitor the residual risk level of the accepted risk.
- Escalate the risk decision to the project sponsor for review.
- Document the risk decision in the project risk register.

63. Which of the following BEST enables senior management to compare the ratings of risk scenarios?
- Key risk indicators (KRIs)
- Risk heat map
- Key performance indicators (KPIs)
- Control self-assessment (CSA)
64. Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
- Changes in control design
- Changes in control ownership
- A decrease in the number of key controls
- An increase in residual risk

65. Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
- Conducting internal audits
- Evaluating risk impact
- Creating quarterly risk reports
- Establishing key performance indicators (KPIs)

66. To define the risk management strategy, which of the following MUST be set by the board of directors?
- Operational strategies
- Risk governance
- Annualized loss expectancy (ALE)
- Risk appetite

67. Who is MOST important to include in the assessment of existing IT risk scenarios?
- Technology subject matter experts
- Business process owners
- Business users of IT systems
- Risk management consultants

68. A project team recommends accepting the residual risk associated with known regulatory control deficiencies. Which of the following is the risk practitioner's MOST important recommendation to the project manager?
- Present the remaining deficiencies to the project steering committee for sign-off
- Update the project risk register with the remaining deficiencies and remediation actions
- Confirm a timeline to remediate the remaining deficiencies after the project goes live
- Assess the risk of the remaining deficiencies and develop an action plan

69. To define the risk management strategy, which of the following MUST be set by the board of directors?
- Operational strategies
- Risk governance
- Annualized loss expectancy (ALE)
- Risk appetite

70. An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution. Which of the following is MOST important to mitigate risk associated with data privacy?
- Secure encryption protocols are utilized.
- Multi-factor authentication is set up for users.
- The solution architecture is approved by IT.
- A risk transfer clause is included in the contract.

71. An organization will be impacted by a new data privacy regulation due to the location of its production facilities. What action should the risk practitioner take when evaluating the new regulation?
- Assess the validity and perform update testing on data privacy controls
- Evaluate if the existing risk responses to the previous regulation are still adequate
- Develop internal control assessments over data privacy for the new regulation
- Perform an analysis of the new regulation to ensure current risk is identified

72. An information security audit identified a risk resulting from the failure of an automated control. Who is responsible for ensuring the risk register is updated accordingly?
- The risk practitioner
- The risk owner
- The control owner
- The audit manager

73. An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution. Which of the following is MOST important to mitigate risk associated with data privacy?
- Secure encryption protocols are utilized.
- Multi-factor authentication is set up for users.
- The solution architecture is approved by IT.
- A risk transfer clause is included in the contract.

74. Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?
- Evaluating risk impact
- Creating quarterly risk reports
- Establishing key performance indicators (KPIs)
- Conducting internal audits

75. Which of the following is PRIMARILY a risk management responsibility of the first line of defense?
- Implementing risk treatment plans
- Conducting independent reviews of risk assessment results
- Validating the status of risk mitigation efforts
- Establishing risk policies and standards
76. Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
- Identifying key risk indicators (KRIs)
- Evaluating the return on investment (ROI)
- Evaluating the residual risk level
- Performing a cost-benefit analysis

77. Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures?
- Mean time to recover (MTTR)
- Recovery time objective (RTO)
- Incident management service level agreement (SLA)
- IT system criticality classification

78. Which of the following is the PRIMARY reason to engage business unit managers in risk management processes?
- Improved alignment with technical risk
- Better-informed business decisions
- Enhanced understanding of enterprise architecture (EA)
- Improved business operations efficiency

79. Which of the following would provide the BEST evidence of an effective internal control environment?
- Risk assessment results
- Regular stakeholder briefings
- Adherence to governing policies
- Independent audit results

80. Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?
- Implementing mock phishing exercises
- Conducting security awareness training
- Requiring two-factor authentication
- Updating the information security policy

81. Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?
- Ensuring that control design reduces risk to an acceptable level
- Determining processes for monitoring the effectiveness of the controls
- Updating the risk register to include the risk mitigation plan
- Confirming to management the controls reduce the likelihood of the risk
82. An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
- Third-party security team
- The relationship owner
- IT risk practitioner
- Legal representation of the business

83. An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?
- Prepare a disaster recovery plan (DRP)
- Prepare a cost-benefit analysis to evaluate relocation
- Conduct a business impact analysis (BIA) for an alternate location
- Develop a business continuity plan (BCP)

84. Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
- Board of directors
- Regulators
- Vendors
- Legal team

85. Which of the following provides the BEST evidence that risk responses are effective?
- Compliance breaches are addressed in a timely manner.
- Risk with low impact is accepted.
- Residual risk is within risk tolerance.
- Risk ownership is identified and assigned.

86. Which of the following is MOST helpful to understand the consequences of an IT risk event?
- Business impact analysis
- Fault tree analysis
- Root cause analysis
- Historical trend analysis

87. Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures?
- IT system criticality classification
- Mean time to recover (MTTR)
- Incident management service level agreement (SLA)
- Recovery time objective (RTO)

88. Which of the following is MOST useful when performing a quantitative risk assessment?
- Management support
- Industry benchmarking
- RACI matrix
- Financial models

89. Which of the following should an organization perform to forecast the effects of a disaster?
- Simulate a disaster recovery.
- Develop a business impact analysis (BIA).
- Define recovery time objectives (RTO).
- Analyze capability maturity model gaps.

90. An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention. The business owner challenges whether the situation is worth remediating. Which of the following is the risk manager's BEST response?
- Identify the regulatory bodies that may highlight this gap
- Highlight news articles about data breaches
- Evaluate the risk as a measure of probable loss
- Verify if competitors comply with a similar policy

91. Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?
- Multi-factor authentication
- Role-based access controls
- Activation of control audits
- Acceptable use policies

92. Before assigning sensitivity levels to information, it is MOST important to:
- conduct a sensitivity analysis
- define recovery time objectives (RTOs)
- define the information classification policy
- identify information custodians

93. Which of the following is the MAIN purpose of monitoring risk?
- Decision support
- Benchmarking
- Risk analysis
- Communication

94. An organization has been experiencing an increasing number of spear phishing attacks. Which of the following would be the MOST effective way to mitigate the risk associated with these attacks?
- Update firewall configuration
- Require strong password complexity
- Implement a security awareness program
- Implement two-factor authentication

95. The PRIMARY advantage of involving end users in continuity planning is that they:
- have a better understanding of specific business needs
- are more objective than information security management
- can balance the overall technical and business concerns
- can see the overall impact to the business

96. Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
- a vulnerability assessment.
- a gap analysis.
- a root cause analysis.
- an impact assessment.

97. Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?
- Data architect
- Compliance manager
- Data owner
- Chief information officer (CIO)

98. Which of the following is the MOST important information to review when developing plans for using emerging technologies?
- IT strategic plan
- Organizational strategic plan
- Risk register
- Existing IT environment

99. Which of the following is MOST important to ensure when reviewing an organization's risk register?
- Risk ownership is recorded
- Vulnerabilities have separate entries
- Residual risk is less than inherent risk
- Control ownership is recorded

100. An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
- Reduce the recovery time by strengthening the response team
- Invoke the disaster recovery plan (DRP) during an incident
- Prepare a cost-benefit analysis of alternatives available
- Implement redundant infrastructure for the application

101. Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?
- Developing training and awareness campaigns
- Monitoring the enterprise's use of the Internet
- Scanning the Internet to search for unauthorized usage
- Utilizing data loss prevention (DLP) technology

102. What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system?
- Install antivirus software on the system
- Virtualize the system in the cloud
- Segment the system on its own network
- Ensure regular backups take place
103. Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?
- To develop a customer notification plan
- To identify personally identifiable information (PII)
- To determine gaps in data deidentification processes
- To identify gaps in data protection controls

104. Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor?
- Implement compensating controls
- Update the risk register
- Develop risk scenarios
- Activate the incident response plan

105. Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?
- Number of incidents originating from BYOD devices
- Number of users who have signed a BYOD acceptable use policy
- Budget allocated to the BYOD program security controls
- Number of devices enrolled in the BYOD program

106. Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
- Setting minimum sample sizes to ensure accuracy
- Listing alternative causes for risk events
- Illustrating changes in risk trends
- Monitoring the risk until the exposure is reduced

107. Which of the following is the GREATEST critical success factor (CSF) of an IT risk management program?
- Identifying IT risk scenarios
- Aligning with business objectives
- Conducting focus group meetings with key stakeholders
- Identifying enterprise risk events

108. Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?
- Ensuring that risk and control assessments consider fraud
- Monitoring the results of actions taken to mitigate fraud
- Providing oversight of risk management processes
- Implementing processes to detect and deter fraud

109. Which of the following is the MOST important for an organization to have in place to ensure IT asset protection?
- A plan that includes processes for the recovery of IT assets
- Procedures for risk assessments on IT assets
- An IT asset management checklist
- An IT asset inventory populated by an automated scanning tool

110. Which of the following is the GREATEST benefit of implementing an enterprise risk management (ERM) program?
- A common view of enterprise risk is established
- Risk management controls are implemented
- Risk-aware decision making is enabled
- Risk management is integrated into the organization

111. The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation?
- Perform a code review.
- Implement version control software.
- Implement training on coding best practices.
- Perform a root cause analysis.

112. Which risk response strategy could management apply to both positive and negative risk that has been identified?
- Mitigate
- Transfer
- Exploit
- Accept

113. An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?
- Implement BYOD mobile device management (MDM) controls.
- Enable a remote wipe capability for BYOD devices.
- Include BYOD in organizational awareness programs.
- Periodically review applications on BYOD devices.

114. Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (IoT) technology in an organization?
- The IoT threat landscape
- The business case for the use of IoT
- The network that IoT devices can access
- Policy development for IoT

115. Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
- Risk and issue tracking
- Change and release management
- An IT strategy committee
- Well documented policies and procedures

116. The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects:
- having the risk register updated regularly
- having key risk indicators (KRIs) established to measure risk
- introduced into production without high-risk issues
- having an action plan to remediate overdue issues

117. Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
- a gap analysis
- an impact assessment
- a root cause analysis
- a vulnerability assessment

118. A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements?
- Risk transfer
- Risk acceptance
- Risk mitigation
- Risk avoidance

119. The percentage of unpatched systems is a:
- critical success factor (CSF).
- key risk indicator (KRI).
- threat vector.
- key performance indicator (KPI).

120. Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
- Identify the vulnerabilities and applicable OS patches.
- Evaluate permanent fixes such as patches and upgrades.
- Document and implement a patching process.
- Temporarily mitigate the OS vulnerabilities.

121. Which of the following is MOST important when determining risk appetite?
- Benchmarking against industry standards
- Assessing regulatory requirements
- Gaining management consensus
- Identifying risk tolerance

122. Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?
- To secure resourcing for risk treatment efforts
- To hold risk owners accountable for risk action plans
- To enable senior management to compile a risk profile
- To support decision-making for risk response

123. An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
- Legal representation of the business
- IT risk practitioner
- The relationship owner
- Third-party security team

124. An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
- The relationship owner
- IT risk practitioner
- Legal representation of the business
- Third-party security team

125. Which of the following is the BEST way to protect sensitive data from administrators within a public cloud?
- Encrypt physical hard drives within the cloud
- Encrypt data before it leaves the organization
- Use an encrypted tunnel to connect to the cloud
- Encrypt the data in the cloud database

126. Which of the following has the GREATEST influence on an organization's risk appetite?
- Threats and vulnerabilities
- Internal and external risk factors
- Business objectives and strategies
- Management culture and behavior

127. An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?
- Risk acceptance
- Risk transfer
- Risk mitigation
- Risk avoidance

128. Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?
- Perform a risk assessment
- Perform a gap analysis
- Prioritize impact to the business units
- Review the risk tolerance and appetite

129.
Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?
- The chief information security officer (CISO) has not approved the plan.
- Some critical business applications are not included in the plan.
- The plan is not based on an internationally recognized framework.
- Several recovery activities will be outsourced.

130. Which of the following is the ULTIMATE objective of implementing technical controls in the IT environment?
- Enhancing the maturity of the IT control environment
- Reducing regulatory risk
- Minimizing the likelihood of a threat exposure
- Optimizing the cost of IT resources

131. An organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is the responsibility of the risk practitioner?
- Verify that existing controls continue to properly mitigate defined risk
- Test approval process controls once the project is completed
- Update the existing controls for changes in approval processes from this project
- Perform a gap analysis of the impacted control processes

132. The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for:
- data classification and labeling.
- data logging and monitoring.
- data retention and destruction.
- data mining and analytics.

133. Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments?
- Senior management has accepted more risk than usual.
- Risk associated with many assets is only expressed in qualitative terms.
- Several risk action plans have missed target completion dates.
- Many risk scenarios are owned by the same senior manager.

134.
The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to:
- incorporate subject matter expertise.
- identify specific project risk.
- obtain a holistic view of IT strategy risk.
- understand risk associated with complex processes.

135. Mapping open risk issues to an enterprise risk heat map BEST facilitates:
- risk ownership
- risk identification
- control monitoring
- risk response

136. An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?
- Annual threat reports
- Financial forecasts
- Industry benchmarks
- Audit reports

137. Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?
- Ensuring regular risk messaging is included in business communications from leadership
- Ensuring schedules and deadlines for control-related deliverables are strictly monitored
- Ensuring processes are documented to enable effective control execution
- Ensuring performance metrics balance business goals with risk appetite

138. Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
- The cost associated with incident response activities
- The composition and number of records in the information asset
- The maximum levels of applicable regulatory fines
- The length of time between identification and containment of the incident

139. An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:
- accepted.
- transferred.
- deferred.
- mitigated.

140. Which of the following is MOST likely to be impacted when a global organization is required by law to implement a new data protection regulation across its operations?
- Vulnerability assessment results
- Threat profile
- Risk ownership assignments
- Risk profile

141. Which of the following is MOST likely to deter an employee from engaging in inappropriate use of company-owned IT systems?
- A centralized computer security response team
- Regular performance reviews and management check-ins
- Code of ethics training for all employees
- Communication of employee activity monitoring

142. While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
- Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
- Request that both business units conduct another review of the risk.
- Update the risk register with the average of residual risk for both business units.
- Update the risk register to ensure both risk scenarios have the highest residual risk.

143. An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
- Authentication logs have been disabled.
- An external vulnerability scan has been detected.
- A brute force attack has been detected.
- An increase in support requests has been observed.

144. Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?
- Risk register
- Risk appetite
- Threat landscape
- Risk metrics

145. An organization is developing a security risk awareness training program for the IT help desk and has asked the risk practitioner for suggestions. In addition to technical topics, which of the following is MOST important to recommend be included in the training?
- Incident reporting procedures
- Password selection options
- Identity verification procedures
- Security policy review

146.
Which of the following is the GREATEST benefit of a three lines of defense structure?
- An effective risk culture that empowers employees to report risk
- Effective segregation of duties to prevent internal fraud
- Clear accountability for risk management processes
- Improved effectiveness and efficiency of business operations

147. Which of the following should be determined FIRST when a new security vulnerability is made public?
- How pervasive the vulnerability is within the organization
- Whether the affected technology is Internet-facing
- Whether the affected technology is used within the organization
- What mitigating controls are currently in place

148. Which of the following provides the MOST comprehensive view of an organization's IT risk management status?
- A review of IT incidents and related root cause analyses
- An aggregation of control self-assessment (CSA) results
- An IT risk register with known threats and vulnerabilities
- Interviews with IT risk stakeholders

149. Which of the following is the MOST effective way to identify an application backdoor prior to implementation?
- User acceptance testing (UAT)
- Database activity monitoring
- Source code review
- Vulnerability analysis

150. An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning ownership of the associated risk entries?
- The risk analysis for each scenario is incomplete.
- Risk aggregation has not been completed.
- Risk scenarios are not applicable.
- The volume of risk scenarios is too large.

151. Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
- Annual review
- Relevance
- Management approval
- Automation

152. If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?
- Redefine the business process to reduce the risk
- Evaluate alternative controls
- Develop a plan to upgrade technology
- Define a process for monitoring risk

153. Which of the following is MOST helpful in preventing risk events from materializing?
- Prioritizing and tracking issues
- Reviewing and analyzing security incidents
- Maintaining the risk register
- Establishing key risk indicators (KRIs)

154. Which of the following is the MOST significant indicator of the need to perform a penetration test?
- An increase in the number of infrastructure changes
- An increase in the number of high-risk audit findings
- An increase in the percentage of turnover in IT personnel
- An increase in the number of security incidents

155. Which of the following is the PRIMARY objective of establishing an organization's risk tolerance and appetite?
- To align with board reporting requirements
- To assist management in decision making
- To create organization-wide risk awareness
- To minimize risk mitigation efforts

156. Recovery time objectives (RTOs) should be based on:
- minimum tolerable downtime.
- minimum tolerable loss of data.
- maximum tolerable downtime.
- maximum tolerable loss of data.

157. The MAJOR reason to classify information assets is to:
- maintain a current inventory and catalog of information assets
- determine their sensitivity and criticality
- establish recovery time objectives (RTOs)
- categorize data into groups

158. When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
- Analyzing key risk indicators (KRIs)
- Mapping threats to organizational objectives
- Reviewing past audits
- Identifying potential sources of risk

159. Which of the following would present the MOST significant risk to an organization when updating the incident response plan?
- Undefined assignment of responsibility
- Failure to audit third-party providers
- Obsolete response documentation
- Increased stakeholder turnover

160. The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
- Intrusion detection system (IDS) rules
- Logs and system events
- Vulnerability assessment reports
- Penetration test reports

161. Which of the following is the BEST control to mitigate the risk when a critical customer-facing application has been susceptible to recent credential stuffing attacks?
- Increase password complexity requirements.
- Implement multi-factor authentication.
- Increase monitoring of account usage.
- Block IP addresses from foreign countries.

162. Which of the following would MOST likely result in agreement on accountability for risk scenarios?
- Using a facilitated risk management workshop
- Relying on generic risk scenarios
- Relying on external IT risk professionals
- Distributing predefined scenarios for review

163. Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:
- is responsible for enterprise risk management (ERM).
- is in charge of information security.
- can implement remediation action plans.
- is accountable for loss if the risk materializes.

164. Which of the following BEST enables the identification of trends in risk levels?
- Measurements for key risk indicators (KRIs) are repeatable.
- Correlation between risk levels and key risk indicators (KRIs) is positive.
- Quantitative measurements are used for key risk indicators (KRIs).
- Qualitative definitions for key risk indicators (KRIs) are used.

165. Which of the following is a drawback in the use of quantitative risk analysis?
- It is based on impact analysis of information assets.
- It requires more resources than other methods.
- It produces the results in numeric form.
- It assigns numeric values to exposures of assets.

166. A risk practitioner has been asked to recommend a key performance indicator (KPI) to assess the effectiveness of a manual process to terminate user access. Which of the following would be the BEST KPI to recommend?
- Timeframe from user termination to access revocation
- Timeframe of notification from business management to IT
- Percent increase in number of access termination requests
- Ratio of successful log-in attempts to unsuccessful log-in attempts

167. During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk?
- Require a second level of approval.
- Require a code of ethics.
- Implement continuous monitoring.
- Implement segregation of duties.

168. After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
- To confirm the impact to the risk profile
- To add new controls to mitigate the risk
- To reevaluate continued use of IoT devices
- To recommend changes to the IoT policy

169. An organization is planning to move its application infrastructure from on-premise to the cloud. Which of the following is the BEST course of action to address the risk associated with data transfer if the relationship is terminated with the vendor?
- Work closely with the information security officer to ensure the company has the proper security controls in place.
- Collect requirements for the environment to ensure the Infrastructure as a Service (IaaS) is configured appropriately.
- Meet with the business leaders to ensure the classification of their transferred data is in place.
- Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process.

170. Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process?
- To provide assessments of mitigation effectiveness
- To provide measurements on the potential for risk to occur
- To provide data for establishing the risk profile
- To provide assurance of adherence to risk management policies

171. Which of the following provides the MOST reliable information to ensure a newly acquired company has appropriate IT controls in place?
- Penetration testing
- Vulnerability assessment
- IT risk assessment
- Information system audit

172. Which of the following is MOST important for secure application development?
- Secure coding practices
- Security training for systems development staff
- Well-documented business cases
- A recognized risk management framework

173. From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
- Operational costs are reduced.
- Staff costs are reduced.
- Inherent risk is reduced.
- Residual risk is reduced.

174. Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program?
- Percentage of recovery issues identified during the exercise
- Number of total systems recovered within the recovery point objective (RPO)
- Percentage of critical systems recovered within the recovery time objective (RTO)
- Number of service level agreement (SLA) violations

175. Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation?
- Internal audit
- Risk management
- Business units
- External audit

176. The PRIMARY purpose of using a framework for risk analysis is to:
- help develop risk scenarios.
- improve accountability.
- help define risk tolerance.
- improve consistency.

177. A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?
- Risk assessment
- Forensic analysis
- Business impact analysis (BIA)
- Root cause analysis

178. Which of the following should a risk practitioner do FIRST to support the implementation of governance around organizational assets within an enterprise risk management (ERM) program?
- Hire experienced and knowledgeable resources.
- Develop a detailed risk profile.
- Schedule internal audits across the business.
- Conduct risk assessments across the business.

179. Which of the following provides the BEST evidence that a selected risk treatment plan is effective?
- Identifying key risk indicators (KRIs)
- Evaluating the return on investment (ROI)
- Performing a cost-benefit analysis
- Evaluating the residual risk level

180. A risk practitioner has been asked to recommend a key performance indicator (KPI) to assess the effectiveness of a manual process to terminate user access. Which of the following would be the BEST KPI to recommend?
- Timeframe from user termination to access revocation
- Ratio of successful log-in attempts to unsuccessful log-in attempts
- Timeframe of notification from business management to IT
- Percent increase in number of access termination requests

181. Which of the following would present the MOST significant risk to an organization when updating the incident response plan?
- Increased stakeholder turnover
- Obsolete response documentation
- Failure to audit third-party providers
- Undefined assignment of responsibility

182. Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover?
- Well documented policies and procedures
- Change and release management
- An IT strategy committee
- Risk and issue tracking

183. Which of the following is MOST helpful in preventing risk events from materializing?
- Prioritizing and tracking issues
- Maintaining the risk register
- Establishing key risk indicators (KRIs)
- Reviewing and analyzing security incidents

184. Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
- Conduct a business impact analysis (BIA).
- Schedule a penetration test.
- Apply available security patches.
- Perform a vulnerability analysis.

185. While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
- Update the risk register with the average of residual risk for both business units.
- Update the risk register to ensure both risk scenarios have the highest residual risk.
- Request that both business units conduct another review of the risk.
- Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

186. Which of the following is MOST important for managing ethical risk?
- Identifying the ethical concerns of each stakeholder
- Establishing a code of conduct for employee behavior
- Involving senior management in resolving ethical disputes
- Developing metrics to trend reported ethics violations

187. An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate this risk?
- Establishing a data classification policy
- Requiring the use of virtual private networks (VPNs)
- Requiring employee agreement of the acceptable use policy
- Conducting user awareness training

188.
Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?
- Policies and standards
- Insurance coverage
- Risk appetite and tolerance
- Security awareness training

189. An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:
- a tool for monitoring critical activities and controls.
- real-time monitoring of risk events and control exceptions.
- procedures to monitor the operation of controls.
- monitoring activities for all critical assets.

190. Which strategy employed by risk management would BEST help to prevent internal fraud?
- Ensure segregation of duties is implemented within key systems or processes.
- Require the information security officer to review unresolved incidents.
- Require control owners to conduct an annual control certification.
- Conduct regular internal and external audits on the systems supporting financial reporting.

191. Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?
- To ensure IT risk impact can be compared to the IT risk appetite
- To ensure IT risk scenarios are consistently assessed within the organization
- To ensure IT risk ownership is assigned at the appropriate organizational level
- To ensure IT risk appetite is communicated across the organization

192. Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
- Performing regular reviews and updates to the register
- Communicating the register to key stakeholders
- Recording and tracking the status of risk response plans within the register
- Removing entries from the register after the risk has been treated

193. A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
- IT system owner
- Chief risk officer (CRO)
- Business process owner
- Chief financial officer (CFO)

194. A key risk indicator (KRI) flags an exception for exceeding a threshold but remains within risk appetite. Which of the following should be done NEXT?
- Review the risk appetite level to ensure it is appropriate.
- Document that the KRI is within risk appetite.
- Adjust the risk threshold level to match risk appetite.
- Review the trend to determine whether action is needed.

195. Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
- Interview process owners.
- Perform a post-implementation review.
- Review the key performance indicators (KPIs).
- Conduct user acceptance testing (UAT).

196. Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure?
- Communicate the new risk profile.
- Review and adjust key risk indicators (KRIs).
- Re-validate the corporate risk appetite.
- Implement a new risk assessment process.

197. Which of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
- Remove risk when mitigation results in residual risk within tolerance levels.
- Remove risk that management has decided to accept.
- Remove risk that has been mitigated by third-party transfer.
- Remove risk only following a significant change in the risk environment.

198. Which of the following is a risk practitioner's BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering?
- Update risk responses.
- Redesign key risk indicators (KRIs).
- Conduct a SWOT analysis.
- Perform a threat assessment.

199. Which of the following attributes of data provided to an automated log analysis tool is MOST important for effective risk monitoring?
- Scalability
- Relevancy
- Retention
- Confidentiality

200. Which of the following should be the PRIMARY goal of developing information security metrics?
- Raising security awareness
- Enabling continuous improvement
- Ensuring regulatory compliance
- Identifying security threats

201. Who should have the authority to approve an exception to a control?
- Control owner
- Risk manager
- Risk owner
- Information security manager

202. A project team recommends accepting the residual risk associated with known regulatory control deficiencies. Which of the following is the risk practitioner's MOST important recommendation to the project manager?
- Update the project risk register with the remaining deficiencies and remediation actions.
- Confirm a timeline to remediate the remaining deficiencies after the project goes live.
- Present the remaining deficiencies to the project steering committee for sign-off.
- Assess the risk of the remaining deficiencies and develop an action plan.

203. Who should be responsible for evaluating the residual risk after a compensating control has been applied?
- Control owner
- Compliance manager
- Risk practitioner
- Risk owner

204. The MOST essential content to include in an IT risk awareness program is how to:
- populate risk register entries and build a risk profile for management reporting.
- comply with the organization's IT risk and information security policies.
- prioritize IT-related actions by considering risk appetite and risk tolerance.
- define the IT risk framework for the organization.

205. Making decisions about risk mitigation actions is the PRIMARY role of the:
- risk owner.
- risk manager.
- risk practitioner.
- risk officer.

206. An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:
- the service provider's existing controls.
- guidance provided by the external auditor.
- the organization's specific control requirements.
- a recognized industry control framework.

207. Which of the following privacy principles reduces the impact of accidental leakage of personal data?
- Accuracy
- Purpose
- Minimization
- Transparency

208. The PRIMARY reason for communicating risk assessment results to data owners is to enable the:
- design of appropriate controls.
- industry benchmarking of controls.
- classification of information assets.
- prioritization of response efforts.

209. Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?
- An increase in the number of risk threshold exceptions
- An increase in the number of change events pending management review
- A decrease in the number of critical assets covered by risk thresholds
- A decrease in the number of key performance indicators (KPIs)

210. Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan?
- To ensure completion of the risk assessment cycle
- To ensure residual risk is at an acceptable level
- To ensure control costs do not exceed benefits
- To ensure controls are operating effectively

211. Which of the following would MOST effectively reduce risk associated with an increased volume of online transactions on a retailer website?
- A hot backup site
- Scalable infrastructure
- Website activity monitoring
- Transaction limits

212. An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:
- risk tolerance.
- risk evaluation.
- risk appetite.
- risk mitigation.

213. An organization is planning to engage a cloud-based service provider for some of its data-intensive business operations. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
- Service level agreement (SLA) - Scope of services provided - Customer service reviews - Right to audit the provider 214. Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud? - Ensuring that risk and control assessments consider fraud - Providing oversight of risk management processes - Implementing processes to detect and deter fraud - Monitoring the results of actions taken to mitigate fraud 215. Which of the following is MOST important to ensure when reviewing an organization s risk register? - Vulnerabilities have separate entries. - Residual risk is less than inherent risk. - Control ownership is recorded. - Risk ownership is recorded 216. Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance? - Update the risk response in the risk register. - Ensure the acceptance is set to expire over time. - Increase the risk appetite to align with the current risk level. - ® Verify authorization by senior management. 217. A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity Which of the following is the BEST way 10 resolve this concern? - Remove the control to accommodate business objectives - Request a waiver to the requirements - Absorb (he loss in productivity. - Escalate the issue to senior management 218. Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access? - Updating remote desktop software - ® Updating the organizational policy for remote access - Creating metrics to track remote connections - Implementing multi-factor authentication 219. A poster has been displayed in a data center that reads. 'Anyone caught taking photographs in the data center may be subject to disciplinary action \' Which of the following control types has been implemented? 
- C Corrective - C Detective - A Deterrent - Preventative 220. Which of the following would provide the BEST evidence of an effective internal control environment? - Adherence to governing policies - Regular stakeholder briefings - Risk assessment results - Independent audit results 221. Of the following. who is responsible for approval when a change in an application system is ready for release to production? - Information security officer - IT risk manager - 0 Chief risk officer (CRO) - Business owner 222. Which of the following is the BEST approach to mitigate the risk associated with a control deficiency? - Build a provision for risk. - Perform a business case analysis. - Conduct a control self-assessment (CSA). - Implement compensating controls 223. Which of the following is MOST important when determining risk appetite? - Assessing regulatory requirements - 0 Benchmarking against industry standards - 0 Gaining management consensus - 0 Identifying risk tolerance 224. Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls\'? - The risk register - Emerging technology trends - Data classification policy - © The IT strategic plan 225. Which risk response strategy could management apply to both positive arid negative risk that has been identified\'? - Mitigate - Exploit - C Accept - C Transfer 226. An organization implements a risk avoidance approach to collecting personal information. Which of the following is the BEST way for a risk practitioner to validate the risk response? - Perform a scan for personal information. - Verify security baselines are implemented for databases. - Confirm that personal information is encrypted. - Review the privacy policy to confirm it is up to date. 227. Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)? - Management approval - Automation - Relevance - Annual review 228. 
What IS me BEST recommendation in reduce the nsk associated with potential system compromise when a vendor stops releasing security patches and updates for a Business- critical legacy system? - \% Segment the system on Is own network - Ensure regular- backups lake place. - Virtualize the system in the cloud. - Install antivirus software on the system 229. A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls? - Forensic analysis - Business impact analysis (BIA) - Risk assessment - Root cause analysis 230. Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios? - Internal auditor - Finance manager - Control owner - Asset owner 231. Which of the following BEST enables the selection of appropriate risk treatment in the event of a disaster? - Risk treatment plan - Business impact analysis (BIA) - Failover procedures - Risk scenario analysis 232. Which of the following should be management\'s PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds? - Determining if KRIs have been updated recently - Assessing the effectiveness of the incident response plan - Determining what has changed in the environment - Designing compensating controls 233. Which of the following should be the FIRST step to investigate an IT monitoring system that has a decreasing alert rate? - Conduct regression testing to ensure alerts can be triggered - Determine the root cause for the change in alert rate. - Adjust the sensitivity to trigger more alerts. - Review and adjust the timing of the reporting window. 234. Which of the following is the PRIMARY reason for an organization Io include an acceptable use banner when users log in? 
- To reduce the likelihood of insider threat - To eliminate the possibility of insider threat - To enable rapid discovery of insider threat - To reduce the Impact of insider threat 235. After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to: - review the impact to the IT environment. - prepare an IT risk mitigation strategy. - escalate to senior management. - perform a cost-benefit analysis. 236. A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure The result is that the control is: - mature - ineffective. - optimized. - ft Inefficient 237. Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud? - 4 Implementing processes to detect and deter fraud - Monitoring the results of actions taken to mitigate fraud - Providing oversight of risk management processes - Ensuring that risk and control assessments consider fraud 238. Which of the following practices would be MOST effective in protecting personally identifiable information (Pll\] from unauthorized access in a cloud environment? - Require logical separation of company data. - Utilize encryption with logical access controls. - Apply data classification policy. - Obtain the right to audit. 239. What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part ot its hiring process\'? - Reduce internal threats. - Ensure new hires have the required skills. - Eliminate risk associated with personnel. - Reduce exposure to vulnerabilities. 240. Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register\"? 
- To track historical risk assessment results - To support regulatory requirements - To prevent the risk scenario In the current environment - To monitor for potential changes to the risk scenario 241. Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program? - Best practices - Desired risk level - Regulatory compliance - Risk ownership 242. Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program? - Budget allocated to the BYOD program security controls - Number of devices enrolled in the BYOD program - Number of incidents originating from BYOD devices - Number of users who have signed a BYOD acceptable use policy 243. While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action? - Update the risk register to ensure both risk scenarios have the highest residual risk. - Review the assumptions of both risk scenarios to determine whether the variance is reasonable. - Request that both business units conduct another review of the risk - Update the risk register with the average of residual risk for both business units. 244. Which of the following is MOST Important to include when reporting the effectiveness of risk management to senior management? - Changes in the organization\'s risk appetite and risk tolerance levels - Impact due to changes in external and internal risk (actors - 9 Changes in residual risk levels against acceptable levels - Gaps in best practices and implemented controls across the industry 245. An organization\'s business process requires the verbal verification of personal information in an environment where other customers may overhear this information. Which of the following is the MOST significant risk? 
- The process could result in intellectual property theft. - The customer may view the process negatively. - The process could result in compliance violations. - The information could be used for identity theft 246. Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective? - Control self-assessment (CSA) - Independent audit report - Key performance indicators (KPIs) - Service level agreements (SLAs) 247. A recent regulatory requirement has the potential to affect an organization s use of a third patty to supply outsourced business services. Which of the following is the BEST course of action? - W Conduct a gap analysis - 0 Terminate the outsourcing agreement - 0 Identify compensating controls. - Transfer risk to the third party 248. Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities? - Temporarily mitigate the OS vulnerabilities. - Identify the vulnerabilities and applicable OS patches. - Evaluate permanent fixes such as patches and upgrades. - Document and implement a patching process. 249. Which of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a protect life cycle? - Number of protects going live without a security review - Number of employees completing project-specific security training - Number ol security projects started in core departments - Number ol security-related status reports submitted by project managers 250. Which of the following should a risk practitioner validate FIRST when a mitigating control cannot be implemented fully to support business objectives? - If the risk owner has accepted the risk - If business objectives continue to align with organizational goals - If insurance coverage has been obtained - If compensating controls have been implemented 251. 
An organization 6 implementing encryption tor data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk\*7 - Data retention requirements - Data destruction requirements - Key management - Cloud storage architecture 252. Risk acceptance of an exception to a security control would MOST likely be justified when: - the control is difficult to enforce in practice. - automation cannot be applied to the control. - the end-user license agreement has expired. - business benefits exceed the loss exposure. 253. Which of the following BEST enables senior management to compare the ratings of risk scenarios? - Key risk indicators (KRIs) - Key performance indicators (KPIs) - Control self-assessment (CSA) - Risk heal map 254. An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST\'? - Update the risk register. - Update the security strategy. - Implement additional controls. - \' Conduct a risk assessment. 255. Which of the following IB the MOST effective way Io promote organization-wide awaieness of data security in response to an increase In regulatory penalties for data leakage? - Enforce sanctions for noncompliance with security procedures. - Conduct organization-wide phishing simulations - Require training on the data handling policy - Require regular testing of the data breach response plan. 256. A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management? - Assessing noncompliance with control best practices - Reviewing the roles and responsibilities of control process owners - Reviewing the IT policy with the risk owner - Assessing the degree to which the control hinders business objectives 257. 
What is senior management\'s role in the RACI model when tasked with reviewing monthly status reports provided by risk owners? - Accountable - Informed - Responsible - Consulted 258. Which of the following would BEST facilitate the implementation of data classification requirements\'? - Implementing technical controls over the assets - Assigning a data owner - Scheduling periodic audits - implementing a data loss prevention (DIP) solution 259. Which of the fallowing changes would be reflected in an organization\'s risk profile after the failure of a critical patch implementation? - Inherent risk is increased. - 0 Residual risk is increased. - Risk tolerance is decreased. - Risk appetite is decreased. 260. For a large software development project, risk assessments are MOST effective when performed: - at system development. - at each stage of the system development life cycle (SDLC). - before system development begins. - during the development of the business case. 261. Which of the following should be a risk practitioner\'s NEXT step after learning of an incident that has affected a competitor? - Activate the incident response plan. - Implement compensating controls. - Update the risk register. - Develop risk scenarios. 262. A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology? - Chief financial officer (CFO) - Chief risk officer (CRO) - IT system owner - Business process owner 263. Which of the following is the BEST way to quantify the likelihood of risk materialization\'? - Balanced scorecard - year and vulnerability assessment - Compliance assessments - Business impact analysis (BIA) 264. Which of the following management actions will MOST likely change the likelihood rating of a risk see nano related to remote network access? 
- Creating metrics to track remote connections - C Implementing multi-factor authentication - Updating remote desktop software - Updating the organizational policy for remote access 265. Where is the FIRST place a risk practitioner should look to identify accountability for a specific risk? - Risk scenario - Risk response plan - 1 RACI matrix - Risk register 266. An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register? - Risk acceptance - Risk mitigation - Risk avoidance - Risk transfer 267. Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (Pll)? - Local laws and regulations - Security features and support - Business strategies and needs - Costs and benefits 268. A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions? - Segregation of duties - Periodic user privileges review - Periodic internal audits - Log monitoring 269. Which of the following should be an element of the risk appetite of an organization? - The effectiveness of compensating controls - The residual risk affected by preventive controls - The amount of inherent risk considered appropriate - The enterprise s capacity to absorb loss 270. When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address? - Sharing company information on social media - Using social media to maintain contact with business associates - Sharing personal information on social media - Using social media for personal purposes during working hours 271. 
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? - Prepare a business case for the response options. - Identify resources for implementing responses - Develop a mechanism for monitoring residual risk - V Update the risk register with the results. 272. Which of the following is a PRIMARY benefit of creating an organizational code of conduct? - Enhanced integrity of management - Improvement in workforce productivity - Identification of ethical risk facing the organization - \[S\] Clear expectations for employee behavior 273. A large organization needs to report risk at all levels for a new centralized virtualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management? - Risk heat map - Centralized risk register - Aggregated key performance indicators (KPIs) - Key risk indicators (KRIs) 274. Which of the following is the PRIMARY accountability for a control owner? - Communicate risk to senior management. - Own me associated risk the control is mitigating. - Ensure the control operates effectively. - Identify and assess control weaknesses. 275. Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures? - Relevant risk case studies - Risk assessment results - Penetration testing results - Internal audit findings 276. An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily Which of the following is MOST important to include in a risk awareness training session for the customer service department? 
- identifying social engineering attacks - Understanding the importance of using a secure password Understanding the incident management process Archiving sensitive information 277. When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register? - Leveraging business risk professionals - Relying on generic IT risk scenarios - Describing IT risk in business terms - H Using a common risk taxonomy 278. Which of the following sources is MOST relevant to reference when updating security awareness training materials? - Global security standards - Risk register - Risk management framework - Recent security incidents reported by competitors 279. An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual true requited for the response team to recover the application Which of the following should be the NEXT course of action? - Invoke the disaster recovery plan (DRP) during an incident. - Reduce the recovery tana by strengthening the response team, h Prepare a cost-benefit analysis of alternatives available. - C Implement redundant infrastructure for the application 280. What should bo a risk practitioner\'s PRIMARY focus when evaluating a proposed robotic process automation of a business service? - Control capability - Cost-benefit analysis - License availability - Code review 281. An organization is planning to implement a guest wireless network granting Internet access only. Which of the following is the MOST important consideration to effectively mitigate the risk of guests gaining access to the organization s internal network? - Guests are required to accept terms and conditions. - The networks are property segregated from each other. - Only approved equipment is allowed on the guest network. - The wireless network is not available outside the office areas. 282. 
Which of the following controls MOST effectively addresses the risk associated with tailgating into a restricted area? - Implementing CCTV monitoring - Using biometric door locks - Security awareness training - Using two-factor authentication 283. Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation? - Availability of in-house resources - Completeness of system documentation - Results of end-user acceptance testing - Variances between planned and actual cost 284. Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services? - Change testing schedule - Change communication plan - User acceptance testing (UAT) - Impact assessment of the change 285. When developing risk scenarios using a list of generic scenarios based on industry best practices, it is MOST important to: - validate the generic risk scenarios for relevance. - select the maximum possible risk scenarios from the list. - identify common threats causing generic risk scenarios. - assess generic risk scenarios with business users 286. Which of the following is the MOST appropriate action when a tolerance threshold is exceeded? - Research the root cause of similar incidents. - Increase human resources to respond in the interim. - Communicate potential impact to decision makers - Verify the response plan is adequate. 287. Which of the following should be the PRIMARY focus of an IT risk awareness program? - Communicate IT risk policy to the participants. - Cultivate long-term behavioural change. - Ensure compliance with the organization\'s internal policies. - Demonstrate regulatory compliance. 288. Which of the following will be the GREATEST concern when assessing the risk profile of an organization? - The risk profile does not contain historical loss data. - The risk profile was last reviewed two years ago. 
- The risk profile was developed without using industry standards. - The risk profile was not updated after a recent incident. 289. The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables: - allocation of available resources. - risk to be expressed in quantifiable terms. - clear understanding of risk levels. - assignment of risk to the appropriate owners. 290. Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern? - The plan is not based on an internationally recognized framework. - The chief information security officer (CISO) has not approved the plan. - Some critical business applications are not included in the plan. - Several recovery activities will be outsourced. 291. In an organization with mature risk management practices, the risk appetite can be inferred from which of the following? - Residual risk - Compliance reports - Control taxonomy - Inherent risk 292. A risk practitioner is presenting the risk profile to management, indicating an increase in the number of successful network attacks. This information would be MOST helpful to: - justify additional controls. - determine the availability of network resources. - justify investing in a log collection system. - determine the frequency of monitoring. 293. Which of the following is the GREATEST risk associated with inappropriate classification of data? - Inaccurate recovery time objectives (RTOs) - Inaccurate record management data - \[5\] Users having unauthorized access to data - Lack of accountability for data ownership 294. An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been: - accepted, - mitigated, - deferred, - transferred 295. 
Which of the following is the GREATEST critical success factor (CSF) of an IT risk management program? - Identifying IT risk scenarios - Identifying enterprise risk events - Conducting focus group meetings with key stakeholders - Aligning with business objectives 296. An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk? - Classification of the data - Type of device - Volume of data - Remote management capabilities 297. An organization\'s email protection policy states that at least 95% of phishing emails should be blocked by email filters. Which type of indicator has been established? - Key goal indicator (KGI) - Key risk indicator (KR1) - \] Key performance indicator (KPI) - Key control indicator (KCI) 298. What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner\'s business impact analysis (BIA)? - Include the application in the business continuity plan (BCP) - Report the finding to management - Determine the business purpose of the application. - Segregate the application from the network. 299. A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to: - include detailed deviations from industry benchmarks. - include a summary linking information to stakeholder needs. - include a roadmap to achieve operational excellence - publish the report on-demand for stakeholders. 300. Which of the following should bo of MOST concern to a risk practitioner reviewing an organization\'s risk register after the completion of a series of risk assessments? - Several risk action plans have missed target completion dates. - Risk associated with many assets is only expressed in qualitative terms. - Senior management has accepted more risk than usual. - Many risk scenarios are owned by the same senior manager. 301. 
Management has determined that it will take significant time to remediate exposures in the current IT control environment. Which of the following is the BEST course of action? - Identify compensating controls. - Improve project management methodology. - Implement control monitoring - Reassess the risk periodically. 302. When establishing a business continuity plan (BCP), which of the following should be performed to identify possible loss events? - Business impact analysis (BIA) - Incident response testing - Residual risk profile review - Vulnerability assessment 303. Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured. L & belongs with: - line management. - internal audit. - enterprise compliance. - the IT risk function. 304. An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner\'s recommendation? - Invoke the incident response plan. - Conduct a risk analysis. - Disable the user account. - Initiate a remote data wipe. 305. Which of the following is the role of the board of directors in the three lines of defe
