Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exc65

When of the following 15 MOST important when developing a business case for a proposed security investment?

A.

identification of control requirements

B.

Alignment to business objectives

C.

Consideration of new business strategies

D.

inclusion of strategy for regulatory compliance

The PRIMARY objective of a risk identification process is to:

A.

evaluate how risk conditions are managed.

B.

determine threats and vulnerabilities.

C.

estimate anticipated financial impact of risk conditions.

D.

establish risk response options.

An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner's BEST recommendation after recovery steps have been completed?

A.

Develop new key risk indicators (KRIs).

B.

Perform a root cause analysis.

C.

Recommend the purchase of cyber insurance.

D.

Review the incident response plan.

Recent penetration testing of an organization's software has identified many different types of security risks. Which of the following is the MOST likely root cause for the identified risk?

A.

SIEM software is producing faulty alerts.

B.

Threat modeling was not utilized in the software design process.

C.

The configuration management process is not applied consistently during development.

D.

An identity and access management (IAM) tool has not been properly integrated into the software.

Who should be responsible (of evaluating the residual risk after a compensating control has been

A.

Compliance manager

B.

Risk owner

C.

Control owner

D.

Risk practitioner

Owners of technical controls should be PRIMARILY accountable for ensuring the controls are:

A.

Mapped to the corresponding business areas.

B.

Aligned with corporate security policies.

C.

Effectively implemented and maintained.

D.

Designed based on standards and frameworks.

Which of the following is MOST important to consider when determining the value of an asset during the risk identification process?

A.

The criticality of the asset

B.

The monetary value of the asset

C.

The vulnerability profile of the asset

D.

The size of the asset's user base

After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

A.

record risk scenarios in the risk register for analysis.

B.

validate the risk scenarios for business applicability.

C.

reduce the number of risk scenarios to a manageable set.

D.

perform a risk analysis on the risk scenarios.

An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results. Which of the following is the risk practitioner's BEST recommendation?

A.

Accept the risk of using the production data to ensure accurate results.

B.

Assess the risk of using production data for testing before making a decision.

C.

Benchmark against what peer organizations are doing with POC testing environments.

D.

Deny the request, as production data should not be used for testing purposes.

Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

A.

A record of incidents is maintained.

B.

Forensic investigations are facilitated.

C.

Security violations can be identified.

D.

Developing threats are detected earlier.

Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (loT) devices?

A.

Defined remediation plans

B.

Management sign-off on the scope

C.

Manual testing of device vulnerabilities

D.

Visibility into all networked devices

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

A.

Recommend a re-evaluation of the current threshold of the KRI.

B.

Notify management that KRIs are being effectively managed.

C.

Update the risk rating associated with the KRI In the risk register.

D.

Update the risk tolerance and risk appetite to better align to the KRI.

Which of the following BEST protects organizational data within a production cloud environment?

A.

Data encryption

B.

Continuous log monitoring

C.

Right to audit

D.

Data obfuscation

Which of the following helps ensure compliance with a nonrepudiation policy requirement for electronic transactions?

A.

Digital signatures

B.

Encrypted passwords

C.

One-time passwords

D.

Digital certificates

Which of the following would be MOST useful to management when allocating resources to mitigate risk to the organization?

A.

Risk assessments

B.

Control self-assessments (CSAs)

C.

Risk-based audits

D.

Vulnerability analysis

Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?

A.

Variances between organizational risk appetites

B.

Different taxonomies to categorize risk scenarios

C.

Disparate platforms for governance, risk, and compliance (GRC) systems

D.

Dissimilar organizational risk acceptance protocols

A risk practitioner's BEST guidance to help an organization develop relevant risk scenarios is to ensure the scenarios are:

A.

Aligned with risk management capabilities.

B.

Based on industry trends.

C.

Related to probable events.

D.

Mapped to incident response plans.

A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of

action?

A.

Conduct a peer response assessment.

B.

Update risk scenarios in the risk register.

C.

Reevaluate the risk management program.

D.

Ensure applications are compliant.

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

A.

Interview control owners.

B.

Observe the control enhancements in operation.

C.

Inspect external audit documentation.

D.

Review management's detailed action plans.

Which of the following provides the BEST indication that existing controls are effective?

A.

Control testing

B.

Control logging

C.

Control documentation

D.

Control design

An internal audit report reveals that a legacy system is no longer supported Which of the following is the risk practitioner's MOST important action before recommending a risk response'

A.

Review historical application down me and frequency

B.

Assess the potential impact and cost of mitigation

C.

identify other legacy systems within the organization

D.

Explore the feasibility of replacing the legacy system

A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?

A.

The user requirements were not documented.

B.

Payroll files were not under the control of a librarian.

C.

The programmer had access to the production programs.

D.

The programmer did not involve the user in testing.

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

A.

the cost associated with each control.

B.

historical risk assessments.

C.

key risk indicators (KRls).

D.

information from the risk register.

Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states?

A.

Develop a risk treatment plan.

B.

Validate organizational risk appetite.

C.

Review results of prior risk assessments.

D.

Include the current and desired states in the risk register.

Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership?

A.

Ensuring processes are documented to enable effective control execution

B.

Ensuring regular risk messaging is Included in business communications from leadership

C.

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.

Ensuring performance metrics balance business goals with risk appetite

Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

A.

Continuous monitoring

B.

A control self-assessment

C.

Transaction logging

D.

Benchmarking against peers

An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

A.

Implement database activity and capacity monitoring.

B.

Ensure the business is aware of the risk.

C.

Ensure the enterprise has a process to detect such situations.

D.

Consider providing additional system resources to this job.

Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?

A.

Establishing a risk management committee

B.

Updating the organization's risk register to reflect the new threat

C.

Communicating the results of the threat impact analysis

D.

Establishing metrics to assess the effectiveness of the responses

Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

A.

Information security managers

B.

Internal auditors

C.

Business process owners

D.

Operational risk managers

Which of the following would BEST mitigate an identified risk scenario?

A.

Conducting awareness training

B.

Executing a risk response plan

C.

Establishing an organization's risk tolerance

D.

Performing periodic audits

Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

A.

Mean time between failures (MTBF)

B.

Mean time to recover (MTTR)

C.

Planned downtime

D.

Unplanned downtime

An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new initiative?

A.

Risk tolerance

B.

Risk appetite

C.

Inherent risk

D.

Residual risk

An organization recently implemented new technologies that enable the use of robotic process automation. Which of the following is MOST important to reassess?

A.

Risk profile

B.

Risk tolerance

C.

Risk capacity

D.

Risk appetite

When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

A.

revalidate current key risk indicators (KRIs).

B.

revise risk management procedures.

C.

review the data classification policy.

D.

revalidate existing risk scenarios.

A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

A.

Recommend avoiding the risk.

B.

Validate the risk response with internal audit.

C.

Update the risk register.

D.

Evaluate outsourcing the process.

An organization becomes aware that IT security failed to detect a coordinated

cyber attack on its data center. Which of the following is the BEST course of

action?

A.

Perform a business impact analysis (BIA).

B.

Identify compensating controls

C.

Conduct a root cause analysis.

D.

Revise key risk indicator (KRI) thresholds.

An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report?

A.

Migrate all data to another compliant service provider.

B.

Analyze the impact of the provider's control weaknesses to the business.

C.

Conduct a follow-up audit to verify the provider's control weaknesses.

D.

Review the contract to determine if penalties should be levied against the provider.

A business impact analysis (BIA) enables an organization to determine appropriate IT risk mitigation actions by:

A.

validating whether critical IT risk has been addressed.

B.

assigning accountability for IT risk to business functions.

C.

identifying IT assets that support key business processes.

D.

defining the requirements for an IT risk-aware culture

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf software product which will not be corrected until the next release. Which of the following is the risk manager's BEST course of action?

A.

Review the risk of implementing versus postponing with stakeholders.

B.

Run vulnerability testing tools to independently verify the vulnerabilities.

C.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

D.

Require the vendor to correct significant vulnerabilities prior to installation.

Which organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is lie responsibility of the risk practitioner*?

A.

Verify that existing controls continue to properly mitigate defined risk

B.

Test approval process controls once the project is completed

C.

Update the existing controls for changes in approval processes from this project

D.

Perform a gap analysis of the impacted control processes

The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation?

A.

Insufficient risk tolerance

B.

Optimized control management

C.

Effective risk management

D.

Over-controlled environment

Which of the following offers the SIMPLEST overview of changes in an organization's risk profile?

A.

A risk roadmap

B.

A balanced scorecard

C.

A heat map

D.

The risk register

Which of the following would be of GREATEST concern regarding an organization's asset management?

A.

Lack of a mature records management program

B.

Lack of a dedicated asset management team

C.

Decentralized asset lists

D.

Incomplete asset inventory

The PRIMARY benefit of using a maturity model is that it helps to evaluate the:

A.

capability to implement new processes

B.

evolution of process improvements

C.

degree of compliance with policies and procedures

D.

control requirements.

Which of the following is the BEST indication that key risk indicators (KRIs) should be revised?

A.

An increase in the number of risk threshold exceptions

B.

An increase in the number of change events pending management review

C.

A decrease in the number of key performance indicators (KPIs)

D.

A decrease in the number of critical assets covered by risk thresholds

Which of the following is the MOST important benefit of reporting risk assessment results to senior management?

A.

Promotion of a risk-aware culture

B.

Compilation of a comprehensive risk register

C.

Alignment of business activities

D.

Facilitation of risk-aware decision making

Which of the following is the MOST important consideration when determining the appropriate data retention period throughout the data management life cycle?

A.

Data storage and collection methods

B.

Data owner preferences

C.

Legal and regulatory requirements

D.

Choice of encryption algorithms

Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application?

A.

The probability of application defects will increase

B.

Data confidentiality could be compromised

C.

Increase in the use of redundant processes

D.

The application could fail to meet defined business requirements

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

A.

Reviewing access control lists

B.

Authorizing user access requests

C.

Performing user access recertification

D.

Terminating inactive user access

Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?

A.

Approval by senior management

B.

Low cost of development and maintenance

C.

Sensitivity to changes in risk levels

D.

Use of industry risk data sources