Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization's data disposal policy?
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?
Which of the blowing is MOST important when implementing an organization s security policy?
An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?
Which of the following is the PRIMARY objective of maintaining an information asset inventory?
An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset?
The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios?
Which of the following is the BEST method to maintain a common view of IT risk within an organization?
An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices?
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
Which of the following roles should be assigned accountability for monitoring risk levels?
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?
The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
An organization is conducting a review of emerging risk. Which of the following is the BEST input for this exercise?
Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?
When updating the risk register after a risk assessment, which of the following is MOST important to include?
An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?
A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?
A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?
Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:
An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
Which of the following BEST indicates how well a web infrastructure protects critical information from an attacker?
During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?
To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?
Which of the following will help ensure the elective decision-making of an IT risk management committee?
Which of the following BEST indicates whether security awareness training is effective?
An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:
Winch of the following is the BEST evidence of an effective risk treatment plan?
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?
An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?
Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?
Which of the following tools is MOST effective in identifying trends in the IT risk profile?
Which type of indicators should be developed to measure the effectiveness of an organization's firewall rule set?
Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?
An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?
Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk?
When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?
Which of the following is the BEST indicator of an effective IT security awareness program?
Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?
An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
Key risk indicators (KRIs) are MOST useful during which of the following risk management phases?
In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?
Which of the following is the BEST way to determine the ongoing efficiency of control processes?
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
The acceptance of control costs that exceed risk exposure is MOST likely an example of:
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
Which of the following would BEST ensure that identified risk scenarios are addressed?
Which of the following is MOST effective against external threats to an organizations confidential information?
Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
Which of the following is MOST important when developing key performance indicators (KPIs)?
A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?
The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Who should be accountable for ensuring effective cybersecurity controls are established?
Which of the following will BEST quantify the risk associated with malicious users in an organization?
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
Which of the following is the MOST important consideration when developing an organization's risk taxonomy?
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
Which of the following is the BEST way to validate the results of a vulnerability assessment?
Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)?
Which of the following should be the HIGHEST priority when developing a risk response?
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
Which of the following is the BEST indication of an effective risk management program?
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
Which of the following is the MOST important element of a successful risk awareness training program?
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
Which of the following is the MOST cost-effective way to test a business continuity plan?
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?
Quantifying the value of a single asset helps the organization to understand the:
It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:
Deviation from a mitigation action plan's completion date should be determined by which of the following?
Read" rights to application files in a controlled server environment should be approved by the:
A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?
The MOST important reason to monitor key risk indicators (KRIs) is to help management:
A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?
Which of the following statements in an organization's current risk profile report is cause for further action by senior management?
Which of these documents is MOST important to request from a cloud service
provider during a vendor risk assessment?
Which of the following is the MOST important input when developing risk scenarios?
An IT license audit has revealed that there are several unlicensed copies of co be to:
Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?
Which of the following is MOST important for developing effective key risk indicators (KRIs)?
A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?
Which of the following is MOST important to the effective monitoring of key risk indicators (KRIS)?
Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?
Which of the following activities should be performed FIRST when establishing IT risk management processes?
Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?
A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?
Of the following, who should be responsible for determining the inherent risk rating of an application?
An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?
Which of the following would BEST enable a risk practitioner to embed risk management within the organization?
Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds?
Which of the following indicates an organization follows IT risk management best practice?
Which of the following is the PRIMARY benefit of identifying and communicating with stakeholders at the onset of an IT risk assessment?
The MOST essential content to include in an IT risk awareness program is how to:
After identifying new risk events during a project, the project manager s NEXT step should be to:
A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?
An organization is making significant changes to an application. At what point should the application risk profile be updated?
Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?
A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain
access to affected IT systems. Which of the following is MOST likely to change as a result of this situation?
A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner
recommend be done NEXT?
Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?
The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:
Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?
Which of the following BEST indicates that an organizations risk management program is effective?
Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?
During the control evaluation phase of a risk assessment, it is noted that multiple controls are ineffective. Which of the following should be the risk practitioner's FIRST course of action?
Which of the following is the GREATEST benefit of identifying appropriate risk owners?
An organization recently configured a new business division Which of the following is MOST likely to be affected?
When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?
Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk?
Which key performance efficiency IKPI) BEST measures the effectiveness of an organization's disaster recovery program?
Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth''
A legacy application used for a critical business function relies on software that has reached the end of extended support Which of the following is the MOST effective control to manage this application?
A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?
Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization?
During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT?
Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?
A cote data center went offline abruptly for several hours affecting many transactions across multiple locations. Which of the to" owing would provide the MOST useful information to determine mitigating controls?
Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?
Which of the following is MOST important information to review when developing plans for using emerging technologies?
What is senior management's role in the RACI model when tasked with reviewing monthly status reports provided by risk owners?
An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?
An organization has experienced a cyber attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners?
Which of the following presents the GREATEST challenge to managing an organization's end-user devices?
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''
Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?
An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention The business owner challenges whether the situation is worth remediating Which of the following is the risk manager s BEST response'