An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to analyze these concerns?
Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution?
Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?
Which of the following is the GREATEST risk associated with inappropriate classification of data?
A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?
A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?
Which of the following is the BEST recommendation to senior management when the results of a risk and control assessment indicate a risk scenario can only be partially mitigated?
The BEST way to demonstrate alignment of the risk profile with business objectives is through:
A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner?
Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?
A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
Which of the following is the MOST effective control to maintain the integrity of system configuration files?
Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization?
The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
Which of the following is the BEST evidence that risk management is driving business decisions in an organization?
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
Which of the following presents the GREATEST risk to change control in business application development over the complete life cycle?
The PRIMARY reason for tracking the status of risk mitigation plans is to ensure:
Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register?
The risk associated with an asset after controls are applied can be expressed as:
An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated the reflect this change?
Which of the following would BEST help secure online financial transactions from improper users?
When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes
An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?
Which of the following is MOST important for developing effective key risk indicators (KRIs)?
Which of the following approaches BEST identifies information systems control deficiencies?
Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control?
Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization?
Risk acceptance of an exception to a security control would MOST likely be justified when:
The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be:
Who is MOST important lo include in the assessment of existing IT risk scenarios?
A failure in an organization’s IT system build process has resulted in several computers on the network missing the corporate endpoint detection and response (EDR) software. Which of the following should be the risk practitioner's IMMEDIATE concern?
Recent penetration testing of an organization's software has identified many different types of security risks. Which of the following is the MOST likely root cause for the identified risk?
Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?
Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?
Which of the following would MOST likely cause management to unknowingly accept excessive risk?
Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization?
Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media?
Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization?
Which of the following would BEST indicate to senior management that IT processes are improving?
Which of the following is MOST helpful in aligning IT risk with business objectives?
Which of the following activities should only be performed by the third line of defense?
The BEST way for an organization to ensure that servers are compliant to security policy is
to review:
Which of the following is the MOST important document regarding the treatment of sensitive data?
Which of the following is the GREATEST risk of relying on artificial intelligence (Al) within heuristic security systems?
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?
A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take?
When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:
Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)?
During the creation of an organization's IT risk management program, the BEST time to identify key risk indicators (KRIs) is while:
A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management the risk practitioner should explain:
An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?
Which of the following would BEST provide early warning of a high-risk condition?
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
Which of the following is the BEST course of action to help reduce the probability of an incident recurring?
Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology?
Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?
During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?
Which of the following is the MOST essential characteristic of a good IT risk scenario?
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?
An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control?
An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following
is MOST important to include in a risk awareness training session for the customer service department?
The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:
Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management?
Which of the following is the BEST way to assess the effectiveness of an access management process?
Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation?
Which of the following BEST supports the management of identified risk scenarios?
Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?
Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative?
Which of the following is the MOST important criteria for selecting key risk indicators (KRIs)?
Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?
Which of the following is the PRIMARY reason for logging in a production database environment?
An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization?
Which of the following is the BEST key control indicator (KCI) for risk related to IT infrastructure failure?
Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?
Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?
Which of the following will BEST help to ensure implementation of corrective action plans?
Which of the following outcomes of disaster recovery planning is MOST important to enable the initiation of necessary actions during a disaster?
A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?
If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected?
An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?
Which of the following is the MOST critical consideration when awarding a project to a third-party service provider whose servers are located offshore?
An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?
Which of the following describes the relationship between risk appetite and risk tolerance?
Which of the following scenarios is MOST important to communicate to senior management?
Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?
The BEST way for management to validate whether risk response activities have been completed is to review:
An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?
Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario?
The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they:
Which of the following has the GREATEST positive impact on ethical compliance within the risk management process?
Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite?
Which of the following is MOST useful for measuring the existing risk management process against a desired state?
Which of the following is the MOST important data attribute of key risk indicators (KRIs)?
A risk practitioner has been notified that an employee sent an email in error containing customers' personally identifiable information (Pll). Which of the following is the risk practitioner's BEST course of action?
Which of the following is the BEST Key control indicator KCO to monitor the effectiveness of patch management?
An organization has committed to a business initiative with the knowledge that the risk exposure is higher than the risk appetite. Which of the following is the risk practitioner's MOST important action related to this decision?
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
The PRIMARY reason for a risk practitioner to review business processes is to:
Which of the following is MOST helpful when prioritizing action plans for identified risk?
Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?
Which of the following is the PRIMARY risk management responsibility of the second line of defense?
Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
When a risk practitioner is building a key risk indicator (KRI) from aggregated data, it is CRITICAL that the data is derived from:
The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:
Which of the following is the BEST key control indicator (KCI) for a vulnerability management program?
Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?
The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:
The BEST indication that risk management is effective is when risk has been reduced to meet:
Which of the following is the STRONGEST indication an organization has ethics management issues?
Which of the following BEST assists in justifying an investment in automated controls?
A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?
Improvements in the design and implementation of a control will MOST likely result in an update to:
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?
The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:
Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?
Which of the following is the BEST indication of the effectiveness of a business continuity program?
Who is responsible for IT security controls that are outsourced to an external service provider?
Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals?
A change management process has recently been updated with new testing procedures. What is the NEXT course of action?
A robotic process automation (RPA) project has implemented new robots to enhance the efficiency of a sales business process. Which of the following provides the BEST evidence that the new controls have been implemented successfully?
Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database''
Which of the following contributes MOST to the effective implementation of risk responses?
When of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance?
The MAIN reason for prioritizing IT risk responses is to enable an organization to:
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
Which of the following would BEST facilitate the implementation of data classification requirements?
Which of the following is the MOST important benefit of reporting risk assessment results to senior management?
Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?
What information is MOST helpful to asset owners when classifying organizational assets for risk assessment?
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
Which of the following is the PRIMARY risk management responsibility of the second line of defense?
Which of the following BEST enables senior management lo compare the ratings of risk scenarios?
Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in?
Which strategy employed by risk management would BEST help to prevent internal fraud?
Which of the following is the BEST source for identifying key control indicators (KCIs)?
Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application?
Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?
An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?
Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?
Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?
Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network?
Which of the following should be included in a risk scenario to be used for risk analysis?
Which of the following data would be used when performing a business impact analysis (BIA)?
Which of the following is the MOST appropriate action when a tolerance threshold is exceeded?
Which of the following should be done FIRST when developing a data protection management plan?
Which of the following should be the PRIMARY focus of an IT risk awareness program?
Which of the following controls are BEST strengthened by a clear organizational code of ethics?
The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:
The MAIN purpose of reviewing a control after implementation is to validate that the control:
Days before the realization of an acquisition, a data breach is discovered at the company to be acquired. For the accruing organization, this situation represents which of the following?
A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions?
Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?
An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios?
Which of the following is the BEST approach when a risk treatment plan cannot be completed on time?
Which of the following would BEST facilitate the implementation of data classification requirements?
Which of the following should management consider when selecting a risk mitigation option?
An organization has implemented a policy requiring staff members to take a minimum of five consecutive days' leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?
Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?
A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?
A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?
Which of the following should be the MOST important consideration when performing a vendor risk assessment?
Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?
Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?
An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action?
Which of the following is the MOST effective way to help ensure future risk levels do not exceed the organization's risk appetite?
Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)?
Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
An organization is outsourcing a key database to be hosted by an external service provider. Who is BEST suited to assess the impact of potential data loss?
An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:
A technology company is developing a strategic artificial intelligence (Al)-driven application that has high potential business value. At what point should the enterprise risk profile be updated?
From a risk management perspective, the PRIMARY objective of using maturity models is to enable:
A risk practitioner has been asked by executives to explain how existing risk treatment plans would affect risk posture at the end of the year. Which of the following is MOST helpful in responding to this request?
Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
A risk practitioner is MOST likely to use a SWOT analysis to assist with which risk process?
Which of the following is the BEST way to validate the results of a vulnerability assessment?
A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy?
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?
Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?
Which of the following BEST indicates that an organizations risk management program is effective?
A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?
Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?
Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?
The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:
Which of the following is MOST important to sustainable development of secure IT services?
Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:
Which of the following would offer the MOST insight with regard to an organization's risk culture?
After identifying new risk events during a project, the project manager s NEXT step should be to:
Which of the following will BEST help an organization select a recovery strategy for critical systems?
Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?
Which of the following is the BEST approach for performing a business impact analysis (BIA) of a supply-chain management application?
When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?
Which of the following would MOST likely result in updates to an IT risk appetite statement?
Which of the following will BEST communicate the importance of risk mitigation initiatives to senior management?
When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?
Which of the following would BEST enable a risk practitioner to embed risk management within the organization?
Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?
Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?
An organization has raised the risk appetite for technology risk. The MOST likely result would be:
An organization's risk practitioner learns a new third-party system on the corporate network has introduced vulnerabilities that could compromise corporate IT systems. What should the risk practitioner do
FIRST?
Which of the following methods would BEST contribute to identifying obscure risk scenarios?
The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:
Which of the following is the MOST important component of effective security incident response?
Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?
From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?
Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?
Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets?
To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?
IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would
be MOST helpful?
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
Which of the following is the MOST important factor affecting risk management in an organization?
A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?
Which of the following is MOST important when developing key performance indicators (KPIs)?
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
Which of the following is the MOST cost-effective way to test a business continuity plan?
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
Which of the following is MOST helpful when determining whether a system security control is effective?
Which of the following controls would BEST reduce the risk of account compromise?
An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
Which of the following is MOST important to understand when determining an appropriate risk assessment approach?
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
What is the BEST information to present to business control owners when justifying costs related to controls?
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?
A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:
Which of the following roles would provide the MOST important input when identifying IT risk scenarios?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?
A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
It is MOST appropriate for changes to be promoted to production after they are:
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
A rule-based data loss prevention {DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
Calculation of the recovery time objective (RTO) is necessary to determine the:
Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
Which of the following is the MOST important benefit of key risk indicators (KRIs)'
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
Which of the following is the MOST important outcome of reviewing the risk management process?
The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:
Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
Which of the following is a specific concern related to machine learning algorithms?
An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
The MOST important characteristic of an organization s policies is to reflect the organization's:
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?
When an organization's business continuity plan (BCP) states that it cannot afford to lose more than three hours of a critical application's data, the three hours is considered the application’s:
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?
Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
Which of the following is the BEST indication of an effective risk management program?
An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements?
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.
An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?
Which of the following will BEST quantify the risk associated with malicious users in an organization?
An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to:
In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
Which of the following is the MOST important consideration when sharing risk management updates with executive management?
Which of the following is the MOST effective key performance indicator (KPI) for change management?
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should:
Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?
Which of the following should be the PRIMARY goal of developing information security metrics?
Which of the following is the GREATEST risk associated with the misclassification of data?
Which of the following is the MOST important consideration when implementing ethical remote work monitoring?
When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?
An organization must make a choice among multiple options to respond to a risk. The stakeholders cannot agree and decide to postpone the decision. Which of the following risk responses has the organization adopted?
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
Which of the following is the BEST evidence that a user account has been properly authorized?
Which of the following should be the risk practitioner s FIRST course of action when an organization has decided to expand into new product areas?
A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
What should a risk practitioner do FIRST when vulnerability assessment results identify a weakness in an application?
Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?
Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?
Which of the following should be the MAIN consideration when validating an organization's risk appetite?
Which of these documents is MOST important to request from a cloud service
provider during a vendor risk assessment?
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?
When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?
An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?
Which of the following is the BEST way to support communication of emerging risk?
An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner s BEST course of action?
An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:
Which of the following is the GREATEST concern associated with business end users developing their own applications on end user spreadsheets and database programs?
Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?
Which of the following should be the PRIMARY objective of a risk awareness training program?
Which of the following BEST facilitates the development of effective IT risk scenarios?
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?
An IT license audit has revealed that there are several unlicensed copies of co be to:
Which of the following will provide the BEST measure of compliance with IT policies?
Which of the following activities is PRIMARILY the responsibility of senior management?
Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?
Which of the following methods is the BEST way to measure the effectiveness of automated information security controls prior to going live?
A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?
A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?
An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management’s decision?
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
Which of the following should be a risk practitioner's NEXT step upon learning the impact of an organization's noncompliance with a specific legal regulation?
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
When of the following is the MOST significant exposure when an application uses individual user accounts to access the underlying database?
Within the three lines of defense model, the accountability for the system of internal control resides with:
A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?
Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?
The MOST important consideration when selecting a control to mitigate an identified risk is whether:
Which of the following would be MOST useful to senior management when determining an appropriate risk response?
When formulating a social media policy lo address information leakage, which of the following is the MOST important concern to address?
Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?
An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern?
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?
Which of the following s MOST likely to deter an employee from engaging in inappropriate use of company owned IT systems?
Which of the following has the GREATEST influence on an organization's risk appetite?
Which of the following is the MOST critical factor to consider when determining an organization's risk appetite?
Which of the following is the GREATEST benefit of a three lines of defense structure?
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management?
Which of the following would BEST facilitate the implementation of data classification requirements?
Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?
What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''
Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance?
Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts?
An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization's customer service operations overseas. Which of the following would MOST significantly impact management's decision?
Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts?
It is MOST important that security controls for a new system be documented in:
An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning of the associated risk entries?
Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing?
Which risk response strategy could management apply to both positive and negative risk that has been identified?
Which of the following is MOST helpful to understand the consequences of an IT risk event?
Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices?
An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?
A bank recently incorporated Blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner’s BEST course of action?
Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within theorganization of the following, who should review the completed list and select the appropriate KRIs for implementation?
The objective of aligning mitigating controls to risk appetite is to ensure that:
Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to:
A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management. Which of the following is the risk practitioner’s BEST course of action to determine root cause?
A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?
An organization's recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation?
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation?
An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate tins risk?
Which of the following is the MOST important consideration when developing risk strategies?
An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations?
An organization has decided to implement a new Internet of Things (loT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?
When developing risk scenario using a list of generic scenarios based on industry best practices, it is MOST imported to:
An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:
An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
Which of the following is the MOST important information to cover a business continuity awareness Ira nine, program for all employees of the organization?
Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?
Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities?
Who should be responsible (of evaluating the residual risk after a compensating control has been
Which of the following would MOST likely require a risk practitioner to update the risk register?
Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
The following is the snapshot of a recently approved IT risk register maintained by an organization's information security department.
After implementing countermeasures listed in ‘’Risk Response Descriptions’’ for each of the Risk IDs, which of the following component of the register MUST change?
Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan''
An organization has experienced a cyber-attack that exposed customer personally identifiable information (Pll) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions?
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?
Which of the following BEST helps to identify significant events that could impact an organization?
What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information?
An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'
Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?
Which of the following is the BEST indication that key risk indicators (KRls) should be revised?
An organization's chief information officer (CIO) has proposed investing in a new. untested technology to take advantage of being first to market Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk:
An organization recently configured a new business division Which of the following is MOST likely to be affected?
After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to:
Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?
Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?
The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed:
A newly incorporated enterprise needs to secure its information assets From a governance perspective which of the following should be done FIRST?
When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:
Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
Which of the following is the MOST important consideration for effectively maintaining a risk register?
In order to determining a risk is under-controlled the risk practitioner will need to
Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?
Which of the following would be the result of a significant increase in the motivation of a malicious threat actor?
Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information?
Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?
Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?