An organization is considering adopting artificial intelligence (AI). Which of the
following is the risk practitioner's MOST important course of action?
An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?
When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:
Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?
An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?
Which of the following BEST measures the efficiency of an incident response process?
Which of the following is the GREATEST risk associated with the use of data analytics?
A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?
Which of the following would BEST help secure online financial transactions from improper users?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program?
After identifying new risk events during a project, the project manager s NEXT step should be to:
Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?
Which of the following would MOST effectively reduce the potential for inappropriate exposure of vulnerabilities documented in an organization's risk register?
An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy?
Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register?
Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?
Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?
A key risk indicator (KRI) threshold has reached the alert level, indicating data leakage incidents are highly probable. What should be the risk practitioner's FIRST course of action?
A new regulator/ requirement imposes severe fines for data leakage involving customers' personally identifiable information (Pll). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation?
Which of the following would BEST help identify the owner for each risk scenario in a risk register?
An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:
Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?
Which of the following is MOST helpful in determining the effectiveness of an organization's IT risk mitigation efforts?
Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?
Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?
Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?
An identified high probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy. Which of the following is the BEST risk response?
A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?
Which of the following would provide the MOST comprehensive information for updating an organization's risk register?
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?
A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?
Which of the following BEST helps to identify significant events that could impact an organization?
Vulnerability analysis
Which of the following is MOST important for an organization that wants to reduce IT operational risk?
A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?
Which of the following MOST effectively limits the impact of a ransomware attack?
Which of the following is the PRIMARY reason to update a risk register with risk assessment results?
Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system?
Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?
Which of the following would offer the MOST insight with regard to an organization's risk culture?
When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness?
Which of the following is a risk practitioner's BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project?
An organization's risk management team wants to develop IT risk scenarios to show the impact of collecting and storing credit card information. Which of the following is the MOST comprehensive approach to capture this scenario?
Which of the following BEST protects organizational data within a production cloud environment?
Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?
Which of the following observations would be GREATEST concern to a risk practitioner reviewing the implementation status of management action plans?
An organization has been experiencing an increasing number of spear phishing attacks Which of the following would be the MOST effective way to mitigate the risk associated with these attacks?
Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?
An organization has restructured its business processes, and the business continuity plan (BCP) needs to be revised accordingly. Which of the following should be identified FIRST?
An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?
Which of the following is MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected?
Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making?
The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern?
Which of the following will BEST help to improve an organization's risk culture?
Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment?
Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk?
Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?
Which of the following activities is a responsibility of the second line of defense?
A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST?
Which of the following should be the starting point when performing a risk analysis for an asset?
An online payment processor would be severely impacted if the fraud detection system has an outage. Which of the following is the BEST way to address this risk?
Which strategy employed by risk management would BEST help to prevent internal fraud?
Which of the following is the BEST indicator of the effectiveness of a control?
Which of the following is MOST useful for measuring the existing risk management process against a desired state?
Which of the following is the MOST useful information an organization can obtain from external sources about emerging threats?
Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis?
An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor
adherence to the 15-day threshold?
Which process is MOST effective to determine relevance of threats for risk scenarios?
Which of the following is the GREATEST risk associated with inappropriate classification of data?
After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders?
An organization is considering the adoption of an aggressive business strategy to achieve desired growth From a risk management perspective what should the risk practitioner do NEXT?
Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth’’?
Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool?
Which of the following activities is PRIMARILY the responsibility of senior management?
Which of the following is the PRIMARY role of the board of directors in corporate risk governance?
Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?
Which of the following should be the PRIMARY focus of an independent review of a risk management process?
An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?
Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services?
Which of the following is MOST important to understand when developing key risk indicators (KRIs)?
Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?
The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:
An audit reveals that there are changes in the environment that are not reflected in the risk profile. Which of the following is the BEST course of action?
Which of the following statements in an organization's current risk profile report is cause for further action by senior management?
A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?
Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?
Which of the following is the BEST indication of the effectiveness of a business continuity program?
An organization is making significant changes to an application. At what point should the application risk profile be updated?
Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?
The risk associated with data loss from a website which contains sensitive customer information is BEST owned by:
Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?
A business manager wants to leverage an existing approved vendor solution from another area within the organization. Which of the following is the risk practitioner's BEST course of action?
Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?
Which of the following BEST confirms the existence and operating effectiveness of information systems controls?
Which of the following would prompt changes in key risk indicator {KRI) thresholds?
Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?
The BEST way to demonstrate alignment of the risk profile with business objectives is through:
Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?
Which of the following would MOST likely result in updates to an IT risk appetite statement?
Once a risk owner has decided to implement a control to mitigate risk, it is MOST important to develop:
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?
The risk appetite for an organization could be derived from which of the following?
When developing risk treatment alternatives for a Business case, it is MOST helpful to show risk reduction based on:
While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:
Winch of the following can be concluded by analyzing the latest vulnerability report for the it infrastructure?
An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?
When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?
Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?
An information system for a key business operation is being moved from an in-house application to a Software as a Service (SaaS) vendor. Which of the following will have the GREATEST impact on the ability to monitor risk?
Which of the following would be MOST helpful when communicating roles associated with the IT risk management process?
Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system?
A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?
Which of the following would be a risk practitioner'$ BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?
Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?
The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?
Which of the following should be the PRIMARY goal of developing information security metrics?
Which of the following is the MOST critical element to maximize the potential for a successful security implementation?
An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose?
When of the following provides the MOST tenable evidence that a business process control is effective?
Which of the following BEST indicates that additional or improved controls ate needed m the environment?
The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in:
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to:
Which of me following is MOST helpful to mitigate the risk associated with an application under development not meeting business objectives?
In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
Which of the following BEST facilities the alignment of IT risk management with enterprise risk management (ERM)?
An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:
Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources?
Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?
An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider?
Winch of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project He cycle?
In which of the following system development life cycle (SDLC) phases should controls be incorporated into system specifications?
Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
Which of the following is MOST important to compare against the corporate risk profile?
Which of the following BEST indicates that an organization has implemented IT performance requirements?
When performing a risk assessment of a new service to support a ewe Business process. which of the following should be done FRST10 ensure continuity of operations?
Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?
Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle?
Which of the following statements describes the relationship between key risk indicators (KRIs) and key control indicators (KCIs)?
Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches?
Which of the following will be the GREATEST concern when assessing the risk profile of an organization?
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?
Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)?
A risk practitioner has received an updated enterprise risk management (ERM) report showing that residual risk is now within the organization's defined appetite and tolerance levels. Which of the following is the risk practitioner's BEST course of action?
Which of the following should be a risk practitioner's PRIMARY focus when tasked with ensuring organization records are being retained for a sufficient period of time to meet legal obligations?
What is the PRIMARY reason to periodically review key performance indicators (KPIs)?
The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:
Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information?
Which of the following is the MOST important consideration for protecting data assets m a Business application system?
An organization is implementing internet of Things (loT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?
Which of the following is MOST helpful in preventing risk events from materializing?
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:
Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)?
Which of the following is the MOST important objective of an enterprise risk management (ERM) program?
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?
Which of the following is the BEST control to detect an advanced persistent threat (APT)?
Which of the following BEST indicates the risk appetite and tolerance level (or the risk associated with business interruption caused by IT system failures?
Which of the following should be an element of the risk appetite of an organization?
Which of the following provides the MOST useful information to determine risk exposure following control implementations?
When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios?
The PRIMARY benefit of using a maturity model is that it helps to evaluate the:
During an internal IT audit, an active network account belonging to a former employee was identified. Which of the following is the BEST way to prevent future occurrences?
A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?
What are the MOST essential attributes of an effective Key control indicator (KCI)?
Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?
Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?
Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats?
Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
Which of the following is the BEST source for identifying key control indicators (KCIs)?
Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment?
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner's recommendation?
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially Which of the following would be the BEST approach for the risk practitioner to take?
Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?
In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level?
Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?
Which of the following provides the BEST measurement of an organization's risk management maturity level?
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?
Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?
Which of the following would be of GREATEST concern regarding an organization's asset management?
Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders?
A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of GREATEST concern to the risk practitioner?
Senior management is deciding whether to share confidential data with the organization's business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the:
The BEST metric to demonstrate that servers are configured securely is the total number of servers:
To define the risk management strategy which of the following MUST be set by the board of directors?
Which of the following is the MOST effective way to help ensure accountability for managing risk?
An organization wants to launch a campaign to advertise a new product Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner?
An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis Which of the following is the MOST important control to ensure the privacy of customer information?
Which of the following is the MOST comprehensive resource for prioritizing the implementation of information systems controls?
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board''
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for.
What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process?
Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization's key IT applications in a cloud environment?
An organization has decided to implement a new Internet of Things (loT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments?
Which of the following has the GREATEST influence on an organization's risk appetite?
Which of the following practices would be MOST effective in protecting personality identifiable information (Ptl) from unauthorized access m a cloud environment?
Which of the following should be used as the PRIMARY basis for evaluating the state of an organization's cloud computing environment against leading practices?
Which of the following should be of MOST concern to a risk practitioner reviewing an organization risk register after the completion of a series of risk assessments?
Which of the following would MOST effectively reduce risk associated with an increase of online transactions on a retailer website?
A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner's BEST course of action?
Which of the following is the BEST method to maintain a common view of IT risk within an organization?
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?
Which of the following would BEST facilitate the implementation of data classification requirements?
Which of the following is MOST helpful in providing a high-level overview of current IT risk severity*?
When establishing an enterprise IT risk management program, it is MOST important to:
An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. This is an example of:
Which of the following is the PRIMARY reason for a risk practitioner to review an organization's IT asset inventory?
A multinational organization is considering implementing standard background checks to' all new employees A KEY concern regarding this approach
An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on:
An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented?
Which of the following is the BEST indication that key risk indicators (KRls) should be revised?
A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?
Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data?
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners?
Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application Which of the following is the BEST way to increase the chances of a successful delivery'?
Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization?
Which of the following provides the MOST useful information for developing key risk indicators (KRIs)?
What is the MAIN benefit of using a top-down approach to develop risk scenarios?
Which of the following is MOST important for maintaining the effectiveness of an IT risk register?
Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk?
Which of the following is the BEST method of creating risk awareness in an organization?
A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management. Which of the following is the risk practitioner’s BEST course of action to determine root cause?
When a risk practitioner is determining a system's criticality. it is MOST helpful to review the associated:
An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been;
Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register?
Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?
Which of the following is the BEST approach for obtaining management buy-in
to implement additional IT controls?
Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor?
An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?
An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantifying the impact of the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance, which of the following is the risk practitioner's BEST recommendation?
Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?
Which of the following is the MOST important document regarding the treatment of sensitive data?
A failed IT system upgrade project has resulted in the corruption of an organization's asset inventory database. Which of the following controls BEST mitigates the impact of this incident?
The operational risk associated with attacks on a web application should be owned by the individual in charge of:
A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services. Which of the following is the BEST course of action?
Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards?
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner s NEXT step? r
An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?
A business impact analysis (BIA) has documented the duration of maximum allowable outage for each of an organization's applications. Which of the following MUST be aligned with the maximum allowable outage?
An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?
Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (Al) solution?
Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis?
A risk practitioner has been notified of a social engineering attack using artificial intelligence (Al) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks?
An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?
A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:
A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operating environment, which factor should be updated to reflect this situation as an input to scenario development for this particular risk event?
Which of the following will BEST ensure that controls adequately support business goals and objectives?
Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner?
Which of the following is the MOST important reason to communicate control effectiveness to senior management?
Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions?
Which of the following BEST mitigates the risk associated with inadvertent data leakage by users who work remotely?
Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted?
A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider who should the risk scenario be reassigned to.
Which of the following scenarios is MOST important to communicate to senior management?
Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?
After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to;
Which of the following is the BEST key performance indicator (KPI) for a server patch management process?
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?
The acceptance of control costs that exceed risk exposure is MOST likely an example of:
Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Which of the following attributes of a key risk indicator (KRI) is MOST important?
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
Which of the following would BEST help to ensure that identified risk is efficiently managed?
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
Which of the following should be the HIGHEST priority when developing a risk response?
Which of the following will BEST quantify the risk associated with malicious users in an organization?
An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
Which of the following would BEST provide early warning of a high-risk condition?
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:
Who should be accountable for ensuring effective cybersecurity controls are established?
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?
A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?
Which of the following would BEST help minimize the risk associated with social engineering threats?
Which of the following is the BEST way to determine the ongoing efficiency of control processes?
Which of the following is the MOST important element of a successful risk awareness training program?
Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?
Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?
The MOST important characteristic of an organization s policies is to reflect the organization's:
Which of the following is the BEST way to validate the results of a vulnerability assessment?
Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?
A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
The MOST effective way to increase the likelihood that risk responses will be implemented is to:
A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:
A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?
Which of the following would be MOST helpful when estimating the likelihood of negative events?
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center?
Which of the following is the MAIN reason for documenting the performance of controls?
Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:
Which of the following is the MOST important benefit of key risk indicators (KRIs)'
An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences?
A review of an organization s controls has determined its data loss prevention {DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?
Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment?
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?
Which of the following is the MAIN reason to continuously monitor IT-related risk?
An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?
Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
Which of the following is the MOST important factor affecting risk management in an organization?
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
Which of the following is the BEST way to identify changes to the risk landscape?
Which of the following is the MOST important consideration when developing an organization's risk taxonomy?
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?
Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?
Which of the following would BEST help to ensure that suspicious network activity is identified?
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:
An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST.
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?
Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?
Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?
During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?
Establishing and organizational code of conduct is an example of which type of control?
Which of the following tools is MOST effective in identifying trends in the IT risk profile?
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?