IT Exam Questions and Solutions Library
A risk practitioner is developing risk scenarios for a manufacturing organization that uses highly specialized systems to control its production process. Which of the following will BEST support management decision making that adequately addresses impacts to these systems? A. Bottom-up approach B. Event tree analysis C. Top-down approach D. Control gap analysis Suggested Answer: B
Which of the following is the GREATEST risk associated with inappropriate classification of data? A. Users having unauthorized access to data B. Inaccurate recovery time objectives (RTOs) C. Lack of accountability for data ownership D. Inaccurate record management data Suggested Answer: A
Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (IoT) technology in an organization? A. The network that IoT devices can access B. The IoT threat landscape C. Policy development for IoT D. The business case for the use of IoT Suggested Answer: B
Reviewing which of the following is the BEST way to gauge the effectiveness of a web application firewall (WAF)? A. Product documentation B. Capacity estimates C. Implementation details D. Penetration test results Suggested Answer: D
Warning banners on login screens for laptops provided by an organization to its employees are an example of which type of control? A. Corrective B. Detective C. Deterrent D. Preventive Suggested Answer: C
Who is BEST suited to provide information to the risk practitioner about the effectiveness of a technical control associated with an application? A. Risk owner B. Process owner C. System owner D. Internal auditor Suggested Answer: C
An organization has established a policy prohibiting ransom payments if subjected to a ransomware attack. Which of the following is the MOST effective control to support this policy? A. Implementing continuous intrusion detection monitoring B. Creating immutable backups C. Conducting periodic vulnerability scanning D. Performing required patching Suggested Answer: B
Which of the following is an example of the second line in the three lines of defense model? A. External auditors B. Risk management function C. Risk owners D. Control owners Suggested Answer: B
Which of the following is MOST important for a risk practitioner to understand about an organization in order to create an effective risk awareness program? A. Key risk indicators (KRIs) and thresholds B. Known threats and vulnerabilities C. Structure and culture D. Policies and procedures Suggested Answer: C
A technology company is developing a strategic artificial intelligence (AI)-driven application that has high potential business value. At what point should the enterprise risk profile be updated? A. When user stories are developed B. During post-implementation review C. After user acceptance testing (UAT) D. Upon approval of the business case Suggested Answer: D
Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes? A. Ensuring timely recovery of critical business operations B. Determining capacity for alternate sites C. Assessing the impact and probability of disaster scenarios D. Restoring IT and cybersecurity operations Suggested Answer: A
Which of the following is PRIMARILY responsible for providing assurance to the board of directors and senior management during the evaluation of a risk management program implementation? A. Internal audit B. Business units C. Risk management D. External audit Suggested Answer: A
Which of the following describes the relationship between risk appetite and risk tolerance? A. Risk tolerance is used to determine risk appetite. B. Risk tolerance may exceed risk appetite. C. Risk appetite is completely independent of risk tolerance. D. Risk appetite and risk tolerance are synonymous. Suggested Answer: B
Concerned about system load capabilities during the month-end close process, management requires monitoring of the average time to complete tasks and monthly reporting of the findings. What type of measure has been established? A. Service level agreement (SLA) B. Key risk indicator (KRI) C. Key performance indicator (KPI) D. Critical success factor (CSF) Suggested Answer: C
Which of the following would MOST likely lower the risk associated with unauthorized access of sensitive data? A. Sensitive data is centralized in one directory for users to access. B. Uploading sensitive data requires department head approval. C. Access is managed according to the principle of least privilege. D. Access is restricted to staff members based on level of seniority. Suggested Answer: C
An organization implements a risk avoidance approach to collecting personal information. Which of the following is the BEST way for a risk practitioner to validate the risk response? A. Verify security baselines are implemented for databases. B. Perform a scan for personal information. C. Confirm that personal information is encrypted. D. Review the privacy policy to confirm it is up to date. Suggested Answer: B
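Validating a risk-avoidance response means confirming that the avoided activity is in fact absent, so the check is a scan of the data the organization actually holds, expecting zero hits. The script below is an added example, not part of the exam page: it scans a constructed export for email addresses, US-style Social Security numbers and payment card numbers, using a Luhn checksum to discard digit runs that merely look like card numbers. The patterns, the sample data and the `avoidance_holds` name are assumptions chosen for illustration.

```python
"""Scan text for personal information to validate a risk-avoidance decision.

Added example (not from the exam page). If the organization has decided to
avoid collecting personal information, the response is validated by scanning
the stores it holds and expecting zero findings. The patterns below are
assumptions for illustration: email addresses, US-style SSNs (NNN-NN-NNNN)
and 13-19 digit payment card numbers confirmed with a Luhn check.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str       # "email", "ssn" or "card"
    value: str      # the matched value (card numbers with separators removed)
    line_no: int    # 1-based line in the scanned text


def scan_text(text: str) -> list[Finding]:
    """Return every personal-data finding in the text, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding("email", m.group(), line_no))
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", m.group(), line_no))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):   # drop digit runs that are not real card numbers
                findings.append(Finding("card", digits, line_no))
    return findings


def avoidance_holds(text: str) -> bool:
    """The avoidance response is validated only if nothing personal is found."""
    return not scan_text(text)


# Constructed sample export (not real data) that should contain no personal data.
SAMPLE_EXPORT = """\
order_id,sku,qty,note
1001,WIDGET-7,3,ship to warehouse
1002,GIZMO-2,1,contact alice.example@example.com for invoice
1003,WIDGET-7,2,ref 4111 1111 1111 1111
1004,BOLT-9,10,ticket 123-45-6789
1005,BOLT-9,4,po 1234567890123
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_EXPORT):
        print(f"line {f.line_no}: {f.kind} -> {f.value}")
    print("avoidance validated:", avoidance_holds(SAMPLE_EXPORT))
```

Note that the 13-digit purchase-order reference on the last line is matched by the card pattern but rejected by the Luhn check, while the other three hits show the avoidance response has not held and the scenario needs to go back to the risk owner.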
Which of the following would produce the MOST comprehensive and relevant enterprise risk scenarios? A. Conduct risk assessment workshops with business process owners. B. Conduct risk assessment workshops with risk owners. C. Leverage current and historical data to inform risk scenarios. D. Combine top-down and bottom-up approaches. Suggested Answer: D
Which of the following would be the MOST effective way to identify changes in the internal control environment? A. Reviewing control ownership changes B. Performing control self-assessments (CSAs) C. Assessing risk objectives D. Reviewing the enterprise architecture (EA) roadmap Suggested Answer: B
Which of the following BEST measures how well a risk assessment process is performing? A. Process maturity reports B. Key performance indicators (KPIs) C. Key risk indicators (KRIs) D. An enterprise performance improvement program Suggested Answer: B
Which of the following is MOST important to ensure risk management practices are effective at all levels within the organization? A. Establishing key risk indicators (KRIs) to monitor risk management processes B. Ensuring that business activities minimize inherent risk C. Embedding risk management in business activities D. Communicating risk awareness materials regularly Suggested Answer: C
Which of the following is a PRIMARY objective of privacy impact assessments (PIAs)? A. To identify risk when personal information is collected B. To ensure compliance with data privacy laws and regulations C. To identify threats introduced by business processes D. To ensure senior management has approved the use of personal information Suggested Answer: A
Which of the following should be identified FIRST when using a bottom-up approach to develop IT risk scenarios related to a cloud environment managed by a third party? A. Scope of services provided and responsibilities carried out by the cloud vendor B. Business objectives to prioritize actions in the scenario treatment plan C. Control objectives applicable to the environment D. Current IT environment including cloud components Suggested Answer: A
What should a risk practitioner verify FIRST once an acquisition of another company has been confirmed? A. Impact of compliance and regulatory requirements B. Whether currently identified risk items need updating C. The alignment of the risk appetite and tolerance levels D. The risk management approaches Suggested Answer: A
Within the system development life cycle (SDLC), controls should be specified during: A. system integration testing. B. project initiation. C. requirements definition. D. business case development. Suggested Answer: C
Which of the following is the PRIMARY benefit of using a risk profile? A. It provides risk information to auditors. B. It enables vulnerability analysis. C. It enhances internal risk reporting. D. It promotes a security-aware culture. Suggested Answer: C
Which of the following is the GREATEST concern associated with quantum computing technology? A. Increase in computing resource demands B. Compromise of encryption techniques C. Incompatibility with blockchain-based infrastructure D. Increase in the cost of security Suggested Answer: B
Which of the following processes is MOST helpful in proactively identifying non-compliant baseline images prior to implementing IT systems? A. Configuration management B. Change management C. Patch management D. Vulnerability management Suggested Answer: A
A risk practitioner is advising management on how to update the IT policy framework to account for the organization's cloud usage. Which of the following should be the FIRST step in this process? A. Evaluate adherence to existing IT policies and standards. B. Determine gaps between the current state and target framework. C. Consult with industry peers regarding cloud best practices. D. Adopt an industry-leading cloud computing framework. Suggested Answer: B
Which of the following BEST enables the integration of IT risk management across an organization? A. Enterprise-wide risk awareness training B. Robust risk reporting practices C. Risk management policies D. Enterprise risk management (ERM) framework Suggested Answer: D
Which of the following is MOST important when substantiating control effectiveness? A. Control design documentation B. Length of time the control has been in operation C. Evidence of operation D. Certification by the risk assessor Suggested Answer: C
Which of the following is the BEST way to prevent the loss of highly sensitive data when disposing of storage media? A. Physical destruction B. Degaussing C. Data deletion D. Data anonymization Suggested Answer: A
Which of the following is the BEST indicator of the effectiveness of a newly implemented security awareness program? A. An increase in the number of successful virus attacks detected B. A decrease in the number of phishing emails received C. An increase in the number of reported internal security incidents D. A decrease in the number of internal network attacks detected Suggested Answer: C
Which of the following events is MOST likely to trigger an update to the risk register? A. A reminder to reassess an identified risk has been sent to risk owners and risk custodians. B. A business case for implementing a new solution for automating controls has been proposed. C. A project to implement a risk response action plan has been completed and closed successfully. D. A post-implementation review of a new application has been initiated by senior management. Suggested Answer: D
Which of the following is the MOST important reason to maintain a risk register? A. To help develop IT risk management strategies B. To help develop accurate risk scenarios C. To support risk-aware decision making D. To track current risk scenarios Suggested Answer: C
Which of the following privacy principles reduces the impact of accidental leakage of personal data? A. Accuracy B. Purpose C. Transparency D. Minimization Suggested Answer: D
A separation of duties control can no longer be sustained due to resource reductions at an organization. Who is BEST suited to decide if additional compensating controls are needed? A. Risk owner B. Compliance manager C. Control owner D. Risk practitioner Suggested Answer: A
Which of the following should a risk practitioner do FIRST to support the implementation of governance around organizational assets within an enterprise risk management (ERM) program? A. Conduct risk assessments across the business. B. Hire experienced and knowledgeable resources. C. Develop a detailed risk profile. D. Schedule internal audits across the business. Suggested Answer: A
Which of the following should be done FIRST when developing an initial set of risk scenarios for an organization? A. Consider relevant business activities. B. Use a top-down approach. C. Use a bottom-up approach. D. Refer to industry standard scenarios. Suggested Answer: A
The PRIMARY reason for communicating risk assessment results to data owners is to enable the: A. prioritization of response efforts. B. industry benchmarking of controls. C. design of appropriate controls. D. classification of information assets. Suggested Answer: A
For which of the following activities is it MOST important to obtain input from business stakeholders? A. Emerging threat identification B. Awareness training content development C. Risk scenario development D. Control ownership assignment Suggested Answer: C
Recovery time objectives (RTOs) should be based on: A. maximum tolerable downtime. B. maximum tolerable loss of data. C. minimum tolerable loss of data. D. minimum tolerable downtime. Suggested Answer: A
Which of the following should be the PRIMARY driver for the prioritization of risk responses? A. Residual risk B. Inherent risk C. Mitigation cost D. Risk appetite Suggested Answer: D
A risk practitioner notes that controls in place for a risk are only partially effective. However, the risk owner has indicated that implementing additional controls would be too costly. Which of the following is the risk practitioner's BEST course of action? A. Recommend risk acceptance for the control gap. B. Document the inherent risk. C. Adjust the risk tolerance in the risk register. D. Recommend avoiding the risk. Suggested Answer: A
Which of the following BEST enables a risk practitioner to identify the consequences of losing critical resources due to a disaster? A. Tabletop exercise results B. Risk management action plans C. Business impact analysis (BIA) D. What-if technique Suggested Answer: C
An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios. Which of the following is the BEST course of action? A. Reassess the risk appetite and tolerance levels of the business. B. Review the organization's data retention policy and regulatory requirements. C. Evaluate the organization's existing data protection controls. D. Evaluate the sensitivity of data that the business needs to handle. Suggested Answer: C
The BEST use of key risk indicators (KRIs) is to provide: A. early indication of changes to required risk response. B. lagging indication of major information security incidents. C. insight into the performance of a monitored process. D. early indication of increasing exposure to a specific risk. Suggested Answer: D
Which of the following events is MOST likely to trigger the need to conduct a risk assessment? A. Introduction of a new product line B. An incident resulting in data loss C. Changes in executive management D. Updates to the information security policy Suggested Answer: B
An organization has completed a detailed root cause analysis of a security incident. Before selecting the risk treatment plan, it is MOST important to: A. perform a risk reassessment. B. conduct a business impact analysis (BIA). C. update the existing key risk indicators (KRIs). D. perform a control matrix analysis. Suggested Answer: A
Which of the following is the MOST important update for keeping the risk register current? A. Adding new risk assessment results annually B. Retiring risk scenarios that have been avoided C. Changing risk owners due to employee turnover D. Modifying organizational structures when lines of business merge Suggested Answer: A
Which of the following techniques is MOST helpful when quantifying the potential loss impact of cyber risk? A. Security assessment B. Cost-benefit analysis C. Penetration testing D. Business impact analysis (BIA) Suggested Answer: D
An internal risk assessment revealed multiple critical security findings for a newly commissioned testing environment. Which of the following should the risk practitioner do FIRST? A. Define mitigating steps. B. Update the IT risk register. C. Notify IT management. D. Set dates for the next review. Suggested Answer: C
Which of the following stakeholders defines risk tolerance for an enterprise? A. The board and executive management B. IT compliance and IT audit C. Regulators and shareholders D. Enterprise risk management (ERM) Suggested Answer: A
Which of the following is MOST important for secure application development? A. A recognized risk management framework B. Secure coding practices C. Well-documented business cases D. Security training for systems development staff Suggested Answer: B
An increase in which of the following would be the MOST useful key risk indicator (KRI) for unauthorized access? A. Percentage of failed login attempts B. Number of direct logins to privileged accounts C. Percentage of user accounts not disabled after termination D. Number of system accounts provisioned Suggested Answer: A
Which of the following presents the GREATEST security risk associated with Internet of Things (IoT) technology? A. The lack of updates for vulnerable firmware B. The lack of relevant IoT security frameworks to guide the risk assessment process C. The heightened level of IoT threats via the widespread use of smart devices D. The inability to monitor via network management solutions Suggested Answer: A
Within the three lines of defense model, the PRIMARY responsibility for ensuring risk mitigation controls are properly configured belongs with: A. the IT risk function. B. line management. C. enterprise compliance. D. internal audit. Suggested Answer: B
Which of the following is the MOST important outcome of monitoring key risk indicators (KRIs)? A. Increased risk control efficiency B. Improvement of risk awareness C. Identification of risk event root causes D. Development of risk transfer strategies Suggested Answer: B
Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet? A. Require public key infrastructure (PKI) to authorize transactions. B. Require multi-factor authentication (MFA) to access the digital wallet. C. Use a digital key to encrypt the contents of the wallet. D. Enable audit logging on the digital wallet's device. Suggested Answer: B
The MOST essential content to include in an IT risk awareness program is how to: A. populate risk register entries and build a risk profile for management reporting. B. define the IT risk framework for the organization. C. prioritize IT-related actions by considering risk appetite and risk tolerance. D. comply with the organization's IT risk and information security policies. Suggested Answer: D
Which of the following offers the SIMPLEST overview of changes in an organization's risk profile? A. A balanced scorecard B. The risk register C. A risk roadmap D. A heat map Suggested Answer: D
To minimize the number of unmanaged application systems, it is MOST important that the policy for controlling the systems includes requirements for: A. review of application system operation logs. B. periodic password expiration for application users. C. regular training of system administrators. D. documentation of system ownership. Suggested Answer: D
Which type of content would be MOST effective when an organization is building customized security awareness training? A. Real-world examples of security incidents with a selection of potential risk responses B. Awareness of the three lines of defense model C. Internal security policies and metrics to detect noncompliance D. Reinforcement of the acceptable use policy Suggested Answer: A
A risk practitioner has been asked to propose a risk acceptance framework for an organization. Which of the following is the MOST important consideration for the risk practitioner to address in the framework? A. Communication protocols when a risk is accepted B. Acceptable scenarios to override risk appetite or tolerance thresholds C. Consistent forms to document risk acceptance rationales D. Individuals or roles authorized to approve risk acceptance Suggested Answer: D
An organization's key risk indicator (KRI) that tracks patch compliance has exceeded its threshold. Which of the following is the risk practitioner's NEXT step? A. Instruct users to refrain from using affected devices. B. Submit change requests to deploy patches. C. Isolate noncompliant devices. D. Report the condition to the risk owner. Suggested Answer: D
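Two of the KRIs in this set are concrete enough to compute: the percentage of failed login attempts as an indicator for unauthorized-access risk, and the percentage of endpoints out of patch compliance. The script below is an added example, not part of the exam page: it derives both values from constructed data, compares each with its tolerance, and on a breach produces a report addressed to the named risk owner. It deliberately does not patch, isolate or block anything, which is the point of the question above: the KRI informs the risk owner's decision rather than replacing it. The log format, thresholds, role titles and inventory are assumptions for illustration.

```python
"""Evaluate key risk indicators (KRIs) against tolerances and escalate breaches.

Added example (not from the exam page). Two KRIs are computed from constructed
data: the percentage of failed login attempts (unauthorized-access risk) and
the percentage of endpoints missing required patches. A breached tolerance
produces an escalation to the named risk owner and nothing else, because the
response decision belongs to the risk owner. Thresholds, role titles, the
sshd-style log format and the inventory are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sshd-style log lines (not from a real system).
AUTH_LOG = """\
Mar 10 08:01:12 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50011 ssh2
Mar 10 08:01:40 host1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 44210 ssh2
Mar 10 08:01:43 host1 sshd[2210]: Failed password for root from 203.0.113.9 port 44211 ssh2
Mar 10 08:02:02 host1 sshd[2231]: Accepted password for bob from 10.0.0.7 port 50120 ssh2
Mar 10 08:02:15 host1 sshd[2240]: Failed password for bob from 10.0.0.7 port 50121 ssh2
Mar 10 08:02:20 host1 sshd[2240]: Accepted password for bob from 10.0.0.7 port 50121 ssh2
Mar 10 08:02:44 host1 sshd[2250]: Accepted publickey for carol from 10.0.0.9 port 50200 ssh2
Mar 10 08:03:01 host1 sshd[2261]: Accepted publickey for dave from 10.0.0.11 port 50310 ssh2
"""

# Constructed endpoint inventory: hostname -> number of required patches missing.
PATCH_INVENTORY = {
    "ws-001": 0, "ws-002": 0, "ws-003": 2, "ws-004": 0,
    "ws-005": 1, "srv-db-01": 0, "srv-web-01": 3, "srv-web-02": 0,
}

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted ")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed ")


@dataclass(frozen=True)
class Kri:
    name: str
    value: float          # measured value, as a percentage
    threshold: float      # tolerance level agreed with the risk owner (assumed)
    risk_owner: str       # role that must decide on the response (assumed)

    @property
    def breached(self) -> bool:
        return self.value > self.threshold


def failed_login_pct(log_text: str) -> float:
    """Failed authentication attempts as a percentage of all attempts."""
    accepted = failed = 0
    for line in log_text.splitlines():
        if ACCEPTED_RE.search(line):
            accepted += 1
        elif FAILED_RE.search(line):
            failed += 1
    total = accepted + failed
    return 0.0 if total == 0 else round(100.0 * failed / total, 1)


def patch_noncompliance_pct(inventory: dict[str, int]) -> float:
    """Endpoints missing at least one required patch, as a percentage."""
    if not inventory:
        return 0.0
    noncompliant = sum(1 for missing in inventory.values() if missing > 0)
    return round(100.0 * noncompliant / len(inventory), 1)


def evaluate_kris() -> list[Kri]:
    """Measure both KRIs against the (assumed) tolerances."""
    return [
        Kri("failed_login_pct", failed_login_pct(AUTH_LOG), threshold=40.0,
            risk_owner="Head of Identity Services"),
        Kri("patch_noncompliance_pct", patch_noncompliance_pct(PATCH_INVENTORY),
            threshold=10.0, risk_owner="Head of Infrastructure"),
    ]


def escalations(kris: list[Kri]) -> list[str]:
    """One report line per breached KRI, addressed to its risk owner."""
    return [
        f"To {k.risk_owner}: KRI {k.name} is {k.value}% against a tolerance of "
        f"{k.threshold}%; a decision on the risk response is required."
        for k in kris if k.breached
    ]


if __name__ == "__main__":
    for line in escalations(evaluate_kris()):
        print(line)
```

With the constructed inputs the failed-login KRI (37.5%) stays under its 40% tolerance while the patch KRI (37.5% of endpoints noncompliant) exceeds its 10% tolerance, so exactly one escalation is produced, and it goes to the risk owner rather than to a change request or a device isolation step.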
Which of the following is MOST likely to trigger a penetration test? A. Loss of customer data is suspected. B. A disgruntled senior IT staff member has left the organization. C. An acquired company's systems are being integrated. D. A competitor's website was compromised. Suggested Answer: C
Which of the following is the PRIMARY advantage of having a single integrated business continuity plan (BCP) rather than each business unit developing its own BCP? A. It enables effective BCP maintenance and updates to reflect organizational changes. B. It provides assurance of timely business process response and effectiveness. C. It supports effective use of resources and provides reasonable confidence of recoverability. D. It decreases the risk of downtime and operational losses in the event of a disruption. Suggested Answer: C
What should a risk practitioner do FIRST when an assessment reveals a control is not operating as intended? A. Determine the root cause of the control issue. B. Recommend updates to the control procedures. C. Discuss the status with the control owner. D. Recommend compensating controls. Suggested Answer: A
A risk practitioner has observed an increasing trend of security events reported via network security monitoring tools. Which of the following would MOST likely be updated to reflect this trend? A. Risk impact B. Risk ownership C. Key risk indicators (KRIs) D. Risk tolerance level Suggested Answer: C
Who is ULTIMATELY accountable for risk treatment? A. Control owner B. Risk owner C. Risk practitioner D. Enterprise risk management (ERM) Suggested Answer: B
The PRIMARY benefit of selecting an appropriate set of key risk indicators (KRIs) is that they: A. provide a warning of emerging high-risk conditions. B. align with the organization's risk profile. C. provide data for updating the risk register. D. serve as a basis for measuring risk appetite. Suggested Answer: A
Zero Trust architecture is designed and deployed with adherence to which of the following basic tenets? A. Digital identities should be implemented. B. Security frameworks and libraries should be leveraged. C. Incoming traffic must be inspected before connection is established. D. All communication is secured regardless of network location. Suggested Answer: D
Which of the following BEST enables an organization to address new risk associated with an Internet of Things (IoT) solution? A. Introducing control procedures early in the life cycle B. Transferring the risk C. Updating the risk tolerance to include the new risk D. Implementing IoT device monitoring software Suggested Answer: A
Which of the following is the MOST reliable validation of a new control? A. Internal audit review of control design B. Control owner attestation of control effectiveness C. Approval of the control by senior management D. Complete and accurate documentation of control objectives Suggested Answer: A
Which of the following will have the GREATEST influence on the residual risk level in an organization? A. The investment portfolio B. IT department's capability C. The availability of resources D. The residual risk level in peer organizations Suggested Answer: C
Which of the following BEST supports the integration of risk management into an organization's strategic direction? A. Identifying processes for which key risk indicator (KRI) values are rising B. Establishing guidelines for regulatory compliance C. Providing leadership with timely information about emerging risk D. Demonstrating tone at the top for mitigating risk within projects Suggested Answer: C
During a review of the asset life cycle process, a risk practitioner identified several unreturned and unencrypted laptops belonging to former employees. Which of the following is the GREATEST concern with this finding? A. Unauthorized access to organizational data B. Insufficient laptops for existing employees C. Financial cost of replacing the laptops D. Abuse of leavers’ account privileges Suggested Answer: A
Which of the following is the MOST important consideration during control implementation to ensure risk is managed to an acceptable level? A. Organizational risk appetite B. Availability of budget and personnel C. Alignment with organizational objectives D. Risk management strategy Suggested Answer: A
A user has contacted the risk practitioner regarding malware spreading laterally across the organization's corporate network. Which of the following is the risk practitioner's BEST course of action? A. Update the risk register. B. Notify the cybersecurity incident response team. C. Perform a root cause analysis. D. Review all log files generated during the period of malicious activity. Suggested Answer: B
Which of the following is MOST important to document when accepting risk? A. Risk mitigation date B. Risk owner C. Risk impact level D. Risk identification date Suggested Answer: B
Which of the following provides the BEST evidence that robust risk management practices are in place within an organization? A. A management-approved risk dashboard B. A current control framework C. A regularly updated risk register D. Regularly updated risk management procedures Suggested Answer: C
Which of the following is the MOST important prerequisite for an effective risk management program? A. Established key risk indicators (KRIs) B. Risk awareness training C. An established risk policy D. Executive sponsorship Suggested Answer: D
What is the MOST important consideration when establishing key risk indicator (KRI) tolerance levels? A. Aligning KRI thresholds with the organization's business operations B. Aligning KRI thresholds with the organization's risk appetite C. Identifying KRIs that track changes in the organization's risk profile D. Establishing a reporting and escalation framework Suggested Answer: B
Which of the following would be MOST effectively communicated through the use of an IT risk management dashboard report? A. Trends in the risk profile B. The emergence of threats C. Changes in risk appetite D. The reconciliation of remediation costs Suggested Answer: A
Which of the following would MOST likely result in agreement on accountability for risk scenarios? A. Using a facilitated risk management workshop B. Distributing predefined scenarios for review C. Relying on external IT risk professionals D. Relying on generic risk scenarios Suggested Answer: A
Which of the following indicators BEST demonstrates the effectiveness of a disaster recovery management (DRM) program? A. Percentage of applications that have met disaster recovery test requirements B. Number of audit findings related to disaster recovery C. Number of disaster recovery tests completed on time D. Percentage of applications with a defined recovery time objective (RTO) Suggested Answer: A
A risk practitioner has been notified of a social engineering attack using artificial intelligence (AI) technology to impersonate senior management personnel. Which of the following would BEST mitigate the impact of such attacks? A. Training and awareness of employees for increased vigilance B. Subscription to data breach monitoring sites C. Suspension and takedown of malicious domains or accounts D. Increased monitoring of executive accounts Suggested Answer: A
A risk practitioner has reviewed new international regulations and realizes the new regulations will affect the organization. Which of the following should be the risk practitioner's NEXT course of action? A. Conduct a peer response assessment. B. Reevaluate the risk management program. C. Update risk scenarios in the risk register. D. Ensure applications are compliant. Suggested Answer: B
The risk to an organization's reputation due to a recent cybersecurity breach is PRIMARILY considered to be: A. operational risk. B. data risk. C. strategic risk. D. financial risk. Suggested Answer: C
Which of the following is the MOST important factor when determining a risk owner for a newly identified risk? A. The risk owner is accountable for the risk. B. The risk owner has the most in-depth knowledge of the risk. C. The risk owner has completed risk training. D. The risk owner is a member of senior management. Suggested Answer: A
A risk practitioner learns that department managers are attesting to application access reviews without actually performing the reviews. Which of the following would be the risk practitioner's BEST recommendation? A. Redesign and relaunch the review process. B. Review role descriptions and job titles. C. Implement separation of duties. D. Invoke the incident response process. Suggested Answer: A
Which of the following is the BEST way to address a board's concern about the organization's current cybersecurity posture? A. Assess security capabilities against an industry framework. B. Create a new security risk officer role. C. Update security risk scenarios. D. Increase the frequency of vulnerability testing. Suggested Answer: A
Which of the following should be of MOST concern to a risk practitioner reviewing an organization's risk register after the completion of a series of risk assessments? A. Several risk action plans have missed target completion dates. B. Many risk scenarios are owned by the same senior manager. C. Risk associated with many assets is only expressed in qualitative terms. D. Senior management has accepted more risk than usual. Suggested Answer: A
Making decisions about risk mitigation actions is the PRIMARY role of the: A. risk manager. B. risk officer. C. risk owner. D. risk practitioner. Suggested Answer: C
An organization operates in an environment where the impact of ransomware attacks is high, with a low likelihood. After quantification, the risk associated with ransomware attacks exceeds the organization's risk appetite and tolerance. Which of the following is the risk practitioner's BEST recommendation? A. Ensure business continuity assessments are up to date. B. Obtain adequate cybersecurity insurance coverage. C. Obtain certification to a global information security standard. D. Adjust the organization's risk appetite and tolerance. Suggested Answer: B
In an organization with mature risk management practices, the risk appetite can be inferred from which of the following? A. Control taxonomy B. Inherent risk C. Compliance reports D. Residual risk Suggested Answer: D
An organization wants to improve its logical access controls to address the results of the annual risk assessment. Which of the following should be done FIRST to facilitate this initiative? A. Review business and operational requirements. B. Review roles and entitlements. C. Review user access logs. D. Review prior access management approval. Suggested Answer: A
Which of the following emerging technologies is frequently used for botnet distributed denial of service (DDoS) attacks? A. Machine learning B. Internet of Things (IoT) C. Quantum computing D. Virtual reality (VR) Suggested Answer: B
What should be the immediate action upon discovery that users of a critical finance application have potentially excessive privileges? A. Recommend compensating controls be implemented. B. Request the service owner to perform an entitlement review. C. Review system logs for potentially malicious behavior. D. Inform the risk owner so access can be removed. Suggested Answer: B
Which of the following is the BEST method for determining an enterprise's current appetite for risk? A. Reviews of brokerage firm assessments B. Trend analysis using prior annual reports C. Comparative analysis of peer companies D. Interviews with senior management Suggested Answer: D
A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels. Which of the following should the risk practitioner do FIRST? A. Reassess the risk and review the underlying controls. B. Initiate disciplinary action against the risk owner. C. Report the activity to the supervisor. D. Review organizational ethics policies. Suggested Answer: C
Which of the following is the MOST important requirement to include in a Software as a Service (SaaS) vendor contract to ensure data is protected? A. The vendor must host data in a specific geographic location. B. The vendor must be held liable for regulatory fines for failure to protect data. C. The vendor must provide periodic independent assurance reports. D. The vendor must participate in an annual vendor performance review. Suggested Answer: C
Which of the following is MOST critical to the successful adoption of an enterprise architecture (EA) program? A. Adequate funding B. Skilled resources C. A mature governance plan D. Stakeholder support Suggested Answer: D
Management has implemented additional administrative and technical controls to reduce the likelihood of a high-impact risk in a key information system. What is the BEST way to validate the effectiveness of the control implementation? A. Perform a vulnerability scan. B. Perform an audit. C. Perform a penetration test. D. Perform a risk assessment. Suggested Answer: B
The MAIN reason to use the risk register to monitor aggregated risk is to provide: A. insight on control gaps. B. a basis for risk management resource allocation. C. a comprehensive view of risk impact. D. historical information about risk impact. Suggested Answer: C
Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program? A. To identify gaps in the alignment of IT risk management processes and strategy B. To confirm that IT risk assessment results are expressed in quantitative terms C. To evaluate threats to the organization's operations and strategy D. To ensure IT risk management is focused on mitigating emerging risk Suggested Answer: A
Which of the following should a risk practitioner do NEXT after learning that Internet of Things (IoT) devices installed in the production environment lack appropriate security controls for sensitive data? A. Enable role-based access control. B. Recommend device management controls. C. Assess the threat and associated impact. D. Evaluate risk appetite and tolerance levels. Suggested Answer: C
Which of the following is the MOST effective method for a risk practitioner to identify risk scenarios? A. Review IT strategic plans. B. Conduct a control maturity assessment. C. Conduct interviews with key stakeholders. D. Analyze industry threat intelligence. Suggested Answer: C
When outsourcing a business process to a cloud service provider, it is MOST important to understand that: A. insurance could be acquired for the risk associated with the outsourced process. B. service accountability remains with the cloud service provider. C. a risk owner must be designated within the cloud service provider. D. accountability for the risk will remain with the organization. Suggested Answer: D
Which of the following criteria for assigning owners to IT risk scenarios provides the GREATEST benefit to an organization? A. The risk owner has strong technical aptitude across multiple business systems. B. The risk owner has extensive risk management experience. C. The risk owner is a member of senior leadership in the IT organization. D. The risk owner understands the effect of loss events on business operations. Suggested Answer: D
Which of the following BEST facilitates the development of relevant risk scenarios? A. Perform quantitative risk analysis of historical data. B. Conduct brainstorming sessions with key stakeholders. C. Use qualitative risk assessment methodologies. D. Adopt an industry-recognized risk framework. Suggested Answer: B
Which of the following situations would cause the GREATEST concern around the integrity of application logs? A. Lack of a security information and event management (SIEM) system B. Lack of data classification policies C. Use of hashing algorithms D. Weak privileged access management controls Suggested Answer: D
An organization has recently implemented an emerging technology across multiple business units. Which of the following is the responsibility of the control owners in the impacted departments? A. Perform a business impact analysis (BIA) on the controls. B. Review and document classifications for controls. C. Perform a gap analysis of the impacted processes. D. Analyze and update control assessments for changes. Suggested Answer: D
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an organization's cybersecurity program? A. Percentage of systems being monitored B. Average time to contain security incidents C. Number of false positives reported D. Number of personnel dedicated to security monitoring Suggested Answer: B
Which of the following is the MOST significant risk factor associated with the use of blockchain in legacy systems? A. Lack of transaction traceability B. Decentralized data processing C. Cross-system incompatibility D. Increased implementation costs Suggested Answer: C
Which of the following should be the starting point when performing a risk analysis for an asset? A. Assess controls. B. Assess risk scenarios. C. Evaluate threats. D. Update the risk register. Suggested Answer: B
Who should be accountable for authorizing information system access to internal users? A. Information security manager B. Information owner C. Information custodian D. Information security officer Suggested Answer: B
An organization is considering an Internet of Things (IoT) technology solution to manage its supply chain. Which of the following presents the GREATEST risk to the organization in this situation? A. IoT devices with hard-coded passwords B. Lack of physical hardening C. Lack of regulatory guidance regarding IoT D. Outdated out-of-the-box IoT firmware Suggested Answer: A
The MOST important reason for establishing clear ownership of firewall rules is to: A. hold owners accountable for incidents. B. enable removal of unused rules. C. support strong change control. D. comply with regulatory requirements. Suggested Answer: C
Which of the following should be done FIRST when a new risk scenario has been identified? A. Design control improvements. B. Identify the risk owner. C. Establish key risk indicators (KRIs). D. Estimate the residual risk. Suggested Answer: B
Which of the following is the PRIMARY objective of a risk awareness program? A. To demonstrate senior management support B. To clearly define ownership of risk C. To increase awareness of risk mitigation controls D. To enhance organizational risk culture Suggested Answer: D
An organization is in the process of reviewing its risk appetite statement and re-defining the risk tolerance threshold. Which of the following elements of the risk register is MOST likely to change as a result of this review? A. Risk impact B. Risk response C. Risk likelihood D. Risk ownership Suggested Answer: B
A large organization recently restructured the IT department and has decided to outsource certain functions. What action should the control owners in the IT department take? A. Determine whether risk responses still effectively address risk. B. Conduct risk classification for associated IT controls. C. Perform vulnerability and threat assessments. D. Analyze and update IT control assessments. Suggested Answer: D
An organization wants to leverage artificial intelligence (AI) to help identify and analyze root causes of data breaches involving multiple systems. Which of the following is BEST suited for this purpose? A. Intrusion detection and prevention systems B. Security information and event management (SIEM) system C. Application event logging system D. Database activity monitoring system Suggested Answer: B
The MAIN benefit of defining an organization's risk tolerance and appetite is that it helps to ensure: A. a top-down approach to risk management is used. B. risk is managed to an acceptable level. C. risk is assessed within acceptable tolerance. D. key risk indicators (KRIs) are aligned with risk scenarios. Suggested Answer: B
What type of controls will provide the MOST useful information for reporting on attempted system security breaches? A. Preventive B. Deterrent C. Corrective D. Detective Suggested Answer: D
It has been identified that segregation of duties controls failed due to the automation of an accounts payable system. Which of the following would BEST mitigate the associated risk? A. Implementing multi-level authentication B. Adding manual approvals to the departmental workflow C. Analyzing transaction reports for suspicious activity D. Automating account reconciliation Suggested Answer: B
Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)? A. Consistent management of information assets B. Establishment of digital forensic architectures C. Reduction in the number of test cases in the acceptance phase D. Adherence to legal and compliance requirements Suggested Answer: A
Which of the following is the BEST control for a large organization to implement to effectively mitigate risk related to fraudulent transactions? A. Password policies B. Monetary approval limits C. Clear roles and responsibilities D. Segregation of duties Suggested Answer: D
Which of the following is the BEST course of action for a system administrator who suspects a colleague may be intentionally weakening a system's validation controls in order to pass through fraudulent transactions? A. Implement compensating controls to deter fraud attempts. B. Determine whether the system environment has flaws that may motivate fraud attempts. C. Share the concern through a whistleblower communication channel. D. Monitor the activity to collect evidence. Suggested Answer: C
Which of the following is a PRIMARY benefit of using facilitated workshops to develop IT risk scenarios? A. Enhancing the risk culture within the organization B. Expressing IT risk scenarios in business terms C. Building consensus regarding risk priorities D. Developing an efficient process to identify risk Suggested Answer: C
Information that is no longer required to support business objectives should be: A. securely deleted according to the disposal policy. B. transferred and archived to an enterprise data vault. C. managed according to the retention policy. D. recoverable according to the business impact analysis (BIA). Suggested Answer: A
Which of the following would be the BEST way to proactively identify changes in organizational risk levels? A. Develop risk scenarios B. Conduct compliance reviews C. Monitor key risk indicators (KRIs) D. Perform business impact analyses Suggested Answer: C
How does an organization benefit by purchasing cyber theft insurance? A. It decreases the amount of organizational loss if risk events occur. B. It justifies the acceptance of risk associated with cyber theft events. C. It decreases the likelihood of risk events occurring. D. It transfers risk ownership along with associated liabilities to a third party. Suggested Answer: A
Which of the following actions should a risk practitioner do NEXT when an increased industry trend of external cyber attacks is identified? A. Update the key risk indicator (KRI) in the risk register. B. Update the risk impact rating in the risk register. C. Notify senior management of the new risk scenario. D. Conduct a threat and vulnerability analysis. Suggested Answer: D
Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities? A. Reviewing password change history B. Reviewing the results of security awareness surveys C. Conducting social engineering exercises D. Performing periodic access recertifications Suggested Answer: C
Which of the following is MOST important to review when an organization needs to transition the majority of its employees to remote work during a crisis? A. Customer notification plans B. Capacity management C. Access management D. Impacts on IT project delivery Suggested Answer: C
Which of the following will have the GREATEST influence when determining an organization’s risk appetite? A. Risk culture B. Risk management budget C. Organizational structure D. Industry benchmarks Suggested Answer: A
A data center has recently been migrated to a jurisdiction where heavy fines will be imposed should leakage of customer personal data occur. Assuming no other changes to the operating environment, which factor should be updated to reflect this situation as an input to scenario development for this particular risk event? A. Risk impact B. Risk appetite C. Risk likelihood D. Risk capacity Suggested Answer: A
Which of the following is BEST to use when creating cyber risk scenarios focused on the operational concerns of the organization’s cyber team? A. Qualitative cyber risk assessment B. Top-down approach C. Bottom-up approach D. Quantitative cyber risk assessment Suggested Answer: C
Which of the following would be the BEST input when evaluating the risk associated with a proposed adoption of robotic process automation (RPA) of a business service? A. Control objectives B. Cost-benefit analysis results C. Code review results D. Business continuity plan (BCP) Suggested Answer: B
Which of the following is the MOST effective way to minimize the impact associated with the loss of key employees? A. Maintain and publish a RACI chart. B. Promote incentive programs. C. Perform succession planning. D. Develop a robust onboarding program. Suggested Answer: C
Which of the following provides the MOST reliable information to evaluate the current state of control effectiveness? A. Business impact analysis (BIA) B. Control self-assessment (CSA) results C. Audit results D. Key performance indicators (KPIs) Suggested Answer: C
When assigning an IT risk owner, it is ESSENTIAL that the owner has: A. ownership of the service where the risk exists. B. authority to commit resources to manage the risk. C. oversight of the IT function. D. relevant experience with risk mitigation strategy. Suggested Answer: B
Which of the following is an example of risk sharing? A. Rejecting a high-risk project B. Outsourcing the hosting of a critical system C. Investing in fault-tolerant technology D. Engaging in a code escrow agreement Suggested Answer: B
Which of the following is MOST important to identify when developing top-down risk scenarios? A. Hypothetical scenarios B. Key procedure control gaps C. Senior management's risk appetite D. Business objectives Suggested Answer: C
What is a risk practitioner's BEST approach to monitor and measure how quickly an exposure to a specific risk can affect the organization? A. Create key performance indicators (KPIs). B. Create key risk indicators (KRIs). C. Create a risk volatility report. D. Create an asset valuation report. Suggested Answer: B
Which of the following is the BEST approach for obtaining management buy-in to implement additional IT controls? A. Present new key risk indicators (KRIs) based on industry benchmarks. B. Provide information on new governance, risk, and compliance (GRC) platform functionalities. C. Describe IT risk impact on organizational processes in monetary terms. D. List requirements based on a commonly accepted IT risk management framework. Suggested Answer: C
Which of the following is the MOST important consideration when creating a risk management framework? A. Assigning roles and responsibilities B. Aligning with corporate goals and objectives C. Adjusting risk appetite and tolerance D. Defining acceptable residual risk Suggested Answer: B
Which of the following is the MOST effective way to help ensure a risk treatment plan remains on track? A. Documenting risk treatment procedures for relevant stakeholders B. Adopting an agile project management approach C. Requiring approval by the second line of defense D. Assigning sufficient resources to implement the plan Suggested Answer: B
Which of the following is the BEST method to track asset inventory? A. Asset registration form B. Periodic asset review by management C. Automated asset management software D. IT resource budgeting process Suggested Answer: C
Which of the following is the MOST important reason to communicate control effectiveness to senior management? A. To ensure management understands the current risk status B. To demonstrate alignment with industry best practices C. To align risk management with strategic objectives D. To assure management that control ownership is assigned Suggested Answer: A
Which of the following is the FIRST step when identifying risk items related to a new IT project? A. Review the IT control environment. B. Conduct a cost-benefit analysis. C. Review the business case. D. Conduct a gap analysis. Suggested Answer: C
What is the MOST important consideration when selecting key performance indicators (KPIs) for control monitoring? A. Source information is acquired at stable cost. B. Source information is tailored by removing outliers. C. Source information is readily quantifiable. D. Source information is consistently available. Suggested Answer: D
A risk practitioner is defining metrics for security threats that were not identified by antivirus software. Which type of metric is being developed? A. Operational level agreement (OLA) B. Key risk indicator (KRI) C. Key control indicator (KCI) D. Service level agreement (SLA) Suggested Answer: B
Which of the following should be done FIRST upon learning that the organization will be affected by a new regulation in its industry? A. Transfer the risk. B. Perform a gap analysis. C. Determine risk appetite for the new regulation. D. Implement specific monitoring controls. Suggested Answer: B
Which of the following is a PRIMARY responsibility of a control owner? A. Assessing levels of risk B. Identifying trends in the risk profile C. Selecting controls to mitigate risk D. Monitoring status of risk response Suggested Answer: C
Which of the following will be MOST effective in helping to ensure control failures are appropriately managed? A. Peer review B. Compensating controls C. Control ownership D. Control procedures Suggested Answer: C
A risk practitioner has implemented a key risk indicator (KRI) that triggers a warning when the number of untreated IT control deficiencies exceeds a given threshold. Which of the following should be the GREATEST concern regarding the design of this KRI? A. Setting unrealistic targets for compliance B. Ignoring the significance of the control deficiencies C. Generating a large number of false-positive warnings D. Failing to attract sufficient management support Suggested Answer: C
An organization has contracted with a cloud service provider to support the deployment of a new product. Of the following, who should own the associated risk? A. The IT risk manager B. The information security manager C. The product owner D. The head of enterprise architecture (EA) Suggested Answer: C
Which of the following BEST enables an organization to determine whether risk management is aligned with its goals and objectives? A. Environmental changes that impact risk are continually evaluated. B. Organizational controls are in place to effectively manage risk appetite. C. The organization has approved policies that provide operational boundaries. D. The organization has an approved enterprise architecture (EA) program. Suggested Answer: B
An organization is implementing data warehousing infrastructure. Senior management is concerned about safeguarding client data security in this new environment. Which of the following should the risk practitioner recommend be done NEXT? A. Ensure an attribute-based access control model is implemented. B. Ensure a role-based access control model is implemented. C. Perform a gap analysis regarding the organization’s client data access model. D. Establish new controls addressing a consistently applied data access model. Suggested Answer: C
Key control indicators (KCIs) help to assess the effectiveness of the internal control environment PRIMARILY by: A. enabling senior leadership to better understand the level of risk the organization is facing. B. ensuring controls are operating efficiently and facilitating productivity. C. monitoring changes in the likelihood of adverse events due to ineffective controls. D. providing information on the degree to which controls are meeting intended objectives. Suggested Answer: D
Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s patch management process? A. Number of patches tested prior to deployment B. Average time to implement patches after vendor release C. Percent of patches implemented within established timeframe D. Increase in the frequency of patches deployed into production Suggested Answer: C
Which of the following is the BEST way to determine the value of information assets for risk management purposes? A. Assess the loss impact if the information is inadvertently disclosed. B. Calculate the overhead required to keep the information secure throughout its life cycle. C. Calculate the replacement cost of obtaining the information from alternate sources. D. Assess the market value offered by consumers of the information. Suggested Answer: A
Which of the following situations would BEST justify escalation to senior management? A. Residual risk equals current risk. B. Residual risk remains after controls have been applied. C. Residual risk is inadequately recorded. D. Residual risk exceeds acceptable limits. Suggested Answer: D
Which of the following would be MOST effective in promoting a risk-aware culture within an organization? A. Allocating budget for IT initiatives based on IT risk assessment results B. Appointing a risk committee to prioritize identified and assessed risk C. Issuing penalties to those who do not attend the risk awareness program D. Using risk scenarios to inform organizational strategy Suggested Answer: D
Which of the following is MOST helpful to a risk practitioner in determining whether assessed risk requires a risk treatment plan? A. Business objectives B. Risk tolerance C. Risk appetite D. Cost-benefit analysis Suggested Answer: B
Which of the following BEST supports an accurate asset inventory system? A. Asset management metrics are aligned to industry benchmarks. B. There are defined processes in place for onboarding assets. C. Organizational information risk controls are continuously monitored. D. The asset management team is involved in the budgetary planning process. Suggested Answer: B
An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following should be the risk practitioner's NEXT course of action? A. Remove the associated risk from the register. B. Validate control effectiveness and update the risk register. C. Review the contract and service level agreements (SLAs). D. Obtain an assurance report from the third-party provider. Suggested Answer: B
Which of the following is the BEST indicator of the effectiveness of a control? A. Number of steps necessary to operate process B. Scope of the control coverage C. Number of control deviations detected D. The number of exceptions granted Suggested Answer: C
Which of the following activities is a responsibility of the second line of defense? A. Implementing risk response plans B. Establishing organizational risk appetite C. Challenging risk decision making D. Developing controls to manage risk scenarios Suggested Answer: C
The PRIMARY reason to use a bottom-up approach to analyze risk scenarios is to: A. identify the relationship to enterprise risk. B. identify key stakeholders. C. ensure risk details are appropriately gathered. D. determine positional risk ranking. Suggested Answer: C
Which of the following is the PRIMARY purpose of developing a risk register? A. To provide a means to identify risk scenarios requiring mitigation B. To provide a means to respond to risk as it arises C. To provide a means to identify relevant threat actors D. To provide a means to track risk as it is identified Suggested Answer: A
Which of the following is a risk practitioner’s BEST recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project? A. Assign more developers to the project team. B. Involve the development team in planning. C. Implement a tool to track the development team’s deliverables. D. Review the software development life cycle. Suggested Answer: B
Which of the following is the BEST key performance indicator (KPI) for a server patch management process? A. The number of servers with local credentials to install patches B. The number of servers running the software patching service C. The percentage of servers patched within required service level agreements D. The percentage of servers with allowed patching exceptions Suggested Answer: C
Which of the following BEST mitigates ethical risk? A. Ethics committees B. Contingency scenarios C. Routine changes in senior management D. Awareness of consequences for violations Suggested Answer: D
Which of the following is the MOST important criterion for selecting key risk indicators (KRIs)? A. Historical data availability B. Sensitivity and reliability C. Ability to display trends D. Implementation and reporting effort Suggested Answer: B
A data privacy regulation has been revised to incorporate more stringent requirements on personal data protection. Which of the following will provide the MOST important input to help ensure compliance with the revised regulation? A. Gap analysis B. Risk profile update C. Business impact analysis (BIA) D. Current control attestation Suggested Answer: A
Which of the following should be the FIRST course of action if the risk associated with a new technology is found to be increasing? A. Implement additional controls B. Re-evaluate current controls C. Revise the current risk action plan D. Escalate the risk to senior management Suggested Answer: B
Who should be responsible for approving the cost of controls to be implemented for mitigating risk? A. Risk owner B. Control implementer C. Control owner D. Risk practitioner Suggested Answer: A
Which of the following should be of MOST concern to a risk practitioner reviewing the system development life cycle (SDLC)? A. Segregation of duties controls are overridden during user testing phases B. Testing is completed by IT support users without input from end users C. Data anonymization is used during all cycles of end user testing D. Testing is completed in phases with user testing scheduled as the final phase Suggested Answer: B
Which of the following process controls BEST mitigates the risk of an employee issuing fraudulent payments to a vendor? A. Enforcing segregation of duties between the vendor master file and invoicing B. Conducting system access reviews to ensure least privilege and appropriate access C. Performing regular reconciliation of payments to the check registers D. Performing credit verification of third-party vendors prior to payment Suggested Answer: A
Which of the following is an example of risk avoidance? A. Outsourcing a software development project B. Insurance coverage C. Configuration management D. Delaying entry into an emerging market Suggested Answer: D
An organization uses an automated vulnerability scanner to identify potential vulnerabilities on various enterprise systems. Who is accountable for ensuring the vulnerabilities are mitigated? A. System administrators B. Data owners C. System owners D. Information security manager Suggested Answer: C
Which of the following would MOST likely cause senior management to lower the risk tolerance level? A. Organizational restructuring B. Increase in penalties for unauthorized data disclosure C. Outsourcing of in-house software development D. Decrease in budget allocated for risk mitigation activities Suggested Answer: B
An organization has updated its acceptable use policy to mitigate the risk of employees disclosing confidential information. Which of the following is the BEST way to reinforce the effectiveness of this policy? A. Communicate sanctions for policy violations to all staff B. Obtain signed acceptance of the new policy from employees C. Implement data loss prevention (DLP) within the corporate network D. Train all staff on relevant information security best practices Suggested Answer: D
An organization recently experienced a cyber attack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner’s BEST recommendation after recovery steps have been completed? A. Review the incident response plan B. Perform a root cause analysis C. Develop new key risk indicators (KRIs) D. Recommend the purchase of cyber insurance Suggested Answer: B
Which of the following is MOST important to review when evaluating the ongoing effectiveness of the IT risk register? A. The timeframes for risk response actions B. The costs associated with mitigation options C. The cost-benefit analysis of each risk response D. The status of identified risk scenarios Suggested Answer: D
Which of the following is MOST important for a multinational organization to consider when developing its security policies and standards? A. Industry-standard templates B. Ability to monitor and enforce compliance C. Differences in regulatory requirements D. Regional competitors’ policies and standards Suggested Answer: C
An application development team has a backlog of user requirements for a new system that will process insurance claim payments for customers. Which of the following should be the MOST important consideration for a risk-based review of the user requirements? A. Number of claims affected by the user requirements B. Level of resources required to implement the user requirements C. Impact to the accuracy of claim calculation D. Number of customers impacted Suggested Answer: C
A Software as a Service (SaaS) company wants to use aggregated data from its clients to improve its services via a machine learning model. However, its contracts do not clearly allow this use of aggregated data. What should the organization do NEXT? A. Update the organization’s data processing agreement template. B. Request internal risk acceptance from senior management. C. Request formal consent from clients to use their data. D. Update the organization’s privacy policy to reflect the use of aggregated data. Suggested Answer: C
Who is BEST suited to own an IT risk scenario in an organization where only one IT support person knows how to maintain a core business application? A. Business owner B. IT manager C. Application business analyst D. Risk manager Suggested Answer: A
Which types of controls are BEST used to minimize the risk associated with a vulnerability? A. Preventive B. Deterrent C. Detective D. Directive Suggested Answer: A
An organization has an internal control that requires all access for employees be removed within 15 days of their termination date. Which of the following should the risk practitioner use to monitor adherence to the 15-day threshold? A. Service level agreement (SLA) B. Operation level agreement (OLA) C. Key performance indicator (KPI) D. Key risk indicator (KRI) Suggested Answer: C
An organization recently implemented new technologies that enable the use of robotic process automation. Which of the following is MOST important to reassess? A. Risk capacity B. Risk appetite C. Risk tolerance D. Risk profile Suggested Answer: D
Which of the following BEST indicates that security requirements have been incorporated into the system development life cycle (SDLC)? A. Completed user acceptance testing (UAT) B. Compliance with laws and regulatory requirements C. Validated security requirements and design documents D. Comprehensive security training of developers Suggested Answer: C
Which of the following is the BEST source of information for identifying suitable key risk indicators (KRIs)? A. Business impact analysis (BIA) B. Risk register C. Audit findings D. Laws and regulations Suggested Answer: B
A multinational bank is considering a product that involves using personal data to tailor customer financial plans. Which of the following is the PRIMARY privacy consideration when deciding whether to use this product? A. The ability to update customer data B. Data anonymization capabilities C. Data retention requirements D. Customer consent for use of data Suggested Answer: D
Which of the following should an organization do FIRST upon learning of the potential risk of noncompliance with new regulations in its industry? A. Determine availability of resources to address noncompliance B. Identify and assess threats C. Perform a business impact analysis (BIA) D. Implement controls to comply with the new regulations Suggested Answer: B
Which of the following BEST demonstrates that an implemented control is effective in mitigating the intended risk? A. Successful outcome of an external audit B. Accurate reporting of control test results to management C. Successful completion of risk action plans related to the control D. Appropriate assignment of control ownership to mitigate risk Suggested Answer: B
Which of the following is MOST important when identifying an organization's risk exposure associated with Internet of Things (IoT) devices? A. Defined remediation plans B. Management sign-off on the scope C. Manual testing of device vulnerabilities D. Visibility into all networked devices Suggested Answer: D
An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application? A. Whether the service provider contract allows right of onsite audit B. Whether the service provider's data center is located in the same country C. Whether the data has been appropriately classified D. Whether the data sent by email has been encrypted Suggested Answer: C
To measure improvements in the performance of spam email filtering software, which of the following key performance indicators (KPIs) would be MOST useful to monitor? A. The number of spam messages not detected by the email filter B. The number of spam messages received by the email filtering software C. The number of messages classified as spam by the email filter D. The number of phishing attacks conducted through spam email messages Suggested Answer: A
Which of the following is MOST important for management to consider when deciding whether to invest in an IT initiative that exceeds management's risk appetite? A. Risk management budget B. Risk tolerance C. Risk capacity D. Risk management industry trends Suggested Answer: C
Which of the following provides the MOST useful input to the development of realistic risk scenarios? A. Risk map B. Balanced scorecard C. Risk appetite D. Risk events Suggested Answer: D
An organization has established a contract with a vendor that includes penalties for loss of availability. Which risk treatment has been adopted by the organization? A. Reduction B. Acceptance C. Avoidance D. Transfer Suggested Answer: D
Which of the following groups would provide the MOST relevant perspective when reporting loss exposure based on a risk analysis exercise? A. Process owners B. Senior management C. Internal auditors D. Independent risk consultants Suggested Answer: B
When a risk practitioner is developing a set of risk scenarios, the scenarios MUST include information about: A. control efficiency B. threat impact analysis results C. the relevant threat agents D. the severity of occurrences Suggested Answer: D
Which of the following is the BEST response when a potential IT control deficiency has been identified? A. Verify the deficiency and then notify the business process owner B. Verify the deficiency and then notify internal audit C. Remediate and report the deficiency to senior executive management D. Remediate and report the deficiency to the enterprise risk committee Suggested Answer: A
Which of the following observations would be the GREATEST concern to a risk practitioner evaluating an organization’s risk management practices? A. Several risk scenarios have action plans spanning multiple years B. Business leaders provide final approval for information security policies C. Senior management has approved numerous requests for risk acceptance D. Senior management does not set risk tolerance Suggested Answer: D
Which of the following will BEST help to improve an organization’s risk culture? A. Allocating resources for risk remediation B. Maintaining a documented risk register C. Rewarding employees for reporting security incidents D. Establishing a risk awareness program Suggested Answer: D
Which of the following BEST enables the alignment of risk management with organizational objectives? A. Management policies are periodically reviewed and updated B. Control architectures meet industry standards C. Risk assessment results articulate business goals D. Business risk appetite and tolerance are defined Suggested Answer: D
A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization’s risk appetite. Which of the following would be the MOST effective course of action? A. Purchase cybersecurity insurance B. Re-evaluate the organization’s risk appetite C. Outsource the cybersecurity function D. Review cybersecurity incident response procedures Suggested Answer: D
Senior management has asked the risk practitioner for the overall residual risk level for a process that contains numerous risk scenarios. Which of the following should be provided? A. The sum of residual risk levels for each scenario B. The highest loss expectancy among the risk scenarios C. The loss expectancy for aggregated risk scenarios D. The average of anticipated residual risk levels Suggested Answer: C
Which of the following provides the BEST aggregation of risk factors for an enterprise? A. Risk scenario analysis B. Risk tolerance and appetite statement C. Risk register D. Business area risk profile Suggested Answer: C
Which of the following is the PRIMARY reason to obtain independent reviews of risk assessment and response mechanisms? A. To minimize the subjectivity of risk assessment results B. To correct errors in the risk assessment process C. To ensure risk thresholds are properly defined D. To validate impact and probability ratings Suggested Answer: A
Which of the following should be the PRIMARY consideration when assessing tools for automated control monitoring? A. Cost-benefit analysis B. Continuity plan C. Enterprise architecture (EA) D. Risk register Suggested Answer: A
Which of the following is the MOST important reason to restrict access to the risk register on a need-to-know basis? A. Contents may be used as auditable findings. B. It contains vulnerabilities and threats. C. Risk scenarios may be misinterpreted. D. The risk methodology is intellectual property. Suggested Answer: B
An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management? A. Lack of monitoring over vendor activities B. Differences in regional standards C. Transborder data transfer restrictions D. Lack of after-hours incident management support Suggested Answer: C
Which of the following is MOST helpful when prioritizing action plans for identified risk? A. Comparing risk rating against appetite B. Determining cost of controls to mitigate risk C. Obtaining input from business units D. Ranking the risk based on likelihood of occurrence Suggested Answer: A
Which of the following is MOST important when implementing an organization's security policy? A. Assessing compliance requirements B. Identifying threats and vulnerabilities C. Benchmarking against industry standards D. Obtaining management support Suggested Answer: D
Within the three lines of defense model, the responsibility for managing risk and controls resides with: A. the internal auditor. B. the risk practitioner. C. operational management. D. executive management. Suggested Answer: C
An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment? A. Application-related expenses B. Classification of the data C. Business benefits of shadow IT D. Volume of data Suggested Answer: B
Which of the following risk impacts should be the PRIMARY consideration for determining recovery priorities in a disaster recovery situation? A. Data security B. Business disruption C. Recovery resource availability D. Recovery costs Suggested Answer: B
Which of the following is the BEST criterion to determine whether higher residual risk ratings in the risk register should be accepted? A. Risk maturity B. Risk policy C. Risk culture D. Risk appetite Suggested Answer: D
A cloud service provider has completed upgrades to its cloud infrastructure to enhance service availability. Which of the following is the MOST important key risk indicator (KRI) for management to monitor? A. Peak demand on the cloud service during business hours B. Number of incidents with downtime exceeding contract threshold C. Percentage of servers not patched per policy D. Percentage of technology upgrades resulting in security breaches Suggested Answer: B
A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing. Which part of the risk register should be updated FIRST? A. Payroll system risk factors B. Payroll system risk mitigation plans C. Payroll administrative controls D. Payroll process owner Suggested Answer: A
Which of the following types of controls is MOST effective to mitigate the risk of users bypassing controls? A. Corrective B. Preventive C. Detective D. Directive Suggested Answer: B
Which of the following will MOST likely change as a result of the decrease in risk appetite due to a new privacy regulation? A. Key performance indicators (KPIs) B. Risk objectives C. Key risk indicator (KRI) thresholds D. Risk trends Suggested Answer: C
An IT project sponsor has approved the removal of some test cases to expedite user acceptance testing (UAT). It would be MOST important for the risk practitioner to: A. evaluate the savings associated with the revised testing. B. review changes to the test environment. C. monitor potential impact of untested business scenarios. D. monitor and report the number of failed test results. Suggested Answer: C
When reporting to senior management on changes in trends related to IT risk, which of the following is MOST important? A. Maturity B. Materiality C. Confidentiality D. Transparency Suggested Answer: B
An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control? A. Risk likelihood B. Risk scenarios C. Risk impact D. Risk ownership Suggested Answer: A
Which of the following is the GREATEST benefit of involving business owners in risk scenario development? A. Business owners are able to assess the impact B. Business owners understand the residual risk of competitors C. Business owners have the ability to effectively manage risk D. Business owners have authority to approve control implementation Suggested Answer: A
Which of the following is the PRIMARY reason to ensure policies and standards are properly documented within the risk management process? A. It facilitates the use of a framework for risk management B. It encourages risk-based decision making for stakeholders. C. It establishes a means for senior management to formally approve risk practices. D. It provides a basis for benchmarking against industry standards. Suggested Answer: C
Which of the following has the GREATEST positive impact on ethical compliance within the risk management process? A. An independent ethics investigation team has been established B. The risk practitioner is required to consult with the ethics committee. C. Senior management demonstrates ethics in their day-to-day decision making. D. Employees are required to complete ethics training courses annually. Suggested Answer: C
Which of the following information MUST be included in a business impact analysis (BIA) to facilitate risk assessments related to business continuity? A. Critical business processes with their dependent resources B. List of threats impacting critical business processes C. Vulnerabilities identified within critical business processes D. Business continuity and disaster recovery testing requirements Suggested Answer: A
While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action? A. Request that both business units conduct another review of the risk. B. Review the assumptions of both risk scenarios to determine whether the variance is reasonable. C. Update the risk register with the average of residual risk for both business units. D. Update the risk register to ensure both risk scenarios have the highest residual risk. Suggested Answer: B
Which of the following is MOST important for developing effective key risk indicators (KRIs)? A. Including input from risk and business unit management B. Engaging sponsorship by senior management C. Utilizing data and resources internal to the organization D. Developing in collaboration with internal audit Suggested Answer: A
Which of the following is the MOST essential factor for managing risk in a highly dynamic environment? A. Obtaining support from senior leadership B. Ongoing sharing of information among industry peers C. Adhering to industry-recognized risk management standards D. Implementing detection and response measures Suggested Answer: D
A global organization has initiated a project to migrate its existing IT infrastructure to cloud-based products. Which of the following should the risk practitioner do FIRST? A. Analyze the risk register for potential changes to risk scenarios. B. Reassess whether risk responses properly address known risk. C. Update processes within impacted control assessments. D. Evaluate existing control test plans for potential changes. Suggested Answer: A
Which of the following is MOST helpful for communicating the significance of IT-related risk to business managers? A. Industry trends B. Risk awareness training C. Risk scenarios D. Event-driven risk reporting Suggested Answer: C
If concurrent update transactions to an account are not processed properly, which of the following will MOST likely be affected? A. Accountability B. Availability C. Confidentiality D. Integrity Suggested Answer: D
Which of the following is BEST to use as a basis for developing a comprehensive list of IT risk scenarios? A. IT architecture roadmap B. IT strategic plan C. IT asset inventory D. IT key risk indicators (KRIs) Suggested Answer: C
An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact? A. Risk tolerance B. Risk indicators C. Risk capacity D. Risk profile Suggested Answer: C
Which of the following is MOST important to consider when determining key performance indicators (KPIs) for a process? A. Success criteria for the process B. Known problems with the process C. Alignment with established industry frameworks D. Historical trends in process-related incidents Suggested Answer: A
Which of the following is the FIRST step when conducting a business impact analysis (BIA)? A. Creating a data classification scheme B. Analyzing previous risk assessment results C. Identifying events impacting continuity of operations D. Identifying critical information assets Suggested Answer: D
Which of the following practices MOST effectively safeguards the processing of personal data? A. Personal data attributed to a specific data subject is tokenized. B. Data protection impact assessments are performed on a regular basis. C. Personal data certifications are performed to prevent excessive data collection. D. Data retention guidelines are documented, established, and enforced. Suggested Answer: B
Which of the following enterprise architecture (EA) practices BEST reduces the impact of a successful attack? A. Virtual machines B. Antivirus C. Firewalls D. Segmentation Suggested Answer: D
An organization is moving its critical assets to the cloud. Which of the following is the MOST important key performance indicator (KPI) to include in the service level agreement (SLA)? A. Average time to respond to incidents B. Number of assets included in recovery processes C. Percentage of standard supplier uptime D. Number of key applications hosted Suggested Answer: C
The BEST way for an organization to ensure that servers are compliant to security policy is to review: A. server access logs. B. anti-malware compliance. C. configuration settings. D. change logs. Suggested Answer: C
For no apparent reason, the time required to complete daily processing for a legacy application is approaching a risk threshold. Which of the following activities should be performed FIRST? A. Suspend processing to investigate the problem B. Conduct a root cause analysis C. Temporarily increase the risk threshold D. Initiate a feasibility study for a new application Suggested Answer: B
Which of the following is the risk practitioner's BEST course of action after management successfully implements a security information and event management (SIEM) tool? A. Review and update key risk indicators (KRIs). B. Reassess control effectiveness to determine the level of residual risk. C. Reassess the impact of scenarios to reflect use of the new control. D. Update the IT risk profile to reflect the change in residual risk. Suggested Answer: B
A risk practitioner notes control design changes when comparing risk response to a previously approved action plan. Which of the following is MOST important for the practitioner to confirm? A. The effectiveness of the resulting control B. Appropriate approvals for the control changes C. The risk owner's approval of the revised action plan D. The reason the action plan was modified Suggested Answer: B
Which of the following is the MOST important consideration for the board and senior leadership regarding the organization's approach to risk management for emerging technologies? A. Ensuring the risk framework and policies are suitable for emerging technologies B. Ensuring the organization follows risk management industry best practices C. Ensuring IT risk scenarios are updated and include emerging technologies D. Ensuring threat intelligence services are used to gather data about emerging technologies Suggested Answer: A
Before defining a response strategy for a specific risk scenario, it is MOST important to confirm that: A. the risk register has been reviewed by management. B. annual loss expectancy (ALE) is less than the remediation cost. C. compensating controls are available. D. the risk rating exceeds risk appetite. Suggested Answer: D
An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the control owner in this scenario? A. The IT operations team B. The application owner C. The disaster recovery team D. The business resilience team Suggested Answer: B
Which of the following is the GREATEST concern if user acceptance testing (UAT) is not conducted when implementing a new application? A. The probability of application defects will increase B. The application could fail to meet defined business requirements C. Data confidentiality could be compromised D. Increase in the use of redundant processes Suggested Answer: B
Which process is MOST effective to determine relevance of threats for risk scenarios? A. Penetration testing B. Vulnerability assessment C. Root cause analysis D. Business impact analysis (BIA) Suggested Answer: D
Which of the following is MOST useful in developing risk scenarios? A. Threat modeling B. Past audit findings C. Vulnerabilities D. Risk appetite Suggested Answer: A
Which of the following is the MOST important requirement when implementing a data loss prevention (DLP) system? A. Determining the value of data B. Defining the data retention period C. Identifying users who have access D. Selecting an encryption solution Suggested Answer: A
Which of the following should be of GREATEST concern to a risk practitioner reviewing an organization’s disaster recovery plan (DRP)? A. Risk scenarios used for the plan were last tested two years ago. B. The call list in the plan was last updated a year ago. C. The disaster recovery plan (DRP) does not identify a hot site. D. The IT steering committee determined the application recovery priorities. Suggested Answer: A
It was discovered that a service provider's administrator was accessing sensitive information without the approval of the customer in an Infrastructure as a Service (IaaS) model. Which of the following would BEST protect against a future recurrence? A. Intrusion prevention system (IPS) B. Contractual requirements C. Data encryption D. Two-factor authentication Suggested Answer: B
A risk practitioner has been asked to assist in developing a third-party agreement for a Software as a Service (SaaS) vendor that will store personally identifiable data. Which of the following would BEST enable management to verify the vendor's data security practices over the life of the agreement? A. Nondisclosure agreement (NDA) clause B. Annual third-party assurance report clause C. Service level agreement (SLA) clause D. Annual vendor attestation clause Suggested Answer: B
Which group has PRIMARY ownership of reputational risk stemming from unethical behavior within the organization? A. Audit committee B. Board of directors C. Human resources (HR) D. Risk management committee Suggested Answer: B
Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels? A. Qualitative measures for potential loss events B. Changes in owners for identified IT risk scenarios C. Changes in methods used to calculate probability D. Frequent use of risk acceptance as a treatment option Suggested Answer: C
The BEST key performance indicator (KPI) to measure the ongoing effectiveness of a risk awareness training program is the percentage of staff members who have: A. passed subsequent random testing. B. passed the training session test. C. attended annual training. D. accessed online training materials. Suggested Answer: A
Which of the following metrics would be MOST helpful to management in understanding the effectiveness of the organization’s security awareness controls? A. Number of false positive alerts in a given time frame B. Number of employees who have not completed training C. Number of data exfiltration attempts D. Number of malware incidents identified on a system Suggested Answer: C
Which of the following sources is MOST relevant to reference when updating security awareness training materials? A. Global security standards B. Risk management framework C. Recent security incidents reported by competitors D. Risk register Suggested Answer: C
Which of the following would BEST indicate to senior management that IT processes are improving? A. Changes in the position in the maturity model B. Changes to the structure of the risk register C. Changes in the number of intrusions detected D. Changes in the number of security exceptions Suggested Answer: A
Which of the following should be the PRIMARY consideration when identifying and assigning ownership of IT-related risk? A. Accountability for control operation B. Accountability for losses due to impact C. Ability to design controls to mitigate the risk D. Span of control within the organization Suggested Answer: A
An organization's risk profile indicates that residual risk levels have fallen significantly below management's risk appetite. Which of the following is the BEST course of action? A. Add more risk scenarios to the risk register. B. Decrease monitoring of residual risk levels. C. Optimize controls. D. Increase risk appetite. Suggested Answer: C
A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation? A. Request a policy exception from senior management. B. Request an exception from the local regulatory agency. C. Comply with the organizational policy. D. Report the noncompliance to the local regulatory agency. Suggested Answer: B
In addition to the risk exposure, which of the following is MOST important for senior management to understand prior to approving the use of artificial intelligence (AI) solutions? A. Changes to existing infrastructure to support AI solutions B. Potential benefits from use of AI solutions C. Monitoring techniques required for AI solutions D. Skills required to support AI solutions Suggested Answer: B
If a control cannot be developed to prevent an inevitable operational event, which of the following is the MOST effective risk treatment option? A. Raise the risk threshold. B. Evaluate alternative controls. C. Reduce the threat. D. Minimize the impact. Suggested Answer: D
Which of the following BEST enables an organization to mitigate ethical risk? A. Reorganization of business processes to deter unethical activities B. Ethics training for staff during onboarding C. A culture of ethical integrity from the top down D. Senior leadership communication of ethics policies Suggested Answer: C
A risk practitioner is performing a risk assessment of recent external advancements in quantum computing. Which of the following would pose the GREATEST concern for the risk practitioner? A. The organization has not reviewed its encryption standards. B. The organization has not adopted Infrastructure as a Service (IaaS) for its operations. C. The organization has implemented heuristics on its network firewall. D. The organization has incorporated blockchain technology in its operations. Suggested Answer: A
Which of the following is the BEST recommendation when a key risk indicator (KRI) is generating an excessive volume of events? A. Reevaluate the design of the KRIs. B. Develop a corresponding key performance indicator (KPI). C. Monitor KRIs within a specific timeframe. D. Activate the incident response plan. Suggested Answer: A
Which of the following BEST protects organizational data within a production cloud environment? A. Right to audit B. Data encryption C. Data obfuscation D. Continuous log monitoring Suggested Answer: B
Which of the following is the MOST important responsibility of a business process owner to enable effective IT risk management? A. Prioritizing risk for appropriate response B. Escalating risk to senior management C. Collecting and analyzing risk data D. Delivering risk reports in a timely manner Suggested Answer: A
Which of the following is the MOST important course of action to foster an ethical, risk-aware culture? A. Establish an enterprise-wide ethics training and awareness program. B. Ensure the alignment of the organization's policies and standards to the defined risk appetite. C. Implement a fraud detection and prevention framework. D. Perform a comprehensive review of all applicable legislative frameworks and requirements. Suggested Answer: A
After automated controls have been implemented and tested, which of the following is MOST useful to perform? A. Continuous control monitoring B. Internal audit review C. Control self-assessment (CSA) D. Cost-benefit analysis Suggested Answer: A
The software version of an enterprise's critical business application has reached end-of-life and is no longer supported by the vendor. IT has decided to develop an in-house replacement application. Which of the following should be the PRIMARY concern? A. The business process owner is not an active participant. B. The board of directors has not approved the decision. C. The system documentation is not available. D. Enterprise risk management (ERM) has not approved the decision. Suggested Answer: A
Which of the following BEST enables the accurate assessment of potential impact to a particular business area? A. Risk classification B. Control self-assessments (CSAs) C. Risk scenarios D. Business continuity testing Suggested Answer: C
Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services? A. Mean time to recover (MTTR) B. Mean time between failures (MTBF) C. Planned downtime D. Unplanned downtime Suggested Answer: B
Before selecting a final risk response option for a given risk scenario, management should FIRST: A. determine the remediation timeline. B. evaluate the risk response of similar sized organizations. C. determine control ownership. D. evaluate the organization’s ability to implement the solution. Suggested Answer: D
Which of the following is the PRIMARY benefit of consistently recording risk assessment results in the risk register? A. Accuracy of risk profiles B. Compliance with best practice C. Assessment of organizational risk appetite D. Accountability for loss events Suggested Answer: A
The PRIMARY focus of an ongoing risk awareness program should be to: A. enable better risk-based decisions. B. expand understanding of risk indicators. C. define appropriate controls to mitigate risk. D. determine impact of risk scenarios. Suggested Answer: A
Which of the following is the BEST indication that key risk indicators (KRIs) should be revised? A. An increase in the number of change events pending management review B. A decrease in the number of critical assets covered by risk thresholds C. A decrease in the number of key performance indicators (KPIs) D. An increase in the number of risk threshold exceptions Suggested Answer: D
Which of the following risk activities is BEST facilitated by enterprise architecture (EA)? A. Determining attack likelihood per business unit B. Aligning business unit risk responses to organizational priorities C. Customizing incident response plans for each business unit D. Adjusting business unit risk tolerances Suggested Answer: B
An organization's stakeholders are unable to agree on appropriate risk responses. Which of the following would be the BEST course of action? A. Reassess risk scenarios. B. Identify a risk transfer option. C. Benchmark with similar industries. D. Escalate to senior management. Suggested Answer: D
Which of the following deficiencies identified during a review of an organization’s cybersecurity policy should be of MOST concern? A. The policy has gaps against relevant cybersecurity standards and frameworks. B. The policy lacks specifics on how to secure the organization's systems from cyberattacks. C. The policy has not been reviewed by the cybersecurity team in over a year. D. The policy has not been approved by the organization's board. Suggested Answer: B
Which of the following is the BEST way to help ensure risk will be managed properly after a business process has been re-engineered? A. Reassessing control effectiveness of the process B. Reporting key performance indicators (KPIs) for core processes C. Conducting a post-implementation review to determine lessons learned D. Establishing escalation procedures for anomaly events Suggested Answer: A
Which of the following is MOST important to update following a change in organizational risk appetite and tolerance? A. Risk profile B. Industry benchmark analysis C. Business impact assessment (BIA) D. Key performance indicators (KPIs) Suggested Answer: A
Of the following, who should be responsible for determining the inherent risk rating of an application? A. Application owner B. Senior management C. Business process owner D. Risk practitioner Suggested Answer: A
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an organization’s patch management process? A. Percentage of systems with the latest patches B. Average time to implement system patches C. Number of updates to the patch management policy D. Number of systems subject to regular vulnerability scans Suggested Answer: A
Which of the following should be of GREATEST concern to a risk practitioner reviewing the implementation of an emerging technology? A. Lack of management approval B. Lack of risk and control procedures C. Lack of risk assessment D. Lack of alignment to best practices Suggested Answer: B
Which of the following changes in a business-critical application is MOST likely to require a revision to a successfully tested disaster recovery plan (DRP)? A. A change to the confidentiality level of processed data B. An increase in the number of concurrent users C. Replacement of the technical support team D. A new integration with an existing system Suggested Answer: D
Which of the following is the MOST important consideration when determining which data elements should be captured in the risk register? A. International risk management standards B. Prior experience of risk managers C. Specific needs of the organization D. Recommendations from internal audit Suggested Answer: C
Which of the following situations would create the GREATEST need to review the organization's risk appetite? A. Increased adoption of personal devices for business use B. Increasing business reliance on legacy infrastructure C. Recent acquisition of a large business partner D. New privacy laws affecting the organization's processing of personal data Suggested Answer: C
Which of the following should be done FIRST when developing a business continuity plan (BCP)? A. Identifying costs associated with continuity requirements B. Performing business impact analysis (BIA) C. Establishing recovery time objectives (RTOs) D. Identifying critical business functions Suggested Answer: D
Which of the following would be MOST useful to management when allocating resources to mitigate risk to the organization? A. Risk-based audits B. Control self-assessments (CSAs) C. Risk assessments D. Vulnerability analysis Suggested Answer: C
An organization expects to continually deal with severe distributed denial of service (DDoS) attacks from hacktivist groups. Which of the following is the BEST recommendation to help address this threat? A. Implement Internet service provider (ISP) redundancy. B. Implement an intrusion prevention system (IPS). C. Develop an incident response plan. D. Plan data center redundancy. Suggested Answer: A
Which of the following is the MOST significant benefit of using quantitative risk analysis instead of qualitative risk analysis? A. Minimized time to completion B. Decreased cost C. Decreased structure D. Minimized subjectivity Suggested Answer: D
An operations manager has requested risk acceptance after the execution of a mitigation plan has failed. Which of the following is the risk practitioner's BEST response? A. Ask the risk owner to review the request. B. Document the risk acceptance in the risk register. C. Reassess the risk scenario associated with the action plan. D. Adjust the organization's risk profile by the amount of risk accepted. Suggested Answer: A
Which of the following would be MOST helpful when selecting appropriate protection for data? A. Data classification B. Data access requirements C. Risk tolerance level D. Business objectives Suggested Answer: A
Which of the following information would BEST promote understanding of IT risk among senior management? A. IT risk treatment plans B. Threat modeling summary C. Control self-assessment (CSA) results D. IT incident trends Suggested Answer: D
Which of the following is the MOST appropriate key performance indicator (KPI) to measure change management performance? A. Percentage of rejected change requests B. Percentage of changes implemented successfully C. Number of after-hours emergency changes D. Number of change control requests Suggested Answer: B
During a data loss incident, which role in the RACI chart would be aligned to the risk practitioner? A. Accountable B. Informed C. Responsible D. Consulted Suggested Answer: D
An organizational policy requires critical security patches to be deployed in production within three weeks of patch availability. Which of the following is the BEST metric to verify adherence to the policy? A. Maximum time gap between patch availability and deployment B. Percentage of critical patches deployed within three weeks C. Minimum time gap between patch availability and deployment D. Number of critical patches deployed within three weeks Suggested Answer: B
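The two patch management questions above (the KPI for patch management effectiveness, and the metric for adherence to a three-week critical-patch policy) turn on the same point: a good metric needs a denominator and must be tied to the policy threshold. The script below is an added example, not part of the question bank, that computes each candidate metric over a constructed set of patch records so the difference is visible in numbers. The record set, the measurement date and the 21-day SLA are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): one record per critical patch per
# system, with the vendor availability date and the production deployment date
# (None = still open at the measurement date).
MEASUREMENT_DATE = date(2024, 3, 31)
SLA_DAYS = 21  # policy: critical patches in production within three weeks

PATCH_RECORDS = [
    {"system": "web-01",  "patch": "P-1", "available": date(2024, 3, 1),  "deployed": date(2024, 3, 5)},
    {"system": "web-02",  "patch": "P-1", "available": date(2024, 3, 1),  "deployed": date(2024, 3, 20)},
    {"system": "db-01",   "patch": "P-1", "available": date(2024, 3, 1),  "deployed": date(2024, 3, 28)},  # late
    {"system": "db-02",   "patch": "P-1", "available": date(2024, 3, 1),  "deployed": None},               # overdue
    {"system": "app-01",  "patch": "P-2", "available": date(2024, 2, 10), "deployed": date(2024, 3, 21)},  # 40-day outlier
    {"system": "app-02",  "patch": "P-2", "available": date(2024, 2, 10), "deployed": date(2024, 2, 11)},
    {"system": "app-03",  "patch": "P-2", "available": date(2024, 2, 10), "deployed": date(2024, 2, 25)},
    {"system": "mail-01", "patch": "P-3", "available": date(2024, 3, 20), "deployed": None},               # not yet due
    {"system": "mail-02", "patch": "P-3", "available": date(2024, 3, 20), "deployed": date(2024, 3, 22)},
]


def days_to_deploy(rec, as_of=MEASUREMENT_DATE):
    """Elapsed days from availability to deployment; open patches are measured up to as_of."""
    end = rec["deployed"] if rec["deployed"] else as_of
    return (end - rec["available"]).days


def sla_population(records, sla_days=SLA_DAYS, as_of=MEASUREMENT_DATE):
    """Patches whose adherence can be judged: deployed, or past their SLA due date.
    A patch that is still open but not yet due is excluded so it neither inflates
    nor deflates the adherence figure."""
    return [r for r in records
            if r["deployed"] or r["available"] + timedelta(days=sla_days) < as_of]


def within_sla(records, sla_days=SLA_DAYS, as_of=MEASUREMENT_DATE):
    return [r for r in sla_population(records, sla_days, as_of)
            if r["deployed"] and (r["deployed"] - r["available"]).days <= sla_days]


def pct_within_sla(records, sla_days=SLA_DAYS, as_of=MEASUREMENT_DATE):
    """Adherence metric: share of due patches that met the policy window."""
    pop = sla_population(records, sla_days, as_of)
    return round(100.0 * len(within_sla(records, sla_days, as_of)) / len(pop), 1) if pop else 100.0


def count_within_sla(records, sla_days=SLA_DAYS, as_of=MEASUREMENT_DATE):
    """Raw count: no denominator, so 5 could mean 5 of 5 or 5 of 500."""
    return len(within_sla(records, sla_days, as_of))


def max_gap_days(records, as_of=MEASUREMENT_DATE):
    """Driven entirely by the single worst patch (including still-open ones)."""
    return max(days_to_deploy(r, as_of) for r in records)


def min_gap_days(records, as_of=MEASUREMENT_DATE):
    """Driven by the single best patch; says nothing about the rest."""
    return min(days_to_deploy(r, as_of) for r in records)


def avg_days_to_deploy(records):
    """Mean over deployed patches only; can sit under the SLA while many patches breach it."""
    done = [days_to_deploy(r) for r in records if r["deployed"]]
    return round(sum(done) / len(done), 1) if done else 0.0


def pct_systems_current(records):
    """Effectiveness KPI: share of systems with no open critical patch."""
    systems = {r["system"] for r in records}
    behind = {r["system"] for r in records if not r["deployed"]}
    return round(100.0 * (len(systems) - len(behind)) / len(systems), 1)


def overdue_systems(records, sla_days=SLA_DAYS, as_of=MEASUREMENT_DATE):
    """Systems with an open patch past its due date: the list to act on, not just report."""
    return sorted(r["system"] for r in records
                  if not r["deployed"] and r["available"] + timedelta(days=sla_days) < as_of)


if __name__ == "__main__":
    print("within SLA:", pct_within_sla(PATCH_RECORDS), "%  (count:", count_within_sla(PATCH_RECORDS), ")")
    print("avg days:", avg_days_to_deploy(PATCH_RECORDS), " max gap:", max_gap_days(PATCH_RECORDS),
          " min gap:", min_gap_days(PATCH_RECORDS))
    print("systems current:", pct_systems_current(PATCH_RECORDS), "%  overdue:", overdue_systems(PATCH_RECORDS))
```

On this data the average time to deploy is about 15 days, comfortably inside the 21-day window, yet only 62.5% of due patches actually met the policy; the maximum gap (40 days) reflects one outlier, the minimum gap (1 day) reflects one lucky host, and the count (5) cannot be judged without knowing how many were due. Only the percentage within the window answers "is the policy being followed", which is why it is the adherence metric, while the percentage of systems with no open critical patch is the effectiveness view management wants alongside it.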
An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action? A. Perform an impact assessment. B. Perform a penetration test. C. Request an external audit. D. Escalate the risk to senior management. Suggested Answer: A
Which of the following should be the PRIMARY driver for an organization on a multi-year cloud implementation to publish a cloud security policy? A. Evaluating gaps in the on-premise and cloud security profiles B. Establishing minimum cloud security requirements C. Enforcing compliance with cloud security parameters D. Educating IT staff on variances between on-premise and cloud security Suggested Answer: B
Which organizational role should be accountable for ensuring information assets are appropriately classified? A. Data protection officer B. Chief information officer (CIO) C. Information asset custodian D. Information asset owner Suggested Answer: D
An organization's IT team has proposed the adoption of cloud computing as a cost-saving measure for the business. Which of the following should be of GREATEST concern to the risk practitioner? A. Due diligence for the recommended cloud vendor has not been performed. B. The business can introduce new Software as a Service (SaaS) solutions without IT approval. C. The maintenance of IT infrastructure has been outsourced to an Infrastructure as a Service (IaaS) provider. D. Architecture responsibilities may not be clearly defined. Suggested Answer: B
Which of the following provides the MOST useful information to trace the impact of aggregated risk across an organization's technical environment? A. Business case documentation B. Organizational risk appetite statement C. Enterprise architecture (EA) documentation D. Organizational hierarchy Suggested Answer: C
Which of the following is the PRIMARY reason for a risk practitioner to report changes and trends in the IT risk profile to senior management? A. To ensure risk owners understand their responsibilities B. To ensure IT risk is managed within acceptable limits C. To ensure the organization complies with legal requirements D. To ensure the IT risk awareness program is effective Suggested Answer: B
An organization allows programmers to change production systems in emergency situations. Which of the following is the BEST control? A. Implementing an emergency change authorization process B. Periodically reviewing operator logs C. Limiting the number of super users D. Reviewing the programmers’ emergency change reports Suggested Answer: A
Which of the following BEST enables an organization to increase the likelihood of identifying risk associated with unethical employee behavior? A. Conduct background checks for new employees. B. Establish a channel to anonymously report unethical behavior. C. Require a signed agreement by employees to comply with ethics policies. D. Implement mandatory ethics training for employees. Suggested Answer: B
Which of the following is MOST important to include in an IT risk management policy? A. Risk treatment types B. Risk ownership requirements C. Risk assessment requirements D. Risk scoring methodology Suggested Answer: C
An organization recently completed a major restructuring project to reduce overhead costs by streamlining the approval hierarchy. Which of the following should be done FIRST by the control owner? A. Evaluate effectiveness of risk responses. B. Revise risk classifications. C. Execute control test plans. D. Analyze the control assessments. Suggested Answer: C
A risk practitioner wants to identify potential risk events that affect the continuity of a critical business process. Which of the following should the risk practitioner do FIRST? A. Evaluate current risk management alignment with relevant regulations. B. Conduct a benchmarking exercise against industry peers. C. Determine if business continuity procedures are reviewed and updated on a regular basis. D. Review the methodology used to conduct the business impact analysis (BIA). Suggested Answer: D
Which of the following is the MOST important information for determining inherent risk? A. The effectiveness of controls in place to prevent the risk B. Loss the risk has historically caused C. The IT risk manager's view of emerging risk D. The maturity of the control environment Suggested Answer: B
A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation. Which of the following should be the NEXT step? A. Report the findings to executive management to enable treatment decisions. B. Prepare a risk response that is aligned to the organization's risk tolerance. C. Reassess each vulnerability to evaluate the risk profile of the application. D. Conduct a penetration test to determine how to mitigate the vulnerabilities. Suggested Answer: B
Which of the following activities should only be performed by the third line of defense? A. Operating controls for risk mitigation B. Testing the effectiveness and efficiency of internal controls C. Providing assurance on risk management processes D. Recommending risk treatment options Suggested Answer: C
Which of the following is MOST helpful in reducing the likelihood of inaccurate risk assessment results? A. Having internal audit validate control effectiveness B. Updating organizational risk tolerance levels C. Reviewing the applicable risk assessment methodologies D. Involving relevant stakeholders in the risk assessment process Suggested Answer: D
Which of the following is a risk practitioner's BEST recommendation to management when testing results indicate the organization's recovery time objective (RTO) cannot be met? A. Engage IT and the business to re-evaluate the RTO. B. Engage business users to develop and document alternative procedures. C. Adjust the recovery point objectives (RPOs) to align with the RTO. D. Revise the RTO in the business impact analysis (BIA). Suggested Answer: A
Which of the following is the GREATEST benefit of establishing a program to design, report, and monitor key control indicators (KCIs) as part of the risk management process? A. Reducing overall total cost of managing controls B. Reducing the amount of audit effort C. Providing reference data for key performance indicators (KPIs) D. Detecting early signs of potential control failure Suggested Answer: D
Which of the following is the PRIMARY focus of enterprise architecture (EA)? A. To facilitate the alignment of IT with business strategy B. To facilitate organization-wide risk assessments C. To reduce the number of platform components D. To integrate secure coding practices into development operations Suggested Answer: A
Which of the following would be the GREATEST concern for a risk practitioner when evaluating a proposed risk response action plan? A. The plan was not developed based on a standard methodology. B. The plan is not aligned with the organization's risk appetite and risk tolerance. C. The plan was developed by the IT manager and approved by business management. D. The plan requires approval for additional funds by the business. Suggested Answer: B
Which of the following is the BEST indication that an organization has a mature risk awareness program? A. Residual risk levels are consistently below inherent risk levels. B. Employees consider risk when making decisions. C. Employees comply with approved risk policies. D. Annual risk awareness training is provided with 100% attendance. Suggested Answer: B
From an IT risk perspective, which of the following has the GREATEST impact on organizational strategy? A. Changes in IT risk tolerance B. Methodology for IT risk identification C. Complexity of recovery plans D. Complexity of IT architecture Suggested Answer: D
An organization recently experienced multiple breaches that were detected months later. Which of the following would be MOST useful for timely monitoring and analysis going forward? A. Threat intelligence information B. Security information and event management (SIEM) C. Security incident and problem reports D. External information security reviews Suggested Answer: B
Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off? A. Residual risk in excess of the risk appetite cannot be mitigated. B. Risk appetite has changed to align with organizational objectives. C. Residual risk remains at the same level over time without further mitigation. D. Inherent risk is too high, resulting in the cancellation of an initiative. Suggested Answer: A
Automated code reviews to reduce the risk associated with web applications are MOST effective when performed: A. in the design phase. B. during pre-production testing. C. throughout development. D. once in the production environment. Suggested Answer: C
Employees of an organization are using an unapproved cloud-based service to share their company calendars. The employees have been attaching files to calendar invitations. Which of the following would MOST effectively mitigate the risk of data loss? A. Implement an information classification policy. B. Implement a technical solution that prevents syncing. C. Instruct employees not to use attachments in calendar entries. D. Update the security awareness program. Suggested Answer: B
Which of the following is the responsibility of the second line of defense? A. Auditing compliance with corporate risk policies and standards B. Approving enterprise risk appetite thresholds C. Providing oversight of the organization's financial statements D. Monitoring the result of actions taken to mitigate risk Suggested Answer: D
Well-developed, data-driven risk measurements should be: A. focused on providing a forward-looking view. B. a data feed taken directly from operational production systems. C. reported to management the same day data is collected. D. reflective of the lowest organizational level. Suggested Answer: A
Which of the following BEST facilitates the development of effective IT risk scenarios? A. Validation by senior management B. Utilization of a cross-functional team C. Participation by IT subject matter experts D. Integration of contingency planning Suggested Answer: B
Which of the following is the MOST important benefit of implementing a data classification program? A. Reduction in processing times B. Identification of appropriate controls C. Reduction in data complexity D. Identification of appropriate ownership Suggested Answer: B
Which of the following BEST indicates that risk management is embedded into the responsibilities of all employees? A. The number of incidents has decreased over time. B. Risk management practices are incorporated into business processes. C. Industry benchmarking is performed on an annual basis. D. Risk management practices are audited on an annual basis. Suggested Answer: B
Which of the following information in a risk monitoring report will provide the MOST insight to stakeholders regarding risk status? A. Heat map B. Mitigation plans C. Risk ownership D. Independent verification Suggested Answer: A
An organization moved one of its applications to a public cloud, but after migration decided to move it back on-premise after an issue caused the application to be down for one day. What does this scenario indicate? A. The organization has high risk tolerance. B. The organization has low risk tolerance. C. The organization has high risk appetite. D. The organization has low risk appetite. Suggested Answer: B
A risk practitioner discovers that a data center's air conditioning system cannot provide sufficient cooling. What else is MOST important to consider when predicting the probability of adverse business impact from this issue? A. Maintenance history B. Compensating controls C. Replacement cost D. Applicable threats Suggested Answer: D
A risk practitioner observes that the network team responsible for maintaining the network infrastructure is severely understaffed, which could lead to operational losses. Which of the following is MOST directly affected by the risk practitioner's observation? A. Inherent risk B. Impact rating C. Likelihood rating D. Control risk Suggested Answer: D
Which of the following BEST enables the development of a successful IT strategy focused on business risk mitigation? A. Providing risk awareness training for business units B. Conducting a business impact analysis (BIA) C. Obtaining input from business management D. Understanding the business controls currently in place Suggested Answer: C
Which of the following should be the PRIMARY role of the data owner in a risk management program? A. Maintaining data syntax rules B. Establishing enterprise system security levels C. Applying data classification policy D. Specifying retention requirements Suggested Answer: C
Which of the following is the PRIMARY advantage of aligning generic risk scenarios with business objectives? A. It ensures relevance to the organization. B. It provides better estimates of the impact of current threats. C. It establishes where controls should be implemented. D. It quantifies the materiality of any losses that may occur. Suggested Answer: A
Which of the following is a risk factor associated with migrating to an Infrastructure as a Service (IaaS) public cloud service provider? A. Reduced availability B. Reduced storage capacity C. Reduced elasticity of the infrastructure D. Reduced control of the infrastructure Suggested Answer: D
An organizational code of ethics is MOST useful as a: A. detective control. B. recovery control. C. corrective control. D. directive control. Suggested Answer: D
An organization has modified its disaster recovery plan (DRP) to reflect recent changes in its IT environment. Which of the following is the PRIMARY reason to test the new plan? A. To ensure all assets have been identified B. To ensure the risk assessment is validated C. To ensure the plan is comprehensive D. To ensure staff is sufficiently trained on the plan Suggested Answer: D
Which of the following should be the MOST important consideration for prioritizing the development of risk scenarios? A. Potential impact B. Risk trend C. Likelihood of occurrence D. Data classification Suggested Answer: A
An organization has sustained significant losses from a series of cyber events. Which of the following control types would MOST likely help reduce further losses? A. Preventive controls B. Recovery controls C. Detective controls D. Directive controls Suggested Answer: A
What is the MOST important information provided by key performance indicators (KPIs) in a risk management program? A. Effectiveness of internal controls B. Effectiveness of risk ownership C. Performance of data loss controls D. Level of inherent business risk Suggested Answer: A
A large organization plans to take advantage of cloud computing to reduce costs; however, there are data-use restrictions that require certain data to remain on premise. Which cloud model should the risk practitioner recommend for this deployment? A. Community cloud B. Private cloud C. Hybrid cloud D. Public cloud Suggested Answer: C
Which of the following provides the BEST assurance that an organization will be able to defend against cyber attacks? A. Penetration testing B. Preparedness testing C. Vulnerability testing D. Compliance testing Suggested Answer: A
While participating in a scenario analysis exercise, a risk practitioner was asked to determine the reputational impact of a system outage. Which of the following would be the BEST approach? A. Determine the likelihood of negative media coverage and social media response. B. Calculate impact from third-party concerns about contractual obligations related to the outage. C. Report the value as high because cyber reputational impacts are significant. D. Work with the business to estimate the number and value of lost customers. Suggested Answer: D
Which of the following should be a risk practitioner's PRIMARY consideration when evaluating the possible impact of an adverse event affecting corporate information assets? A. Authentication and authorization requirements for personnel accessing the assets B. Potential regulatory fines as a result of the adverse event C. The amount of data processed by the assets D. Criticality classification of the assets needed for normal business operations Suggested Answer: D
During an after-hours compliance review, a risk practitioner discovers sensitive documents on an employee’s desk in violation of company policy. Which of the following should the risk practitioner do NEXT? A. Securely dispose of the documents. B. Recommend provision of secure document storage. C. Request an exception to the clear desk policy. D. Provide the employee with refresher training. Suggested Answer: B
Which of the following BEST reduces the likelihood of employees unintentionally disclosing sensitive information to outside parties? A. Regular employee security awareness training B. Anti-malware controls on endpoint devices C. Sensitive information classification and handling policies D. An egress intrusion detection system (IDS) Suggested Answer: A
Which of the following is the PRIMARY purpose of periodically updating an organization's risk profile? A. Inform senior management of changes in the risk environment. B. Provide a risk-based audit program. C. Identify gaps between policies and procedures. D. Prioritize management-initiated reviews. Suggested Answer: A
Continuous monitoring of key risk indicators (KRIs) will: A. ensure that risk tolerance and risk appetite are aligned. B. provide an early warning so that proactive action can be taken. C. ensure that risk will not exceed the defined risk appetite of the organization. D. provide a snapshot of the risk profile. Suggested Answer: B
Which of the following is the BEST way to ensure key risk indicators (KRIs) continue to help management make informed decisions? A. Develop repeatable and easily measurable KRIs. B. Implement a real-time dashboard for monitoring KRIs. C. Align KRIs to risk events identified in the risk register. D. Define a mix of leading and lagging KRIs. Suggested Answer: D
Which of the following aspects of risk can be transferred to a third party? A. Reputation impact B. Ownership C. Accountability D. Financial impact Suggested Answer: D
Which of the following has the GREATEST impact on backup policies for a system supporting a critical process? A. Impact of threats to the process B. Recovery time objective (RTO) C. Resource requirements of the process D. Recovery point objective (RPO) Suggested Answer: B
Which of the following provides the BEST indication that existing controls are effective? A. Control logging B. Control design C. Control testing D. Control documentation Suggested Answer: C
An organization has engaged an external consultant to assess its cybersecurity program. Which of the following findings would be MOST important to address? A. Lack of a cyber risk profile B. Lack of cyber risk awareness training C. Lack of a dedicated cybersecurity team D. Lack of accountability Suggested Answer: D
To enable effective integration of IT risk scenarios and enterprise risk management (ERM), it is MOST important to have a consistent approach to reporting: A. key risk indicators (KRIs). B. risk velocity. C. risk impact and likelihood. D. risk response plans and owners. Suggested Answer: C
The results of a risk assessment reveal risk scenarios with high impact and low likelihood of occurrence. Which of the following would be the BEST action to address these scenarios? A. Create a disaster recovery plan (DRP). B. Assemble an incident response team. C. Develop a risk response plan. D. Initiate a business impact analysis (BIA). Suggested Answer: C
Which of the following is MOST helpful in identifying appropriate business stakeholders to construct and assess IT risk scenarios? A. Reviewing the organization's business RACI charts B. Mapping each risk event to related business processes C. Consulting senior management for likely business candidates D. Conducting risk and business impact analyses Suggested Answer: B
Which of the following scenarios is MOST important to communicate to senior management? A. Risk scenarios that have been shared with vendors and third parties B. Accepted risk scenarios with detailed plans for monitoring C. Risk scenarios that have been identified, assessed, and responded to by the risk owners D. Accepted risk scenarios with impact exceeding the risk tolerance Suggested Answer: D
A risk practitioner has observed an increasing trend of phishing attempts directed at employees. Which of the following is the MOST important action to help mitigate the situation? A. Report phishing attempt data to appropriate regulatory agencies. B. Subscribe to cyber intelligence services. C. Implement a targeted security awareness campaign. D. Ensure anti-malware applications are up to date. Suggested Answer: C
Which of the following provides the BEST assurance of the effectiveness of internal controls? A. Balanced scorecard review B. Control self-assessments (CSAs) C. Compliance training metrics D. Continuous monitoring Suggested Answer: D
Which of the following is the MOST important attribute of a risk owner? A. Expertise in risk management B. Detailed knowledge of the business process C. Long tenure with the organization D. Detailed knowledge of controls Suggested Answer: B
As part of its risk strategy, an organization decided to transition its financial system from a cloud-based provider to an internally managed system. Which of the following should the risk practitioner do FIRST? A. Evaluate existing control test plans of the system for potential changes. B. Analyze the risk register to identify potential updates and changes. C. Reassess whether the risk responses properly address known risk and vulnerabilities. D. Update the processes within impacted financial control assessments. Suggested Answer: B
Which of the following would BEST support the integrity of online financial transactions? A. Implementing blockchain technology B. Developing an integrated audit facility C. Deploying multi-factor authentication D. Implementing audit trail logs Suggested Answer: C
Which of the following is MOST important to ensure before using risk reports in decision making? A. Real-time risk information is provided. B. Risk analysis results are validated. C. Root cause analysis is included. D. Quantitative risk data is provided. Suggested Answer: B
Which of the following would present the GREATEST risk when outsourcing the data processing of personally identifiable information (PII) to a vendor with subcontractors? A. The vendor's service level agreements (SLAs) are not defined. B. There have been no recent onsite visits to the vendor. C. The vendor does not have a third-party risk management program. D. The contract lacks a right-to-audit clause. Suggested Answer: C
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of IT policies? The number of: A. senior management approvals. B. processes covered by IT policies. C. IT policy exceptions granted. D. key technology controls covered by IT policies. Suggested Answer: C
Which of the following is the BEST reason to incorporate risk scenarios associated with a bring your own device (BYOD) policy into the enterprise-wide risk profile? A. High cost of mobile device management (MDM) implementation B. Increased exposure to sensitive data leakage C. Increased trend of organizations within the industry adopting BYOD policies D. Lack of internal expertise to monitor personal mobile devices Suggested Answer: B
The MOST important reason to periodically review key risk indicators (KRIs) is to: A. satisfy audit requirements. B. comply with risk-related laws and regulations. C. identify deviations from organizational tolerance. D. align with industry benchmarks. Suggested Answer: C
Which of the following is the BEST metric to determine the efficiency of an incident response process? A. Number of open incidents reported in weekly and monthly report B. Average number of incidents closed per month C. Average time between incident response and the event trigger D. Percentage of incidents closed Suggested Answer: C
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern? A. Vulnerabilities are not being mitigated. B. Security policies are being reviewed infrequently. C. Controls are not operating efficiently. D. Aggregate risk is approaching the tolerance threshold. Suggested Answer: D
An organization is concerned with the use of personally identifiable information (PII) in a test database. Which of the following would BEST address this concern? A. Privacy impact assessments B. Consent to collect C. Data use agreements D. Data anonymization Suggested Answer: D
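The question above picks data anonymization as the control for PII in a test database. What that looks like in practice is shown by the added example below, which is not part of the question bank: direct identifiers are replaced with keyed pseudonyms so that foreign keys still join across tables, quasi-identifiers such as date of birth are generalized to an age band, and fields the tests do not need are suppressed. The sample rows, the key and the field names are constructed for illustration. While the HMAC key exists the output is only pseudonymous; discarding the key after the test load (and never storing it with the test data) is what removes the route back to the individual.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample rows (not from the page); a real run would read the production tables.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com",
     "dob": date(1988, 4, 12), "phone": "+1-555-0101"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@sample.org",
     "dob": date(1975, 11, 3), "phone": "+1-555-0102"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "amount": 49.99},
    {"order_id": "O2", "customer_id": "C1002", "amount": 12.00},
    {"order_id": "O3", "customer_id": "C1001", "amount": 7.50},
]


def pseudonym(value, key, prefix="CUST-", length=12):
    """Deterministic keyed token: same input and key give the same token, so joins survive;
    without the key the token cannot be reversed or re-derived from guessed inputs."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}{digest[:length]}"


def age_band(dob, today):
    """Generalize a birth date to a ten-year age band (a quasi-identifier, not a direct one)."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def anonymize_customer(row, key, today):
    token = pseudonym(row["customer_id"], key)
    return {
        "customer_id": token,
        "name": f"Customer {token[-6:]}",              # synthetic label, no real name survives
        "email": f"{token.lower()}@test.invalid",      # reserved TLD: test mail can never be delivered
        "dob_band": age_band(row["dob"], today),       # generalized, exact date dropped
        "phone": None,                                 # suppressed: not needed by the test suite
    }


def anonymize_order(row, key):
    # Only the foreign key changes; the token is the same one the customer row received.
    return {**row, "customer_id": pseudonym(row["customer_id"], key)}


def anonymize_dataset(customers, orders, key, today):
    return ([anonymize_customer(c, key, today) for c in customers],
            [anonymize_order(o, key) for o in orders])


def leaked_values(originals, anonymized_rows):
    """Return every original PII value that still appears verbatim anywhere in the output."""
    sensitive = []
    for c in originals:
        sensitive += [c["customer_id"], c["name"], c["email"], c["phone"], c["dob"].isoformat()]
    blob = " ".join(str(v) for row in anonymized_rows for v in row.values())
    return [s for s in sensitive if s in blob]


def join_is_consistent(customers_out, orders_out):
    """Every order must still point at a customer row in the anonymized set."""
    ids = {c["customer_id"] for c in customers_out}
    return all(o["customer_id"] in ids for o in orders_out)


if __name__ == "__main__":
    key = b"constructed-one-time-key"  # generate per load, discard after loading the test DB
    cust_out, ord_out = anonymize_dataset(CUSTOMERS, ORDERS, key, date(2024, 3, 31))
    for row in cust_out + ord_out:
        print(row)
    print("leaks:", leaked_values(CUSTOMERS, cust_out + ord_out), "join ok:", join_is_consistent(cust_out, ord_out))
```

Two caveats a reviewer would raise: generalization only helps while each band still contains many people (a single customer in the "90-99" band is identifiable by the band alone), and pseudonymization with a retained key is a reversible control that must be risk-assessed as such, which is why the key is treated as one-time here.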
An online retailer has decided to store its customer database with a cloud provider in an Infrastructure as a Service (IaaS) configuration. During an initial review of preliminary risk scenarios, a risk practitioner identifies instances where sensitive customer information is stored unencrypted. Who is accountable for ensuring this encryption? A. The data owner B. The chief information officer (CIO) C. The retailer’s IT department D. The cloud provider Suggested Answer: A
Which of the following BEST mitigates the risk associated with sensitive data loss due to theft of an organization's removable media? A. Data encryption B. Asset management policy C. Code of conduct policy D. Data loss prevention (DLP) system Suggested Answer: A
Which of the following is MOST important for a risk practitioner to confirm when reviewing the disaster recovery plan (DRP)? A. The DRP covers relevant scenarios. B. The business continuity plan (BCP) has been documented. C. Senior management has approved the DRP. D. The DRP has been tested by an independent third party. Suggested Answer: A
The implementation of automated controls is taking longer than expected. The risk owner is concerned about the materialization of risk before full implementation of the automated controls. As a result, the risk owner has established interim manual controls. Which of the following actions is MOST important for the risk practitioner to perform? A. Update the risk register to reflect the change in residual risk level. B. Perform a cost-benefit analysis of the manual controls. C. Ensure the same key risk indicators (KRIs) are used for both manual and automated controls. D. Assess the risk associated with changes in the effectiveness of the manual and automated controls. Suggested Answer: D
Which of the following is MOST important when creating a program to reduce ethical risk? A. Obtaining senior management commitment B. Developing an organizational communication plan C. Conducting a gap analysis D. Defining strict policies Suggested Answer: A
An organization recently implemented an extensive risk awareness program after a cybersecurity incident. Which of the following is MOST likely to be affected by the implementation of the program? A. Risk appetite B. Threat landscape C. Inherent risk D. Residual risk Suggested Answer: D
Which of the following should be of GREATEST concern to an organization planning to migrate its customer data warehouse to an offshore operation? A. Cross-border flow of information B. Inadequate vendor risk management C. Time zone differences and implications D. Increased business continuity costs Suggested Answer: A
Which of the following should be the PRIMARY consideration when quantifying the risk associated with regulatory noncompliance? A. Time requirements and cost of remediation B. Cost of continuous compliance activities C. Historical noncompliance events D. Value of punitive penalties and fines Suggested Answer: D
Which of the following is the MOST valuable data source to support the optimization of an existing key risk indicator (KRI)? A. Historical losses and incidents B. Organizational policies C. Industry benchmarks D. Frameworks and standards Suggested Answer: A
Static code analysis has been consistently finding a significant number of critical security issues throughout an organization's internally developed applications. The risk practitioner’s BEST recommendation would be to: A. provide training on secure programming practices. B. conduct penetration tests before code implementation. C. outsource software development. D. conduct security design reviews. Suggested Answer: A
Which of the following is the BEST way to maintain a current list of organizational risk scenarios? A. Conduct periodic risk reviews with stakeholders. B. Perform regular reviews of key controls. C. Conduct compliance reviews. D. Automate workflow for risk status updates. Suggested Answer: A
Which of the following is the PRIMARY objective of the risk identification process? A. To expand organizational awareness and knowledge of identified risk scenarios B. To reduce risk faced by the organization to an acceptable level C. To ensure control objectives align with business objectives D. To determine possible risk events that could jeopardize business objectives Suggested Answer: D
When developing a risk awareness training program, which of the following is the BEST way to promote a risk-aware culture? A. Challenge the effectiveness of business processes. B. Illustrate methods to identify threats and vulnerabilities. C. Emphasize individual responsibility for managing risk. D. Communicate incident escalation procedures. Suggested Answer: C
Which of the following is the PRIMARY reason to periodically assess risk management capabilities? A. To determine changes in risk profile B. To monitor risk factors C. To measure return on control investments D. To determine opportunities for improvement Suggested Answer: D
Which of the following is a PRIMARY benefit to an organization adopting a three lines of defense model? A. It establishes clear communication among stakeholders. B. It outlines a control layering approach. C. It provides a risk governance structure. D. It enforces a strong risk culture. Suggested Answer: C
Which of the following would be the MOST effective mitigating control when a legacy application does not have the capability to appropriately enforce separation of duties? A. Establish delegated authorities. B. Periodically validate user entitlements. C. Monitor transaction logs. D. Develop user access policies. Suggested Answer: B
Risk mitigation is MOST effective when which of the following is optimized? A. Inherent risk B. Residual risk C. Operational risk D. Regulatory risk Suggested Answer: B
Which of the following is the BEST way to assess the effectiveness of an access management process? A. Reviewing for compliance with acceptable use policy B. Reviewing access logs for user activity C. Comparing the actual process with the documented process D. Reconciling a list of accounts belonging to terminated employees Suggested Answer: C
Which of the following should be given the HIGHEST priority when developing a response plan for risk assessment results? A. Risk that has been untreated B. Items with the highest likelihood of occurrence C. Items with a high inherent risk D. Risk that exceeds risk appetite Suggested Answer: D
Which of the following is the MOST important consideration for a risk owner when deciding whether to accept IT-related risk? A. Industry risk standards B. Opinion of external audit C. The likelihood that the risk will materialize D. The organization’s risk appetite Suggested Answer: C
Which of the following is the GREATEST concern if the recovery time objective (RTO) is not achieved during a disaster recovery test? A. Potential loss of revenue B. Lack of network redundancy C. Inadequate system availability D. Lack of clear roles and responsibilities Suggested Answer: A
Which of the following is the MOST important action for a risk practitioner when a recovery test indicates control gaps? A. Verify test specifications. B. Review the recovery test report. C. Perform a root cause analysis. D. Develop an action plan. Suggested Answer: D
Which of the following would be the GREATEST risk associated with conducting a parallel run during the replacement of a legacy system? A. Loss of skills associated with the legacy system B. Undetected data inconsistency C. Lack of change management for new requirements D. Insufficient resource availability Suggested Answer: B
Which of the following should be a risk practitioner’s GREATEST concern upon learning of failures in a data migration activity? A. Integrity of data B. System performance C. Cost overruns D. Availability of test data Suggested Answer: A
Which of the following would be MOST helpful when determining the resources needed to mitigate risk identified as a result of a risk assessment? A. Cost-benefit analysis B. Root cause analysis C. Risk analysis D. Business impact analysis (BIA) Suggested Answer: A
A risk practitioner notes that the number of unauthorized disclosures of confidential data has been increasing. Which of the following is MOST important to examine for determining the root cause? A. The volume of data loss prevention (DLP) alerts B. Completeness of data classification schema C. Scope of security awareness training D. Updated regulations related to data protection Suggested Answer: C
An organization has established workflows in its service desk to support employee reports of security-related concerns. Which of the following is the MOST efficient approach to analyze these concerns? A. Sort concerns by likelihood. B. Align concerns to key vendors. C. Prioritize concerns based on frequency of reports. D. Map concerns to organizational assets. Suggested Answer: C
Which of the following is MOST important for a risk practitioner to review during an IT risk assessment? A. Information system control weaknesses and audit findings B. Information system assets and associated threats C. The organization's historical threats and monetary loss D. Published records of loss from peer organizations Suggested Answer: B
An organization’s Internet-facing server was successfully attacked because the server did not have the latest security patches. The risk associated with poor patch management had been documented in the risk register and accepted. Who should be accountable for any related losses to the organization? A. IT risk manager B. Risk practitioner C. Server administrator D. Risk owner Suggested Answer: D
A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization’s access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength? A. After the initial design B. After a few weeks in use C. Before production rollout D. Before end-user testing Suggested Answer: C
A significant issue has occurred while moving an upgraded core business application to the production environment. The specific cause is unknown, and the outage window is about to expire. Which of the following is the risk practitioner's BEST recommendation to the business owner? A. Cut over to production despite the issue. B. Determine the root cause of the issue. C. Initiate a rollback to the last version. D. Extend the outage window. Suggested Answer: C
A risk practitioner identifies several servers that have not been updated with patches in over a year because the operating systems are no longer supported. Given these servers still run mission-critical applications, which of the following should be done FIRST? A. Accept the risk for the legacy servers. B. Upgrade the operating systems to a supported version. C. Inform key stakeholders about the increased risk. D. Advise the cyber team to isolate the servers. Suggested Answer: C
Which of the following provides the MOST reliable evidence to support conclusions after completing an information systems controls assessment? A. Information generated by the systems B. Confirmation from industry peers C. Control environment narratives D. Risk and control self-assessment (CSA) reports Suggested Answer: A
Which of the following is the MOST important outcome of a business impact analysis (BIA)? A. Determining availability requirements for systems used by the business B. Identifying sensitive data within business processes and applications C. Documenting the order and timing of restoration for critical systems D. Prioritizing critical business processes and applications Suggested Answer: D
To drive effective risk management, it is MOST important that an organization’s policy framework is: A. mapped to an industry-standard framework. B. aligned to the functional business structure. C. approved by relevant stakeholders. D. included in employee onboarding materials. Suggested Answer: C
Which of the following is the MOST important risk management activity during project initiation? A. Classifying project data B. Identifying key risk stakeholders C. Establishing a risk mitigation plan D. Defining key risk indicators (KRIs) Suggested Answer: B
Which of the following provides a risk practitioner with the MOST reliable evidence of a third-party’s ability to protect the confidentiality of sensitive corporate information? A. External audit reports B. Internal audit reports C. Control self-assessment (CSA) results D. A signed nondisclosure agreement (NDA) Suggested Answer: A
An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following is MOST important to include in a risk awareness training session for the customer service department? A. Identifying social engineering attacks B. Archiving sensitive information C. Understanding the importance of using a secure password D. Understanding the incident management process Suggested Answer: A
Which of the following is the BEST approach to resolve a disagreement between stakeholders regarding the impact of a potential risk scenario? A. Calculate the historical impact of risk occurring at industry peers. B. Use the highest value of potential impact suggested by the stakeholders. C. Identify data that could be used to help quantify the risk. D. Modify the risk scenario to address stakeholder concerns. Suggested Answer: C
Which of the following is the BEST indication of a potential threat? A. Excessive activity in system logs B. Increase in identified system vulnerabilities C. Excessive policy and standard exceptions D. Ineffective risk treatment plans Suggested Answer: B
Which of the following is the MOST effective in mitigating the risk of rogue Internet of Things (IoT) devices in an organization’s network? A. Intrusion prevention system (IPS) B. Real-time network traffic monitoring C. Using a connection-oriented protocol D. Documentation of network architecture Suggested Answer: B
An organization is outsourcing data processing to a third-party data center facility to reduce costs. Who is responsible for the performance of data retention controls? A. The organization’s control owner B. The third-party senior management C. The third-party control owner D. The organization’s internal audit team Suggested Answer: C
An organization has recently corrected its machine-learning model that had been producing automated decisions with an adverse impact on its customers. Which of the following is the BEST course of action? A. Discontinue use of machine learning for customer-related decision making. B. Report the adverse impact to regulatory authorities. C. Request risk acceptance from senior management. D. Implement appropriate data governance to monitor decision-making outcomes. Suggested Answer: D
Which of the following is the MOST effective way to help ensure senior management is informed about the organization's risk environment? A. Recommend risk treatments to senior management to address risk. B. Implement a top-down approach to control implementation. C. Create a risk program that includes a bottom-up approach. D. Provide guidance to senior management on risk acceptance. Suggested Answer: D
Which of the following presents the GREATEST risk to an organization with a large number of Internet of Things (IoT) devices within its network? A. Network connectivity issues with IoT devices B. Increased instability and failure of IoT devices C. Insufficient IoT policies and procedures D. Interoperability between IoT devices Suggested Answer: C
An organization's IT department wants to complete a proof of concept (POC) for a security tool. The project lead has asked for approval to use the production data for testing purposes as it will yield the best results. Which of the following is the risk practitioner's BEST recommendation? A. Accept the risk of using the production data to ensure accurate results. B. Deny the request, as production data should not be used for testing purposes. C. Benchmark against what peer organizations are doing with POC testing environments. D. Assess the risk of using production data for testing before making a decision. Suggested Answer: D
An organization has purchased insurance coverage against potential unauthorized disclosure of personal data. What should be expected as a result of this risk response? A. Reduced impact of a data breach B. Removal of the scenario from further analysis C. Reduced likelihood of a data breach D. Increased tolerance against a data breach Suggested Answer: C
Who is ULTIMATELY accountable for the confidentiality of data in the event of a data breach within a Software as a Service (SaaS) environment? A. Vendor’s application owner B. Vendor’s information security officer C. Customer’s data owner D. Customer’s data privacy officer Suggested Answer: C
Which of the following is the GREATEST benefit of a risk-aware culture? A. Cost of controls is reduced over time. B. The organization is more resilient to threats. C. The number of audit findings is reduced over time. D. Relevant risk is reported in a timely manner. Suggested Answer: B
An organization has outsourced its backup and recovery procedures to a cloud service provider. The provider's controls are inadequate for the organization's level of risk tolerance. As a result, the organization has internally implemented additional backup and recovery controls. Which risk response has been adopted? A. Acceptance B. Transfer C. Avoidance D. Mitigation Suggested Answer: D
Which of the following presents the GREATEST risk associated with the use of emerging technologies? A. Obsolete security policies and procedures B. Irrelevant skill sets and job descriptions C. Disposal and replacement of IT equipment D. Introduction of known and unknown security vulnerabilities Suggested Answer: D
Which of the following would be MOST helpful to review when prioritizing the implementation of multiple IT-related initiatives? A. Risk policy B. Risk profile C. Risk assessment results D. Risk awareness program objectives Suggested Answer: C
Which of the following attributes of data provided to an automated log analysis tool is MOST important for effective risk monitoring? A. Retention B. Confidentiality C. Relevancy D. Scalability Suggested Answer: C
A control owner has decided to implement a compensating control instead of the control selected in the risk action plan. Which of the following is the risk practitioner's MOST important action after reassessing the risk? A. Notify senior management of the control owner's decision. B. Seek approval of the change from the risk owner. C. Update control ownership in the risk register. D. Update policies relevant to the risk. Suggested Answer: B
An organization wants to transfer risk by purchasing cyber insurance. Which of the following would be MOST important for the risk practitioner to communicate to senior management for contract negotiation purposes? A. Cyber insurance industry benchmarking report B. Most recent IT audit report results C. Current annualized loss expectancy report D. Replacement cost of IT assets Suggested Answer: C
Which of the following criteria is MOST important to include in an agreement with a penetration testing vendor? A. Scope of the systems to be assessed B. Steps to remediate identified vulnerabilities C. Expectations of code escrow safeguards D. Details of testing methods to be used Suggested Answer: A
Which of the following is the GREATEST risk associated with a blockchain implementation? A. Regulatory changes require increased transparency and centralization. B. Legacy systems require third-party operational support. C. Reviews of the underlying code have not been performed. D. The technology is used in emerging markets with many vulnerabilities. Suggested Answer: D
Which of the following would BEST enable a risk-based decision when considering the use of an emerging technology for data processing? A. Gap analysis B. Resource skills matrix C. Threat assessment D. Data quality assurance (QA) plan Suggested Answer: C
Which of the following is MOST helpful to facilitate the decision of recovery priorities in a disaster situation? A. Risk scenario analysis B. Key risk indicators (KRIs) C. Recovery point objective (RPO) D. Business impact analysis (BIA) Suggested Answer: D
An enterprise has taken delivery of software patches that address vulnerabilities in its core business software. Prior to implementation, which of the following is the MOST important task to be performed? A. Seek information from the software vendor to enable effective application of the patches. B. Assess the impact of applying the patches on the production environment. C. Determine in advance an off-peak period to apply the patches. D. Survey other enterprises regarding their experiences with applying these patches. Suggested Answer: B
Which of the following is the BEST method for assessing the current effectiveness of an organization’s risk management program against its desired level of capability? A. Risk management maturity model B. Risk management improvement program C. Internal audit review D. Benchmarking with peer organizations Suggested Answer: A
An organization has decided to migrate its critical system database containing customer information to branches located in other countries. Which of the following should be of MOST concern regarding the migration? A. Regional regulatory requirements regarding the protection of sensitive data B. Database synchronization and encryption policies C. Security configurations of the database system after migration D. Fault tolerance of each database with customer information Suggested Answer: A
Where should a risk practitioner document the current state and desired future state of organizational risk? A. Business continuity plan (BCP) B. Risk management strategy C. Risk action plan D. Risk register Suggested Answer: D
Which of the following would BEST prevent an unscheduled application of a patch? A. Segregation of duties B. Compensating controls C. Change management D. Network-based access controls Suggested Answer: C
Which of the following is MOST likely to trigger the need for a risk reassessment? A. Risk assessment tools have changed. B. Audit programs have changed. C. A vulnerability has been identified within the industry. D. The scheduled review period has passed. Suggested Answer: C
The BEST way to mitigate the high cost of retrieving electronic evidence associated with potential litigation is to implement policies and procedures for: A. data classification and labeling. B. data mining and analytics. C. data retention and destruction. D. data logging and monitoring. Suggested Answer: C
Which of the following would be the result of a significant increase in the motivation of a malicious threat actor? A. Increase in risk event likelihood B. Increase in mitigating control costs C. Increase in risk event impact D. Increase in cybersecurity premiums Suggested Answer: A
Which of the following is the MOST effective way to validate organizational awareness of cybersecurity risk? A. Implementing mock phishing exercises B. Requiring two-factor authentication C. Updating the information security policy D. Conducting security awareness training Suggested Answer: D
Which of the following is MOST likely to result in a major change to the overall risk profile of the organization? A. Changes in internal and external auditors B. Changes in vulnerability assessment and penetration testing C. Changes in risk appetite and risk tolerance D. Changes in internal and external risk factors Suggested Answer: C
A PRIMARY outcome of conducting a business impact analysis (BIA) is that the organization is able to determine: A. the data classification of IT assets. B. threat scenarios affecting IT asset recovery strategies. C. disaster recovery priorities for IT assets. D. the likelihood and impact of environmental threats. Suggested Answer: C
Which of the following is the ULTIMATE objective of utilizing key control indicators (KCIs) in the risk management process? A. To provide benchmarks for assessing control design effectiveness against industry peers B. To provide insight into the effectiveness of the internal control environment C. To provide early warning signs of a potential change in risk level D. To provide a basis for determining the criticality of risk mitigation controls Suggested Answer: B
An organization requires a third-party attestation report annually from all service providers. One service provider is unable to provide the required report due to recent changes in ownership. Which of the following is the BEST course of action for the risk practitioner? A. Verify that an exception has been approved. B. Implement additional controls to mitigate the risk. C. Approve an exception for the report and document associated controls. D. Execute an independent review of the service provider. Suggested Answer: C
Which of the following processes BEST enables a risk practitioner to gather evidence about the threat environment for further analysis? A. Risk assessment B. Threat modeling C. Vulnerability scanning D. Threat intelligence Suggested Answer: B
Which of the following BEST enables a risk practitioner to determine the appropriate risk treatment for a materialized event? A. Incident trend analysis B. Likelihood analysis C. Root cause analysis D. Impact analysis Suggested Answer: D
Optimized risk management is achieved when risk is reduced: A. with strategic initiatives. B. within resource availability. C. below risk appetite. D. to meet risk appetite. Suggested Answer: D
Which of the following should be done FIRST to enable consistent understanding of risk across the organization? A. Prepare relevant risk scenarios for use across the organization. B. Develop risk awareness communications for the organization. C. Establish a common risk taxonomy for the organization. D. Embed risk management practices throughout the organization. Suggested Answer: C
Which of the following is the BEST way to reduce the likelihood of an individual performing a potentially harmful action as the result of unnecessary entitlement? A. Least privilege B. Application monitoring C. Separation of duty D. Nonrepudiation Suggested Answer: A
Which of the following would have the GREATEST impact on reducing the risk associated with the implementation of a big data project? A. Data governance B. Data processing C. Data scalability D. Data quality Suggested Answer: A
A key performance indicator (KPI) has been established to monitor the number of software changes that fail and must be re-implemented. An increase in the KPI indicates an ineffective: A. preventive control. B. deterrent control. C. administrative control. D. corrective control. Suggested Answer: D
Which strategy employed by risk management would BEST help to prevent internal fraud? A. Require control owners to conduct an annual control certification. B. Require the information security officer to review unresolved incidents. C. Ensure segregation of duties is implemented within key systems or processes. D. Conduct regular internal and external audits on the systems supporting financial reporting. Suggested Answer: C
Which of the following is the MOST effective way to identify changes in the performance of the control environment? A. Evaluate key performance indicators (KPIs). B. Perform a control self-assessment (CSA). C. Implement continuous monitoring. D. Adjust key risk indicators (KRIs). Suggested Answer: C
An organization is planning a project to replace several complex manual controls with automated processes. Which of the following is the risk practitioner's MOST important course of action? A. Test the automated processes to ensure results are accurate. B. Determine whether the automated processes adequately address the risk. C. Establish the degree of control efficiency improvement. D. Update the associated control assessments for the automated processes. Suggested Answer: B
A risk assessment of an organization’s architecture reveals that the middleware systems have a severe vulnerability that could compromise the confidentiality of record processing. Which of the following is the risk practitioner's BEST course of action? A. Recommend additional budget to cover the cost of an upgrade. B. Develop a remediation plan with the business process owner. C. Escalate the issue to senior management. D. Document the issue in the business impact analysis (BIA). Suggested Answer: B
Which of the following is MOST important when planning to implement a Software as a Service (SaaS) application to manage information? A. Determining if sensitive data will be included B. Assessing if adequate deconversion services are available C. Reviewing service level agreements (SLAs) D. Obtaining the service provider’s controls attestation Suggested Answer: A
Which of the following is MOST important for the organization to consider before implementing a new in-house developed artificial intelligence (AI) solution? A. Data feeds B. Expected algorithm outputs C. Industry trends in AI D. Alert functionality Suggested Answer: A
An organization is considering the adoption of an aggressive business strategy to achieve desired growth. From a risk management perspective, what should the risk practitioner do NEXT? A. Update risk awareness training to reflect current levels of risk appetite and tolerance. B. Identify new threats resulting from the new business strategy. C. Increase the scale for measuring impact due to threat materialization. D. Inform the board of potential risk scenarios associated with aggressive business strategies. Suggested Answer: D
Which of the following provides the BEST indication of risk management maturity? A. Comprehensive risk and control assessment methodology B. Risk management policy alignment with corporate culture C. Business continuity insurance coverage D. Presence of a risk management framework Suggested Answer: D
Which of the following is the MOST important document regarding the treatment of sensitive data? A. Organization risk profile B. Digital rights management policy C. Information classification policy D. Encryption policy Suggested Answer: C
In an organization that allows employee use of social media accounts for work purposes, which of the following is the BEST way to protect company sensitive information from being exposed? A. Taking punitive action against employees who expose confidential data B. Requiring employees to sign nondisclosure agreements (NDAs) C. Implementing a data loss prevention (DLP) solution D. Educating employees on what needs to be kept confidential Suggested Answer: C
In response to recent security incidents, the IT risk management team is promoting a global security plan that defines controls to be implemented in multiple regions. Which of the following BEST enables the successful deployment of this plan? A. Obtain the approval of each regional head. B. Engage an external auditor in each region before deployment. C. Provide each region with adequate funding. D. Allow each region to adapt the plan to its local requirements. Suggested Answer: D
Which of the following is the BEST criterion to determine whether a control environment is effective? A. The controls increase the organization's tolerance for risk. B. The controls increase the projected amount of loss the organization would incur. C. The controls reduce the likelihood of realizing the associated risk scenario. D. The controls transfer the associated risk to a third party. Suggested Answer: C
Which of the following is the PRIMARY objective of aggregating the impact of IT risk scenarios and reflecting the results in the enterprise risk register? A. To ensure IT risk scenarios are consistently assessed within the organization B. To ensure IT risk ownership is assigned at the appropriate organizational level C. To ensure IT risk impact can be compared to the IT risk appetite D. To ensure IT risk appetite is communicated across the organization Suggested Answer: C
An IT risk threat analysis is BEST used to establish: A. risk scenarios. B. risk maps. C. risk ownership. D. risk appetite. Suggested Answer: A
A risk practitioner has been asked to mark an identified control deficiency as remediated, despite concerns that the risk level is still too high. Which of the following is the BEST way to address this concern? A. Recommend implementation of additional compensating controls. B. Review the organization’s risk appetite and tolerance. C. Assess the residual risk against the organization’s risk appetite. D. Prepare a risk acceptance proposal for senior management's consideration. Suggested Answer: C
Which of the following will BEST help to ensure new IT policies address the enterprise’s requirements? A. Involve business owners in the policy development process. B. Provide policy owners with greater enforcement authority. C. Require business users to sign acknowledgment of the policies. D. Involve IT leadership in the policy development process. Suggested Answer: A
The PRIMARY objective of collecting information and reviewing documentation when performing periodic risk analyses should be to: A. survey and analyze historical risk data. B. identify new or emerging risk issues. C. understand internal and external threat agents. D. satisfy audit requirements. Suggested Answer: B
An organization is developing a risk universe to create a holistic view of its overall risk profile. Which of the following is the GREATEST barrier to achieving the initiative's objectives? A. Lack of common understanding of the organization's risk culture B. Lack of cross-functional risk assessment workshops within the organization C. Lack of quantitative methods to aggregate the total risk exposure D. Lack of an integrated risk management system to aggregate risk scenarios Suggested Answer: A
Which of the following is MOST important for managing ethical risk? A. Involving senior management in resolving ethical disputes B. Developing metrics to trend reported ethics violations C. Establishing a code of conduct for employee behavior D. Identifying the ethical concerns of each stakeholder Suggested Answer: C
Which of the following is PRIMARILY a risk management responsibility of the first line of defense? A. Implementing risk treatment plans B. Conducting independent reviews of risk assessment results C. Establishing risk policies and standards D. Validating the status of risk mitigation efforts Suggested Answer: A
Which of the following is the MOST important metric to monitor the performance of the change management process? A. Percentage of changes having segregation of duties in code deployment B. Percentage of changes having completed post-implementation verification C. Percentage of changes having to invoke the rollback plan D. Percentage of changes having user acceptance testing (UAT) sign-off Suggested Answer: D
Which of the following should be the PRIMARY basis for deciding whether to disclose information related to risk events that impact external stakeholders? A. Management assertions B. Contractual requirements C. Regulatory requirements D. Stakeholder preferences Suggested Answer: C
Which of the following is a risk practitioner’s BEST course of action upon learning that regulatory authorities have concerns with an emerging technology the organization is considering? A. Update risk responses. B. Perform a threat assessment. C. Redesign key risk indicators (KRIs). D. Conduct a SWOT analysis. Suggested Answer: B
Which of the following provides the BEST assurance of control effectiveness for security risk scenarios in a service provider’s environment? A. Independent assessment report B. Penetration testing C. Service-level monitoring D. Service provider’s control self-assessment (CSA) Suggested Answer: A
Which of the following BEST enables risk mitigation associated with software licensing noncompliance? A. Perform automated vulnerability scans. B. Conduct annual reviews of license expiration dates. C. Implement automated IT asset management controls. D. Document IT inventory management procedures. Suggested Answer: C
As part of software development projects, risk assessments are MOST effective when performed: A. throughout the system development life cycle (SDLC). B. before the decision is made to develop or acquire the software. C. during system deployment and maintenance. D. before developing the project charter for the software. Suggested Answer: A
Which of the following MOST effectively ensures controls are built into applications during development? A. Independent post-implementation reviews of system development projects by internal audit B. Static code scanning throughout the systems development life cycle (SDLC) C. Dynamic security testing before applications move to production D. Engagement of security team early in the systems development life cycle (SDLC) Suggested Answer: D
Which of the following analyses is MOST useful for prioritizing risk scenarios associated with loss of IT assets? A. Cost-benefit analysis B. Business impact analysis (BIA) C. SWOT analysis D. Root cause analysis Suggested Answer: B
The PRIMARY reason to implement a formalized risk taxonomy is to: A. reduce subjectivity in risk management B. comply with regulatory requirements C. demonstrate best industry practice D. improve visibility of overall risk exposure Suggested Answer: A
Which of the following is the FIRST consideration to reduce risk associated with the storage of personal data? A. Normalize the personal data. B. Implement privacy training. C. Minimize the collection of data. D. Encrypt the personal data. Suggested Answer: C
After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to: A. prepare an IT risk mitigation strategy B. review the impact to the IT environment C. escalate to senior management D. perform a cost-benefit analysis Suggested Answer: B
Which of the following has the GREATEST impact on ensuring the alignment of the risk profile with business objectives? A. Incorporation of industry best practice benchmarks and standards B. An effective enterprise-wide risk awareness program C. Senior management approval of risk appetite and tolerance D. Stage gate reviews throughout the risk management process Suggested Answer: C
Which of the following is MOST helpful to review when assessing the risk exposure associated with ransomware? A. Potentially impacted business processes B. Recent changes in the environment C. Key performance indicators (KPIs) D. Suspected phishing events Suggested Answer: A
Which of the following should be the PRIMARY area of focus when reporting changes to an organization’s risk profile to executive management? A. Risk tolerance B. Risk management resources C. Risk trends D. Cyberattack threats Suggested Answer: C
When assembling IT risk scenarios, it is MOST important that the scenarios: A. describe worst-case situations and the inherent likelihood of risk. B. are linked to relevant business risk and corresponding information classification. C. can be used for efficient risk identification and subsequent risk analysis. D. consider the information criteria efficiency, effectiveness, and availability. Suggested Answer: B
Which of the following is the BEST method to mitigate the risk of an unauthorized employee viewing confidential data in a database? A. Implement a data masking process. B. Include sanctions in nondisclosure agreements (NDAs). C. Implement role-based access control. D. Install a data loss prevention (DLP) tool. Suggested Answer: C
Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)? A. To identify gaps in data protection controls B. To identify personally identifiable information (PII) C. To develop a customer notification plan D. To determine gaps in data deidentification processes Suggested Answer: A
Which of the following provides the BEST assurance of the effectiveness of vendor security controls? A. Require independent control assessments. B. Review vendor service level agreement (SLA) metrics. C. Review vendor control self-assessments (CSA). D. Obtain vendor references from existing customers. Suggested Answer: A
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation? A. Enable data encryption in the test environment. B. Enforce multi-factor authentication within the test environment. C. Prevent the use of production data in the test environment. D. De-identify data before being transferred to the test environment. Suggested Answer: C
Who should be responsible for determining which stakeholders need to be involved in the development of a risk scenario? A. Risk owner B. Control owner C. Compliance manager D. Risk practitioner Suggested Answer: A
An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative? A. Risk likelihood B. Risk appetite C. Risk capacity D. Risk culture Suggested Answer: A
Which of the following provides the MOST useful information for developing key risk indicators (KRIs)? A. Business impact analysis (BIA) results B. Risk scenario ownership C. Possible causes of materialized risk D. Risk thresholds Suggested Answer: C
Which of the following is the GREATEST benefit of using IT risk scenarios? A. They support compliance with regulations. B. They provide evidence of risk assessment. C. They facilitate communication of risk. D. They enable the use of key risk indicators (KRIs). Suggested Answer: C
Which of the following is MOST important to determine when assessing the potential risk exposure of a loss event involving personal data? A. The cost associated with incident response activities B. The maximum levels of applicable regulatory fines C. The composition and number of records in the information asset D. The length of time between identification and containment of the incident Suggested Answer: C
Which of the following is the BEST evidence of the effectiveness of a security awareness program? A. An increase in the number of user-reported security issues B. A decrease in the number of security threats C. An increase in the number of key performance indicators (KPIs) D. A decrease in the number of failed login attempts Suggested Answer: A
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner? A. The program has not decreased threat counts. B. The program uses non-customized training modules. C. The program has not considered business impact. D. The program has been significantly revised. Suggested Answer: C
Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud? A. Implement user access controls. B. Develop and communicate fraud prevention policies. C. Perform regular internal audits. D. Conduct fraud prevention awareness training. Suggested Answer: D
Which of the following potential scenarios associated with the implementation of a new database technology presents the GREATEST risk to an organization? A. Application and data migration cost for backups may exceed budget. B. The organization may not have a sufficient number of skilled resources. C. Data may not be recoverable due to system failures. D. The database system may not be scalable in the future. Suggested Answer: C
Which of the following is MOST useful for measuring the existing risk management process against a desired state? A. Capability maturity model B. Risk scenario analysis C. Risk management framework D. Balanced scorecard Suggested Answer: A
Which of the following BEST enables senior management to compare the ratings of risk scenarios? A. Control self-assessment (CSA) B. Key risk indicators (KRIs) C. Risk heat map D. Key performance indicators (KPIs) Suggested Answer: C
Which of the following BEST reduces the probability of laptop theft? A. Acceptable use policy B. Asset tag with GPS C. Cable lock D. Data encryption Suggested Answer: C
Which of the following is the GREATEST benefit of having a mature enterprise architecture (EA) in place? A. Standards-based policies B. Efficient operations C. Regulatory compliance D. Audit readiness Suggested Answer: B
What is the MAIN benefit of using a top-down approach to develop risk scenarios? A. It describes risk events specific to technology used by the enterprise. B. It establishes the relationship between risk events and organizational objectives. C. It helps management and the risk practitioner to refine risk scenarios. D. It uses hypothetical and generic risk events specific to the enterprise. Suggested Answer: B
Management has determined that it will take significant time to remediate exposures in the current IT control environment. Which of the following is the BEST course of action? A. Reassess the risk periodically. B. Improve project management methodology. C. Implement control monitoring. D. Identify compensating controls. Suggested Answer: D
Which of the following is the BEST risk management approach for the strategic IT planning process? A. The IT strategic plan is developed from the organization-wide risk management plan. B. Risk scenarios associated with IT strategic initiatives are identified and assessed. C. Key performance indicators (KPIs) are established to track IT strategic initiatives. D. The IT strategic plan is reviewed by the chief information security officer (CISO) and enterprise risk management (ERM). Suggested Answer: B
The BEST indicator of the risk appetite of an organization is the: A. risk management capability of the organization. B. importance assigned to IT in meeting strategic goals. C. board of directors’ response to identified risk factors. D. regulatory environment of the organization. Suggested Answer: C
An organization’s business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner’s PRIMARY consideration when participating in development of the new strategy? A. Proposed risk budget B. Risk indicators C. Risk culture D. Scale of technology Suggested Answer: C
An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations? A. Conduct a business impact analysis (BIA) for an alternate location. B. Develop a business continuity plan (BCP). C. Prepare a disaster recovery plan (DRP). D. Prepare a cost-benefit analysis to evaluate relocation. Suggested Answer: B
Which of the following BEST balances the costs and benefits of managing IT risk? A. Eliminating risk through preventive and detective controls B. Prioritizing and addressing risk in line with risk appetite C. Considering risk that can be shared with a third party D. Evaluating the probability and impact of risk scenarios Suggested Answer: B
Which of the following would provide the MOST useful input when evaluating the appropriateness of risk responses? A. Cost-benefit analysis B. Control objectives C. Incident reports D. Risk tolerance Suggested Answer: A
Which of the following BEST enables effective IT control implementation? A. Information security policies B. Documented procedures C. Information security standards D. Key risk indicators (KRIs) Suggested Answer: B
An organization recently acquired a new business division. Which of the following is MOST likely to be affected? A. Risk tolerance B. Risk appetite C. Risk profile D. Risk culture Suggested Answer: C
One of an organization’s key IT systems cannot be patched because the patches interfere with critical business application functionalities. Which of the following would be the risk practitioner’s BEST recommendation? A. The associated IT risk should be accepted by management. B. The organization’s IT risk appetite should be adjusted. C. Additional mitigating controls should be identified. D. The system should not be used until the application is changed. Suggested Answer: C
Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)? A. KRIs assist in the preparation of the organization’s risk profile. B. KRIs signal that a change in the control environment has occurred. C. KRIs provide an early warning that a risk threshold is about to be reached. D. KRIs provide a basis to set the risk appetite for an organization. Suggested Answer: C
An organization has agreed to a 99% availability for its online services and will not accept availability that falls below 98.5%. The 98.5% floor is an example of: A. risk mitigation. B. risk appetite. C. risk evaluation. D. risk tolerance. Suggested Answer: D
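The two questions above describe the same mechanism from two sides: a KRI is meant to warn before a threshold is reached, and an availability commitment of 99% with a floor of 98.5% is a threshold pair (appetite and tolerance). The following is an added example, not part of the original question bank: it computes monthly availability from outage minutes, classifies each month against the two thresholds, and projects the trend one month ahead so that the warning fires while the service is still inside tolerance. The outage figures, the 30-day month and the linear projection are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Thresholds taken from the question: the agreed target (appetite) is 99.0%
// and the organisation will not accept anything below 98.5% (tolerance).
const (
	AppetitePct  = 99.0
	TolerancePct = 98.5
	MinutesMonth = 30 * 24 * 60 // assumed 30-day reporting month: 43,200 minutes
)

// Availability returns the percentage of the month the service was up.
func Availability(outageMinutes float64) float64 {
	return 100 * (1 - outageMinutes/MinutesMonth)
}

// Status classifies one month's availability:
//   green: at or above appetite (99.0%)
//   amber: below appetite but still inside tolerance; a deviation the
//          organisation accepts for now but must watch
//   red:   below tolerance (98.5%), the level management said it will not accept
func Status(pct float64) string {
	switch {
	case pct >= AppetitePct:
		return "green"
	case pct >= TolerancePct:
		return "amber"
	default:
		return "red"
	}
}

// History converts a series of monthly outage minutes into availability values.
func History(outages []float64) []float64 {
	out := make([]float64, len(outages))
	for i, m := range outages {
		out[i] = Availability(m)
	}
	return out
}

// EarlyWarning gives the "about to be reached" signal a KRI exists for: it fits
// a least-squares line through the recent months and projects one month ahead.
// warn is true when the latest value is still inside tolerance but the
// projection is not, i.e. the breach is coming and there is still time to act.
func EarlyWarning(history []float64) (projected float64, warn bool) {
	n := len(history)
	if n < 2 {
		return math.NaN(), false // no trend from a single point
	}
	var sumX, sumY, sumXY, sumXX float64
	for i, y := range history {
		x := float64(i)
		sumX, sumY, sumXY, sumXX = sumX+x, sumY+y, sumXY+x*y, sumXX+x*x
	}
	fn := float64(n)
	slope := (fn*sumXY - sumX*sumY) / (fn*sumXX - sumX*sumX)
	intercept := (sumY - slope*sumX) / fn
	projected = intercept + slope*fn // x = n is next month
	current := history[n-1]
	return projected, current >= TolerancePct && projected < TolerancePct
}

// ExampleOutages are constructed outage minutes for six consecutive months.
var ExampleOutages = []float64{150, 240, 330, 420, 510, 600}

func main() {
	hist := History(ExampleOutages)
	for i, pct := range hist {
		fmt.Printf("month %d: %.3f%% (%s)\n", i+1, pct, Status(pct))
	}
	proj, warn := EarlyWarning(hist)
	fmt.Printf("projected next month: %.3f%%, early warning: %v\n", proj, warn)
}
```

With the constructed series the last two months are amber (98.82% and 98.61%), so nothing has breached yet, but the projection for the next month is 98.40%, below the floor, and the KRI raises its warning now rather than after the SLA has already been missed. A real KRI would normally smooth over more months and tie the warning to a named risk owner.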
Which of the following would MOST likely cause management to unknowingly accept excessive risk? A. Lack of preventive controls B. Risk tolerance being set too low C. Inaccurate risk ratings D. Satisfactory audit results Suggested Answer: C
Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification? A. Risk priorities B. Risk register C. Risk heat maps D. Risk appetite Suggested Answer: A
What is the BEST recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system? A. Ensure regular backups take place. B. Install antivirus software on the system. C. Virtualize the system in the cloud. D. Segment the system on its own network. Suggested Answer: D
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application? A. Penetration testing B. Fault tree analysis C. Vulnerability assessment D. IT general controls audit Suggested Answer: A
A recent regulatory requirement has the potential to affect an organization’s use of a third party to supply outsourced business services. Which of the following is the BEST course of action? A. Identify compensating controls. B. Terminate the outsourcing agreement. C. Transfer risk to the third party. D. Conduct a gap analysis. Suggested Answer: D
A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which of the following is the risk practitioner’s BEST course of action? A. Collaborate with the risk owner to determine the risk response plan. B. Include a right to audit clause in the service provider contract. C. Advise the risk owner to accept the risk. D. Document the gap in the risk register and report to senior management. Suggested Answer: A
Which of the following BEST enables a risk practitioner to understand management's approach to organizational risk? A. Industry best practices for risk management B. Risk appetite and risk tolerance C. Prior year’s risk assessment results D. Organizational structure and job descriptions Suggested Answer: B
An organization has been experiencing an increasing number of spear phishing attacks. Which of the following would be the MOST effective way to mitigate the risk associated with these attacks? A. Implement a security awareness program. B. Require strong password complexity. C. Implement two-factor authentication. D. Update firewall configuration. Suggested Answer: A
A poster has been displayed in a data center that reads, “Anyone caught taking photographs in the data center may be subject to disciplinary action.” Which of the following control types has been implemented? A. Preventative B. Corrective C. Detective D. Deterrent Suggested Answer: D
Which of the following is the MOST important characteristic of a key risk indicator (KRI) to enable decision-making? A. Listing alternative causes for risk events B. Setting minimum sample sizes to ensure accuracy C. Monitoring the risk until exposure is reduced D. Illustrating changes in risk trends Suggested Answer: D
Which of the following is the BEST way to protect sensitive data from administrators within a public cloud? A. Encrypt the data in the cloud database. B. Use an encrypted tunnel to connect to the cloud. C. Encrypt data before it leaves the organization. D. Encrypt physical hard drives within the cloud. Suggested Answer: C
Which of the following should be the FIRST consideration when establishing a new risk governance program? A. Creating policies and standards that are easy to comprehend B. Developing an ongoing awareness and training program C. Completing annual risk assessments on critical resources D. Embedding risk management into the organization Suggested Answer: D
A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern? A. The risk owner is a staff member rather than a department manager. B. The risk owner is in a business unit and does not report through the IT department. C. The risk owner is not the control owner for associated data controls. D. The risk owner is listed as the department responsible for decision making. Suggested Answer: C
Which of the following is a risk practitioner’s BEST course of action after identifying risk scenarios related to noncompliance with new industry regulations? A. Recalculate the risk. B. Implement monitoring controls. C. Escalate to senior management. D. Transfer the risk. Suggested Answer: C
Which of the following should be the PRIMARY input to determine risk tolerance? A. Risk management costs B. Annual loss expectancy (ALE) C. Regulatory requirements D. Organizational objectives Suggested Answer: D
Which of the following should be considered FIRST when creating a comprehensive IT risk register? A. Risk mitigation policies B. Risk appetite C. Risk analysis techniques D. Risk management budget Suggested Answer: B
Which of the following is the PRIMARY reason to engage business unit managers in risk management processes? A. Improved alignment with technical risk B. Improved business operations efficiency C. Better-informed business decisions D. Enhanced understanding of enterprise architecture (EA) Suggested Answer: C
Which of the following would be the BEST way for a risk practitioner to validate the effectiveness of a patching program? A. Conduct vulnerability scans. B. Review change control board documentation. C. Interview IT operations personnel. D. Conduct penetration testing. Suggested Answer: A
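The reason scans beat change tickets and interviews is that they are observation rather than assertion. The following added example (not part of the original question bank) shows the check a practitioner actually runs: take what the patch-management tool claims is installed, take a scanner export, and sort every claim into confirmed, contradicted, or unverified, the last bucket being the trap where a host the scanner never reached gets counted as patched. The record layout, the host names, the fix identifiers and the CVE placeholders (deliberately not real CVE numbers) are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// PatchClaim is what the patch-management tool or change ticket asserts:
// FixID is installed on Host. Constructed shape for this example.
type PatchClaim struct{ Host, FixID string }

// Finding is one row of a scanner export: the scanner still observes Host
// missing FixID, reported under CVE. Constructed shape for this example.
type Finding struct{ Host, CVE, FixID string }

// Result sorts every claim, plus any finding nobody claimed to have fixed.
type Result struct {
	Confirmed    []string // scan covered the host and did not flag the fix
	Contradicted []string // scan still finds the fix missing: the claim is false
	Unverified   []string // host not in the scan; the claim cannot be validated
	Unclaimed    []string // scanner finding with no patch claim at all
}

// ParseScan reads a minimal "host,cve,fix" export, one finding per line.
func ParseScan(export string) ([]Finding, error) {
	var out []Finding
	for i, line := range strings.Split(strings.TrimSpace(export), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || (i == 0 && strings.HasPrefix(line, "host,")) {
			continue // blank line or header row
		}
		f := strings.Split(line, ",")
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", i+1, len(f))
		}
		out = append(out, Finding{strings.TrimSpace(f[0]), strings.TrimSpace(f[1]), strings.TrimSpace(f[2])})
	}
	return out, nil
}

// Validate checks each patch claim against scanner ground truth.
func Validate(claims []PatchClaim, scannedHosts []string, findings []Finding) Result {
	scanned := map[string]bool{}
	for _, h := range scannedHosts {
		scanned[h] = true
	}
	missing := map[string]string{} // "host|fix" -> CVE the scanner reported
	for _, f := range findings {
		missing[f.Host+"|"+f.FixID] = f.CVE
	}
	claimed := map[string]bool{}
	var r Result
	for _, c := range claims {
		key := c.Host + "|" + c.FixID
		claimed[key] = true
		if !scanned[c.Host] {
			r.Unverified = append(r.Unverified, key)
		} else if cve, ok := missing[key]; ok {
			r.Contradicted = append(r.Contradicted, key+" ("+cve+")")
		} else {
			r.Confirmed = append(r.Confirmed, key)
		}
	}
	for _, f := range findings {
		if key := f.Host + "|" + f.FixID; !claimed[key] {
			r.Unclaimed = append(r.Unclaimed, key+" ("+f.CVE+")")
		}
	}
	return r
}

// Constructed inputs: four claims, three hosts the scan reached, and a
// two-row scanner export with placeholder (non-real) CVE identifiers.
var (
	exampleClaims  = []PatchClaim{{"web01", "FIX-A"}, {"web02", "FIX-A"}, {"db01", "FIX-B"}, {"app01", "FIX-C"}}
	exampleScanned = []string{"web01", "web02", "db01"}
	exampleExport  = "host,cve,fix\nweb01,CVE-TEST-0001,FIX-A\ndb01,CVE-TEST-0002,FIX-D\n"
)

// RunExample wires the constructed inputs through the check.
func RunExample() (Result, error) {
	findings, err := ParseScan(exampleExport)
	if err != nil {
		return Result{}, err
	}
	return Validate(exampleClaims, exampleScanned, findings), nil
}

func main() {
	r, err := RunExample()
	if err != nil {
		fmt.Println("scan export unreadable:", err)
		return
	}
	fmt.Println("confirmed:   ", r.Confirmed)
	fmt.Println("contradicted:", r.Contradicted)
	fmt.Println("unverified:  ", r.Unverified)
	fmt.Println("unclaimed:   ", r.Unclaimed)
}
```

On the constructed data the patch tool's 100% compliance claim collapses to two confirmed fixes, one false claim on web01, one claim on app01 that cannot be validated because the scan never reached it, and one finding on db01 that no ticket ever covered. The unverified bucket is the one to report separately; a patching metric that silently counts unscanned hosts as patched is the same assertion-over-observation mistake as trusting the change ticket.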
An organization has allowed several employees to retire early in order to avoid layoffs. Many of these employees have been subject matter experts for critical assets. Which type of risk is MOST likely to materialize? A. Unauthorized access B. Confidentiality breach C. Intellectual property loss D. Institutional knowledge loss Suggested Answer: D
Which of the following is the result of a realized risk scenario? A. Threat event B. Technical event C. Loss event D. Vulnerability event Suggested Answer: C
Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)? A. Nonexistent benchmark analysis B. Ineffective methods to assess risk C. Incomplete documentation for KRI monitoring D. High percentage of lagging indicators Suggested Answer: B
A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response? A. Assess the level of risk associated with the vulnerabilities. B. Communicate the vulnerabilities to the risk owner. C. Correct the vulnerabilities to mitigate potential risk exposure. D. Develop a risk response action plan with key stakeholders. Suggested Answer: B
Which of the following is the MOST important consideration for effectively maintaining a risk register? A. The register is updated frequently. B. Compensating controls are identified. C. The register is shared with executive management. D. An IT owner is assigned for each risk scenario. Suggested Answer: D
Which risk response strategy could management apply to both positive and negative risk that has been identified? A. Accept B. Exploit C. Mitigate D. Transfer Suggested Answer: A
Which of the following is MOST important to determine as a result of a risk assessment? A. Risk appetite statement B. Process ownership C. Risk response options D. Risk tolerance levels Suggested Answer: C
Which of the following is the BEST recommendation to address recent IT risk trends that indicate social engineering attempts are increasing in the organization? A. Update spam filters. B. Conduct a simulated phishing attack. C. Strengthen disciplinary procedures. D. Revise the acceptable use policy. Suggested Answer: B
Which of the following is MOST important for an organization to consider when developing its IT strategy? A. The organization's risk appetite statement B. Legal and regulatory requirements C. IT goals and objectives D. Organizational goals and objectives Suggested Answer: D
Which of the following is the MOST important course of action for a risk practitioner when reviewing the results of control performance monitoring? A. Analyze appropriateness of key performance indicators (KPIs). B. Evaluate changes to the organization’s risk profile. C. Confirm controls achieve regulatory compliance. D. Validate whether the controls effectively mitigate risk. Suggested Answer: D
Which stakeholder is MOST important to include when defining a risk profile during the selection process for a new third-party application? A. The information security manager B. The third-party risk manager C. The application vendor D. The business process owner Suggested Answer: D
Who is MOST appropriate to be assigned ownership of a control? A. The individual responsible for control operation B. The individual responsible for testing the control C. The individual informed of the control effectiveness D. The individual accountable for monitoring control effectiveness Suggested Answer: A
When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important to: A. revalidate existing risk scenarios. B. revalidate current key risk indicators (KRIs). C. review the data classification policy. D. revise risk management procedures. Suggested Answer: C
Which of the following should be used as the PRIMARY basis for evaluating the state of an organization’s cloud computing environment against leading practices? A. The cloud environment’s risk register B. The cloud environment’s capability maturity model C. The organization’s strategic plans for cloud computing D. The cloud computing architecture Suggested Answer: B
Which of the following should be the PRIMARY basis for prioritizing risk responses? A. The replacement cost of the business asset B. The impact of the risk C. The classification of the business asset D. The cost of risk mitigation controls Suggested Answer: B
Of the following, who is responsible for approval when a change in an application system is ready for release to production? A. Business owner B. Information security officer C. Chief risk officer (CRO) D. IT risk manager Suggested Answer: A
An organization’s recovery team is attempting to recover critical data backups following a major flood in its data center. However, key team members do not know exactly what steps should be taken to address this crisis. Which of the following is the MOST likely cause of this situation? A. Failure to test the disaster recovery plan (DRP) B. Lack of well-documented business impact analysis (BIA) C. Significant changes in management personnel D. Lack of annual updates to the disaster recovery plan (DRP) Suggested Answer: A
The MAIN reason for prioritizing IT risk responses is to enable an organization to: A. determine the risk appetite. B. determine the budget. C. define key performance indicators (KPIs). D. optimize resource utilization. Suggested Answer: D
Which of the following presents the GREATEST challenge to managing an organization’s end-user devices? A. Incompatible end-user devices B. Unsupported end-user applications C. Incomplete end-user device inventory D. Multiple end-user device models Suggested Answer: C
A risk practitioner has established that a particular control is working as desired, but the annual cost of maintenance has increased and now exceeds the expected annual loss exposure. The result is that the control is: A. inefficient. B. ineffective. C. optimized. D. mature. Suggested Answer: A
Which of the following is MOST important when determining risk appetite? A. Assessing regulatory requirements B. Identifying risk tolerance C. Benchmarking against industry standards D. Gaining management consensus Suggested Answer: B
Which of the following is the MOST effective way to help ensure accountability for managing risk? A. Assign process owners to key risk areas. B. Assign incident response action plan responsibilities. C. Create accurate process narratives. D. Obtain independent risk assessments. Suggested Answer: A
What is senior management’s role in the RACI model when tasked with reviewing monthly status reports provided by risk owners? A. Accountable B. Consulted C. Responsible D. Informed Suggested Answer: D
An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed? A. Initiate a retest of the full control. B. Re-evaluate the control during the next assessment. C. Review the corresponding change control documentation. D. Retest the control using the new application as the only sample. Suggested Answer: D
Which of the following observations from a third-party service provider review would be of GREATEST concern to a risk practitioner? A. The service contract is up for renewal in less than thirty days. B. Key third-party personnel have recently been replaced. C. Monthly service charges are significantly higher than industry norms. D. Service level agreements (SLAs) have not been met over the last quarter. Suggested Answer: D
A global organization has implemented an application that does not address all privacy requirements across multiple jurisdictions. Which of the following risk responses has the organization adopted with regard to privacy requirements? A. Risk mitigation B. Risk transfer C. Risk avoidance D. Risk acceptance Suggested Answer: D
An information security audit identified a risk resulting from the failure of an automated control. Who is responsible for ensuring the risk register is updated accordingly? A. The control owner B. The audit manager C. The risk practitioner D. The risk owner Suggested Answer: D
An internal audit report reveals that a legacy system is no longer supported. Which of the following is the risk practitioner’s MOST important action before recommending a risk response? A. Explore the feasibility of replacing the legacy system. B. Identify other legacy systems within the organization. C. Assess the potential impact and cost of mitigation. D. Review historical application downtime and frequency. Suggested Answer: C
Which of the following proposed benefits is MOST likely to influence senior management approval to reallocate budget for a new security initiative? A. Reduction in the number of incidents B. Reduction in inherent risk C. Reduction in residual risk D. Reduction in the number of known vulnerabilities Suggested Answer: C
Reviewing which of the following BEST helps an organization gain insight into its overall risk profile? A. Threat landscape B. Risk metrics C. Risk appetite D. Risk register Suggested Answer: D
Which of the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage? A. Enforce sanctions for noncompliance with security procedures. B. Require regular testing of the data breach response plan. C. Conduct organization-wide phishing simulations. D. Require training on the data handling policy. Suggested Answer: D
An organization is planning to outsource its payroll function to an external service provider. Which of the following should be the MOST important consideration when selecting the provider? A. Transparency of key performance indicators (KPIs) B. Right to audit the provider C. Disaster recovery plan (DRP) of the system D. Internal controls to ensure data privacy Suggested Answer: D
An incentive program is MOST likely implemented to manage the risk associated with loss of which organizational asset? A. Employees B. Reputation C. Data D. Customer lists Suggested Answer: A
An organization has experienced a cyber attack that exposed customer personally identifiable information (PII) and caused extended outages of network services. Which of the following stakeholders are MOST important to include in the cyber response team to determine response actions? A. Cyber risk remediation plan owners B. Enterprise risk management (ERM) team C. Security control owners based on control failures D. Risk owners based on risk impact Suggested Answer: D
Who is MOST important to include in the assessment of existing IT risk scenarios? A. Risk management consultants B. Business process owners C. Technology subject matter experts D. Business users of IT systems Suggested Answer: B
Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program? A. Consulting risk owners B. Evaluating KPIs in accordance with risk appetite C. Aligning with industry best practices D. Reviewing control objectives Suggested Answer: B
An organization plans to implement a new Software as a Service (SaaS) speech-to-text solution. Which of the following is MOST important to mitigate risk associated with data privacy? A. Multi-factor authentication is set up for users. B. The solution architecture is approved by IT. C. A risk transfer clause is included in the contract. D. Secure encryption protocols are utilized. Suggested Answer: D
The MAIN purpose of selecting a risk response is to: A. mitigate the residual risk to be within tolerance. B. ensure organizational awareness of the risk level. C. demonstrate the effectiveness of risk management practices. D. ensure compliance with local regulatory requirements. Suggested Answer: A
An organization is adopting blockchain for a new financial system. Which of the following should be the GREATEST concern for a risk practitioner evaluating the system’s production readiness? A. Slow adoption of the technology across the financial industry B. Varying costs related to implementation and maintenance C. Lack of commercial software support D. Limited organizational knowledge of the underlying technology Suggested Answer: D
Which of the following is the BEST way to ensure data is properly sanitized while in cloud storage? A. Cryptographically scrambling the data B. Formatting the cloud storage at the block level C. Deleting the data from the file system D. Degaussing the cloud storage media Suggested Answer: A
Which of the following is the GREATEST benefit of a three lines of defense structure? A. Clear accountability for risk management processes B. An effective risk culture that empowers employees to report risk C. Improved effectiveness and efficiency of business operations D. Effective segregation of duties to prevent internal fraud Suggested Answer: A
What should be the PRIMARY consideration related to data privacy protection when there are plans for a business initiative to make use of personal information? A. Limit access to the personal data. B. Do not collect or retain data that is not needed. C. Redact data where possible. D. Ensure all data is encrypted at rest and during transit. Suggested Answer: B
Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality? A. Use production data in a non-production environment. B. Use anonymized data in a non-production environment. C. Use test data in a production environment. D. Use masked data in a non-production environment. Suggested Answer: B
Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment? A. Threat analysis results B. Peer benchmarks C. Business impact analysis (BIA) results D. Internal audit reports Suggested Answer: D
Which of the following is the PRIMARY purpose of creating and documenting control procedures? A. To help manage risk to acceptable tolerance levels B. To facilitate ongoing audit and control testing C. To establish and maintain a control inventory D. To increase the likelihood of effective control operation Suggested Answer: A
Of the following, who should be PRIMARILY responsible for performing user entitlement reviews? A. Data custodian B. IT personnel C. Data owner D. IT security manager Suggested Answer: C
The MAJOR reason to classify information assets is to: A. categorize data into groups. B. maintain a current inventory and catalog of information assets. C. determine their sensitivity and criticality. D. establish recovery time objectives (RTOs). Suggested Answer: C
Which of the following is MOST important to consider before determining a response to a vulnerability? A. Monetary value of the asset B. Lack of data to measure threat events C. The cost to implement the risk response D. The likelihood and impact of threat events Suggested Answer: D
Which of the following is the GREATEST benefit of centralizing IT systems? A. Risk reporting B. Risk identification C. Risk monitoring D. Risk classification Suggested Answer: C
Senior management is deciding whether to share confidential data with the organization’s business partners. The BEST course of action for a risk practitioner would be to submit a report to senior management containing the: A. project plan for classification of the data. B. summary of data protection and privacy legislation. C. design of controls to encrypt the data to be shared. D. possible risk and suggested mitigation plans. Suggested Answer: D
Which of the following would be of GREATEST concern regarding an organization’s asset management? A. Lack of a dedicated asset management team B. Decentralized asset lists C. Incomplete asset inventory D. Lack of a mature records management program Suggested Answer: C
Which of the following is the PRIMARY objective of risk management? A. Minimize business disruptions. B. Achieve business objectives. C. Identify and analyze risk. D. Identify threats and vulnerabilities. Suggested Answer: B
A risk practitioner implemented a process to notify management of emergency changes that may not be approved. Which of the following is the BEST way to provide this information to management? A. Change logs B. Key control indicators (KCIs) C. Key risk indicators (KRIs) D. Change management meeting minutes Suggested Answer: D
Which of the following is performed after a risk assessment is completed? A. Identifying vulnerabilities B. Conducting an impact analysis C. Defining risk response options D. Defining risk taxonomy Suggested Answer: C
A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT? A. Validate the risk response with internal audit. B. Update the risk register. C. Evaluate outsourcing the process. D. Recommend avoiding the risk. Suggested Answer: B
Which of the following is the MOST comprehensive input to the risk assessment process specific to the effects of system downtime? A. Business continuity plan (BCP) testing results B. Recovery point objective (RPO) C. Business impact analysis (BIA) results D. Recovery time objective (RTO) Suggested Answer: C
Which of the following would provide the BEST evidence of an effective internal control environment? A. Independent audit results B. Regular stakeholder briefings C. Adherence to governing policies D. Risk assessment results Suggested Answer: A
Which of the following has the GREATEST influence on an organization’s risk appetite? A. Business objectives and strategies B. Internal and external risk factors C. Threats and vulnerabilities D. Management culture and behavior Suggested Answer: D
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery test of critical business processes? A. Number of issues and action items resolved during the recovery test B. Percentage of processes recovered within the recovery time and point objectives C. Percentage of job failures identified and resolved during the recovery process D. Number of current test plans and procedures Suggested Answer: A
Which of the following is the PRIMARY objective of establishing an organization’s risk tolerance and appetite? A. To assist management in decision making B. To create organization-wide risk awareness C. To minimize risk mitigation efforts D. To align with board reporting requirements Suggested Answer: A
Which of the following is the MOST effective way to identify an application backdoor prior to implementation? A. Vulnerability analysis B. Database activity monitoring C. User acceptance testing (UAT) D. Source code review Suggested Answer: D
Which of the following is MOST likely to introduce risk for financial institutions that use blockchain? A. Disruption to business processes B. Cost of implementation C. Implementation of unproven applications D. Increase in attack surface area Suggested Answer: C
After an annual risk assessment is completed, which of the following would be MOST important to communicate to stakeholders? A. A change in the risk profile B. A decrease in threats C. An increase in identified risk scenarios D. An increase in reported vulnerabilities Suggested Answer: A
Which of the following is the PRIMARY reason for an organization to include an acceptable use banner when users log in? A. To enable rapid discovery of insider threat B. To reduce the likelihood of insider threat C. To eliminate the possibility of insider threat D. To reduce the impact of insider threat Suggested Answer: B
The PRIMARY reason for periodic penetration testing of Internet-facing applications is to: A. verify Internet firewall control settings. B. ensure policy and regulatory compliance. C. identify vulnerabilities in the system. D. assess the proliferation of new threats. Suggested Answer: C
Which of the following is the PRIMARY objective of maintaining an information asset inventory? A. To facilitate risk assessments B. To protect information assets C. To provide input to business impact analyses (BIAs) D. To manage information asset licensing Suggested Answer: B
Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios? A. Many action plans were discontinued after senior management accepted the risk. B. Individuals outside IT are managing action plans for the risk scenarios. C. Target dates for completion are missing from some action plans. D. Senior management approved multiple changes to several action plans. Suggested Answer: C
Which of the following is MOST likely to deter an employee from engaging in inappropriate use of company-owned IT systems? A. A centralized computer security response team B. Communication of employee activity monitoring C. Regular performance reviews and management check-ins D. Code of ethics training for all employees Suggested Answer: B
Which of the following is MOST important to include when reporting the effectiveness of risk management to senior management? A. Impact due to changes in external and internal risk factors B. Gaps in best practices and implemented controls across the industry C. Changes in the organization’s risk appetite and risk tolerance levels D. Changes in residual risk levels against acceptable levels Suggested Answer: D
The PRIMARY objective of testing the effectiveness of a new control before implementation is to: A. comply with the organization’s policy. B. consider automating the control. C. evaluate the degree of risk mitigation. D. measure efficiency of the control process. Suggested Answer: D
Which of the following is the BEST approach for selecting controls to minimize risk? A. Industry best practice review B. Cost-benefit analysis C. Risk assessment D. Control-effectiveness evaluation Suggested Answer: B
Which of the following provides the MOST reliable evidence of a control’s effectiveness? A. Senior management’s attestation B. A detailed process walk-through C. A risk and control self-assessment D. A system-generated testing report Suggested Answer: B
Which of the following is the MOST important outcome of a business impact analysis (BIA)? A. Reduction of security and business continuity threats B. Completion of the business continuity plan (BCP) C. Understanding and prioritization of critical processes D. Identification of regulatory consequences Suggested Answer: C
Which component of a software inventory BEST enables the identification and mitigation of known vulnerabilities? A. Software licensing information B. Software version C. Software support contract expiration D. Assigned software manager Suggested Answer: A
Which of the following BEST reduces the risk associated with the theft of a laptop containing sensitive information? A. Data encryption B. Biometrics access control C. Periodic backup D. Cable lock Suggested Answer: A
The operational risk associated with attacks on a web application should be owned by the individual in charge of: A. network operations. B. the cybersecurity function. C. application development. D. the business function. Suggested Answer: D
Which of the following is the MOST important benefit of reporting risk assessment results to senior management? A. Facilitation of risk-aware decision making B. Alignment of business activities C. Compilation of a comprehensive risk register D. Promotion of a risk-aware culture Suggested Answer: A
Which of the following is the GREATEST benefit of implementing an enterprise risk management (ERM) program? A. A common view of enterprise risk is established. B. Risk-aware decision making is enabled. C. Risk management is integrated into the organization. D. Risk management controls are implemented. Suggested Answer: A
When confirming whether implemented controls are operating effectively, which of the following is MOST important to review? A. Maturity model B. Results of risk assessments C. Number of emergency change requests D. Results of benchmarking studies Suggested Answer: B
Which of the following is the PRIMARY reason for a risk practitioner to review an organization’s IT asset inventory? A. To plan for the replacement of assets at the end of their life cycles B. To understand vulnerabilities associated with the use of the assets C. To calculate mean time between failures (MTBF) for the assets D. To assess requirements for reducing duplicate assets Suggested Answer: B
When performing a risk assessment of a new service to support a core business process, which of the following should be done FIRST to ensure continuity of operations? A. Identify conditions that may cause disruptions. B. Evaluate the probability of risk events. C. Review incident response procedures. D. Define metrics for restoring availability. Suggested Answer: C
Which of the following is the MOST important information to cover in a business continuity awareness training program for all employees of the organization? A. Critical asset inventory B. Communication plan C. Segregation of duties D. Recovery time objectives (RTOs) Suggested Answer: B
Which of the following is the MOST effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices? A. Perform frequent internal audits of enterprise IT infrastructure. B. Scan end points for applications not included in the asset inventory. C. Conduct frequent reviews of software licenses. D. Prohibit the use of cloud-based virtual desktop software. Suggested Answer: B
An organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is the responsibility of the risk practitioner? A. Test approval process controls once the project is completed. B. Update the existing controls for changes in approval processes from this project. C. Perform a gap analysis of the impacted control processes. D. Verify that existing controls continue to properly mitigate defined risk. Suggested Answer: C
Which of the following situations presents the GREATEST challenge to creating a comprehensive IT risk profile of an organization? A. Manual vulnerability scanning processes B. Inaccurate documentation of enterprise architecture (EA) C. Organizational reliance on third-party service providers D. Risk-averse organizational risk appetite Suggested Answer: D
Which of the following roles should be assigned accountability for monitoring risk levels? A. Business manager B. Risk owner C. Control owner D. Risk practitioner Suggested Answer: B
A MAJOR advantage of using key risk indicators (KRIs) is that they: A. identify when risk exceeds defined thresholds. B. assess risk scenarios that exceed defined thresholds. C. help with internal control assessments concerning risk appetite. D. identify scenarios that exceed defined risk appetite. Suggested Answer: A
Which of the following is a risk practitioner’s BEST recommendation upon learning that an employee inadvertently disclosed sensitive data to a vendor? A. Enroll the employee in additional security training. B. Invoke the incident response plan. C. Conduct an internal audit. D. Instruct the vendor to delete the data. Suggested Answer: B
An employee lost a personal mobile device that may contain sensitive corporate information. What should be the risk practitioner’s recommendation? A. Conduct a risk analysis. B. Invoke the incident response plan. C. Disable the user account. D. Initiate a remote data wipe. Suggested Answer: B
Who is the BEST person to authorize access privileges to database tables for an application system used to process employee personal data? A. Compliance manager B. Data privacy manager C. System administrator D. Human resources (HR) manager Suggested Answer: D
Which of the following is the MOST important reason to validate that risk responses have been executed as outlined in the risk response plan? A. To ensure residual risk is at an acceptable level B. To ensure completion of the risk assessment cycle C. To ensure control costs do not exceed benefits D. To ensure controls are operating effectively Suggested Answer: A
A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern? A. Absorb the loss in productivity. B. Escalate the issue to senior management. C. Request a waiver to the requirements. D. Remove the control to accommodate business objectives. Suggested Answer: B
Which of the following is MOST helpful in providing a high-level overview of current IT risk severity? A. Risk mitigation plans B. Risk appetite statement C. Heat map D. Key risk indicators (KRIs) Suggested Answer: C
A legacy application used for a critical business function relies on software that has reached the end of extended support. Which of the following is the MOST effective control to manage this application? A. Increase the frequency of regular system and data backups. B. Segment the application within the existing network. C. Apply patches for a newer version of the application. D. Subscribe to threat intelligence to monitor external attacks. Suggested Answer: B
A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk? A. Control tester B. Risk manager C. Risk owner D. Control owner Suggested Answer: C
The cost of maintaining a control has grown to exceed the potential loss. Which of the following BEST describes this situation? A. Effective risk management B. Optimized control management C. Over-controlled environment D. Insufficient risk tolerance Suggested Answer: C
When implementing an IT risk management program, which of the following is the BEST time to evaluate current control effectiveness? A. Before defining a framework B. During the risk assessment C. When evaluating risk response D. When updating the risk register Suggested Answer: B
Which of the following key performance indicators (KPIs) would BEST measure the risk of a service outage when using a Software as a Service (SaaS) vendor? A. Frequency and number of new software releases B. Frequency of business continuity plan (BCP) testing C. Frequency and duration of unplanned downtime D. Number of IT support staff available after business hours Suggested Answer: C
An organization has asked an IT risk practitioner to conduct an operational risk assessment on an initiative to outsource the organization’s customer service operations overseas. Which of the following would MOST significantly impact management’s decision? A. Time zone difference of the outsourcing location B. Ongoing financial viability of the outsourcing company C. Historical network latency between the organization and outsourcing location D. Cross-border information transfer restrictions in the outsourcing country Suggested Answer: D
Which of the following should be the GREATEST concern to a risk practitioner when process documentation is incomplete? A. Inability to identify the risk owner B. Inability to identify process experts C. Inability to allocate resources efficiently D. Inability to complete the risk register Suggested Answer: C
After entering a large number of low-risk scenarios into the risk register, it is MOST important for the risk practitioner to: A. reconfirm risk tolerance levels. B. analyze changes to aggregate risk. C. prepare a follow-up risk assessment. D. recommend acceptance of the risk scenarios. Suggested Answer: B
When classifying and prioritizing risk responses, the areas to address FIRST are those with: A. low cost effectiveness ratios and low risk levels. B. high cost effectiveness ratios and low risk levels. C. low cost effectiveness ratios and high risk levels. D. high cost effectiveness ratios and high risk levels. Suggested Answer: A
Which of the following controls will BEST mitigate risk associated with excessive access privileges? A. Frequent password expiration B. Segregation of duties C. Entitlement reviews D. Review of user access logs Suggested Answer: C
Which of the following provides the MOST comprehensive information when developing a risk profile for a system? A. Risk assessment results B. Key performance indicators (KPIs) C. A mapping of resources to business processes D. Results of a business impact analysis (BIA) Suggested Answer: C
An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention. The business owner challenges whether the situation is worth remediating. Which of the following is the risk manager’s BEST response? A. Evaluate the risk as a measure of probable loss. B. Identify the regulatory bodies that may highlight this gap. C. Verify if competitors comply with a similar policy. D. Highlight news articles about data breaches. Suggested Answer: A
Which of the following should be accountable for ensuring that media containing financial information are adequately destroyed per an organization’s data disposal policy? A. Data owner B. Chief information officer (CIO) C. Data architect D. Compliance manager Suggested Answer: A
The MOST important measure of the effectiveness of risk management in project implementation is the percentage of projects: A. introduced into production without high-risk issues. B. having the risk register updated regularly. C. having an action plan to remediate overdue issues. D. having key risk indicators (KRIs) established to measure risk. Suggested Answer: D
A zero-day vulnerability has been discovered in a globally used brand of hardware server that allows hackers to gain access to affected IT systems. Which of the following is MOST likely to change as a result of this situation? A. Control effectiveness B. Risk appetite C. Key risk indicator (KRI) D. Risk likelihood Suggested Answer: D
Which of the following would provide the MOST helpful input to develop risk scenarios associated with hosting an organization’s key IT applications in a cloud environment? A. Conducting a risk workshop with key stakeholders B. Reviewing the results of independent audits C. Performing a due diligence review D. Performing a site visit to the cloud provider’s data center Suggested Answer: A
Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations? A. Disparate platforms for governance, risk, and compliance (GRC) systems B. Variances between organizational risk appetites C. Dissimilar organizational risk acceptance protocols D. Different taxonomies to categorize risk scenarios Suggested Answer: D
Which of the following is the PRIMARY accountability for a control owner? A. Ensure the control operates effectively. B. Identify and assess control weaknesses. C. Own the associated risk the control is mitigating. D. Communicate risk to senior management. Suggested Answer: C
Risk appetite should be PRIMARILY driven by which of the following? A. Stakeholder requirements B. Enterprise security architecture roadmap C. Business impact analysis (BIA) D. Legal and regulatory requirements Suggested Answer: A
A risk practitioner is working with the incident management team to prioritize activities. Which of the following should be the FIRST priority of the incident response plan? A. Verify an incident actually occurred. B. Verify the recovery time objective (RTO). C. Brief the senior leadership team. D. Identify the root cause of the incident. Suggested Answer: A
An organization is required to comply with updates to an existing data protection regulation. Which of the following should the risk practitioner recommend be done FIRST? A. Perform effectiveness testing for the organization's data protection controls. B. Determine whether risk responses associated with the previous regulation are still adequate. C. Perform a gap analysis to determine if additional controls are required. D. Develop new internal control assessments for the updated regulation. Suggested Answer: C
Which of the following is MOST important when conducting a post-implementation review as part of the system development life cycle (SDLC)? A. Verifying that project objectives are met B. Reviewing the project initiation risk matrix C. Identifying project cost overruns D. Leveraging an independent review team Suggested Answer: A
A recent change in accounting policy has the potential to impact a known risk related to an organization's financial software. Which of the following should the risk practitioner do FIRST? A. Analyze and update the risk register as needed. B. Conduct software testing for required code updates. C. Analyze and update associated control assessments. D. Determine whether the risk response is still adequate. Suggested Answer: D
Which of the following is BEST determined by analysis of incident reports? A. Changes in the external risk environment B. Effectiveness of internal controls C. Ranges for key performance indicators (KPIs) D. Thresholds for key risk indicators (KRIs) Suggested Answer: B
An organization is implementing robotic process automation (RPA) to streamline business processes. Given that implementation of this technology is expected to impact existing controls, which of the following is the risk practitioner’s BEST course of action? A. Perform a gap analysis of the impacted processes. B. Update the data governance policy to address the new technology. C. Reassess whether mitigating controls address the known risk in the processes. D. Update processes to address the new technology. Suggested Answer: A
Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds? A. Risk scenarios B. The risk tolerance level C. A performance measurement D. Occurrences of specific events Suggested Answer: D
Which of the following BEST represents the desired risk posture for an organization? A. Accepted risk is higher than risk tolerance. B. Operational risk is higher than risk tolerance. C. Inherent risk is lower than risk tolerance. D. Residual risk is lower than risk tolerance. Suggested Answer: D
A failed IT system upgrade project has resulted in the corruption of an organization’s asset inventory database. Which of the following controls BEST mitigates the impact of this incident? A. Authentication B. Encryption C. Backups D. Configuration Suggested Answer: C
When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register? A. Relying on generic IT risk scenarios B. Describing IT risk in business terms C. Leveraging business risk professionals D. Using a common risk taxonomy Suggested Answer: D
Which of the following resources is MOST helpful to a risk practitioner when updating the likelihood rating in the risk register? A. Business impact analysis (BIA) B. Risk control assessment C. Penetration test results D. Audit reports with risk ratings Suggested Answer: B
Which of the following is MOST helpful in identifying loss magnitude during risk analysis of a new system? A. Recovery time objective (RTO) B. Business impact analysis (BIA) C. Cyber insurance coverage D. Cost-benefit analysis Suggested Answer: B
Which of the following is the BEST course of action when an organization wants to reduce likelihood in order to reduce a risk level? A. Implement preventive measures. B. Transfer the risk. C. Implement detective controls. D. Monitor risk controls. Suggested Answer: A
Which of the following is the PRIMARY reason for sharing risk assessment reports with senior stakeholders? A. To enable senior management to compile a risk profile B. To support decision-making for risk response C. To secure resourcing for risk treatment efforts D. To hold risk owners accountable for risk action plans Suggested Answer: B
An organization has decided to implement a new Internet of Things (IoT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology? A. Engage external security reviews. B. Implement IoT device monitoring software. C. Develop new IoT risk scenarios. D. Introduce controls to the new threat environment. Suggested Answer: C
Which of the following is the BEST key performance indicator (KPI) to measure how effectively risk management practices are embedded in the project management office (PMO)? A. Reduction in audits involving external risk consultants B. Percentage of projects with key risk accepted by the project steering committee C. Percentage of projects with developed controls on scope creep D. Reduction in risk policy noncompliance findings Suggested Answer: D
To define the risk management strategy, which of the following MUST be set by the board of directors? A. Risk governance B. Annualized loss expectancy (ALE) C. Risk appetite D. Operational strategies Suggested Answer: A
Which of the following is MOST important to ensure when reviewing an organization's risk register? A. Vulnerabilities have separate entries. B. Control ownership is recorded. C. Risk ownership is recorded. D. Residual risk is less than inherent risk. Suggested Answer: C
Which of the following key control indicators (KCIs) BEST indicates whether security requirements are identified and managed throughout a project life cycle? A. Number of employees completing project-specific security training B. Number of projects going live without a security review C. Number of security projects started in core departments D. Number of security-related status reports submitted by project managers Suggested Answer: B
Which of the following will BEST ensure that controls adequately support business goals and objectives? A. Using the risk management process B. Enforcing strict disciplinary procedures in case of noncompliance C. Adopting internationally accepted controls D. Reviewing results of the annual company external audit Suggested Answer: A
To obtain support from senior management for an increase in the risk mitigation budget, it is BEST to prioritize risk scenarios in the risk register based on: A. open audit issues. B. residual risk. C. risk owner seniority. D. inherent risk. Suggested Answer: D
Which of the following is the PRIMARY reason to perform periodic vendor risk assessments? A. To assess the vendor's risk mitigation plans B. To verify the vendor's ongoing financial viability C. To monitor the vendor's control effectiveness D. To provide input to the organization's risk appetite Suggested Answer: C
Using key risk indicators (KRIs) to illustrate changes in the risk profile PRIMARILY helps to: A. assign ownership of emerging risk scenarios. B. identify threats to emerging technologies. C. communicate risk trends to stakeholders. D. highlight noncompliance with the risk policy. Suggested Answer: C
An organization's chief information officer (CIO) has proposed investing in a new, untested technology to take advantage of being first to market. Senior management has concerns about the success of the project and has set a limit for expenditures before final approval. This conditional approval indicates the organization's risk: A. management capability. B. capacity. C. treatment strategy. D. appetite. Suggested Answer: D
A hospital's Internet of Things (IoT) bio-medical devices were recently hacked. Which of the following methods would BEST assist in identifying the control deficiencies? A. SWOT analysis B. Countermeasure analysis C. Business impact analysis (BIA) D. Gap analysis Suggested Answer: B
A financial organization is considering a project to implement the use of blockchain technology. To help ensure the organization's management team can make informed decisions on the project, which of the following should the risk practitioner reassess? A. Risk tolerance B. Risk classification C. Business impact analysis (BIA) D. Risk profile Suggested Answer: D
Which of the following should be a risk practitioner's NEXT step after learning of an incident that has affected a competitor? A. Develop risk scenarios. B. Implement compensating controls. C. Activate the incident response plan. D. Update the risk register. Suggested Answer: A
Which of the following is the PRIMARY responsibility of a risk owner? A. Determining risk appetite and tolerance B. Developing relevant control procedures C. Deciding responses to identified risk D. Implementing risk action plans Suggested Answer: C
Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board? A. A summary of IT risk scenarios with business cases B. A summary of risk response plans with validation results C. A report with control environment assessment results D. A dashboard summarizing key risk indicators (KRIs) Suggested Answer: D
A risk assessment has determined that an organization is highly susceptible to a vulnerability in its IT infrastructure. Which of the following is MOST important to communicate to the board? A. Open source intelligence reports on successful attacks B. Impact to the organization if the vulnerability is exploited C. Results of the most recent penetration test D. Results of a root cause analysis of the vulnerability Suggested Answer: B
External auditors have found that management has not effectively monitored key security technologies that support regulatory objectives. Which type of indicator would BEST enable the organization to identify and correct this situation? A. Key management indicator (KMI) B. Key control indicator (KCI) C. Key performance indicator (KPI) D. Key risk indicator (KRI) Suggested Answer: B
An organization has outsourced its customer management database to an external service provider. Of the following, who should be accountable for ensuring customer data privacy? A. The organization's business process owner B. The organization's information security manager C. The organization's vendor management officer D. The vendor's risk manager Suggested Answer: A
Due to budget constraints, an organization cannot implement encryption to all databases. Which of the following is the MOST useful information to identify high-risk databases where encryption should be applied? A. Business impact assessment (BIA) B. Unsupported database list C. Penetration test results D. Data classification scheme Suggested Answer: A
Which of the following is MOST important to include in a report for senior management after resolving a significant IT incident? A. Incident resolution time and likelihood of recurrence B. A list of impacted business functions and estimated business loss C. Details of resolution methods and assessment of the incident D. A detailed information security root cause analysis Suggested Answer: B (senior management needs the business impact; a detailed technical root cause analysis belongs in the incident post-mortem, not the executive report)
Which of the following is the MOST likely reason for a significant year-over-year increase in inherent risk? A. Targeted cyberattacks against the organization's infrastructure B. A significant number of control failures identified during an audit C. A lack of defined risk ownership due to organizational changes D. An ineffective risk action plan validation process Suggested Answer: A (inherent risk is measured before controls, so control failures raise residual risk, not inherent risk; a change in the threat landscape raises inherent risk)
Which of the following is the MOST effective way to manage risk scenarios identified in the risk register? A. Ensure risk scenarios are regularly reviewed and updated in the risk register. B. Conduct risk assessment workshops across the organization. C. Present and discuss all risk scenarios in the register at regular risk committee meetings. D. Prepare risk treatment plans in accordance with the organization's risk appetite. Suggested Answer: A
Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk? A. Risk ratings may be inconsistently applied. B. Accountability may not be clearly defined. C. Different risk taxonomies may be used. D. Mitigation efforts may be duplicated. Suggested Answer: B
Management has implemented two new preventative controls to address a risk found in an audit. Following closure of the issue, which of the following is MOST important to update in the risk register? A. Key controls B. Likelihood C. Inherent risk D. Impact Suggested Answer: A
A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization. Of the following, who should review the completed list and select the appropriate KRIs for implementation? A. IT security managers B. IT auditors C. IT risk owners D. IT control owners Suggested Answer: C
Which of the following BEST supports the effective adoption of risk management across the enterprise? A. Basing risk action plans on end user assessments of risk B. Assignment of risk-related responsibilities to end users C. Participation by functions responsible for the risk D. Comparison of risk assessment results with industry peers Suggested Answer: C
Which of the following would be a risk practitioner's GREATEST concern with the use of a vulnerability scanning tool? A. Increased time to remediate vulnerabilities B. Inaccurate reporting of results C. Increased number of vulnerabilities D. Network performance degradation Suggested Answer: B
Which of the following is the MOST important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes? A. Percentage of issues arising from the disaster recovery test resolved on time B. Percentage of IT systems included in the disaster recovery test scope C. Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test D. Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test Suggested Answer: D (the RTO is the business-defined recovery target; MTTR is a measured average, not a target to be met)
Which of the following BEST enables an organization to develop a comprehensive key performance indicator (KPI) strategy to measure all key controls? A. Use KPIs that can be financially quantified. B. Align control performance goals to KPIs. C. Minimize the number of lagging performance indicators. D. Ensure controls have their own KPIs. Suggested Answer: B
An organization has outsourced its accounts payable function to an external service provider that does not have an effective business continuity plan (BCP) in place. Who owns the associated risk? A. Service provider B. Business continuity manager C. Business process owner D. The vendor's risk manager Suggested Answer: C (outsourcing transfers the activity, not the risk; the business process owner remains accountable for the outsourced function)
Which of the following would BEST enable senior management to make informed decisions about the effectiveness of existing controls to mitigate risk? A. Quantitative analysis of total control cost in monetary terms B. Quantitative measurement of the controls' ability to reduce the likelihood of risk events occurring C. Qualitative assessment of control effectiveness by surveying control owners D. Qualitative measurement of the impact on business operations should a risk event occur Suggested Answer: B (the question asks about control effectiveness; impact measurement describes the risk event, not how well the controls reduce it)
During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process. Which of the following would enable the MOST effective management of the residual risk? A. Recommend additional IT controls to further reduce residual risk. B. Request that ownership of the compensating controls is reassigned to IT. C. Schedule periodic reviews of the compensating controls' effectiveness. D. Report the use of compensating controls to senior management. Suggested Answer: C
What should be the PRIMARY objective of updating a risk awareness program in response to a steady rise in cybersecurity threats across the industry? A. To reduce the risk of insider threats that could compromise security practices B. To increase familiarity and understanding of potential security incidents C. To ensure compliance with risk management policies and procedures D. To lower the organization's risk appetite and tolerance levels Suggested Answer: B
Which of the following provides the MOST useful information when assessing whether an organization has appropriately managed its level of risk compared to its established risk appetite? A. Risk velocity B. Residual risk C. Inherent risk D. Risk trend Suggested Answer: B
Which of the following is the MOST important reason for a risk practitioner to identify stakeholders for each IT risk scenario? A. To ensure enterprise-wide risk management B. To identify key risk indicators (KRIs) C. To enable a comprehensive view of risk D. To establish control ownership Suggested Answer: C
What is the PRIMARY role of the application owner when changes are being introduced into an existing environment? A. Updating control procedures and documentation B. Notifying owners of affected systems after the changes are implemented C. Determining possible losses due to downtime during the changes D. Approving the proposed changes based on impact analysis Suggested Answer: D
Which of the following is the BEST way to evaluate the risk awareness of control owners? A. Conduct surveys and trend the results over time. B. Mandate risk awareness training for control owners. C. Include control owners in top-down risk workshops. D. Include control owners in risk committee meetings and risk reporting. Suggested Answer: D
Which of the following is the MOST effective key risk indicator (KRI) for monitoring problem management? A. Average duration to resolve incidents B. Time between recurring incidents C. Number of recurring incidents D. Average time to identify incidents Suggested Answer: C
From a risk management perspective, which of the following is the PRIMARY purpose of conducting a root cause analysis following an incident? A. To satisfy senior management expectations for incident response B. To reduce incident response times defined in service level agreements (SLAs) C. To minimize the likelihood of future occurrences D. To ensure risk has been reduced to acceptable levels Suggested Answer: C
Which of the following is MOST critical for a risk practitioner to continuously monitor to support senior management's risk-related decision making? A. Industry best practices in risk management B. Types of losses experienced by peer organizations C. The organization's risk profile D. Threat intelligence sources Suggested Answer: C
Risk avoidance is the BEST risk treatment strategy when: A. proposed mitigation strategies are not technically feasible. B. insurance can be obtained only with substantial premiums. C. transfer and mitigation options cost more than they save. D. the residual risk is outside the organizational risk appetite. Suggested Answer: D
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization? A. Reduce likelihood B. Address more than one risk response C. Prioritize risk response options D. Reduce impact Suggested Answer: C
Which of the following provides the MOST useful information for regular reporting to senior management on the control environment's effectiveness? A. Capability maturity model B. Key risk indicators (KRIs) C. Balanced scorecard D. Key performance indicators (KPIs) Suggested Answer: B
The IT risk profile is PRIMARILY a communication tool for: A. external stakeholders. B. senior management. C. internal audit. D. regulators. Suggested Answer: B
Which of the following BEST promotes alignment between IT risk management and enterprise risk management? A. Using the same risk ranking methodology across IT and the business B. Obtaining senior management approval for IT policies and procedures C. Including IT risk scenarios in the organization's risk register D. Expressing risk treatment initiatives in financial terms Suggested Answer: C
Which of the following is MOST important for an IT risk practitioner to update once risk mitigation action plans have been verified as completed? A. Risk rating B. Control inventory C. Risk impact D. Control ownership Suggested Answer: A (completed mitigation changes residual risk, so the risk rating in the register must be re-evaluated)
An organization recently restructured its leadership team and implemented emerging technologies. Which of the following MUST be validated to ensure risk is managed to an acceptable level? A. Risk treatment decisions and approvals B. Technology architecture and processes C. External and internal risk factors D. Risk appetite and risk tolerance Suggested Answer: D
The objective of aligning mitigating controls to risk appetite is to ensure that: A. exposures are reduced to the fullest extent. B. insurance costs are minimized. C. exposures are reduced only for critical business systems. D. the cost of controls does not exceed the expected loss. Suggested Answer: D (risk appetite defines how much exposure is acceptable; reducing exposure "to the fullest extent" ignores appetite and over-spends on controls)
Which of the following is MOST important for a risk practitioner to include in a report for senior management on the risk related to the adoption of cloud computing? A. Compliance with existing security controls B. Results of a cost-benefit analysis C. Comparison with competitive risk benchmarks D. Alignment with organizational risk appetite Suggested Answer: D
Which of the following is the PRIMARY risk management responsibility of the third line of defense? A. Providing assurance of the effectiveness of risk management activities B. Providing advisory services on enterprise risk management C. Providing benchmarking on other organizations' risk management programs D. Providing guidance on the design of effective controls Suggested Answer: A
Which of the following should be the PRIMARY concern when changes to firewall rules do not follow change management requirements? A. Inaccurate documentation B. Potential business impact C. Potential audit findings D. Insufficient risk governance Suggested Answer: B
Which of the following will provide the BEST measure of compliance with IT policies? A. Evaluate past policy review reports. B. Test staff on their compliance responsibilities. C. Perform penetration testing. D. Conduct regular independent reviews. Suggested Answer: D
A risk assessment has identified concerns about vulnerabilities associated with an Internet-facing application. Which of the following is the risk practitioner's BEST recommendation? A. Review the configurations. B. Verify the access controls. C. Perform a penetration test. D. Determine compensating controls. Suggested Answer: D
Which of the following is the PRIMARY objective of engaging key stakeholders in the IT risk assessment process? A. Increasing the quality of analysis B. Ensuring proper budget allocation for risk remediation C. Building a risk aware culture D. Reducing the time required for risk analysis Suggested Answer: C
Which of the following would be of GREATEST concern to a risk practitioner following an annual review of the risk monitoring process? A. There is a lack of reporting when a key risk indicator (KRI) exceeds its thresholds. B. The list of stakeholders for alert notifications is outdated. C. There is a significant number of manual risk monitoring processes. D. The frequency of reporting to management is misaligned with corporate standards. Suggested Answer: A (a KRI breach that is never reported defeats the purpose of monitoring; reporting frequency misalignment is a process issue)
An organization wants to launch a campaign to advertise a new product. Using data analytics, the campaign can be targeted to reach potential customers. Which of the following should be of GREATEST concern to the risk practitioner? A. Purpose limitation B. Data minimization C. Accuracy D. Accountability Suggested Answer: A
What is the BEST information to present to business risk owners when justifying costs related to controls? A. Compliance with security policy B. The previous year's budget and actuals C. Industry benchmarks D. Loss event frequency and magnitude Suggested Answer: D
An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data? A. Regional office executive B. Data owner C. Data custodian D. Third-party data custodian Suggested Answer: B
Which of the following is a risk practitioner's BEST course of action if a risk assessment identifies a risk that is extremely unlikely but would have a severe impact should it occur? A. Address the risk by analyzing treatment options. B. Rate the risk as high priority based on the severe impact. C. Ignore the risk due to the extremely low likelihood. D. Obtain management's consent to accept the risk. Suggested Answer: A
Which of the following is MOST important for senior management to review during an acquisition? A. Key risk indicator (KRI) thresholds B. Risk framework and methodology C. Risk communication plan D. Risk appetite and tolerance Suggested Answer: D (an acquisition changes the organization's risk profile, so senior management must confirm the appetite and tolerance it is willing to operate within)
Which of the following is MOST likely to be impacted when a global organization is required by law to implement a new data protection regulation across its operations? A. Risk ownership assignments B. Threat profile C. Vulnerability assessment results D. Risk profile Suggested Answer: D
Which of the following is the PRIMARY reason to conduct risk assessments at periodic intervals? A. To promote a risk-aware culture among staff B. To ensure emerging risk is identified and monitored C. To ensure risk trend data is collected and reported D. To establish the maturity level of risk assessment processes Suggested Answer: B
A risk practitioner is utilizing a risk heat map during a risk assessment. Risk events that are coded with the same color will have a similar: A. risk response. B. risk impact. C. risk likelihood. D. risk score. Suggested Answer: D
Which of the following is the BEST way to ensure controls are maintained consistently across the environment? A. Performing a gap analysis on process deviations B. Conducting annual control assessments C. Monitoring key risk indicators (KRIs) D. Training operational staff on risk control procedures Suggested Answer: C
Which of the following is MOST important to promoting a risk-aware culture? A. Communication of audit findings B. Open communication of risk reporting C. Procedures for security monitoring D. Regular testing of risk controls Suggested Answer: B
When a risk practitioner is determining a system's criticality, it is MOST helpful to review the associated: A. process flow. B. business impact analysis (BIA). C. system architecture. D. service level agreement (SLA). Suggested Answer: B
Which of the following MOST effectively enables senior management to communicate risk appetite? A. Budget and resource allocation B. Risk awareness training C. Policies and procedures D. Risk heat map Suggested Answer: D
Which activity would BEST enable a risk manager to verify the scope of responsibilities for stakeholders in IT risk scenarios? A. Tabletop exercise B. Risk assessment C. Vulnerability assessment D. Interviews with IT staff Suggested Answer: A
Which of the following provides the MOST useful input when developing IT risk scenarios? A. Recent external IT audit findings B. Internal security events and incidents C. History of IT risk policy noncompliance D. Internal and external risk factors Suggested Answer: D
What is the PRIMARY purpose of reporting residual risk from two consecutive IT risk assessments to management? A. To enable decisions regarding risk treatment plans B. To prevent new risk from impacting the organization's information assets C. To ensure management will adjust the acceptable level of risk D. To monitor the effectiveness of controls over time Suggested Answer: D
Which of the following should be of MOST concern to a risk practitioner reviewing a recent audit report of an organization's data center? A. Ownership of action plans has not been assigned B. The data center is not fully redundant C. Audit scope was not communicated to senior management D. Key risk indicators (KRIs) are not leading indicators Suggested Answer: A
Which of the following is the BEST way to mitigate the risk of inappropriate access to personally identifiable information (PII) by third-party cloud service personnel? A. Utilize data encryption standards throughout the information life cycle B. Ensure security clearance is in place within the third-party hiring process C. Choose a third-party provider in a jurisdiction with few privacy regulations D. Include data security requirements in the service level agreement (SLA) Suggested Answer: D
An organization is participating in an industry benchmarking study that involves providing customer transaction records for analysis. Which of the following is the MOST important control to ensure the privacy of customer information? A. Data anonymization B. Data cleansing C. Data encryption D. Nondisclosure agreements (NDAs) Suggested Answer: A
Which of the following is the BEST way to ensure adequate resources will be allocated to manage identified risk? A. Assigning risk ownership to appropriate roles B. Promoting an organizational culture of risk awareness C. Reviewing risk ranking methodology D. Prioritizing risk within each business unit Suggested Answer: A (a risk owner with the authority over the affected area is the one who can commit resources; prioritization without an accountable owner does not secure them)
An information security manager has advocated for the purchase of a data loss prevention (DLP) system to reduce the impact of a potential data breach. Which of the following is the BEST way for the risk practitioner to support this recommendation? A. Map the DLP system to existing risk scenarios B. Assign an IT owner for the DLP system C. Quantify the costs of the risk mitigation effort D. Determine the likelihood of potential loss Suggested Answer: A
As part of its vendor management program, an organization has commissioned an audit of a vendor's control framework for the purpose of implementing compensating controls into its environment. Which risk response option has been decided? A. Transfer B. Avoidance C. Acceptance D. Mitigation Suggested Answer: D
Which of the following would be MOST helpful to management when reviewing enterprise risk appetite and tolerance? A. SWOT analysis results B. Risk mitigation plans C. Internal audit recommendations D. Threat analysis results Suggested Answer: D
Which of the following are the MOST important inputs when determining the desired state of IT risk during gap analysis? A. IT risk appetite and tolerance B. IT risk strategy and organizational requirements C. IT risk and control assessment results D. IT vulnerability and penetration testing results Suggested Answer: A
Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment? A. The controls had recurring noncompliance B. The report was provided directly from the vendor C. The control owners disagreed with the auditor's recommendations D. The risk associated with multiple control gaps was accepted Suggested Answer: A
What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project? A. Confirming that the project budget was not exceeded B. Documenting project lessons learned C. Validating that the risk mitigation project has been completed D. Verifying that the risk level has been lowered Suggested Answer: D
A multinational organization is developing a risk awareness program to promote a unified risk culture across all regions. Which of the following will BEST enable the achievement of this objective? A. Applying risk policies in a consistent manner across regions B. Introducing the same control framework across regions C. Centralizing the risk management function D. Identifying jurisdictions of cross-border trading processes Suggested Answer: C
Which of the following will BEST help to ensure key risk indicators (KRIs) provide value to risk owners? A. Ongoing training B. Timely notification C. Cost minimization D. Return on investment (ROI) Suggested Answer: B
Which of the following is the MOST relevant information to include in a risk management strategy? A. Data security regulations B. Cost of controls C. Peer benchmarks D. Organizational goals Suggested Answer: D
A risk practitioner has been hired to establish risk management practices to be embedded across an organization. Which of the following should be the FIRST course of action? A. Integrate risk management into operational procedures. B. Engage key stakeholders in risk identification. C. Implement risk management controls throughout the organization. D. Establish an organization-wide risk taxonomy. Suggested Answer: D
An IT risk profile should be reviewed and updated when a new: A. risk scenario has been developed. B. vulnerability assessment tool is implemented. C. IT asset has been procured. D. audit finding has been issued. Suggested Answer: A
Which of the following is the GREATEST benefit of using key control indicators (KCIs)? A. The ability to focus on key controls related to one strategic risk B. Notification when the established risk appetite level has been reached C. The ability to track key controls related to risk scenarios D. Notification when the established risk tolerance level has been reached Suggested Answer: C
Which of the following is the MOST effective approach for an organization to establish and promote a strong risk culture? A. Map risk management policies and procedures to business objectives B. Appoint a risk management steering committee with business representation C. Incorporate risk management objectives into job descriptions D. Obtain senior management commitment for organization-wide risk awareness Suggested Answer: C
Which of the following is the MOST important responsibility of an IT risk committee charged with overseeing IT risk management? A. Conduct regular surveys to assess organizational risk awareness B. Implement an industry-recognized IT risk management framework C. Ensure significant risk scenarios are elevated to the board D. Develop and communicate an IT risk RACI chart Suggested Answer: C (the committee's oversight role is escalation of significant risk to the board; framework implementation is an operational task)
Of the following, whose input is ESSENTIAL when developing risk scenarios for the implementation of a third-party mobile application that stores customer data? A. Business process owner B. IT vendor manager C. Information security manager D. IT compliance manager Suggested Answer: A
An organization's senior management is considering whether to acquire cyber insurance. Which of the following is the BEST way for the risk practitioner to enable management's decision? A. Provide data on the number of risk events from the last year B. Conduct a SWOT analysis C. Report on recent losses experienced by industry peers D. Perform a cost-benefit analysis Suggested Answer: D
Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities? A. Document and implement a patching process B. Identify the vulnerabilities and applicable OS patches C. Temporarily mitigate the OS vulnerabilities D. Evaluate permanent fixes such as patches and upgrades Suggested Answer: A (the question asks about ongoing risk; identifying current vulnerabilities and patches is a one-time step, while a documented patching process addresses vulnerabilities as they continue to appear)
Which of the following should be the PRIMARY basis for prioritizing two risk scenarios related to network service disruption that have the same impact? A. Recovery time objectives (RTOs) B. Recovery point objectives (RPOs) C. Mean time between failures (MTBF) D. Mean time to restore (MTTR) Suggested Answer: D
In order to efficiently execute a risk response action plan, it is MOST important for the emergency response team members to understand: A. system architecture in target areas B. business objectives of the organization C. defined roles and responsibilities D. IT management policies and procedures Suggested Answer: C
Which of the following is the MOST important consideration when communicating the risk associated with technology end-of-life to business owners? A. Cost and benefit B. Performance and productivity C. Maintainability and reliability D. Security and availability Suggested Answer: A
Which of the following should be the PRIMARY basis for the development of an IT risk scenario? A. IT risk registers B. IT objectives C. IT risk owner input D. IT threats and vulnerabilities Suggested Answer: C
An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action? A. Update the risk register B. Review the risk tolerance C. Perform a business impact analysis (BIA) D. Redesign the heat map. Suggested Answer: A
Which of the following is the MOST critical factor to consider when determining an organization's risk appetite? A. Budget for implementing security B. Business maturity C. Fiscal management practices D. Management culture Suggested Answer: D
Senior management wants to increase investment in the organization's cybersecurity program in response to changes in the external threat landscape. Which of the following would BEST help to prioritize investment efforts? A. Reviewing the outcome of the latest security risk assessment B. Increasing the frequency of updates to the risk register C. Engaging independent cybersecurity consultants D. Analyzing cyber intelligence reports Suggested Answer: A
A vendor manager reports that a previously compliant service provider had issues with its most recent security audit. Which of the following is the MOST important course of action? A. Determine whether credits are due under the service level agreement (SLA) B. Schedule an independent audit of the vendor C. Ensure that the vendor remediates all identified issues D. Determine whether any of the issues could impact the business Suggested Answer: D (the organization must first understand its own exposure; remediation demands and audits follow from that impact assessment)
Which of the following is a corrective control? A. Requiring management approval B. Isolating an infected host from the network C. Encrypting data within a system D. Logging activity on a system Suggested Answer: B
Which of the following elements of a risk register is MOST useful to share with key stakeholders to influence informed decision-making? A. Threat source B. Risk owner C. Control owner D. Mitigation plan Suggested Answer: B
Which of the following elements is MOST essential when creating risk scenarios? A. Identified vulnerabilities B. Business impact and cost analysis C. Historical organizational and industry risk factors D. A comprehensive control framework Suggested Answer: B
When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a: A. technology strategy plan B. cause-and-effect diagram C. risk map D. maturity model Suggested Answer: C
What would be MOST helpful to ensuring the effective implementation of a new cybersecurity program? A. Creating metrics to report the number of security incidents B. Hiring subject matter experts for the program C. Assigning clear ownership of the program D. Establishing a budget for additional resources Suggested Answer: C
Which of the following is MOST likely to be identified from an information systems audit report? A. Data ownership B. Resiliency C. Vulnerabilities D. Regulatory requirements Suggested Answer: C
Which of the following would MOST effectively mitigate the risk of data loss when production data is being used in a testing environment? A. Data obfuscation B. Database encryption C. Access management D. Data cleansing and normalization Suggested Answer: A
During a risk assessment, a key external technology supplier refuses to provide control design and effectiveness information, citing confidentiality concerns. What should the risk practitioner do NEXT? A. Escalate the non-cooperation to management B. Exclude applicable controls from the assessment C. Review the supplier's contractual obligations D. Request risk acceptance from the business process owner Suggested Answer: C
When implementing a key performance indicator (KPI) for control performance monitoring, it is MOST important to: A. define the unit of measurement B. define the target or planned value C. benchmark the target value against an industry standard D. define data sources and reporting frequency Suggested Answer: D
The PRIMARY reason for defining risk ownership in an organization is to ensure: A. responsibility for risk treatment B. accountability for risk management C. responsibility for risk assessments D. accountability for risk register updates Suggested Answer: B
Which of the following is the MOST important step to ensure regulatory requirements are adequately addressed within an organization? A. Employ IT solutions that meet regulatory requirements B. Perform a gap analysis against regulatory requirements C. Obtain necessary resources to address regulatory requirements D. Develop a policy framework that addresses regulatory requirements Suggested Answer: D
A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll systems fail to operate as expected? A. The ERP administrator B. The business owner C. The project steering committee D. The IT project manager Suggested Answer: B
Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)? A. Control analysis B. Root cause analysis C. Threat analysis D. Impact analysis Suggested Answer: D
A process maturity model is MOST useful to the risk management process because it helps: A. reduce audit and regulatory findings B. determine the cost of control improvements C. benchmark maturity against industry standards D. determine the gap between actual and desired state Suggested Answer: D
When evaluating a number of potential controls for treating risk, it is MOST important to consider: A. risk tolerance and control complexity B. inherent risk and control effectiveness C. risk appetite and control efficiency D. residual risk and cost of control Suggested Answer: D
A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure? A. Gap assessment B. Business impact analysis (BIA) C. Code review D. Penetration test Suggested Answer: A
Which of the following is MOST useful when performing a quantitative risk assessment? A. Management support B. RACI matrix C. Industry benchmarking D. Financial models Suggested Answer: D
Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task? A. Risk assessment and risk register B. Risk disclosures in financial statements C. Business objectives and strategies D. Internal and external audit reports Suggested Answer: A
Which of the following provides the MOST mitigation value for an organization implementing new Internet of Things (IoT) devices? A. Implementing key risk indicators (KRIs) for IoT devices B. Designing IoT architecture with IT security controls from the start C. Performing a vulnerability assessment on the IoT devices D. Creating an IoT-specific risk register Suggested Answer: B
Which of the following is the BEST control to minimize the risk associated with scope creep in software development? A. An established process for project change management B. Business management's review of functional requirements C. Segregation between development, test, and production D. Retention of test data and results for review purposes Suggested Answer: A
An organization is reviewing a contract for a Software as a Service (SaaS) sales application with a 99.9% uptime service level agreement (SLA). Which of the following BEST describes ownership of availability risk? A. The liability for the risk is owned by the cloud provider B. The liability for the risk is owned by the sales department C. The risk is transferred to the cloud provider D. The risk is shared by both organizations Suggested Answer: D
During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase? A. IT balanced scorecard of each company B. Most recent internal audit findings from both companies C. Risk registers of both companies D. Risk management framework adopted by each company Suggested Answer: C
Which of the following should a risk practitioner recommend be done prior to disposal of server hardware containing confidential data? A. Update the asset inventory B. Encrypt the backup C. Remove all user access D. Destroy the hard drives Suggested Answer: D
A vendor's planned maintenance schedule will cause a critical application to temporarily lose failover capabilities. Of the following, who should approve this proposed schedule? A. Business application owner B. IT infrastructure manager C. Chief risk officer (CRO) D. Business continuity manager Suggested Answer: A
An organization is measuring the effectiveness of its change management program to reduce the number of unplanned production changes. Which of the following would be the BEST metric to determine if the program is performing as expected? A. Decrease in number of changes without a fallback plan B. Ratio of emergency fixes to total changes C. Decrease in the time to move changes to production D. Ratio of system changes to total changes Suggested Answer: B
An organization recently implemented a cybersecurity awareness program that includes anti-phishing exercises for all employees. What type of control is being utilized? A. Detective B. Preventive C. Compensating D. Deterrent Suggested Answer: B
A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact? A. Business analyst B. IT project team C. IT project management office D. Project sponsor Suggested Answer: D
A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BEST help to prevent technical vulnerabilities from being exploited? A. Verify the software agreement indemnifies the company from losses. B. Update the software with the latest patches and updates. C. Review the source code and error reporting of the application. D. Implement code reviews and quality assurance on a regular basis. Suggested Answer: B
Which of the following MOST effectively limits the impact of a ransomware attack? A. End user training B. Cyber insurance C. Data backups D. Cryptocurrency reserve Suggested Answer: C
A risk practitioner is presenting the risk profile to management, indicating an increase in the number of successful network attacks. This information would be MOST helpful to: A. determine the availability of network resources. B. justify additional controls. C. justify investing in a log collection system. D. determine the frequency of monitoring. Suggested Answer: B
Which of the following BEST helps to identify significant events that could impact an organization? A. Vulnerability analysis B. Scenario analysis C. Heat map analysis D. Control analysis Suggested Answer: B
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step? A. Identify resources for implementing responses. B. Prepare a business case for the response options. C. Update the risk register with the results. D. Develop a mechanism for monitoring residual risk. Suggested Answer: C
Which of the following would present the MOST significant risk to an organization when updating the incident response plan? A. Undefined assignment of responsibility B. Obsolete response documentation C. Increased stakeholder turnover D. Failure to audit third-party providers Suggested Answer: A
An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied? A. Detective B. Preventive C. Compensating D. Directive Suggested Answer: D
An organization will be impacted by a new data privacy regulation due to the location of its production facilities. What action should the risk practitioner take when evaluating the new regulation? A. Perform an analysis of the new regulation to ensure current risk is identified. B. Evaluate if the existing risk responses to the previous regulation are still adequate. C. Assess the validity and perform update testing on data privacy controls. D. Develop internal control assessments over data privacy for the new regulation. Suggested Answer: A
Which of the following is MOST helpful in preventing risk events from materializing? A. Maintaining the risk register B. Reviewing and analyzing security incidents C. Establishing key risk indicators (KRIs) D. Prioritizing and tracking issues Suggested Answer: D
Who is PRIMARILY accountable for risk treatment decisions? A. Risk manager B. Business manager C. Data owner D. Risk owner Suggested Answer: C
Which of the following is the GREATEST benefit of identifying appropriate risk owners? A. Accountability is established for risk treatment decisions B. Risk owners are informed of risk treatment options C. Responsibility is established for risk treatment decisions D. Stakeholders are consulted about risk treatment options Suggested Answer: A
The risk related to the abuse of administrator privileges can BEST be reduced by: A. assigning the privileges to management only B. implementing two-factor authentication C. logging the activities performed with the privilege D. signing the organization's acceptable use policy Suggested Answer: C
In the three lines of defense model, which of the following activities would be completed by the FIRST line of defense? A. A risk practitioner executes an annual assessment of key controls that impact financial statements B. Internal control activities are reviewed monthly by a risk management committee C. Control owners review a monthly report on the operation of high-risk controls D. Internal audit reviews high-risk areas to ensure controls are executed in a timely manner Suggested Answer: B
Which of these documents is MOST important to request from a cloud service provider during a vendor risk assessment? A. Business impact analysis (BIA) B. Service level agreement (SLA) C. Independent audit report D. Nondisclosure agreement (NDA) Suggested Answer: D
A new risk practitioner finds that decisions for implementing risk response plans are not being made. Which of the following would MOST likely explain this situation? A. The organization's risk awareness program is ineffective. B. The organization has a high level of risk appetite. C. Risk ownership is not being assigned properly. D. Risk management procedures are outdated. Suggested Answer: C
Which of the following is the BEST indicator of executive management's support for IT risk mitigation efforts? A. The number of executives attending IT security awareness training B. The percentage of incidents presented to the board C. The percentage of corporate budget allocated to IT risk activities D. The number of stakeholders involved in IT risk identification workshops Suggested Answer: D
The BEST metric to demonstrate that servers are configured securely is the total number of servers: A. experiencing hardware failures B. exceeding availability thresholds C. exceeding current patching standards D. meeting the baseline for hardening. Suggested Answer: D
Which of the following is the MOST important goal of a security awareness program? A. To enforce consequences related to the organization's security policy B. To reduce costs associated with security incidents C. To strengthen the security culture by changing user behavior D. To strengthen control performance related to regulatory requirements Suggested Answer: C
A recent big data project has resulted in the creation of an application used to support important investment decisions. Which of the following should be of GREATEST concern to the risk practitioner? A. Data redundancy B. Maintenance costs C. Data quality D. System integration Suggested Answer: C
An organization has initiated quarterly briefings for executive management with a focus on increasing risk awareness. Which of the following is MOST relevant to include in this briefing? A. The risk register B. Risk management best practices C. Updates to security policies D. Recent security incidents Suggested Answer: B
Which of the following is MOST important to consider when determining the value of an asset during the risk identification process? A. The vulnerability profile of the asset B. The size of the asset's user base C. The criticality of the asset D. The monetary value of the asset Suggested Answer: C
Risk acceptance of an exception to a security control would MOST likely be justified when: A. the end-user license agreement has expired. B. automation cannot be applied to the control. C. the control is difficult to enforce in practice. D. business benefits exceed the loss exposure. Suggested Answer: D
Which of the following standard operating procedure (SOP) statements BEST illustrates appropriate risk register maintenance? A. Remove risk that management has decided to accept. B. Remove risk only following a significant change in the risk environment. C. Remove risk when mitigation results in residual risk within tolerance levels. D. Remove risk that has been mitigated by third-party transfer. Suggested Answer: B
It is MOST important that security controls for a new system be documented in: A. the security policy B. testing requirements C. system requirements D. the implementation plan Suggested Answer: C
Which of the following is MOST important to review when determining whether a potential IT service provider's control environment is effective? A. Control self-assessment (CSA) B. Service level agreements (SLAs) C. Key performance indicators (KPIs) D. Independent audit report Suggested Answer: D
Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover? A. Change and release management B. Well documented policies and procedures C. Risk and issue tracking D. An IT strategy committee Suggested Answer: B
The PRIMARY purpose of using a framework for risk analysis is to: A. help define risk tolerance B. help develop risk scenarios C. improve consistency D. improve accountability. Suggested Answer: C
Within the three lines of defense model, the accountability for the system of internal controls resides with: A. enterprise risk management (ERM). B. the risk practitioner. C. the chief information officer (CIO). D. the board of directors. Suggested Answer: D
Before assigning sensitivity levels to information, it is MOST important to: A. define the information classification policy. B. conduct a sensitivity analysis. C. identify information custodians. D. define recovery time objectives (RTOs). Suggested Answer: A
Which of the following risk-related information is MOST valuable to senior management when formulating an IT strategic plan? A. Risk mitigation plans B. IT risk appetite statement C. Emerging IT risk scenarios D. Key risk indicators (KRIs) Suggested Answer: D
What information related to a system vulnerability would be MOST useful to management in making an effective risk-based decision? A. Consequences if the vulnerability is exploited B. Availability of patches to mitigate the vulnerability C. Vulnerability scanning tools currently in place D. Risk mitigation plans for the vulnerability Suggested Answer: A
Which of the following is MOST helpful to understand the consequences of an IT risk event? A. Fault tree analysis B. Root cause analysis C. Business impact analysis (BIA) D. Historical trend analysis Suggested Answer: C
An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement: A. a tool for monitoring critical activities and controls B. procedures to monitor the operation of controls C. real-time monitoring of risk events and control exceptions D. monitoring activities for all critical assets. Suggested Answer: C
Which of the following is MOST important for an organization to update following a change in legislation requiring notification to individuals impacted by data breaches? A. Security awareness training B. Policies and standards C. Risk appetite and tolerance D. Insurance coverage Suggested Answer: B
Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud? A. Ensuring that risk and control assessments consider fraud B. Implementing processes to detect and deter fraud C. Providing oversight of risk management processes D. Monitoring the results of actions taken to mitigate fraud Suggested Answer: B
Which of the following is the BEST way to quantify the likelihood of risk materialization? A. Balanced scorecard B. Business impact analysis (BIA) C. Threat and vulnerability assessment D. Compliance assessments Suggested Answer: C
In order to determine if a risk is under-controlled, the risk practitioner will need to: A. determine the sufficiency of the IT risk budget B. monitor and evaluate IT performance C. identify risk management best practices D. understand the risk tolerance Suggested Answer: D
A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization? A. Reviewing access control lists B. Performing user access recertification C. Authorizing user access requests D. Terminating inactive user access Suggested Answer: A
The PRIMARY reason for prioritizing risk scenarios is to: A. facilitate risk response decisions. B. support risk response tracking. C. assign risk ownership. D. provide an enterprise-wide view of risk. Suggested Answer: A
A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action? A. Update the risk register with the process changes. B. Review risk related to standards and regulations. C. Conduct a risk assessment with stakeholders. D. Conduct third-party resilience tests. Suggested Answer: C
A global company's business continuity plan (BCP) requires the transfer of its customer information systems to an overseas cloud service provider in the event of a disaster. Which of the following should be the MOST important risk consideration? A. The lack of a service level agreement (SLA) in the vendor contract B. The cloud computing environment is shared with another company C. The organizational culture differences between each country D. The difference in the management practices between each company Suggested Answer: A
Which of the following will MOST effectively align IT controls with corporate risk tolerance? A. Benchmarks against industry leading practices B. Internal policies approved by stakeholders C. Key performance indicators (KPIs) approved by stakeholders D. Risk management framework Suggested Answer: C
Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers? A. Risk tolerance B. Risk appetite C. Inherent risk D. Key risk indicator (KRI) Suggested Answer: C
Which of the following is the MOST important success factor when introducing risk management in an organization? A. Establishing executive management support B. Implementing a risk register C. Assigning risk ownership D. Defining a risk mitigation strategy and plan Suggested Answer: C
When developing risk scenarios using a list of generic scenarios based on industry best practices, it is MOST important to: A. assess generic risk scenarios with business users. B. validate the generic risk scenarios for relevance. C. select the maximum possible risk scenarios from the list. D. identify common threats causing generic risk scenarios. Suggested Answer: B
The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables: A. assignment of risk to the appropriate owners. B. allocation of available resources. C. risk to be expressed in quantifiable terms. D. clear understanding of risk levels. Suggested Answer: C
Which of the following is MOST important for a risk practitioner to consider when evaluating plans for changes to IT services? A. User acceptance testing (UAT) B. Impact assessment of the change C. Change communication plan D. Change testing schedule Suggested Answer: B
Which of the following should be the FIRST step to investigate an IT monitoring system that has a decreasing alert rate? A. Adjust the sensitivity to trigger more alerts. B. Determine the root cause for the change in alert rate. C. Conduct regression testing to ensure alerts can be triggered. D. Review and adjust the timing of the reporting window. Suggested Answer: B
When formulating a social media policy to address information leakage, which of the following is the MOST important concern to address? A. Using social media to maintain contact with business associates B. Using social media for personal purposes during working hours C. Sharing company information on social media D. Sharing personal information on social media Suggested Answer: C
Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy? A. Perform a controls assessment. B. Request a budget for implementation. C. Conduct a threat analysis. D. Create a cloud computing policy. Suggested Answer: C
Which element of an organization's risk register is MOST important to update following the commissioning of a new financial reporting system? A. The owner of the financial reporting process B. The list of relevant financial controls C. Key risk indicators (KRIs) D. The risk rating of affected financial processes Suggested Answer: C
Which of the following is the BEST way to address a board's concern about the organization's cybersecurity posture? A. Update security risk scenarios B. Create a new security risk officer role C. Assess security capabilities against an industry framework D. Contract with a third party to perform vulnerability testing Suggested Answer: D
Which of the following is MOST influential when management makes risk response decisions? A. Detection risk B. Risk appetite C. Audit risk D. Residual risk Suggested Answer: B
Which of the following would MOST likely drive the need to review and update key performance indicators (KPIs) for critical IT assets? A. Changes in service level objectives B. Findings from continuous monitoring C. The outsourcing of related IT processes D. Outcomes of periodic risk assessments Suggested Answer: B
Which of the following is the MOST important component of effective security incident response? A. A documented communications plan B. Identification of attack sources C. Network time protocol synchronization D. Early detection of breaches Suggested Answer: D
An organization has an approved bring your own device (BYOD) policy. Which of the following would BEST mitigate the security risk associated with the inappropriate use of enterprise applications on the devices? A. Enable a remote wipe capability for BYOD devices. B. Periodically review applications on BYOD devices. C. Include BYOD in organizational awareness programs. D. Implement BYOD mobile device management (MDM) controls. Suggested Answer: D
When is the BEST time to identify risk associated with major projects to determine a mitigation plan? A. Project execution phase B. Project closing phase C. Project planning phase D. Project initiation phase Suggested Answer: C
Which of the following is a risk practitioner's BEST recommendation to address an organization's need to secure multiple systems with limited IT resources? A. Perform a vulnerability analysis. B. Schedule a penetration test. C. Apply available security patches. D. Conduct a business impact analysis (BIA). Suggested Answer: D
Which of the following is MOST important to include in a risk assessment of an emerging technology? A. Key controls B. Risk and control ownership C. Risk response plans D. Impact and likelihood ratings Suggested Answer: D
Which of the following would MOST effectively reduce risk associated with an increased volume of online transactions on a retailer website? A. Transaction limits B. Scalable infrastructure C. A hot backup site D. Website activity monitoring Suggested Answer: B
To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors? A. Third-party provider B. Business owner C. IT department D. Risk manager Suggested Answer: B
Which of the following provides the BEST evidence that risk responses are effective? A. Compliance breaches are addressed in a timely manner B. Risk with low impact is accepted C. Risk ownership is identified and assigned D. Residual risk is within risk tolerance Suggested Answer: A
A risk practitioner has just learned about new malware that has severely impacted industry peers worldwide. Which of the following should be done FIRST? A. Notify executive management. B. Update the IT risk register. C. Design IT risk mitigation plans. D. Analyze the impact to the organization. Suggested Answer: D
Which of the following is the MAIN purpose of monitoring risk? A. Benchmarking B. Risk analysis C. Decision support D. Communication Suggested Answer: C
What is the PRIMARY benefit of risk monitoring? A. It facilitates communication of threat levels. B. It provides statistical evidence of control efficiency. C. It facilitates risk-aware decision making. D. It reduces the number of audit findings. Suggested Answer: C
An organization's control environment is MOST effective when: A. controls operate efficiently. B. controls are implemented consistently. C. controls perform as intended. D. control designs are reviewed periodically. Suggested Answer: C
When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter time than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern? A. Update the risk register to reflect the discrepancy. B. Adopt the RTO defined in the BCP. C. Adopt the RTO defined in the DRP. D. Communicate the discrepancy to the DR manager for follow-up. Suggested Answer: D
Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (IoT) devices to collect and process personally identifiable information (PII)? A. Costs and benefits B. Security features and support C. Local laws and regulations D. Business strategies and needs Suggested Answer: C
During a risk assessment of a financial institution, a risk practitioner discovers that tellers can initiate and approve transactions of significant value. This team is also responsible for ensuring transactions are recorded and balances are reconciled by the end of the day. Which of the following is the risk practitioner's BEST recommendation to mitigate the associated risk? A. Require a code of ethics. B. Implement continuous monitoring. C. Implement segregation of duties. D. Require a second level of approval. Suggested Answer: D
Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register? A. To track historical risk assessment results B. To prevent the risk scenario in the current environment C. To monitor for potential changes to the risk scenario D. To support regulatory requirements Suggested Answer: C
Reviewing which of the following provides the BEST indication of an organization's risk tolerance? A. Risk sharing strategy B. Risk assessments C. Risk transfer agreements D. Risk policies Suggested Answer: B
Which of the following is MOST helpful in defining an early-warning threshold associated with insufficient network bandwidth? A. Bandwidth used during business hours B. Average bandwidth usage C. Total bandwidth usage D. Peak bandwidth usage Suggested Answer: D
When developing a risk awareness training program, which of the following training topics would BEST facilitate a thorough understanding of risk scenarios? A. Mapping threats to organizational objectives B. Reviewing past audits C. Analyzing key risk indicators (KRIs) D. Identifying potential sources of risk Suggested Answer: A
Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls? A. A third-party audit B. Internal penetration testing C. Security operations center review D. An internal audit Suggested Answer: A
Which of the following is the MOST important information to be communicated during security awareness training? A. Corporate risk profile B. Recent security incidents C. Management's expectations D. The current risk management capability Suggested Answer: C
Which of the following is the GREATEST critical success factor (CSF) of an IT risk management program? A. Identifying enterprise risk events B. Conducting focus group meetings with key stakeholders C. Aligning with business objectives D. Identifying IT risk scenarios Suggested Answer: C
Which of the following should be the risk practitioner's FIRST course of action when an organization has decided to expand into new product areas? A. Review existing risk scenarios with stakeholders. B. Present a business case for new controls to stakeholders. C. Revise the organization's risk and control policy. D. Identify any new business objectives with stakeholders. Suggested Answer: A
Which of the following BEST supports the management of identified risk scenarios? A. Using key risk indicators (KRIs) B. Maintaining a risk register C. Collecting risk event data D. Defining risk parameters Suggested Answer: A
A risk practitioner observed that a high number of policy exceptions were approved by senior management. Which of the following is the risk practitioner's BEST course of action to determine root cause? A. Perform control testing. B. Review policy change history. C. Review the risk profile. D. Interview the control owner. Suggested Answer: D
An organization has decided to use an external auditor to review the control environment of an outsourced service provider. The BEST control criteria to evaluate the provider would be based on: A. the service provider's existing controls. B. guidance provided by the external auditor. C. a recognized industry control framework. D. the organization's specific control requirements. Suggested Answer: D
Which of the following would BEST facilitate the implementation of data classification requirements? A. Implementing technical controls over the assets B. Implementing a data loss prevention (DLP) solution C. Scheduling periodic audits D. Assigning a data owner Suggested Answer: D
An organization has used generic risk scenarios to populate its risk register. Which of the following presents the GREATEST challenge to assigning ownership of the associated risk entries? A. The volume of risk scenarios is too large. B. Risk scenarios are not applicable. C. The risk analysis for each scenario is incomplete. D. Risk aggregation has not been completed. Suggested Answer: B
An organization's business process requires the verbal verification of personal information in an environment where other customers may overhear this information. Which of the following is the MOST significant risk? A. The customer may view the process negatively. B. The information could be used for identity theft. C. The process could result in intellectual property theft. D. The process could result in compliance violations. Suggested Answer: B
An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management? A. The project is likely to deliver the product late. B. More time has been allotted for testing. C. A new project manager is handling the project. D. The cost of the project will exceed the allotted budget. Suggested Answer: A
Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle? A. To deliver projects on time and on budget B. To assess inherent risk C. To assess risk throughout the project D. To include project risk in the enterprise-wide IT risk profile Suggested Answer: C
Which of the following is the MOST significant indicator of the need to perform a penetration test? A. An increase in the number of infrastructure changes B. An increase in the number of security incidents C. An increase in the number of high-risk audit findings D. An increase in the percentage of turnover in IT personnel Suggested Answer: C
Which of the following provides the MOST reliable information to ensure a newly acquired company has appropriate IT controls in place? A. Vulnerability assessment B. Information system audit C. Penetration testing D. IT risk assessment Suggested Answer: C
Print jobs containing confidential information are sent to a shared network printer located in a secure room. Which of the following is the BEST control to prevent the inappropriate disclosure of confidential information? A. Ensuring printer parameters are properly configured B. Using video surveillance in the printer room C. Using physical controls to access the printer room D. Requiring a printer access code for each user Suggested Answer: C
Which of the following would be MOST helpful when communicating roles associated with the IT risk management process? A. Skills matrix B. RACI chart C. Organizational chart D. Job descriptions Suggested Answer: B
The PRIMARY benefit of conducting a risk workshop using a top-down approach instead of a bottom-up approach is the ability to: A. incorporate subject matter expertise. B. identify specific project risk. C. understand risk associated with complex processes. D. obtain a holistic view of IT strategy risk. Suggested Answer: A
A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action? A. Analyze and update control assessments with the new processes. B. Conduct testing of the controls that mitigate the existing risk. C. Determine whether risk responses are still adequate. D. Analyze the risk and update the risk register as needed. Suggested Answer: D
Of the following, who is BEST suited to assist a risk practitioner in developing a relevant set of risk scenarios? A. Control owner B. Internal auditor C. Asset owner D. Finance manager Suggested Answer: C
The risk associated with an asset after controls are applied can be expressed as: A. the likelihood of a given threat. B. the magnitude of an impact. C. a function of the likelihood and impact. D. a function of the cost and effectiveness of controls. Suggested Answer: C
A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management? A. Reviewing the IT policy with the risk owner B. Reviewing the roles and responsibilities of control process owners C. Assessing noncompliance with control best practices D. Assessing the degree to which the control hinders business objectives Suggested Answer: D
Which key performance indicator (KPI) BEST measures the effectiveness of an organization's disaster recovery program? A. Number of service level agreement (SLA) violations. B. Percentage of critical systems recovered within the recovery time objective (RTO). C. Percentage of recovery issues identified during the exercise. D. Number of total systems recovered within the recovery point objective (RPO). Suggested Answer: B
The PRIMARY advantage of involving end users in continuity planning is that they: A. can see the overall impact to the business. B. have a better understanding of specific business needs. C. can balance the overall technical and business concerns. D. are more objective than information security management. Suggested Answer: B
Which of the following is the PRIMARY risk management responsibility of the second line of defense? A. Applying risk treatments B. Providing assurance of control effectiveness C. Implementing internal controls D. Monitoring risk responses Suggested Answer: B
Which of the following is the BEST way to ensure ongoing control effectiveness? A. Periodically reviewing control design B. Establishing policies and procedures C. Measuring trends in control performance D. Obtaining management control attestations Suggested Answer: D
Who should have the authority to approve an exception to a control? A. Information security manager B. Risk manager C. Control owner D. Risk owner Suggested Answer: D
Which of the following is a responsibility of the second line of defense in the three lines of defense model? A. Owning risk scenarios and bearing the consequences of loss B. Alerting operational management to emerging issues C. Implementing corrective actions to address deficiencies D. Performing duties independently to provide assurance Suggested Answer: A
Which of the following would be the GREATEST concern for an IT risk practitioner when an employee has transferred to another department? A. Company equipment has not been retained by IT. B. The organization's structure has not been updated. C. Unnecessary access permissions have not been removed. D. Job knowledge was not transferred to employees in the former department. Suggested Answer: C
An organization is planning to implement a guest wireless network granting internet access only. Which of the following is the MOST important consideration to effectively mitigate the risk of guests gaining access to the organization's internal network? A. The wireless network is not available outside the office areas. B. The networks are properly segregated from each other. C. Guests are required to accept terms and conditions. D. Only approved equipment is allowed on the guest network. Suggested Answer: B
Which of the following should be determined FIRST when a new security vulnerability is made public? A. How pervasive the vulnerability is within the organization B. Whether the affected technology is Internet-facing C. Whether the affected technology is used within the organization D. What mitigating controls are currently in place Suggested Answer: C
What should be a risk practitioner's PRIMARY focus when evaluating a proposed robotic process automation of a business service? A. License availability B. Cost-benefit analysis C. Code review D. Control capability Suggested Answer: D
Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model? A. Regulators B. Legal team C. Vendors D. Board of directors Suggested Answer: A
Which of the following is the MOST important data attribute of key risk indicators (KRIs)? A. The data is calculated continuously. B. The data is measurable. C. The data is relevant. D. The data is automatically produced. Suggested Answer: C
What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)? A. Include the application in the business continuity plan (BCP). B. Report the finding to management. C. Segregate the application from the network. D. Determine the business purpose of the application. Suggested Answer: D
An organization is planning to move its application infrastructure from on-premise to the cloud. Which of the following is the BEST course of action to address the risk associated with data transfer if the relationship is terminated with the vendor? A. Work closely with the information security officer to ensure the company has the proper security controls in place. B. Collect requirements for the environment to ensure the Infrastructure as a Service (IaaS) is configured appropriately. C. Meet with the business leaders to ensure the classification of their transferred data is in place. D. Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process. Suggested Answer: D
Which of the following would BEST mitigate an identified risk scenario? A. Establishing an organization's risk tolerance B. Conducting awareness training C. Performing periodic audits D. Executing a risk response plan Suggested Answer: D
Which of the following is MOST important for mitigating ethical risk when establishing accountability for control ownership? A. Ensuring processes are documented to enable effective control execution B. Ensuring schedules and deadlines for control-related deliverables are strictly monitored C. Ensuring performance metrics balance business goals with risk appetite D. Ensuring regular risk messaging is included in business communications from leadership Suggested Answer: A
Which of the following is the MOST appropriate action when a tolerance threshold is exceeded? A. Verify the response plan is adequate. B. Communicate potential impact to decision makers. C. Increase human resources to respond in the interim. D. Research the root cause of similar incidents. Suggested Answer: B
A risk practitioner has been asked to recommend a key performance indicator (KPI) to assess the effectiveness of a manual process to terminate user access. Which of the following is the BEST KPI to recommend? A. Percent increase in number of access termination requests B. Timeframe of notification from business management to IT C. Timeframe from user termination to access revocation D. Ratio of successful log-in attempts to unsuccessful log-in attempts Suggested Answer: C
Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data? A. Role-based access controls B. Multi-factor authentication C. Activation of control audits D. Acceptable use policies Suggested Answer: B
Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern? A. The chief information security officer (CISO) has not approved the plan. B. Several recovery activities will be outsourced. C. Some critical business applications are not included in the plan. D. The plan is not based on an internationally recognized framework. Suggested Answer: C
A key risk indicator (KRI) flags an exception for exceeding a threshold but remains within risk appetite. Which of the following should be done NEXT? A. Adjust the risk threshold level to match risk appetite. B. Review the risk appetite level to ensure it is appropriate. C. Review the trend to determine whether action is needed. D. Document that the KRI is within risk appetite. Suggested Answer: C
An organization's capability to implement a risk management framework is PRIMARILY influenced by the: A. guidance of the risk practitioner. B. approval of senior management. C. competence of the staff involved. D. maturity of its risk culture. Suggested Answer: B
An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites. Which of the following will MOST effectively mitigate this risk? A. Conducting user awareness training B. Requiring employee agreement of the acceptable use policy C. Establishing a data classification policy D. Requiring the use of virtual private networks (VPNs) Suggested Answer: A
Which of the following contributes MOST to the effective implementation of risk responses? A. Clear understanding of the risk. B. Detailed standards and procedures. C. Comparable industry risk trends. D. Appropriate resources. Suggested Answer: B
Which of the following BEST indicates the risk appetite and tolerance level for the risk associated with business interruption caused by IT system failures? A. IT system criticality classification B. Mean time to recover (MTTR) C. Incident management service level agreement (SLA) D. Recovery time objective (RTO) Suggested Answer: D
Which of the following is the MOST important consideration when developing risk strategies? A. Long-term organizational goals B. Organization's industry sector C. Concerns of the business process owners D. History of risk events Suggested Answer: A
A maturity model is MOST useful to an organization when it: A. defines a qualitative measure of risk. B. provides a reference for progress. C. benchmarks against other organizations. D. provides risk metrics. Suggested Answer: B
It was determined that replication of a critical database used by two business units failed. Which of the following should be of GREATEST concern? A. The cost of recovering the data B. The lack of integrity of the data C. The loss of data confidentiality D. The underutilization of the replicated link Suggested Answer: B
Which of the following is the BEST control to mitigate the risk when a critical customer-facing application has been susceptible to recent credential stuffing attacks? A. Block IP addresses from foreign countries. B. Increase monitoring of account usage. C. Implement multi-factor authentication. D. Increase password complexity requirements. Suggested Answer: C
Which of the following is MOST important to the effective monitoring of key risk indicators (KRIs)? A. Updating the threat inventory with new threats B. Automating log data analysis C. Preventing the generation of false alerts D. Determining threshold levels Suggested Answer: D
A multinational organization is considering implementing standard background checks for all new employees. A KEY concern regarding this approach is that it may: A. fail to identify all relevant issues. B. be too costly. C. violate laws in other countries. D. be too time consuming. Suggested Answer: C
A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls? A. Root cause analysis B. Risk assessment C. Business impact analysis (BIA) D. Forensic analysis Suggested Answer: A
A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result? A. Risk tolerance B. Risk likelihood C. Risk appetite D. Risk forecasting Suggested Answer: D
A project team recommends accepting the residual risk associated with known regulatory control deficiencies. Which of the following is the risk practitioner's MOST important recommendation to the project manager? A. Present the remaining deficiencies to the project steering committee for sign-off. B. Assess the risk of the remaining deficiencies and develop an action plan. C. Update the project risk register with the remaining deficiencies and remediation actions. D. Confirm a timeline to remediate the remaining deficiencies after the project goes live. Suggested Answer: A
The BEST key performance indicator (KPI) to measure the effectiveness of the security patching process is the percentage of patches installed: A. successfully within the expected time frame. B. successfully during the first attempt. C. by the security administration team. D. without causing an unplanned system outage. Suggested Answer: D
Which of the following is the BEST recommendation of a risk practitioner for an organization that recently changed its organizational structure? A. Re-validate the corporate risk appetite. B. Communicate the new risk profile. C. Review and adjust key risk indicators (KRIs). D. Implement a new risk assessment process. Suggested Answer: C
The PRIMARY goal of conducting a business impact analysis (BIA) as part of an overall continuity planning process is to: A. map the business processes to supporting IT and other corporate resources. B. document the disaster recovery process. C. obtain the support of executive management. D. identify critical business processes and the degree of reliance on support services. Suggested Answer: D
A financial institution has identified high risk of fraud in several business applications. Which of the following controls will BEST help reduce the risk of fraudulent internal transactions? A. Segregation of duties B. Periodic internal audits C. Log monitoring D. Periodic user privileges review Suggested Answer: A
A new regulatory requirement imposes severe fines for data leakage involving customers' personally identifiable information (PII). The risk practitioner has recommended avoiding the risk. Which of the following actions would BEST align with this recommendation? A. Implement strong encryption for PII. B. Modify business processes to stop collecting PII. C. Move PII to a highly secured outsourced site. D. Reduce retention periods for PII data. Suggested Answer: B
As part of business continuity planning, which of the following is MOST important to include in a business impact analysis (BIA)? A. An assessment of threats to the organization B. An assessment of recovery scenarios C. Industry standard framework D. Documentation of testing procedures Suggested Answer: A
When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision? A. A memo indicating risk acceptance B. Verbal majority acceptance of risk by committee C. List of compensating controls D. IT audit follow-up responses Suggested Answer: C
Which of the following is the MOST important activity when identifying relevant risk data? A. Performing peer reviews of the risk register B. Interpreting IT assessment findings and data C. Checking and maintaining data of incident response plans D. Mapping IT resource data to business processes Suggested Answer: D
An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs? A. Acquisition B. Implementation C. Initiation D. Operation and maintenance Suggested Answer: C
From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools? A. Staff costs are reduced. B. Operational costs are reduced. C. Inherent risk is reduced. D. Residual risk is reduced. Suggested Answer: D
Which of the following is the BEST approach to mitigate the risk associated with a control deficiency? A. Perform a business case analysis. B. Conduct a control self-assessment (CSA). C. Build a provision for risk. D. Implement compensating controls. Suggested Answer: D
Who should be responsible for strategic decisions on risk management? A. Audit committee B. Executive management team C. Chief information officer (CIO) D. Business process owner Suggested Answer: D
Which of the following should be management's PRIMARY focus when key risk indicators (KRIs) begin to rapidly approach defined thresholds? A. Determining what has changed in the environment B. Assessing the effectiveness of the incident response plan C. Determining if KRIs have been updated recently D. Designing compensating controls Suggested Answer: A
Which of the following is a risk practitioner's MOST important responsibility in managing risk acceptance that exceeds risk tolerance? A. Increase the risk appetite to align with the current risk level. B. Verify authorization by senior management. C. Update the risk response in the risk register. D. Ensure the acceptance is set to expire over time. Suggested Answer: B
A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner's FIRST course of action? A. Submit a request to change management. B. Report the issue to internal audit. C. Review the business impact assessment. D. Conduct a risk assessment. Suggested Answer: D
Which of the following will BEST help to ensure implementation of corrective action plans? A. Assigning accountability to risk owners B. Establishing employee awareness training C. Contracting to third parties D. Setting target dates to complete actions Suggested Answer: A
What is the PRIMARY reason an organization should include background checks on roles with elevated access to production as part of its hiring process? A. Eliminate risk associated with personnel. B. Ensure new hires have the required skills. C. Reduce exposure to vulnerabilities. D. Reduce internal threats. Suggested Answer: D
An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used? A. Industry best practices B. Organizational strategy C. Organizational policy D. Employee code of conduct Suggested Answer: C
Legal and regulatory risk associated with business conducted over the Internet is driven by: A. the laws and regulations of each individual country. B. the jurisdiction in which an organization has its principal headquarters. C. international law and a uniform set of regulations. D. international standard-setting bodies. Suggested Answer: A
An organization is developing a security risk awareness training program for the IT help desk and has asked the risk practitioner for suggestions. In addition to technical topics, which of the following is MOST important to recommend be included in the training? A. Identity verification procedures B. Incident reporting procedures C. Security policy review D. Password selection options Suggested Answer: B
Which of the following should be the PRIMARY goal of developing information security metrics? A. Identifying security threats B. Ensuring regulatory compliance C. Enabling continuous improvement D. Raising security awareness Suggested Answer: C
Which of the following is a drawback in the use of quantitative risk analysis? A. It produces the results in numeric form B. It is based on impact analysis of information assets C. It requires more resources than other methods D. It assigns numeric values to exposures of assets Suggested Answer: C
A large organization needs to report risk at all levels for a new centralized virtualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management? A. Risk heat map B. Centralized risk register C. Key risk indicators (KRIs) D. Aggregated key performance indicators (KPIs) Suggested Answer: A
Which of the following would be the GREATEST challenge when implementing a corporate risk framework for a global organization? A. Business continuity B. Risk taxonomy C. Management support D. Privacy risk controls Suggested Answer: D
Which of the following is the PRIMARY reason to adopt key control indicators (KCIs) in the risk monitoring and reporting process? A. To provide assurance of adherence to risk management policies B. To provide measurements on the potential for risk to occur C. To provide data for establishing the risk profile D. To provide assessments of mitigation effectiveness Suggested Answer: A
Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access? A. Implementing multi-factor authentication B. Updating the organizational policy for remote access C. Creating metrics to track remote connections D. Updating remote desktop software Suggested Answer: A
An organization has completed a risk assessment of one of its service providers. Who should be accountable for ensuring that risk responses are implemented? A. IT risk practitioner B. The relationship owner C. Third-party security team D. Legal representation of the business Suggested Answer: B
A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action? A. Document the reasons for the exception. B. Include the application in IT risk assessments. C. Propose that the application be transferred to IT. D. Escalate the concern to senior management. Suggested Answer: C
Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite? A. Monitor the residual risk level of the accepted risk. B. Escalate the risk decision to the project sponsor for review. C. Document the risk decision in the project risk register. D. Reject the risk acceptance and require mitigating controls. Suggested Answer: C
Who should be responsible for evaluating the residual risk after a compensating control has been applied? A. Risk practitioner B. Compliance manager C. Risk owner D. Control owner Suggested Answer: C
Which of the following should a risk practitioner validate FIRST when a mitigating control cannot be implemented fully to support business objectives? A. If the risk owner has accepted the risk B. If compensating controls have been implemented C. If insurance coverage has been obtained D. If business objectives continue to align with organizational goals Suggested Answer: B
Which of the following is the BEST way to determine whether system settings are in alignment with control baselines? A. Internal audit review B. Control attestation C. Penetration testing D. Configuration validation Suggested Answer: D
Which of the following is the BEST method for assessing control effectiveness against technical vulnerabilities that could be exploited to compromise an information system? A. Vulnerability scanning B. Penetration testing C. Systems log correlation analysis D. Monitoring of intrusion detection system (IDS) alerts Suggested Answer: B
Which of the following is the MOST effective control to ensure user access is maintained on a least-privilege basis? A. Change log review B. User recertification C. Access log monitoring D. User authorization Suggested Answer: D
Which of the following is MOST important when considering risk in an enterprise risk management (ERM) process? A. Risk identified by industry benchmarking is included. B. Financial risk is given a higher priority. C. Risk with strategic impact is included. D. Security strategy is given a higher priority. Suggested Answer: C
Which of the following is MOST important when developing risk scenarios? A. Conducting vulnerability assessments B. Reviewing business impact analysis (BIA) C. Collaborating with IT audit D. Obtaining input from key stakeholders Suggested Answer: B
Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application? A. Security information and event management (SIEM) solutions B. Control self-assessment (CSA) C. Data privacy impact assessment (DPIA) D. Data loss prevention (DLP) tools Suggested Answer: D
Which of the following is the GREATEST risk associated with the misclassification of data? A. Data disruption B. Inadequate resource allocation C. Unauthorized access D. Inadequate retention schedules Suggested Answer: C
Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees? A. Disabling social media access from the organization's technology B. Validating employee social media accounts and passwords C. Implementing training and awareness programs D. Monitoring Internet usage on employee workstations Suggested Answer: C
Which of the following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT? A. Perform a risk assessment. B. Prioritize impact to the business units. C. Perform a gap analysis. D. Review the risk tolerance and appetite. Suggested Answer: C
The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on: A. benchmarking criteria. B. stakeholder risk tolerance. C. the control environment. D. suppliers used by the organization. Suggested Answer: A
A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue? A. Require the software vendor to remediate the vulnerabilities. B. Approve exception to allow the software to continue operating. C. Monitor the databases for abnormal activity. D. Accept the risk and let the vendor run the software as is. Suggested Answer: A
Which of the following represents a vulnerability? A. An employee recently fired for insubordination B. An identity thief seeking to acquire personal financial data from an organization C. Media recognition of an organization's market leadership in its industry D. A standard procedure for applying software patches two weeks after release Suggested Answer: D
An organization has detected unauthorized logins to its client database servers. Which of the following should be of GREATEST concern? A. Potential increase in regulatory scrutiny B. Potential theft of personal information C. Potential legal risk D. Potential system downtime Suggested Answer: B
The PRIMARY benefit of using a maturity model is that it helps to evaluate the: A. control requirements. B. evolution of process improvements. C. capability to implement new processes. D. degree of compliance with policies and procedures. Suggested Answer: B
Which of the following would be a risk practitioner's BEST recommendation upon learning of an updated cybersecurity regulation that could impact the organization? A. Update security policies B. Conduct system testing C. Implement compensating controls D. Perform a gap analysis Suggested Answer: D
Which of the following practices would be MOST effective in protecting personally identifiable information (PII) from unauthorized access in a cloud environment? A. Apply data classification policy. B. Require logical separation of company data. C. Obtain the right to audit. D. Utilize encryption with logical access controls. Suggested Answer: D
Which of the following is the BEST way for an organization to enable risk treatment decisions? A. Establish clear accountability for risk. B. Develop comprehensive policies and standards. C. Allocate sufficient funds for risk remediation. D. Promote risk and security awareness. Suggested Answer: B
Which of the following is the BEST method of creating risk awareness in an organization? A. Making the risk register available to project stakeholders B. Ensuring senior management commitment to risk training C. Providing regular communication to risk managers D. Appointing the risk manager from the business units Suggested Answer: B
Which of the following will be the GREATEST concern when assessing the risk profile of an organization? A. The risk profile does not contain historical loss data. B. The risk profile was last reviewed two years ago. C. The risk profile was not updated after a recent incident. D. The risk profile was developed without using industry standards. Suggested Answer: C
Which of the following is the PRIMARY benefit of stakeholder involvement in risk scenario development? A. Awareness of emerging business threats B. Up-to-date knowledge on risk responses C. Ability to determine business impact D. Decision-making authority for risk treatment Suggested Answer: C
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's software testing program? A. Percentage of applications covered by the testing team B. Average time to complete software test cases C. The number of personnel dedicated to software testing D. Number of incidents resulting from software changes Suggested Answer: D
Which of the following is the GREATEST risk associated with an environment that lacks documentation of the architecture? A. Network isolation B. Overlapping threats C. Unknown vulnerabilities D. Legacy technology systems Suggested Answer: C
Which of the following will be MOST effective in uniquely identifying the originator of electronic transactions? A. Edit checks B. Encryption C. Multifactor authentication D. Digital signature Suggested Answer: D
Which of the following BEST assists in justifying an investment in automated controls? A. Alignment of investment with risk appetite B. Reduction in personnel costs C. Elimination of compensating controls D. Cost-benefit analysis Suggested Answer: D
Which of the following statements BEST illustrates the relationship between key performance indicators (KPIs) and key control indicators (KCIs)? A. KPIs measure manual controls, while KCIs measure automated controls. B. KPIs and KCIs both contribute to understanding of control effectiveness. C. KCIs are applied at the operational level, while KPIs are at the strategic level. D. A robust KCI program will replace the need to measure KPIs. Suggested Answer: B
Which of the following is necessary to enable an IT risk register to be consolidated with the rest of the organization's risk register? A. Risk appetite B. Risk response C. Risk taxonomy D. Risk ranking Suggested Answer: C
The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to: A. identify root causes for relevant events. B. develop understandable and realistic risk scenarios. C. perform an aggregated cost-benefit analysis. D. develop a comprehensive risk mitigation strategy. Suggested Answer: B
Which of the following will BEST help in communicating strategic risk priorities? A. Heat map B. Business impact analysis (BIA) C. Risk register D. Balanced scorecard Suggested Answer: B
What is the PRIMARY purpose of a business impact analysis (BIA)? A. To determine the likelihood and impact of threats to business operations B. To evaluate the priority of business operations in case of disruption C. To estimate resource requirements for related business processes D. To identify important business processes in the organization Suggested Answer: A
Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system? A. Conduct a compliance check against standards. B. Perform a vulnerability assessment. C. Measure the change in inherent risk. D. Complete an offsite business continuity exercise. Suggested Answer: B
Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring? A. Use of industry risk data sources B. Sensitivity to changes in risk levels C. Low cost of development and maintenance D. Approval by senior management Suggested Answer: A
Which of the following is the BEST indication of a mature organizational risk culture? A. Corporate risk appetite is communicated to staff members. B. Risk policy has been published and acknowledged by employees. C. Management encourages the reporting of policy breaches. D. Risk owners understand and accept accountability for risk. Suggested Answer: D
The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of: A. active accounts belonging to former personnel. B. accounts with dormant activity. C. accounts without documented approval. D. user accounts with default passwords. Suggested Answer: A
Which of the following facilitates a completely independent review of test results for evaluating control effectiveness? A. Segregation of duties B. Compliance review C. Three lines of defense D. Quality assurance review Suggested Answer: C
Which of the following is a KEY consideration for a risk practitioner to communicate to senior management evaluating the introduction of artificial intelligence (AI) solutions into the organization? A. Third-party AI solutions increase regulatory obligations. B. AI requires entirely new risk management processes. C. AI will result in changes to business processes. D. AI potentially introduces new types of risk. Suggested Answer: D
An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been: A. accepted B. mitigated C. deferred D. transferred Suggested Answer: C
To communicate the risk associated with IT in business terms, which of the following MUST be defined? A. Risk appetite of the organization B. Compliance objectives C. Organizational objectives D. Inherent and residual risk Suggested Answer: C
An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack? A. Verify the data backup process and confirm which backups are the most recent ones available. B. Identify systems that are vulnerable to being exploited by the attack. C. Confirm with the antivirus solution vendor whether the next update will detect the attack. D. Obtain approval for funding to purchase a cyber insurance plan. Suggested Answer: B
Which of the following is MOST important to the successful development of IT risk scenarios? A. Control effectiveness assessment B. Threat and vulnerability analysis C. Internal and external audit reports D. Cost-benefit analysis Suggested Answer: D
While reviewing an organization's monthly change management metrics, a risk practitioner notes that the number of emergency changes has increased substantially. Which of the following would be the BEST approach for the risk practitioner to take? A. Temporarily suspend emergency changes. B. Continue monitoring change management metrics. C. Conduct a root cause analysis. D. Document the control deficiency in the risk register. Suggested Answer: C
Which of the following MUST be updated to maintain an IT risk register? A. Risk appetite B. Risk tolerance C. Expected frequency and potential impact D. Enterprise-wide IT risk assessment Suggested Answer: C
Which of the following is the PRIMARY reason for monitoring activities performed in a production database environment? A. Preventing system developers from accessing production data B. Deterring illicit actions of database administrators C. Enforcing that changes are authorized D. Ensuring that database changes are correctly applied Suggested Answer: B
Which of the following is MOST important to the integrity of a security log? A. Least privilege access B. Encryption C. Inability to edit D. Ability to overwrite Suggested Answer: C
Which of the following provides the MOST useful information to determine risk exposure following control implementations? A. Risk escalation and process for communication B. Strategic plan and risk management integration C. Risk limits, thresholds, and indicators D. Policies, standards, and procedures Suggested Answer: C
Reviewing historical risk events is MOST useful for which of the following processes within the risk management life cycle? A. Risk mitigation B. Risk assessment C. Risk monitoring D. Risk aggregation Suggested Answer: B
Which of the following is the BEST key control indicator (KCI) for a vulnerability management program? A. Percentage of high-risk vulnerabilities addressed B. Percentage of high-risk vulnerabilities missed C. Defined thresholds for high-risk vulnerabilities D. Number of high-risk vulnerabilities outstanding Suggested Answer: A
Which of the following is the BEST approach when a risk practitioner has been asked by a business unit manager for special consideration during a risk assessment of a system? A. Conduct an abbreviated version of the assessment. B. Recommend an internal auditor perform the review. C. Perform the assessment as it would normally be done. D. Report the business unit manager for a possible ethics violation. Suggested Answer: D
Upon learning that the number of failed back-up attempts continually exceeds the current risk threshold, the risk practitioner should: A. keep monitoring the situation as there is evidence that this is normal. B. adjust the risk threshold to better reflect actual performance. C. inquire about the status of any planned corrective actions. D. initiate corrective action to address the known deficiency. Suggested Answer: C
A highly regulated organization acquired a medical technology startup company that processes sensitive personal information with weak data protection controls. Which of the following is the BEST way for the acquiring company to reduce its risk while still enabling the flexibility needed by the startup company? A. Implement a firewall and isolate the environment from the parent company's network. B. Classify and protect the data according to the parent company's internal standards. C. Have the data privacy officer review the startup company's data protection policies. D. Identify previous data breaches using the startup company's audit reports. Suggested Answer: C
An organization has outsourced its billing function to an external service provider. Who should own the risk of customer data leakage caused by the service provider? A. The service provider B. Business process owner C. Vendor risk manager D. Legal counsel Suggested Answer: B
Which of the following is the MOST important component in a risk treatment plan? A. Target completion date B. Treatment plan ownership C. Treatment plan justification D. Technical details Suggested Answer: C
Which of the following is the BEST course of action to help reduce the probability of an incident recurring? A. Perform root cause analysis. B. Update the incident response plan. C. Perform a risk assessment. D. Initiate disciplinary action. Suggested Answer: A
An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access? A. IT service desk manager B. Access control manager C. Customer service manager D. Sales manager Suggested Answer: B
Which of the following would BEST assist in reconstructing the sequence of events following a security incident across multiple IT systems in the organization's network? A. Centralized log management B. Centralized vulnerability management C. Network monitoring infrastructure D. Incident management process Suggested Answer: A
Which of the following should be done FIRST when information is no longer required to support business objectives? A. Assess the information against the retention policy. B. Archive the information to a backup database. C. Securely and permanently erase the information. D. Protect the information according to the classification policy. Suggested Answer: A
A deficient control has been identified which could result in great harm to an organization should a low frequency threat event occur. When communicating the associated risk to senior management, the risk practitioner should explain: A. the current level of risk is within tolerance. B. mitigation plans for threat events should be prepared in the current planning period. C. an increase in threat events could cause a loss sooner than anticipated. D. this risk scenario is equivalent to more frequent, but lower impact risk scenarios. Suggested Answer: C
Which of the following is the MOST important reason to link an effective key control indicator (KCI) to relevant key risk indicators (KRIs)? A. To obtain business buy-in for investment in risk mitigation measures B. To monitor the accuracy of threshold levels in metrics C. To monitor changes in the risk environment D. To provide input to management for the adjustment of risk appetite Suggested Answer: B
Which of the following BEST facilitates the mitigation of identified gaps between current and desired risk environment states? A. Develop a risk treatment plan. B. Include the current and desired states in the risk register. C. Review results of prior risk assessments. D. Validate organizational risk appetite. Suggested Answer: A
The MOST important objective of information security controls is to: A. enforce strong security solutions. B. identify threats and vulnerabilities. C. provide measurable risk reduction. D. ensure alignment with industry standards. Suggested Answer: C
Which of the following controls BEST enables an organization to ensure a complete and accurate IT asset inventory? A. Requesting an asset list from business owners B. Prohibiting the use of personal devices for business C. Performing network scanning for unknown devices D. Documenting asset configuration baselines Suggested Answer: C
Which of the following scenarios represents a threat? A. Storing corporate data in unencrypted form on a laptop B. Visitors not signing in as per policy C. A virus transmitted on a USB thumb drive D. Connecting a laptop to a free, open, wireless access point (hotspot) Suggested Answer: A
Which of the following should be done FIRST when developing a data protection management plan? A. Identify critical data. B. Conduct a risk analysis. C. Perform a cost-benefit analysis. D. Establish a data inventory. Suggested Answer: D
An organization recently received an independent security audit report of its cloud service provider that indicates significant control weaknesses. What should be done NEXT in response to this report? A. Conduct a follow-up audit to verify the provider's control weaknesses. B. Review the contract to determine if penalties should be levied against the provider. C. Analyze the impact of the provider's control weaknesses to the business. D. Migrate all data to another compliant service provider. Suggested Answer: C
The MOST important reason for implementing change control procedures is to ensure: A. an audit trail exists. B. timely evaluation of change events. C. that emergency changes are logged. D. only approved changes are implemented. Suggested Answer: D
An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with: A. data quality. B. data privacy. C. data aggregation. D. data validation. Suggested Answer: B
Which of the following BEST measures the impact of business interruptions caused by an IT service outage? A. Duration of service outage B. Cost of remediation efforts C. Sustained financial loss D. Average time to recovery Suggested Answer: C
An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of: A. a lack of mitigating actions for identified risk. B. ineffective IT governance. C. ineffective service delivery. D. decreased threat levels. Suggested Answer: B
Which of the following is the BEST reason to use qualitative measures to express residual risk levels related to emerging threats? A. Qualitative measures are easier to update. B. Qualitative measures are better aligned to regulatory requirements. C. Qualitative measures are better able to incorporate expert judgment. D. Qualitative measures require less ongoing monitoring. Suggested Answer: C
When reporting on the performance of an organization's control environment, including which of the following would BEST inform stakeholders' risk decision-making? A. A report of deficiencies noted during controls testing B. Spend to date on mitigating control implementation C. A status report of control deployment D. The audit plan for the upcoming period Suggested Answer: A
Which of the following should be the MOST important consideration for senior management when developing a risk response strategy? A. Risk appetite B. Cost of controls C. Risk tolerance D. Probability definition Suggested Answer: C
Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management? A. Prioritizing internal departments that provide service to customers B. Ensuring the IT budget and resources focus on risk management C. Ensuring senior management's primary focus is on the impact of identified risk D. Aligning IT with short-term and long-term goals of the organization Suggested Answer: D
Which of the following is the MOST effective control to maintain the integrity of system configuration files? A. Implementing automated vulnerability scanning B. Restricting access to configuration documentation C. Recording changes to configuration files D. Monitoring against the configuration standard Suggested Answer: D
An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is MOST useful for this purpose? A. Capability maturity level B. Balanced scorecard C. Control self-assessment (CSA) D. Internal audit plan Suggested Answer: B
Which of the following is the STRONGEST indication an organization has ethics management issues? A. Employees face sanctions for not signing the organization's acceptable use policy. B. The organization has only two lines of defense. C. Internal IT auditors report to the chief information security officer (CISO). D. Employees do not report IT risk issues for fear of consequences. Suggested Answer: D
The BEST way to obtain senior management support for investment in a control implementation would be to articulate the reduction in: A. vulnerabilities. B. detected incidents. C. inherent risk. D. residual risk. Suggested Answer: C
Which of the following is the BEST way to manage the risk associated with malicious activities performed by database administrators (DBAs)? A. Activity logging and monitoring B. Awareness training and background checks C. Two-factor authentication D. Periodic access review Suggested Answer: A
Which of the following should be implemented to BEST mitigate the risk associated with infrastructure updates? A. Change management audit B. Change control process C. Role-specific technical training D. Risk assessment Suggested Answer: A
Which of the following methods is an example of risk mitigation? A. Outsourcing the IT activities and infrastructure B. Taking out insurance coverage for IT-related incidents C. Enforcing change and configuration management processes D. Not providing capability for employees to work remotely Suggested Answer: C
Which of the following is the MOST important objective of establishing an enterprise risk management (ERM) function within an organization? A. To have a standard risk management process for complying with regulations B. To ensure risk profiles are presented in a consistent format within the organization C. To have a unified approach to risk management across the organization D. To optimize risk management resources across the organization Suggested Answer: A
Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who: A. is accountable for loss if the risk materializes. B. is in charge of information security. C. is responsible for enterprise risk management (ERM). D. can implement remediation action plans. Suggested Answer: A
An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining: A. security logs to determine the cause of invalid login attempts. B. documentation indicating the intended users of the application. C. an access control matrix and approval from the user's manager. D. business purpose documentation and software license counts. Suggested Answer: B
A new international data privacy regulation requires personal data to be disposed of after the specified retention period, which is different from the local regulatory requirement. Which of the following is the risk practitioner's BEST recommendation to resolve the disparity? A. Adopt the international standard. B. Adopt the standard determined by legal counsel. C. Adopt the local standard. D. Adopt the least stringent standard determined by the risk committee. Suggested Answer: B
Which of the following should be the MAIN consideration when validating an organization's risk appetite? A. Cost of risk mitigation options. B. Maturity of the risk culture. C. Capacity to withstand loss. D. Comparison against regulations. Suggested Answer: B
Which of the following would MOST likely result in updates to an IT risk profile? A. Changes in senior management. B. Establishment of a risk committee. C. External audit findings. D. Feedback from focus groups. Suggested Answer: C
A risk practitioner notices a risk scenario associated with data loss at the organization's cloud provider is assigned to the provider. Who should the risk scenario be reassigned to? A. Chief risk officer B. Vendor manager C. Data owner D. Senior management Suggested Answer: C
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy? A. Information security director B. Internal audit director C. Chief information officer D. Chief financial officer Suggested Answer: A
Which of the following is MOST important for an organization that wants to reduce IT operational risk? A. Decentralizing IT infrastructure. B. Increasing the frequency of data backups. C. Increasing senior management's understanding of IT operations. D. Minimizing complexity of IT infrastructure. Suggested Answer: C
The MAIN goal of the risk analysis process is to determine the: A. potential severity of impact. B. control deficiencies. C. frequency and magnitude of loss. D. threats and vulnerabilities. Suggested Answer: D
An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system? A. Chief risk officer (CRO) B. IT controls manager C. Chief information security officer (CISO) D. Business process owner Suggested Answer: D
An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been: A. accepted. B. transferred. C. avoided. D. mitigated. Suggested Answer: A
Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements? A. Total cost of policy breaches. B. Total cost to support the policy. C. Number of exceptions to the policy. D. Number of inquiries regarding the policy. Suggested Answer: C
The PRIMARY purpose of a maturity model is to compare the: A. current state of key processes to their desired state. B. organization to peers. C. organization to industry best practices. D. actual KPIs with target KPIs. Suggested Answer: A
Which of the following is the MAIN reason for analyzing risk scenarios? A. Establishing a risk appetite B. Identifying additional risk scenarios C. Updating the heat map D. Assessing loss expectancy Suggested Answer: B
Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution? A. Facilitating risk-aware decision making by stakeholders. B. Demonstrating management commitment to mitigate risk. C. Closing audit findings on a timely basis. D. Ensuring compliance to industry standards. Suggested Answer: A
Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are: A. authorized to select risk mitigation options. B. independent from the business operations. C. accountable for the affected processes. D. members of senior management. Suggested Answer: B
Which of the following is the MOST important technology control to reduce the likelihood of fraudulent payments committed internally? A. Daily transaction reconciliation B. Role-based user access model C. Rule-based data analytics D. Automated access revocation Suggested Answer: A
Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)? A. Procuring a recovery site B. Conducting a business impact analysis (BIA) C. Assigning sensitivity levels to data D. Identifying the recovery response team Suggested Answer: B
Which of the following should be the FIRST consideration when a business unit wants to use personal information for a purpose other than for which it was originally collected? A. Informed consent B. Data breach protection C. Cross border controls D. Business impact analysis (BIA) Suggested Answer: A
Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness? A. To raise awareness of operational issues B. To identify control vulnerabilities C. To measure business exposure to risk D. To monitor the achievement of set objectives Suggested Answer: D
Which of the following BEST indicates whether security awareness training is effective? A. Course evaluation B. User behavior after training C. User self-assessment D. Quality of training materials Suggested Answer: B
A service provider is managing a client's servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider's MOST appropriate action would be to: A. develop a risk remediation plan overriding the client's decision. B. ask the client to document the formal risk acceptance for the provider. C. insist that the remediation occur for the benefit of other customers. D. make a note for this item in the next audit explaining the situation. Suggested Answer: B
Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application? A. Performance information in the log is encrypted. B. Control owners approve control changes. C. Objectives are confirmed with the business owner. D. End-user acceptance testing has been conducted. Suggested Answer: C
An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer? A. Project Alpha B. Project Bravo C. Project Charlie D. Project Delta Suggested Answer: C
Controls should be defined during the design phase of system development because: A. technical specifications are defined during this phase. B. structured programming techniques require that controls be designed before coding begins. C. it's more cost-effective to determine controls in the early design phase. D. structured analysis techniques exclude identification of controls. Suggested Answer: B
Which of the following will BEST support management reporting on risk? A. A risk register. B. Key performance indicators. C. Control self-assessment. D. Risk policy requirements. Suggested Answer: B
Which of the following provides the BEST evidence that a selected risk treatment plan is effective? A. Evaluating the residual risk level. B. Identifying key risk indicators (KRIs). C. Evaluating the return on investment (ROI). D. Performing a cost-benefit analysis. Suggested Answer: A
Which of the following conditions presents the GREATEST risk to an application? A. Application development is outsourced. B. Developers have access to the production environment. C. Source code is escrowed. D. Application controls are manual. Suggested Answer: D
To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation? A. The risk governance approach of the second and third lines of defense may differ. B. The independence of the internal third line of defense may be compromised. C. The new structure is not aligned to the organization's internal control framework. D. Cost reductions may negatively impact the productivity of other departments. Suggested Answer: B
Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit? A. Inspect external audit documentation. B. Review management's detailed action plans. C. Observe the control enhancements in operation. D. Interview control owners. Suggested Answer: C
Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting? A. Organizational reporting process. B. Incident reporting procedures. C. Regularly scheduled audits. D. Incident management policy. Suggested Answer: B
Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly? A. Time required for backup restoration testing. B. Change in size of data backed up. C. Successful completion of backup operations. D. Percentage of failed restore tests. Suggested Answer: D
Which of the following BEST indicates the efficiency of a process for granting access privileges? A. Average time to grant access privileges. B. Number of changes in access granted to users. C. Average number of access privilege exceptions. D. Number and type of locked obsolete accounts. Suggested Answer: A
Which of the following BEST indicates the effectiveness of anti-malware software? A. Number of staff hours lost due to malware attacks. B. Number of patches made to anti-malware software. C. Number of successful attacks by malicious software. D. Number of downtime hours in business-critical servers. Suggested Answer: A
When establishing an enterprise IT risk management program, it is MOST important to: A. review alignment with the organization's strategy. B. understand the organization's information security policy. C. validate the organization's data classification scheme. D. report identified IT risk scenarios to senior management. Suggested Answer: A
Which of the following is the BEST way to determine software license compliance? A. Conduct periodic compliance reviews. B. List non-compliant systems in the risk register. C. Monitor user software download activity. D. Review whistleblower reports of noncompliance. Suggested Answer: A
Which of the following is the GREATEST benefit of updating the risk register to include outcomes from a risk assessment? A. It facilitates timely risk-based decisions. B. It helps to mitigate internal and external risk factors. C. It validates the organization's risk appetite. D. It maintains evidence of compliance with risk policy. Suggested Answer: A
A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site? A. The alternative site does not reside on the same fault no matter how far the distance apart. B. The contingency plan provides for backup media to be taken to the alternative site. C. The contingency plan for high priority applications does not involve a shared cold site. D. The alternative site is a hot site with equipment ready to resume processing immediately. Suggested Answer: A
Which of the following provides the MOST important information to facilitate a risk response decision? A. Risk appetite. B. Industry best practices. C. Key risk indicators. D. Audit findings. Suggested Answer: C
Which of the following BEST contributes to the implementation of an effective risk response action plan? A. A business impact analysis. B. An IT tactical plan. C. Disaster recovery and continuity testing. D. Assigned roles and responsibilities. Suggested Answer: B
Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited? A. Preventive control B. Deterrent control C. Corrective control D. Detective control Suggested Answer: C
Which of the following is the MOST important reason to test new controls? A. To verify controls work as intended. B. To justify the cost of control investment. C. To identify exceptions that elevate risk. D. To ensure an accurate and up-to-date controls register. Suggested Answer: A
The BEST metric to monitor the risk associated with changes deployed to production is the percentage of: A. changes not requiring user acceptance testing. B. changes that cause incidents. C. changes due to emergencies. D. personnel that have rights to make changes in production. Suggested Answer: B
A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered? A. Regulatory requirements may differ in each country. B. Business advertising will need to be tailored by country. C. The data analysis may be ineffective in achieving objectives. D. Data sampling may be impacted by various industry restrictions. Suggested Answer: A
Which of the following should be the PRIMARY objective of a risk awareness training program? A. To promote awareness of the risk governance function. B. To clarify fundamental risk management principles. C. To enable risk-based decision making. D. To ensure sufficient resources are available. Suggested Answer: A
Which of the following is MOST important for evaluating the operational effectiveness of a newly implemented control? A. Continuous auditing techniques are used to ensure ongoing control monitoring. B. Control owners are conducting timely monitoring and reporting of the control results. C. The source data used for control performance is accurate and complete. D. Self-assessment testing results are regularly verified by independent control testers. Suggested Answer: A
An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes? A. Engage the legal department. B. Conduct a gap analysis. C. Implement compensating controls. D. Review the risk profile. Suggested Answer: B
What should a risk practitioner do NEXT if an ineffective key control is identified on a critical system? A. Revalidate the risk assessment. B. Escalate to senior management. C. Propose acceptance of the risk. D. Conduct a gap analysis. Suggested Answer: D
Performing a background check on a new employee candidate before hiring is an example of what type of control? A. Compensating B. Preventive C. Detective D. Corrective Suggested Answer: B
An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that: A. risk owners have decision-making authority. B. senior management has oversight of the process. C. segregation of duties exists between risk and process owners. D. process ownership aligns with IT system ownership. Suggested Answer: C
Which of the following would MOST likely require a risk practitioner to update the risk register? A. An alert being reported by the security operations center. B. Development of a project schedule for implementing a risk response. C. Engagement of a third party to conduct a vulnerability scan. D. Completion of a project for implementing a new control. Suggested Answer: D
A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action? A. Ask the business to make a budget request to remediate the problem. B. Research the types of attacks the threat can present. C. Determine the impact of the missing threat. D. Build a business case to remediate the fix. Suggested Answer: C
Which of the following is MOST important when developing key risk indicators (KRIs)? A. Availability of qualitative data. B. Alignment with regulatory requirements. C. Properly set thresholds. D. Alignment with industry benchmarks. Suggested Answer: B
Which of the following provides the MOST up-to-date information about the effectiveness of an organization's overall IT control environment? A. Periodic penetration testing. B. Key performance indicators (KPIs). C. Internal audit findings. D. Risk heat maps. Suggested Answer: D
Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact? A. Cost-benefit analysis. B. Incident probability. C. Risk magnitude. D. Risk appetite. Suggested Answer: C
Which of the following would be a risk practitioner's GREATEST concern related to the monitoring of key risk indicators (KRIs)? A. Logs are retained for a longer duration than the data retention policy requires. B. Logs are encrypted during transmission from the system to analysis tools. C. Logs are modified before analysis is conducted. D. Logs are collected from a small number of systems. Suggested Answer: D
The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of: A. new vulnerabilities identified. B. recurring vulnerabilities. C. vulnerabilities remediated. D. vulnerability scans. Suggested Answer: B
Which of the following is the PRIMARY purpose of analyzing log data collected from systems? A. To identify risk that may materialize. B. To facilitate incident investigation. C. To detect changes in risk ownership. D. To prevent incidents caused by materialized risk. Suggested Answer: A
Which of the following BEST indicates the condition of a risk management program? A. Number of controls. B. Amount of residual risk. C. Number of risk register entries. D. Level of financial support. Suggested Answer: B
A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern? A. Security of the test environment. B. Readability of test data. C. Sensitivity of the data. D. Availability of data to authorized staff. Suggested Answer: C
An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact? A. The reason some databases have not been encrypted. B. A list of unencrypted databases which contain sensitive data. C. The cost required to enforce encryption. D. The number of users who can access sensitive data. Suggested Answer: A
The PRIMARY purpose of IT control status reporting is to: A. assist internal audit in evaluating and initiating remediation efforts. B. ensure compliance with IT governance strategy. C. facilitate the comparison of the current and desired states. D. benchmark IT controls with industry standards. Suggested Answer: C
Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party? A. Obtain an objective view of process gaps and systemic errors. B. Ensure the risk profile is defined and communicated. C. Validate the threat management process. D. Obtain objective assessment of the control environment. Suggested Answer: A
Which of the following activities should be performed FIRST when establishing IT risk management processes? A. Conduct a high-level risk assessment based on the nature of business. B. Collect data of past incidents and lessons learned. C. Identify the risk appetite of the organization. D. Assess the goals and culture of the organization. Suggested Answer: D
Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan? A. Survey device owners. B. Review awareness training assessment results. C. Re-scan the user environment. D. Require annual end user policy acceptance. Suggested Answer: C
An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation? A. Analyze data protection methods. B. Understand data flows. C. Include a right-to-audit clause. D. Implement strong access controls. Suggested Answer: B
The FIRST task when developing a business continuity plan should be to: A. identify critical business functions and resources. B. determine data backup and recovery availability at an alternate site. C. define roles and responsibilities for implementation. D. identify recovery time objectives (RTOs) for critical business applications. Suggested Answer: A
Which of the following is the BEST indicator of the effectiveness of IT risk management processes? A. Time between when IT risk scenarios are identified and the enterprise's response. B. Percentage of business users completing risk training. C. Percentage of high-risk scenarios for which risk action plans have been developed. D. Number of key risk indicators (KRIs) defined. Suggested Answer: C
Which of the following should be a risk practitioner's NEXT step upon learning the organization is not in compliance with a specific legal regulation? A. Assess the likelihood and magnitude of the associated risk. B. Identify mitigation activities and compensating controls. C. Notify senior compliance executives of the associated risk. D. Determine the penalties for lack of compliance. Suggested Answer: A
Which of the following would be of GREATEST assistance when justifying investment in risk response strategies? A. Cost-benefit analysis B. Business impact analysis C. Total cost of ownership D. Resource dependency analysis Suggested Answer: A
Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system? A. Cost of the information control system. B. Cost versus benefit of additional mitigating controls. C. Annualized loss expectancy (ALE) for the system. D. Frequency of business impact. Suggested Answer: C
The BEST criteria when selecting a risk response is the: A. effectiveness of risk response options B. alignment of response to industry standards C. importance of IT risk within the enterprise D. capability to implement the response Suggested Answer: A
The BEST indication that risk management is effective is when risk has been reduced to meet: A. risk appetite B. risk capacity C. risk levels D. risk budgets Suggested Answer: A
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register? A. Aggregated risk may exceed the enterprise's risk appetite and tolerance. B. Duplicate resources may be used to manage risk registers. C. Standardization of risk management practices may be difficult to enforce. D. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales. Suggested Answer: D
Which of the following is MOST important to include in regulatory and risk updates when a new legal requirement affects the organization? A. Recommended key risk indicator (KRI) thresholds. B. Cost of changes to critical business processes. C. Risk associated with noncompliance. D. Time frame to remediate noncompliance risk. Suggested Answer: C
Who should be accountable for monitoring the control environment to ensure controls are effective? A. Risk owner B. Security monitoring operations C. Impacted data owner D. System owner Suggested Answer: B
Who is accountable for risk treatment? A. Risk owner B. Risk mitigation manager C. Enterprise risk management team D. Business process owner Suggested Answer: A
Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives? A. Updating the risk profile with risk assessment results. B. Assigning quantitative values to qualitative metrics in the risk register. C. Engaging external risk professionals to periodically review the risk. D. Prioritizing global standards over local requirements in the risk profile. Suggested Answer: B
The risk associated with a high-risk vulnerability in an application is owned by the: A. security department. B. vendor. C. business unit. D. IT department. Suggested Answer: C
Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity? A. Trends in IT resource usage. B. Increased resource availability. C. Trends in IT maintenance costs. D. Increased number of incidents. Suggested Answer: D
The PRIMARY goal of a risk management program is to: A. facilitate resource availability. B. safeguard corporate assets. C. help ensure objectives are met. D. help prevent operational losses. Suggested Answer: B
An organization's chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to: A. validate the CTO's decision with the business process owner. B. recommend that the CTO revisit the risk acceptance decision. C. identify key risk indicators (KRIs) for ongoing monitoring. D. update the risk register with the selected risk response. Suggested Answer: A
Which of the following is an example of the second line in the three lines of defense model? A. External auditors B. Internal auditors C. Risk management committee D. Risk owners Suggested Answer: C
A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to: A. evaluate whether selected controls are still appropriate. B. implement the planned controls and accept the remaining risk. C. suspend the current action plan in order to reassess the risk. D. revise the action plan to include additional mitigating controls. Suggested Answer: A
Mapping open risk issues to an enterprise risk heat map BEST facilitates: A. risk ownership. B. risk identification. C. risk response. D. control monitoring. Suggested Answer: A
After recent updates to the risk register, management has requested that the overall level of residual risk be reduced. Which of the following is the risk practitioner's BEST course of action? A. Prioritize remediation plans. B. Recommend the acceptance of low-level risk. C. Develop new risk action plans with risk owners. D. Implement additional controls. Suggested Answer: D
Which of the following is the MOST important topic to cover in a risk awareness training program for all staff? A. The risk department's roles and responsibilities. B. Policy compliance requirements and exceptions process. C. The organization's information security risk profile. D. Internal and external information security incidents. Suggested Answer: B
Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits? A. Implementing a process for ongoing monitoring of control effectiveness. B. Designing a process for risk owners to periodically review identified risk. C. Ensuring risk owners participate on a periodic control testing process. D. Building an organizational risk profile after updating the risk register. Suggested Answer: A
Which of the following is MOST important for maintaining the effectiveness of an IT risk register? A. Recording and tracking the status of risk response plans within the register. B. Communicating the register to key stakeholders. C. Performing regular reviews and updates to the register. D. Removing entries from the register after the risk has been treated. Suggested Answer: C
Which of the following should be a risk practitioner's NEXT action after identifying a high probability of data loss in a system? A. Conduct a control assessment. B. Purchase cyber insurance from a third party. C. Increase the frequency of incident reporting. D. Enhance the security awareness program. Suggested Answer: A
The PRIMARY objective for requiring an independent review of an organization's IT risk management process should be to: A. ensure IT risk management is focused on mitigating potential risk. B. confirm that IT risk assessment results are expressed as business impact. C. assess gaps in IT risk management operations and strategic focus. D. verify implemented controls to reduce the likelihood of threat materialization. Suggested Answer: C
After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners? A. To reevaluate continued use of IoT devices. B. To recommend changes to the IoT policy. C. To confirm the impact to the risk profile. D. To add new controls to mitigate the risk. Suggested Answer: C
Which of the following is the BEST indication of the effectiveness of a business continuity program? A. Business continuity tests are performed successfully and issues are addressed. B. Business continuity and disaster recovery plans are regularly updated. C. Business impact analyses (BIAs) are reviewed and updated in a timely manner. D. Business units are familiar with the business continuity plans (BCPs) and process. Suggested Answer: C
Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation? A. Investigate the root cause of noncompliance. B. Declare a security breach and inform management. C. Develop incident response procedure for noncompliance. D. Conduct a comprehensive compliance review. Suggested Answer: A
Which of the following is MOST important when discussing risk within an organization? A. Adopting a common risk taxonomy. B. Creating a risk communication policy. C. Using key performance indicators (KPIs). D. Using key risk indicators (KRIs). Suggested Answer: D
Which of the following tools is MOST helpful when mapping IT risk management outcomes to organizational objectives? A. Risk dashboard B. RACI chart C. Information security risk map D. Strategic business plan Suggested Answer: D
An organization has just started accepting credit card payments from customers via the corporate website. Which of the following is MOST likely to increase as a result of this new initiative? A. Risk appetite B. Residual risk C. Risk tolerance D. Inherent risk Suggested Answer: D
An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation? A. Implement database activity and capacity monitoring. B. Consider providing additional system resource to this job. C. Ensure the enterprise has a process to detect such situations. D. Ensure the business is aware of the risk. Suggested Answer: C
Which of the following can be used to assign a monetary value to risk? A. Annual loss expectancy (ALE) B. Business impact analysis C. Cost-benefit analysis D. Inherent vulnerabilities Suggested Answer: A
Which of the following would BEST help secure online financial transactions from improper users? A. Multi-factor authentication B. Periodic review of audit trails C. Multi-level authorization D. Review of log-in attempts Suggested Answer: A
Which of the following is the BEST indication that an organization is following a mature risk management process? A. Executive management receives periodic risk awareness training. B. Attributes of each risk scenario have been documented within the risk register. C. The risk register is frequently utilized for decision-making. D. A dashboard has been developed for senior management to provide real-time risk values. Suggested Answer: D
Which of the following BEST indicates that an organization has implemented IT performance requirements? A. Vendor references B. Accountability matrix C. Benchmarking data D. Service level agreements Suggested Answer: C
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions? A. It compares performance levels of IT assets to value delivered. B. It provides input to business managers when preparing a business case for new IT projects. C. It facilitates the alignment of strategic IT objectives to business objectives. D. It helps assess the effects of IT decisions on risk exposure. Suggested Answer: B
Which of the following roles would provide the MOST important input when identifying IT risk scenarios? A. Operational risk managers B. Internal auditors C. Information security managers D. Business process owners Suggested Answer: D
Accountability for a particular risk is BEST represented in a: A. risk register. B. RACI matrix. C. risk catalog. D. risk scenario. Suggested Answer: A
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs? A. Building correlations between logs collected from different sources B. Ensuring the control is proportional to the risk C. Implementing log analysis tools to automate controls D. Ensuring availability of resources for log analysis Suggested Answer: D
In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile? A. The asset profile B. Business objectives C. The control catalog D. Key risk indicators (KRIs) Suggested Answer: D
Which of the following should be included in a risk scenario to be used for risk analysis? A. Residual risk B. Risk tolerance C. Risk appetite D. Threat type Suggested Answer: D
The PRIMARY objective for selecting risk response options is to: A. minimize residual risk. B. reduce risk factors. C. reduce risk to an acceptable level. D. identify compensating controls. Suggested Answer: C
A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk: A. map. B. process. C. profile. D. strategy. Suggested Answer: C
A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change? A. Risk impact B. Risk trend C. Risk appetite D. Risk likelihood Suggested Answer: C
Which of the following would BEST help identify the owner for each risk scenario in a risk register? A. Allocating responsibility for risk factors equally to asset owners. B. Determining resource dependency of assets. C. Mapping identified risk factors to specific business processes. D. Determining which departments contribute most to risk. Suggested Answer: C
To effectively support business decisions, an IT risk register MUST: A. reflect the results of risk assessments. B. effectively support a business maturity model. C. be available to operational risk groups. D. be reviewed by the IT steering committee. Suggested Answer: B
Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective? A. A security breach occurs. B. Internal audit identifies recurring exceptions. C. Changes are put into production without management approval. D. A sample is used to validate the action plan. Suggested Answer: B
Which of the following issues regarding an organization's IT incident response plan would be the GREATEST concern? A. The incident response capability is outsourced. B. Teams are not operational until an incident occurs. C. Not all employees have attended incident response training. D. Roles and responsibilities are not clearly defined. Suggested Answer: D
Prudent business practice requires that risk appetite not exceed: A. risk capacity. B. inherent risk. C. risk tolerance. D. residual risk. Suggested Answer: A
Which of the following BEST illustrates the relationship of actual risk exposure to appetite? A. Residual risk that exceeds appetite. B. Risk events in the risk profile. C. Percentage of high risk scenarios. D. Controls that exceed risk appetite. Suggested Answer: D
Which of the following is MOST important to include when identifying risk scenarios for inclusion in a risk review of a third-party service provider? A. Open vendor issues. B. Purchasing agreements. C. Supplier questionnaires. D. Process mapping. Suggested Answer: D
The purpose of requiring source code escrow in a contractual agreement is to: A. ensure that the source code is available if the vendor ceases to exist. B. ensure the source code is available when bugs occur. C. review the source code for adequacy of controls. D. ensure that the source code is valid and exists. Suggested Answer: A
Which of the following will BEST help an organization evaluate the control environment of several third-party vendors? A. Review vendors' performance metrics on quality and delivery of processes. B. Review vendors' internal risk assessments covering key risk and controls. C. Obtain independent control reports from high-risk vendors. D. Obtain vendor references from third parties. Suggested Answer: A
Which of the following should an organization perform to forecast the effects of a disaster? A. Analyze capability maturity model gaps. B. Define recovery time objectives (RTOs). C. Develop a business impact analysis (BIA). D. Simulate a disaster recovery. Suggested Answer: C
Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment? A. Continuous monitoring and alerting. B. Access controls and active logging. C. Configuration management. D. Vulnerability scanning. Suggested Answer: A
Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management? A. To provide consistent and clear terminology B. To allow for proper review of risk tolerance C. To identify dependencies for reporting risk D. To enable consistent data on risk to be obtained Suggested Answer: B
An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold? A. Control owner B. IT security manager C. Risk owner D. IT system owner Suggested Answer: A
A rule-based data loss prevention (DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation? A. Risk velocity B. Risk impact C. Risk likelihood D. Risk appetite Suggested Answer: C
An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated to reflect this change? A. Risk tolerance B. Inherent risk C. Risk appetite D. Risk likelihood Suggested Answer: B
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register? A. Action plans to address risk scenarios requiring treatment B. The team that performed the risk assessment C. An assigned risk manager to provide oversight D. The methodology used to perform the risk assessment Suggested Answer: D
Which of the following is the MOST critical element to maximize the potential for a successful security implementation? A. Industry-leading security tools B. The organization's culture C. Ease of implementation D. The organization's knowledge Suggested Answer: B
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios? A. Bottom-up approach B. Cause-and-effect diagram C. Top-down approach D. Delphi technique Suggested Answer: D
Which of the following is the MAIN reason for documenting the performance of controls? A. Justifying return on investment B. Demonstrating effective risk mitigation C. Providing accurate risk reporting D. Obtaining management sign-off Suggested Answer: B
Which of the following is the MOST important element of a successful risk awareness training program? A. Mapping to a recognized standard B. Providing metrics for measurement C. Customizing content for the audience D. Providing incentives to participants Suggested Answer: B
Whether the results of risk analysis should be presented in quantitative or qualitative terms should be based PRIMARILY on the: A. specific risk analysis framework being used. B. results of the risk assessment. C. requirements of management. D. organizational risk tolerance. Suggested Answer: A
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response? A. Assess risk against business objectives. B. Implement an organization-specific risk taxonomy. C. Align business objectives to the risk profile. D. Explain risk details to management. Suggested Answer: C
Which of the following will BEST quantify the risk associated with malicious users in an organization? A. Business impact analysis B. Threat risk assessment C. Vulnerability assessment D. Risk analysis Suggested Answer: B
IT risk assessments can BEST be used by management: A. to measure organizational success. B. as input for decision-making. C. as a basis for cost-benefit analysis. D. for compliance with laws and regulations. Suggested Answer: B
Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register? A. Key risk indicators (KRIs) are developed for key IT risk scenarios. B. IT risk scenarios are developed in the context of organizational objectives. C. IT risk scenarios are assessed by the enterprise risk management team. D. Risk appetites for IT risk scenarios are approved by key business stakeholders. Suggested Answer: B
Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite? A. Decrease the number of related risk scenarios. B. Optimize the control environment. C. Realign risk appetite to the current risk level. D. Reduce the risk management budget. Suggested Answer: B
Which of the following is the MOST important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center? A. Number of key systems hosted B. Percentage of system availability C. Average response time to resolve system incidents D. Percentage of systems included in recovery processes Suggested Answer: B
A trusted third party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action? A. Perform an independent audit of the third party. B. Accept the risk based on the third party's risk assessment. C. Perform their own risk assessment. D. Implement additional controls to address the risk. Suggested Answer: A
From a business perspective, which of the following is the MOST important objective of a disaster recovery test? A. All business-critical systems are successfully tested. B. Errors are discovered in the disaster recovery process. C. All critical data is recovered within recovery time objectives (RTOs). D. The organization gains assurance it can recover from a disaster. Suggested Answer: D
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date? A. Risk questionnaire B. Risk register C. Compliance manual D. Management assertion Suggested Answer: B
Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk? A. Determining processes for monitoring the effectiveness of the controls B. Confirming to management the controls reduce the likelihood of the risk C. Updating the risk register to include the risk mitigation plan D. Ensuring that control design reduces risk to an acceptable level Suggested Answer: D
A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation? A. Mask data before being transferred to the test environment. B. Implement equivalent security in the test environment. C. Enable data encryption in the test environment. D. Prevent the use of production data for test purposes. Suggested Answer: B
Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated? A. Control chart B. Trend analysis C. Sensitivity analysis D. Decision tree Suggested Answer: D
Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development? A. Utilize the change management process. B. Validate functionality by running in a test environment. C. Perform an in-depth code review with an expert. D. Implement a service level agreement. Suggested Answer: C
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option? A. The risk practitioner B. The risk owner C. The control owner D. The business process owner Suggested Answer: A
Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis? A. Collecting logs from the entire set of IT systems B. Providing accurate logs in a timely manner C. Implementing an automated log analysis tool D. Obtaining logs in an easily readable format Suggested Answer: A
Who is the MOST appropriate owner for newly identified IT risk? A. The manager responsible for IT operations that will support the risk mitigation efforts B. The individual with the most IT risk-related subject matter knowledge C. The individual with authority to commit organizational resources to mitigate the risk D. A project manager capable of prioritizing the risk remediation efforts Suggested Answer: B
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session? A. Senior management allocation of risk management resources B. Senior management roles and responsibilities C. The organization's strategic risk management projects D. The organization's risk appetite and tolerance Suggested Answer: B
An IT license audit has revealed that there are several unlicensed copies of commercial applications installed on company laptops. The risk practitioner's BEST course of action would be to: A. immediately uninstall the unlicensed software from the laptops. B. procure the requisite licenses for the software to minimize business impact. C. report the issue to management so appropriate action can be taken. D. centralize administration rights on laptops so that installations are controlled. Suggested Answer: D
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss? A. Customer database manager B. Audit committee C. Data privacy officer D. Customer data custodian Suggested Answer: C
Which of the following BEST indicates effective information security incident management? A. Frequency of information security incident response plan testing B. Percentage of high risk security incidents C. Monthly trend of information security-related incidents D. Average time to identify critical information security incidents Suggested Answer: D
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)? A. Percentage of issues resolved as a result of DRP testing B. Number of users that participated in the DRP testing C. Number of issues identified during DRP testing D. Percentage of applications that met the recovery time objective (RTO) during DRP testing Suggested Answer: D
An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk? A. Classification of the data B. Type of device C. Remote management capabilities D. Volume of data Suggested Answer: C
Whose risk tolerance matters MOST when making a risk decision? A. Customers who would be affected by a breach B. The information security manager C. The business process owner of the exposed assets D. Auditors, regulators, and standards organizations Suggested Answer: D
Which of the following is the MOST effective way to mitigate identified risk scenarios? A. Document the risk tolerance of the organization. B. Assign ownership of the risk response plan. C. Provide awareness in early detection of risk. D. Perform periodic audits on identified risk areas. Suggested Answer: D
Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training? A. Conduct social engineering testing. B. Perform a vulnerability assessment. C. Audit security awareness training materials. D. Administer an end-of-training quiz. Suggested Answer: A
Which of the following is the MOST important outcome of reviewing the risk management process? A. Improving the competencies of employees who performed the review B. Assuring the risk profile supports the IT objectives C. Determining what changes should be made to IS policies to reduce risk D. Determining that procedures used in risk assessment are appropriate Suggested Answer: B
Which of the following is the MOST important characteristic of an effective risk management program? A. Risk response plans are documented. B. Key risk indicators are defined. C. Risk ownership is assigned. D. Controls are mapped to key risk scenarios. Suggested Answer: D
The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of: A. backup recovery requests. B. resources to monitor backups. C. restoration monitoring reports. D. recurring restore failures. Suggested Answer: C
When prioritizing risk response, management should FIRST: A. evaluate the organization's ability and expertise to implement the solution. B. evaluate the risk response of similar organizations. C. determine which risk factors have high remediation costs. D. address high risk factors that have efficient and effective solutions. Suggested Answer: A
Which of the following is the PRIMARY reason to perform ongoing risk assessments? A. The risk environment is subject to change. B. The information security budget must be justified. C. Emerging risk must be continuously reported to management. D. New system vulnerabilities emerge at frequent intervals. Suggested Answer: A
Which of the following is MOST critical when designing controls? A. Involvement of process owner B. Involvement of internal audit C. Identification of key risk indicators D. Quantitative impact of the risk Suggested Answer: D
An organization has procured a managed hosting service and just discovered the location is likely to be flooded every 20 years. Of the following, who should be notified of this new information FIRST? A. The risk owner who also owns the business service enabled by this infrastructure B. The site manager who is required to provide annual risk assessments under the contract C. The data center manager who is also employed under the managed hosting services contract D. The chief information officer (CIO) who is responsible for the hosted services Suggested Answer: A
Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders? A. Threat analysis B. Key risk indicators C. Risk scenarios D. Business impact analysis Suggested Answer: A
Which of the following would BEST provide early warning of a high-risk condition? A. Risk assessment B. Key risk indicator (KRI) C. Risk register D. Key performance indicator (KPI) Suggested Answer: B
Quantifying the value of a single asset helps the organization to understand the: A. necessity of developing a risk strategy. B. consequences of risk materializing. C. organization's risk threshold. D. overall effectiveness of risk management. Suggested Answer: A
Calculation of the recovery time objective (RTO) is necessary to determine the: A. annual loss expectancy (ALE). B. priority of restoration. C. point of synchronization. D. time required to restore files. Suggested Answer: B
When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making? A. A list of assets exposed to the highest risk B. Potential losses compared to treatment cost C. Recent audit and self-assessment results D. Risk action plans and associated owners Suggested Answer: B
What can be determined from the risk scenario chart? A. The multiple risk factors addressed by a chosen response B. Relative positions on the risk map C. Capability of enterprise to implement D. Risk treatment options Suggested Answer: A
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT: A. security policies. B. process maps. C. risk tolerance level. D. risk appetite. Suggested Answer: A
The MOST important characteristic of an organization's policies is to reflect the organization's: A. risk appetite. B. capabilities. C. asset value. D. risk assessment methodology. Suggested Answer: A
Which of the following is the BEST method for assessing control effectiveness? A. Ad hoc reporting B. Predictive analytics C. Continuous monitoring D. Control self-assessment Suggested Answer: B
The acceptance of control costs that exceed risk exposure MOST likely demonstrates: A. corporate culture alignment. B. corporate culture misalignment. C. low risk tolerance. D. high risk tolerance. Suggested Answer: B
A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk: A. management. B. analysis. C. culture. D. tolerance. Suggested Answer: C
The risk associated with an asset before controls are applied can be expressed as: A. the likelihood of a given threat. B. the magnitude of an impact. C. a function of the likelihood and impact. D. a function of the cost and effectiveness of controls. Suggested Answer: C
Malware has recently affected an organization. The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform: A. a vulnerability assessment. B. a root cause analysis. C. an impact assessment. D. a gap analysis. Suggested Answer: B
When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact? A. Require the vendor to have liability insurance. B. Perform a background check on the vendor. C. Require the vendor to sign a nondisclosure agreement. D. Clearly define the project scope. Suggested Answer: D
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management? A. Avoiding risks that could materialize into substantial losses B. Increasing organizational resources to mitigate risks C. Defining expectations in the enterprise risk policy D. Communicating external audit results Suggested Answer: C
An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management? A. Plans for mitigating the associated risk B. Suggestions for improving risk awareness training C. A recommendation for internal audit validation D. The impact to the organization's risk profile Suggested Answer: D
A risk practitioner is organizing a training session to communicate risk assessment methodologies to ensure a consistent risk view within the organization. Which of the following is the MOST important topic to cover in this training? A. Applying risk factors B. Applying risk appetite C. Understanding risk culture D. Referencing risk event data Suggested Answer: C
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to: A. identify key process owners. B. validate control process execution. C. determine if controls are effective. D. conduct a baseline assessment. Suggested Answer: D
A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response? A. The underlying data source for the KRI is using inaccurate data and needs to be corrected. B. The KRI threshold needs to be revised to better align with the organization's risk appetite. C. Senior management does not understand the KRI and should undergo risk training. D. The KRI is not providing useful information and should be removed from the KRI inventory. Suggested Answer: B
Which of the following should be the HIGHEST priority when developing a risk response? A. The risk response is accounted for in the budget. B. The risk response aligns with the organization's risk appetite. C. The risk response is based on a cost-benefit analysis. D. The risk response addresses the risk with a holistic view. Suggested Answer: C
Risk mitigation procedures should include: A. buying an insurance policy. B. acceptance of exposures. C. deployment of countermeasures. D. enterprise architecture implementation. Suggested Answer: C
Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security? A. Establishing e-discovery and data loss prevention (DLP) B. Sending notifications when near storage quota C. Implementing record retention tools and techniques D. Implementing a bring your own device (BYOD) policy Suggested Answer: B
Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process? A. Percentage of unpatched IT assets B. The number of IT assets procured during the previous month C. The number of IT assets securely disposed during the past year D. Percentage of IT assets without ownership Suggested Answer: C
The MAIN purpose of having a documented risk profile is to: A. enable well-informed decision making. B. comply with external and internal requirements. C. keep the risk register up-to-date. D. prioritize investment projects. Suggested Answer: A
Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization? A. A well-established risk management committee B. A robust risk aggregation tool set C. Well-documented and communicated escalation procedures D. Clearly defined roles and responsibilities Suggested Answer: D
Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan? A. Return on investment (ROI) B. Risk mitigation budget C. Cost-benefit analysis D. Business impact analysis (BIA) Suggested Answer: C
Which of the following is MOST critical to the design of relevant risk scenarios? A. The scenarios are linked to probable organizational situations. B. The scenarios are based on past incidents. C. The scenarios are aligned with risk management capabilities. D. The scenarios are mapped to incident management capabilities. Suggested Answer: A
Which of the following will BEST mitigate the risk associated with IT and business misalignment? A. Introducing an established framework for IT architecture B. Establishing business key performance indicators (KPIs) C. Involving the business process owner in IT strategy D. Establishing key risk indicators (KRIs) Suggested Answer: A
Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment? A. Redundant compensating controls are in place. B. Asset custodians are responsible for defining controls instead of asset owners. C. A high number of approved exceptions exist with compensating controls. D. Successive assessments have the same recurring vulnerabilities. Suggested Answer: D
An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner's BEST course of action? A. Revert the implemented mitigation measures until approval is obtained. B. Validate the adequacy of the implemented risk mitigation measures. C. Report the observation to the chief risk officer (CRO). D. Update the risk register with the implemented risk mitigation actions. Suggested Answer: A
Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite? A. Execute the risk response plan. B. Analyze the effectiveness of controls. C. Maintain the current controls. D. Review risk tolerance levels. Suggested Answer: B
A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management? A. Planned remediation actions B. The network security policy C. The WiFi access point configuration D. Potential business impact Suggested Answer: D
Which of the following would be a risk practitioner's BEST recommendation for preventing cyber intrusion? A. Implement data loss prevention (DLP) tools. B. Implement network segregation. C. Establish a cyber response plan. D. Strengthen vulnerability remediation efforts. Suggested Answer: A
Which of the following should be the risk practitioner's PRIMARY focus when determining whether controls are adequate to mitigate risk? A. Cost-benefit analysis B. Sensitivity analysis C. Level of residual risk D. Risk appetite Suggested Answer: C
An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the: A. business process owner. B. chief information officer. C. project manager. D. chief risk officer. Suggested Answer: A
The MAIN reason for creating and maintaining a risk register is to: A. account for identified key risk factors. B. ensure assets have low residual risk. C. define the risk assessment methodology. D. assess effectiveness of different projects. Suggested Answer: A
A risk practitioner's PRIMARY focus when validating a risk response action plan should be that risk response: A. advances business objectives. B. quantifies risk impact. C. reduces risk to an acceptable level. D. aligns with business strategy. Suggested Answer: D
Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)? A. Leveraging existing metrics B. Optimizing risk treatment decisions C. Obtaining buy-in from risk owners D. Improving risk awareness Suggested Answer: C
Which of the following would BEST help to ensure that identified risk is efficiently managed? A. Reviewing the maturity of the control environment B. Maintaining a key risk indicator for each asset in the risk register C. Regularly monitoring the project plan D. Periodically reviewing controls per the risk treatment plan Suggested Answer: A
After identifying new risk events during a project, the project manager's NEXT step should be to: A. continue with a quantitative risk analysis. B. determine if the scenarios need to be accepted or responded to. C. continue with a qualitative risk analysis. D. record the scenarios in the risk register. Suggested Answer: A
An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations? A. The organization's vendor management office B. The organization's management C. The control operators at the third party D. The third party's management Suggested Answer: B
IT management has asked for a consolidated view into the organization's risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful? A. List of key risk indicators B. Internal audit reports C. IT risk register D. List of approved projects Suggested Answer: C
In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data? A. Evaluating each of the data sources for vulnerabilities B. Establishing an intellectual property agreement C. Benchmarking to industry best practice D. Periodically reviewing big data strategies Suggested Answer: A
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register? A. Using a consistent method for risk assessment B. Developing risk escalation and reporting procedures C. Maintaining up-to-date risk treatment plans D. Aligning risk ownership and control ownership Suggested Answer: A
Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training? A. Reviewing content with senior management B. Using reputable third-party training programs C. Piloting courses with focus groups D. Creating modules for targeted audiences Suggested Answer: D
Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation? A. Inherent risk is increased. B. Risk tolerance is decreased. C. Risk appetite is decreased. D. Residual risk is increased. Suggested Answer: D
Which of the following is the GREATEST benefit of analyzing logs collected from different systems? A. Developing threats are detected earlier. B. Forensic investigations are facilitated. C. Security violations can be identified. D. A record of incidents is maintained. Suggested Answer: D
Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process? A. Average time to provision user accounts B. Password reset volume per month C. Number of tickets for provisioning new accounts D. Average account lockout time Suggested Answer: A
When developing a new risk register, a risk practitioner should focus on which of the following risk management activities? A. Risk response planning B. Risk identification C. Risk monitoring and control D. Risk management strategy planning Suggested Answer: C
The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager's BEST approach to this request before sharing the register? A. Determine the purpose of the request. B. Require a nondisclosure agreement. C. Sanitize portions of the register. D. Escalate to senior management. Suggested Answer: A
Which of the following is MOST effective against external threats to an organization's confidential information? A. Single sign-on B. Strong authentication C. Data integrity checking D. Intrusion detection system Suggested Answer: D
Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications? A. Include information security control specifications in business cases. B. Identify key risk indicators (KRIs) as process output. C. Identify information security controls in the requirements analysis. D. Design key performance indicators (KPIs) for security in system specifications. Suggested Answer: C
A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk? A. Business continuity director B. Business application owner C. Disaster recovery manager D. Data center manager Suggested Answer: B
The GREATEST concern when maintaining a risk register is that: A. executive management does not perform periodic reviews. B. significant changes in risk factors are excluded. C. IT risk is not linked with IT assets. D. impacts are recorded in qualitative terms. Suggested Answer: B
Which of the following would BEST help an enterprise prioritize risk scenarios? A. Industry best practices B. Degree of variances in the risk C. Cost of risk mitigation D. Placement on the risk map Suggested Answer: D
Which of the following is MOST useful when communicating risk to management? A. Risk policy B. Risk map C. Maturity model D. Audit report Suggested Answer: B
Which of the following should be the PRIMARY input when designing IT controls? A. Internal and external risk reports B. Outcome of control self-assessments C. Benchmark of industry standards D. Recommendations from IT risk experts Suggested Answer: A
A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied? A. Record the risk as accepted in the risk register. B. Obtain the risk owner's approval. C. Inform senior management. D. Update the risk response plan. Suggested Answer: B
Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data? A. Conduct an awareness program for data owners and users B. Maintain and review the classified data inventory C. Implement mandatory encryption on data D. Define and implement a data classification policy Suggested Answer: A
Which of the following would BEST ensure that identified risk scenarios are addressed? A. Performing real-time monitoring of threats B. Creating a separate risk register for key business units C. Performing regular risk control self-assessments D. Reviewing the implementation of the risk response Suggested Answer: D
The MOST effective approach to prioritize risk scenarios is by: A. assessing impact to the strategic plan. B. soliciting input from risk management experts. C. aligning with industry best practices. D. evaluating the cost of risk response. Suggested Answer: A
Which of the following is the MAIN reason to continuously monitor IT-related risk? A. To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance B. To redefine the risk appetite and risk tolerance levels based on changes in risk factors C. To help identify root causes of incidents and recommend suitable long-term solutions D. To update the risk register to reflect changes in levels of identified and new IT-related risk Suggested Answer: A
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action? A. Perform a root cause analysis B. Conduct an immediate risk assessment C. Invoke the established incident response plan D. Inform internal audit Suggested Answer: D
Which of the following is the MOST important consideration when sharing risk management updates with executive management? A. Using an aggregated view of organizational risk B. Relying on key risk indicator (KRI) data C. Ensuring relevance to organizational goals D. Including trend analysis of risk metrics Suggested Answer: C
During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns? A. Recommend the formation of an executive risk council to oversee IT risk B. Provide an estimate of IT system downtime if IT risk materializes C. Describe IT risk scenarios in terms of business risk D. Educate business executives on IT risk concepts Suggested Answer: C
An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern? A. Email infrastructure does not have proper rollback plans B. Sufficient resources are not assigned to IT development projects C. The corporate email system does not identify and store phishing emails D. Customer support help desk staff does not have adequate training Suggested Answer: B
Which of the following is MOST effective in continuous risk management process improvement? A. Policy updates B. Periodic assessments C. Awareness training D. Change management Suggested Answer: B
While reviewing a cloud services vendor's contract, a risk practitioner discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach? A. Engaging a third party to validate operational controls B. Using the same cloud vendor as a competitor C. Using field-level encryption with a vendor-supplied key D. Ensuring the vendor does not know the encryption key Suggested Answer: A
When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the: A. investment portfolio. B. alignment with risk appetite. C. key performance indicators (KPIs). D. cost-benefit analysis. Suggested Answer: D
After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry? A. Notify the business at the next risk briefing B. Obtain industry benchmarks related to the specific risk C. Provide justification for the lower risk rating D. Reopen the risk issue and complete a full assessment Suggested Answer: C
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment? A. An increase in control vulnerabilities B. An increase in inherent risk C. A decrease in control layering effectiveness D. An increase in the level of residual risk Suggested Answer: B
Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program? A. Number of incidents originating from BYOD devices B. Budget allocated to the BYOD program security controls C. Number of devices enrolled in the BYOD program D. Number of users who have signed a BYOD acceptable use policy Suggested Answer: A
The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to: A. ensure business unit risk is uniformly distributed. B. build a risk profile for management review. C. quantify the organization's risk appetite. D. implement uniform controls for common risk scenarios. Suggested Answer: B
Which of the following is the MOST relevant input to an organization's risk profile? A. External audit's risk assessment B. Management's risk self-assessment C. Internal audit's risk assessment D. Information security's vulnerability assessment Suggested Answer: A
The annualized loss expectancy (ALE) method of risk analysis: A. uses qualitative risk rankings such as low, medium, and high. B. can be used to determine the indirect business impact. C. helps in calculating the expected cost of controls. D. can be used in a cost-benefit analysis. Suggested Answer: D
An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation? A. Data owners B. Data custodians C. Data controllers D. Data processors Suggested Answer: B
An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity? A. Service level agreement B. Right to audit the provider C. Customer service reviews D. Scope of services provided Suggested Answer: A
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action? A. Invoke the disaster recovery plan (DRP) during an incident B. Reduce the recovery time by strengthening the response team C. Prepare a cost-benefit analysis of alternatives available D. Implement redundant infrastructure for the application Suggested Answer: D
Which of the following is MOST helpful in identifying new risk exposures due to changes in the business environment? A. Industry benchmarking B. Standard operating procedures C. Control gap analysis D. SWOT analysis Suggested Answer: D
During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT? A. Complete a risk exception form B. Report the gap to senior management C. Consult with the business owner to update the BCP D. Consult with the IT department to update the RTO Suggested Answer: B
A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information? A. Risk appetite statement B. Risk management policies C. Risk register D. Enterprise risk management framework Suggested Answer: D
Which of the following helps ensure compliance with a non-repudiation policy requirement for electronic transactions? A. Digital signatures B. Digital certificates C. One-time passwords D. Encrypted passwords Suggested Answer: A
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that: A. no action is required as there was no impact B. a root cause analysis is required C. hardware needs to be upgraded D. controls are effective for ensuring continuity Suggested Answer: D
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds? A. A control self-assessment B. Benchmarking against peers C. Transaction logging D. Continuous monitoring Suggested Answer: D
Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment? A. A quantitative presentation of risk assessment results B. A qualitative presentation of risk assessment results C. A comparison of risk assessment results to the desired state D. An assessment of organizational maturity levels and readiness Suggested Answer: C
A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to: A. obtain management approval for policy exception B. continue the implementation with no changes C. develop an improved password software routine D. select another application with strong password controls Suggested Answer: C
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system? A. Control owner B. Risk owner C. Data owner D. System owner Suggested Answer: D
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of an anti-virus program? A. Frequency of anti-virus software updates B. Number of alerts generated by the anti-virus software C. Percentage of IT assets with current malware definitions D. Number of false positives detected over a period of time Suggested Answer: C
A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology? A. Business process owner B. Chief financial officer (CFO) C. Chief risk officer (CRO) D. IT system owner Suggested Answer: A
Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)? A. Monitoring key access control performance indicators B. Updating multi-factor authentication C. Analyzing access control logs for suspicious activity D. Revising the service level agreement (SLA) Suggested Answer: A
Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure? A. Comparison against best practice B. Relevance to the business process C. Regulatory compliance requirements D. Cost-benefit analysis Suggested Answer: D
Which of the following controls will BEST detect unauthorized modification of data by a database administrator? A. Reviewing database access rights B. Reviewing changes to edit checks C. Comparing data to input records D. Reviewing database activity logs Suggested Answer: C
Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile? A. Design and implement risk response action plans B. Align business objectives with risk appetite C. Enable risk-based decision making D. Update risk responses in the risk register Suggested Answer: C
Which of the following risk register updates is MOST important for senior management to review? A. Avoiding a risk that was previously accepted B. Extending the date of a future action plan by two months C. Retiring a risk scenario no longer used D. Changing a risk owner Suggested Answer: B
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management? A. To continuously improve risk management processes B. To build an organizational risk-aware culture C. To comply with legal and regulatory requirements D. To identify gaps in risk management practices Suggested Answer: A
A risk practitioner is assisting with the preparation of a report on the organization's disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile? A. The percentage of systems meeting recovery target times has increased B. The number of systems requiring a recovery plan has increased C. The number of systems tested in the last year has increased D. The percentage of systems with long recovery target times has decreased Suggested Answer: B
While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the: A. control is ineffective and should be strengthened B. risk is inefficiently controlled C. risk is efficiently controlled D. control is weak and should be removed Suggested Answer: B
Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring? A. Frequency of failure of control B. Contingency plan for residual risk C. Cost-benefit analysis of automation D. Impact due to failure of control Suggested Answer: D
A review of an organization's controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted? A. Risk appetite B. Residual risk C. Key risk indicators (KRIs) D. Inherent risk Suggested Answer: B
During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action? A. Communicate the decision to the risk owner for approval B. Identify an owner for the new control C. Modify the action plan in the risk register D. Seek approval from the previous action plan manager Suggested Answer: B
A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss? A. Implement a tool to create and distribute violation reports B. Block unencrypted outgoing emails which contain sensitive data C. Implement a progressive disciplinary process for email violations D. Raise awareness of encryption requirements for sensitive data Suggested Answer: B
Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST: A. reallocate risk response resources B. review the key risk indicators C. conduct a risk analysis D. update the risk register Suggested Answer: C
Which of the following would be considered a vulnerability? A. Delayed removal of employee access B. Corruption of files due to malware C. Authorized administrative access to HR files D. Server downtime due to a denial of service (DoS) attack Suggested Answer: A
Which of the following tools is MOST effective in identifying trends in the IT risk profile? A. Risk dashboard B. Risk register C. Risk self-assessment D. Risk map Suggested Answer: D
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to: A. inform the IT manager of the concerns and propose measures to reduce them B. inform the process owner of the concerns and propose measures to reduce them C. inform the development team of the concerns, and together formulate risk reduction measures D. recommend a program that minimizes the concerns of that production system Suggested Answer: B
A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action? A. Implement a process improvement and replace the old risk register B. Outsource the process for updating the risk register C. Identify changes in risk factors and initiate risk reviews D. Engage an external consultant to redesign the risk management process Suggested Answer: C
Reviewing results from which of the following is the BEST way to identify information systems control deficiencies? A. Control self-assessment (CSA) B. Vulnerability and threat analysis C. User acceptance testing (UAT) D. Control remediation planning Suggested Answer: B
Which of the following would prompt changes in key risk indicator (KRI) thresholds? A. Changes in risk appetite or tolerance B. Modification to risk categories C. Knowledge of new and emerging threats D. Changes to the risk register Suggested Answer: A
Which of the following is MOST important for a risk practitioner to provide to the internal audit department during the audit planning process? A. Closed management action plans from the previous audit B. Annual risk assessment results C. An updated vulnerability management report D. A list of identified generic risk scenarios Suggested Answer: B
Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process? A. User provisioning B. Security log monitoring C. Entitlement reviews D. Role-based access controls Suggested Answer: A
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk: A. treatment B. identification C. communication D. assessment Suggested Answer: D
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy? A. Ensuring the inclusion of all computing resources as log sources B. Ensuring time synchronization of log sources C. Ensuring read-write access to all log sources D. Ensuring the inclusion of external threat intelligence log sources Suggested Answer: B
The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to: A. focus on the business drivers B. reference best practice C. benchmark with competitors' actions D. align with audit results Suggested Answer: A
Which of the following is the MOST cost-effective way to test a business continuity plan? A. Conduct a tabletop exercise B. Conduct interviews with key stakeholders C. Conduct a disaster recovery exercise D. Conduct a full functional exercise Suggested Answer: A
Which of the following is the MOST important consideration when developing an organization's risk taxonomy? A. IT strategy B. Leading industry frameworks C. Business context D. Regulatory requirements Suggested Answer: C
Who should be accountable for ensuring effective cybersecurity controls are established? A. Security management function B. Enterprise risk function C. Risk owner D. IT management Suggested Answer: C
Which of the following can be interpreted from a single data point on a risk heat map? A. Risk appetite B. Risk magnitude C. Risk response D. Risk tolerance Suggested Answer: B
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to: A. provide a current reference to stakeholders for risk-based decisions B. minimize the number of risk scenarios for risk assessment C. aggregate risk scenarios identified across different business units D. build a threat profile of the organization for management review Suggested Answer: A
Which of the following BEST measures the efficiency of an incident response process? A. Number of incidents lacking responses B. Number of incidents escalated to management C. Average time between changes and updating of escalation matrix D. Average gap between actual and agreed response times Suggested Answer: D
Which of the following is the MOST common concern associated with outsourcing to a service provider? A. Combining incompatible duties B. Unauthorized data usage C. Denial of service (DoS) attacks D. Lack of technical expertise Suggested Answer: B
An effective control environment is BEST indicated by controls that: A. minimize senior management's risk tolerance B. manage risk within the organization's risk appetite C. are cost-effective to implement D. reduce the thresholds of key risk indicators (KRIs) Suggested Answer: D
Which of the following attributes of a key risk indicator (KRI) is MOST important? A. Repeatable B. Qualitative C. Automated D. Quantitative Suggested Answer: D
An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action? A. Develop a compensating control B. Identify risk responses C. Allocate remediation resources D. Perform a cost-benefit analysis Suggested Answer: A
Which of the following statements BEST describes risk appetite? A. Acceptable variation between risk thresholds and business objectives B. The amount of risk an organization is willing to accept C. The effective management of risk and internal control environments D. The acceptable variation relative to the achievement of objectives Suggested Answer: B
A contract associated with a cloud service provider MUST include: A. a business recovery plan B. ownership of responsibilities C. provision for source code escrow D. the provider's financial statements Suggested Answer: B
Which of the following is MOST helpful in aligning IT risk with business objectives? A. Performing a business impact analysis (BIA) B. Integrating the results of top-down risk scenario analyses C. Introducing an approved IT governance framework D. Implementing a risk classification system Suggested Answer: C
Establishing an organizational code of conduct is an example of which type of control? A. Directive B. Preventive C. Detective D. Compensating Suggested Answer: A
Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees? A. An increase in the number of identified system flaws B. A reduction in the number of help desk calls C. An increase in the number of incidents reported D. A reduction in the number of user access resets Suggested Answer: C
Which of the following is the BEST way to validate the results of a vulnerability assessment? A. Perform a penetration test B. Perform a root cause analysis C. Conduct a threat analysis D. Review security logs Suggested Answer: A
Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)? A. Audit reports from internal information systems audits B. Directives from legal and regulatory authorities C. Trend analysis of external risk factors D. Automated logs collected from different systems Suggested Answer: D
Which of the following is a risk practitioner's BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile? A. Conduct cyber risk awareness training tailored specifically for senior management B. Implement a cyber risk program based on industry best practices C. Manage cyber risk according to the organization's risk management framework D. Define cyber roles and responsibilities across the organization Suggested Answer: C
Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives? A. Process owners B. IT management C. Senior management D. Internal audit Suggested Answer: A
It is MOST appropriate for changes to be promoted to production after they are: A. approved by the business owner B. tested by business owners C. communicated to business management D. initiated by business users Suggested Answer: A
Which of the following BEST enables the identification of trends in risk levels? A. Measurements for key risk indicators (KRIs) are repeatable B. Qualitative definitions for key risk indicators (KRIs) are used C. Quantitative measurements are used for key risk indicators (KRIs) D. Correlation between risk levels and key risk indicators (KRIs) is positive Suggested Answer: D
To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place? A. Automated data feed B. Controls monitoring C. Escalation procedures D. Threshold definition Suggested Answer: B
Which of the following would MOST likely result in updates to an IT risk appetite statement? A. Changes in senior management B. External audit findings C. Feedback from focus groups D. Self-assessment reports Suggested Answer: B
Which of the following would be MOST helpful to understand the impact of a new technology system on an organization's current risk profile? A. Conduct a gap analysis B. Review existing risk mitigation controls C. Perform a risk assessment D. Hire consultants specializing in the new technology Suggested Answer: D
Which of the following is the PRIMARY factor in determining a recovery time objective (RTO)? A. Response time of the emergency action plan B. Cost of downtime due to a disaster C. Cost of offsite backup premises D. Cost of testing the business continuity plan Suggested Answer: B
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to: A. clearly define the project scope B. perform background checks on the vendor C. notify network administrators before testing D. require the vendor to sign a nondisclosure agreement (NDA) Suggested Answer: A
From a risk management perspective, the PRIMARY objective of using maturity models is to enable: A. solution delivery B. strategic alignment C. resource utilization D. performance evaluation Suggested Answer: D
Which of the following is the BEST indication of an effective risk management program? A. Risk action plans are approved by senior management B. Mitigating controls are designed and implemented C. Residual risk is within the organizational risk appetite D. Risk is recorded and tracked in the risk register Suggested Answer: B
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management? A. An increase in attempted distributed denial of service (DDoS) attacks B. An increase in attempted website phishing attacks C. A decrease in remediated web security vulnerabilities D. A decrease in achievement of service level agreements (SLAs) Suggested Answer: A
Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term? A. Review the risk register and risk scenarios B. Calculate annualized loss expectancy of risk scenarios C. Raise the maturity of organizational risk management D. Perform a return on investment analysis Suggested Answer: B
Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process? A. The number of resolved security incidents B. The number of security incidents escalated to senior management C. The number of newly identified security incidents D. The number of recurring security incidents Suggested Answer: D
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement: A. encryption for data at rest B. encryption for data in motion C. two-factor authentication D. continuous data backup controls Suggested Answer: D
Which of the following would be MOST useful when measuring the progress of a risk response action plan? A. Resource expenditure against budget B. An up-to-date risk register C. Percentage of mitigated risk scenarios D. Annual loss expectancy (ALE) changes Suggested Answer: C
An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage? A. Implement an encryption policy for the hard drives B. Require the vendor to degauss the hard drives C. Use an accredited vendor to dispose of the hard drives D. Require confirmation of destruction from the IT manager Suggested Answer: A
When evaluating enterprise IT risk management, it is MOST important to: A. create new control processes to reduce identified IT risk scenarios B. review alignment with the organization's investment plan C. report identified IT risk scenarios to senior management D. confirm the organization's risk appetite and tolerance Suggested Answer: B
Which of the following is MOST important to communicate to senior management during the initial implementation of a risk management program? A. Risk ownership B. Best practices C. Desired risk level D. Regulatory compliance Suggested Answer: C
Which of the following should be management's PRIMARY consideration when approving risk response action plans? A. Prioritization for implementing the action plans B. Ability of the action plans to address multiple risk scenarios C. Ease of implementing the risk treatment solution D. Changes in residual risk after implementing the plans Suggested Answer: A
An unauthorized individual has socially engineered entry into an organization's secured physical premises. Which of the following is the BEST way to prevent future occurrences? A. Require security access badges B. Employ security guards C. Install security cameras D. Conduct security awareness training Suggested Answer: D
A risk owner should be the person accountable for: A. implementing actions B. managing controls C. the risk management process D. the business process Suggested Answer: A
Which of the following is the MOST effective key performance indicator (KPI) for change management? A. Percentage of successful changes B. Number of changes implemented C. Percentage of changes with a fallback plan D. Average time required to implement a change Suggested Answer: A
Which of the following is the BEST way to identify changes to the risk landscape? A. Access reviews B. Root cause analysis C. Internal audit reports D. Threat modeling Suggested Answer: D
Which of the following is the BEST evidence that a user account has been properly authorized? A. Notification from human resources that the account is active B. Formal approval of the account by the user's manager C. User privileges matching the request form D. An email from the user accepting the account Suggested Answer: C
Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite? A. Risk likelihood and impact B. Risk velocity C. Inherent risk D. Key risk indicator (KRI) thresholds Suggested Answer: D
Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization? A. Login attempts are reconciled to a list of terminated employees B. A process to remove employee access during the exit interview is implemented C. The human resources (HR) system automatically revokes system access D. A list of terminated employees is generated for reconciliation against current IT access Suggested Answer: D
Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios? A. Gather scenarios from senior management B. Derive scenarios from IT risk policies and standards C. Benchmark scenarios against industry peers D. Map scenarios to a recognized risk management framework Suggested Answer: D
Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss? A. Implement penetration testing and session timeouts B. Implement remote monitoring C. Enforce strong passwords and data encryption D. Enable data wipe capabilities Suggested Answer: C
Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios? A. Evaluating risk impact B. Creating quarterly risk reports C. Establishing key performance indicators (KPIs) D. Conducting internal audits Suggested Answer: C
Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register? A. Corporate incident escalation protocols are established B. The organization-wide control budget is expanded C. Exposure is integrated into the organization's risk profile D. Risk appetite cascades to business unit management Suggested Answer: C
Risk management strategies are PRIMARILY adopted to: A. achieve compliance with legal requirements B. take necessary precautions for claims and losses C. avoid risk for business and IT assets D. achieve acceptable residual risk levels Suggested Answer: B
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites? A. Utilizing data loss prevention technology B. Scanning the Internet to search for unauthorized usage C. Monitoring the enterprise's use of the Internet D. Developing training and awareness campaigns Suggested Answer: B
Which of the following is the GREATEST risk associated with using unmasked data for testing purposes? A. Confidentiality B. Integrity C. Availability D. Accountability Suggested Answer: A
An organization is implementing encryption for data at rest to reduce the risk associated with unauthorized access. Which of the following MUST be considered to assess the residual risk? A. Data destruction requirements B. Cloud storage architecture C. Data retention requirements D. Key management Suggested Answer: D
Which of the following is a KEY outcome of risk ownership? A. Risk-related information is communicated B. Risk responsibilities are addressed C. Risk-oriented tasks are defined D. Business process risk is analyzed Suggested Answer: B
Which of the following should be an element of the risk appetite of an organization? A. The enterprise's capacity to absorb loss B. The effectiveness of compensating controls C. The amount of inherent risk considered appropriate D. The residual risk affected by preventive controls Suggested Answer: A
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process? A. Percentage of vulnerabilities remediated within the agreed service level B. Number of vulnerabilities identified during the period C. Number of vulnerabilities re-opened during the period D. Percentage of vulnerabilities escalated to senior management Suggested Answer: A
An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact? A. Number of customer records held B. Number of databases that host customer data C. Number of encrypted customer databases D. Number of staff members having access to customer data Suggested Answer: D
An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been: A. accepted B. mitigated C. transferred D. avoided Suggested Answer: A
A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to: A. collaborate with management to meet compliance requirements B. conduct a gap analysis against compliance criteria C. identify necessary controls to ensure compliance D. modify internal assurance activities to include control validation Suggested Answer: A
What is the BEST information to present to business control owners when justifying costs related to controls? A. Return on IT security-related investments B. The previous year's budget and actuals C. Industry benchmarks and standards D. Loss event frequency and magnitude Suggested Answer: D
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis? A. Inherent risk might not be considered B. Implementation costs might increase C. Risk factors might not be relevant to the organization D. Quantitative analysis might not be possible Suggested Answer: C
An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios? A. Audit findings B. Expected losses C. Cost-benefit analysis D. Organizational threats Suggested Answer: D
For the first time, the procurement department has requested that IT grant remote access to third-party suppliers. Which of the following is the BEST course of action for IT in responding to the request? A. Propose a solution after analyzing IT risk B. Design and implement key authentication controls C. Design and implement a secure remote access process D. Adapt internal standards to fit the new business case Suggested Answer: A
Which of the following is the BEST control to detect an advanced persistent threat (APT)? A. Monitoring social media activities B. Conducting regular penetration tests C. Utilizing antivirus systems and firewalls D. Implementing automated log monitoring Suggested Answer: B
What is the PRIMARY reason to periodically review key performance indicators (KPIs)? A. Identify trends B. Optimize resources needed for controls C. Ensure compliance D. Promote a risk-aware culture Suggested Answer: B
Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures? A. Internal audit findings B. Relevant risk case studies C. Risk assessment results D. Penetration testing results Suggested Answer: C
Which of the following controls would BEST decrease exposure if a password is compromised? A. Passwords have format restrictions B. Passwords are masked C. Password changes are mandated D. Passwords are encrypted Suggested Answer: D
Who should be responsible for implementing and maintaining security controls? A. Data custodian B. Internal auditor C. Data owner D. End user Suggested Answer: A
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture? A. Communicating components of risk and their acceptable levels B. Performing a benchmark analysis and evaluating gaps C. Participating in peer reviews and implementing best practices D. Conducting risk assessments and implementing controls Suggested Answer: D
Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services? A. Mean time between failures B. Unplanned downtime C. Mean time to recover D. Planned downtime Suggested Answer: A
An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk: A. transfer B. acceptance C. mitigation D. avoidance Suggested Answer: A
After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to: A. record risk scenarios in the risk register for analysis B. validate the risk scenarios for business applicability C. reduce the number of risk scenarios to a manageable set D. perform a risk analysis on the risk scenarios Suggested Answer: B
A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern? A. Aggregate risk approaching the tolerance threshold B. Vulnerabilities are not being mitigated C. Security policies are not being reviewed periodically D. Risk owners are focusing more on efficiency Suggested Answer: A
Which of the following is MOST helpful to ensure effective security controls for a cloud service provider? A. Internal audit reports from the vendor B. A control self-assessment C. A third-party security assessment report D. Service level agreement monitoring Suggested Answer: C
An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk? A. Perform a risk assessment B. Disable user access C. Perform root cause analysis D. Develop an access control policy Suggested Answer: D
Which of the following is a detective control? A. Limit check B. Access control software C. Periodic access review D. Rerun procedures Suggested Answer: D
A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT? A. Invoke the incident response plan B. Modify the design of the control C. Document the finding in the risk register D. Re-evaluate key risk indicators Suggested Answer: C
Which of the following would be MOST helpful when estimating the likelihood of negative events? A. Business impact analysis B. Cost-benefit analysis C. Risk response analysis D. Threat analysis Suggested Answer: D
Improvements in the design and implementation of a control will MOST likely result in an update to: A. risk tolerance B. risk appetite C. inherent risk D. residual risk Suggested Answer: D
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to: A. include a roadmap to achieve operational excellence B. include a summary linking information to stakeholder needs C. publish the report on-demand for stakeholders D. include detailed deviations from industry benchmarks Suggested Answer: A
An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is most important for the risk practitioner to: A. perform a follow-up risk assessment to quantify the risk impact B. verify that applicable risk owners understand the risk C. implement compensating controls to address the deficiency D. recommend replacement of the deficient system Suggested Answer: C
The MOST effective way to increase the likelihood that risk responses will be implemented is to: A. review progress reports B. create an action plan C. perform regular audits D. assign ownership Suggested Answer: D
The BEST method to align an organization's business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to: A. outsource the maintenance of the BCP and DRP to a third party B. include BCP and DRP responsibilities as part of the new employee training C. execute periodic walk-throughs of the BCP and DRP D. update the business impact analysis (BIA) for significant business changes Suggested Answer: C
Which of the following is the BEST method to identify unnecessary controls? A. Evaluating existing controls against audit requirements B. Reviewing system functionalities associated with business processes C. Monitoring existing key risk indicators (KRIs) D. Evaluating the impact of removing existing controls Suggested Answer: B
The best way to test the operational effectiveness of a data backup procedure is to: A. inspect a selection of audit trails and backup logs B. conduct an audit of files stored offsite C. demonstrate a successful recovery from backup files D. interview employees to compare actual with expected procedures Suggested Answer: C
During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner? A. Escalate the issue to senior management B. Discuss risk mitigation options with the risk owner C. Certify the control after documenting the concern D. Implement compensating controls to reduce residual risk Suggested Answer: D
An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner's FIRST step to address this situation? A. Recommend a root cause analysis of the incidents B. Update the risk tolerance level to acceptable thresholds C. Recommend additional controls to address the risk D. Update the incident-related risk trend in the risk register Suggested Answer: A
Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario? A. Assess the vulnerability management process B. Conduct a control self-assessment C. Reassess the inherent risk of the target D. Conduct a vulnerability assessment Suggested Answer: D
The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is: A. using two-factor authentication B. using biometric door locks C. requiring employees to wear ID badges D. security awareness training Suggested Answer: D
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if: A. a control mitigation plan is in place B. residual risk is accepted C. compensating controls are in place D. risk management is effective Suggested Answer: A
An IT control gap has been identified in a key process. Who would be the MOST appropriate owner of the risk associated with this gap? A. Business process owner B. Chief information security officer C. Operational risk manager D. Key control owner Suggested Answer: A
Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data? A. Audit trails for updates and deletions B. Encrypted storage of data C. Links to source data D. Check totals on data records and data fields Suggested Answer: D
An assessment of information security controls has identified ineffective controls. Which of the following should be the risk practitioner's FIRST course of action? A. Deploy a compensating control to address the identified deficiencies B. Report the ineffective control for inclusion in the next audit report C. Determine if the impact is outside the risk appetite D. Request a formal acceptance of risk from senior management Suggested Answer: A
Which of the following is the GREATEST advantage of implementing a risk management program? A. Promoting a risk-aware culture B. Improving security governance C. Enabling risk-aware decisions D. Reducing residual risk Suggested Answer: A
Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization's data center? A. Ownership of an audit finding has not been assigned B. The data center is not fully redundant C. Audit findings were not communicated to senior management D. Key risk indicators (KRIs) for the data center do not include critical components Suggested Answer: C
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable? A. Chief risk officer (CRO) B. Business continuity manager (BCM) C. Human resources manager (HRM) D. Chief information officer (CIO) Suggested Answer: D
When developing risk scenarios, it is MOST important to ensure they are: A. structured and reportable B. flexible and scalable C. relevant and realistic D. comprehensive and detailed Suggested Answer: C
An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution? A. Process owner B. Internal auditor C. Risk manager D. Project sponsor Suggested Answer: A
Which of the following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system? A. Conduct user acceptance testing B. Perform a post-implementation review C. Interview process owners D. Review the key performance indicators (KPIs) Suggested Answer: B
An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization? A. Acceptance B. Transfer C. Mitigation D. Avoidance Suggested Answer: A
Which of the following is the BEST method to maintain a common view of IT risk within an organization? A. Establishing and communicating the IT risk profile B. Performing and publishing an IT risk analysis C. Collecting data for IT risk assessment D. Utilizing a balanced scorecard Suggested Answer: B
The FIRST step for a startup company when developing a disaster recovery plan should be to identify: A. current vulnerabilities B. a suitable alternate site C. recovery time objectives D. critical business processes Suggested Answer: D
An organization has outsourced an application to a Software as a Service (SaaS) provider. The risk associated with the use of this service should be owned by the: A. service provider's IT manager B. service provider's risk manager C. organization's business process manager D. organization's vendor manager Suggested Answer: C
Which of the following should be done FIRST when a new risk scenario has been identified? A. Assess the risk awareness program B. Assess the risk training program C. Identify the risk owner D. Estimate the residual risk Suggested Answer: A
Which of the following is MOST important to update when an organization's risk appetite changes? A. Key risk indicators (KRIs) B. Risk taxonomy C. Key performance indicators (KPIs) D. Risk reporting methodology Suggested Answer: C
Which of the following is the BEST way to validate whether controls have been implemented according to the risk mitigation action plan? A. Implement key risk indicators (KRIs) B. Test the control design C. Test the control environment D. Implement key performance indicators (KPIs) Suggested Answer: A
The PRIMARY reason a risk practitioner would be interested in an internal audit report is to: A. maintain a risk register based on noncompliances B. plan awareness programs for business managers C. assist in the development of a risk profile D. evaluate maturity of the risk management process Suggested Answer: D
Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology? A. Risk tolerance level B. Benchmarking information C. Resource requirements D. Business context Suggested Answer: D
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process? A. Average time to complete changes B. Increase in the number of emergency changes C. Percent of unauthorized changes D. Increase in the frequency of changes Suggested Answer: A
Which of the following is MOST helpful in developing key risk indicator thresholds? A. Loss expectancy information B. IT service level agreements C. Control performance results D. Remediation activity progress Suggested Answer: A
Which of the following is the BEST course of action to reduce risk impact? A. Create an IT security policy B. Implement detective controls C. Implement corrective measures D. Leverage existing technology Suggested Answer: C
What is the PRIMARY reason to categorize risk scenarios by business process? A. To determine aggregated risk levels by risk owner B. To identify situations that result in over-control C. To enable management to implement cost-effective risk mitigation D. To show business activity deficiencies that need to be improved Suggested Answer: C
Which of the following BEST indicates the effectiveness of an organization's data loss prevention (DLP) program? A. Reduction in financial impact associated with data loss incidents B. Reduction in the number of false positives and false negatives C. Reduction in the number of approved exceptions to the DLP policy D. Reduction in the severity of detected data loss events Suggested Answer: D
An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the: A. organization's risk function B. service provider's audit function C. organization's IT management D. service provider's IT security function Suggested Answer: A
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace? A. Develop risk awareness training B. Monitor employee usage C. Identify the potential risk D. Assess the potential risk Suggested Answer: A
A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the GREATEST concern with this approach? A. Risk scenarios in the generic list may not help in building risk awareness B. Risk scenarios that are not relevant to the organization may be assessed C. Developing complex risk scenarios using the generic list will be difficult D. Relevant risk scenarios that do not appear in the generic list may not be assessed Suggested Answer: B
An identified high-probability risk scenario involving a critical, proprietary business function has an annualized cost of control higher than the annual loss expectancy (ALE). Which of the following is the BEST risk response? A. Avoid B. Transfer C. Accept D. Mitigate Suggested Answer: C
Which of the following should be the PRIMARY focus of an IT risk awareness program? A. Cultivate long-term behavioral change B. Demonstrate regulatory compliance C. Ensure compliance with the organization's internal policies D. Communicate IT risk policy to the participants Suggested Answer: A
Which of the following is the BEST indicator of an effective IT security awareness program? A. Decreased success rate of internal phishing tests B. Number of employees that complete security training C. Number of disciplinary actions issued for security violations D. Decreased number of reported security incidents Suggested Answer: A
Which of the following is the MOST important benefit of key risk indicators (KRIs)? A. Assisting in continually optimizing risk governance B. Providing an early warning to take proactive actions C. Enabling the documentation and analysis of trends D. Ensuring compliance with regulatory requirements Suggested Answer: A
Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system? A. Data inconsistency B. Unnecessary data storage usage C. Poor access control D. Unnecessary costs of program changes Suggested Answer: C
Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents: A. a vulnerability B. a control C. an impact D. a threat Suggested Answer: A
Which of the following would BEST help minimize the risk associated with social engineering threats? A. Reviewing the organization's risk appetite B. Enforcing employee sanctions C. Enforcing segregation of duties D. Conducting phishing exercises Suggested Answer: D
When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency? A. BCP is often tested using the walkthrough method B. BCP testing is not in conjunction with the disaster recovery plan (DRP) C. Each business location has separate, inconsistent BCPs D. Recovery time objectives (RTOs) do not meet business requirements Suggested Answer: B
An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to: A. communicate the consequences for violations B. implement industry best practices C. reduce the organization's risk appetite D. reduce the risk to an acceptable level Suggested Answer: D
Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization? A. Enabling risk-based decision making B. Increasing process control efficiencies C. Better understanding of the risk appetite D. Improving audit results Suggested Answer: A
The BEST control to mitigate the risk associated with project scope creep is to: A. consult with senior management on a regular basis B. apply change management procedures C. ensure extensive user involvement D. deploy CASE tools in software development Suggested Answer: A
As part of an overall IT risk management plan, an IT risk register BEST helps management: A. stay current with existing control status B. align IT processes with business objectives C. understand the organizational risk profile D. communicate the enterprise risk management policy Suggested Answer: A
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data? A. Reviewing logs for unauthorized data transfers B. Configuring the DLP control to block credit card numbers C. Testing the transmission of credit card numbers D. Testing the DLP rule change control process Suggested Answer: A Reference: https://www.esecurityplanet.com/network-security/data-loss-prevention-dlp.html
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training? A. Number of training sessions completed B. Percentage of staff members who complete the training with a passing score C. Percentage of attendees versus total staff D. Percentage of staff members who attend the training with positive feedback Suggested Answer: B
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process? A. Accurate measurement of loss impact B. Early detection of emerging threats C. Identification of controls gaps that may lead to noncompliance D. Prioritization of risk action plans across departments Suggested Answer: A
An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization? A. A brute force attack has been detected B. An external vulnerability scan has been detected C. An increase in support requests has been observed D. Authentication logs have been disabled Suggested Answer: D
When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes: A. recommendations by an independent risk assessor B. a summary of incidents that have impacted the organization C. a detailed view of individual risk exposures D. risk exposure in business terms Suggested Answer: D
The PRIMARY objective of testing the effectiveness of a new control before implementation is to: A. comply with the organization's policy B. ensure that risk is mitigated by the control C. confirm control alignment with business objectives D. measure efficiency of the control process Suggested Answer: D
An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage? A. Restrict access to customer data on a "need to know" basis B. Enforce criminal background checks C. Mask customer data fields D. Require vendor to sign a confidentiality agreement Suggested Answer: A
An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. Which of the following BEST describes this situation? A. Risk B. Policy violation C. Threat D. Vulnerability Suggested Answer: D
The PRIMARY advantage of implementing an IT risk management framework is the: A. alignment of business goals with IT objectives B. improvement of controls within the organization and minimized losses C. compliance with relevant legal and regulatory requirements D. establishment of a reliable basis for risk-aware decision making Suggested Answer: B
It is MOST important for a risk practitioner to have an awareness of an organization's processes in order to: A. perform a business impact analysis (BIA) B. establish risk guidelines C. understand control design D. identify potential sources of risk Suggested Answer: D
The MAIN purpose of conducting a control self-assessment (CSA) is to: A. reduce the dependency on external audits B. gain a better understanding of the risk in the organization C. gain a better understanding of the control effectiveness in the organization D. adjust the controls prior to an external audit Suggested Answer: C
An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST? A. Implement additional controls B. Conduct a risk assessment C. Update the risk register D. Update the security strategy Suggested Answer: B
Which of the following would present the GREATEST challenge when assigning accountability for control ownership? A. Unclear reporting relationships B. Weak governance structures C. Senior management scrutiny D. Complex regulatory environment Suggested Answer: A
If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk? A. Redefine the business process to reduce the risk B. Evaluate alternative controls C. Develop a plan to upgrade technology D. Define a process for monitoring risk Suggested Answer: B
Which of the following is the BEST way to identify changes in the risk profile of an organization? A. Monitor key risk indicators (KRIs) B. Monitor key performance indicators (KPIs) C. Conduct a gap analysis D. Interview the risk owner Suggested Answer: C
The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify: A. possible noncompliant activities that lead to data disclosure B. leading or lagging key risk indicators (KRIs) C. inconsistencies between security policies and procedures D. unknown threats to undermine existing access controls Suggested Answer: B
Which of the following is MOST important for successful incident response? A. The quantity of data logged by the attack control tools B. The ability to trace the source of the attack C. The timeliness of attack recognition D. Blocking the attack route immediately Suggested Answer: C
Effective risk communication BEST benefits an organization by: A. improving the effectiveness of IT controls B. helping personnel make better-informed decisions C. increasing participation in the risk assessment process D. assisting the development of a risk register Suggested Answer: B
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to: A. outsource disaster recovery to an external provider B. select a provider to standardize the disaster recovery plans C. evaluate opportunities to combine disaster recovery plans D. centralize the risk response function at the enterprise level Suggested Answer: C
Which of the following approaches would BEST help to identify relevant risk scenarios? A. Engage line management in risk assessment workshops B. Escalate the situation to risk leadership C. Engage internal audit for risk assessment workshops D. Review system and process documentation Suggested Answer: A
When developing IT risk scenarios, it is CRITICAL to involve: A. process owners B. IT managers C. internal auditors D. senior management Suggested Answer: A
Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk? A. An access control list B. An acceptable usage policy C. An intrusion detection system (IDS) D. A data extraction tool Suggested Answer: B
Which of the following would be an IT business owner's BEST course of action following an unexpected increase in emergency changes? A. Conducting a root-cause analysis B. Validating the adequacy of current processes C. Evaluating the impact to control objectives D. Reconfiguring the IT infrastructure Suggested Answer: A
Which of the following would require updates to an organization's IT risk register? A. Discovery of an ineffectively designed key IT control B. Management review of key risk indicators (KRIs) C. Changes to the team responsible for maintaining the register D. Completion of the latest internal audit Suggested Answer: A
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use: A. historical risk assessments B. key risk indicators (KRIs) C. the cost associated with each control D. information from the risk register Suggested Answer: A
To help ensure the success of a major IT project, it is MOST important to: A. obtain approval from business process owners B. obtain the appropriate stakeholders' commitment C. update the risk register on a regular basis D. align the project with the IT risk framework Suggested Answer: B
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to: A. quantify key risk indicators (KRIs) B. recommend risk tolerance thresholds C. provide a quantified detailed analysis D. map findings to objectives Suggested Answer: D
When determining which control deficiencies are most significant, which of the following would provide the MOST useful information? A. Exception handling policy B. Benchmarking assessments C. Vulnerability assessment results D. Risk analysis results Suggested Answer: D
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action? A. Identify what additional controls are needed B. Update the business impact analysis (BIA) C. Prioritize issues noted during the testing window D. Communicate test results to management Suggested Answer: B
Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system? A. The number of vulnerabilities to the system B. The level of acceptable risk to the organization C. The organization's available budget D. The number of threats to the system Suggested Answer: A
When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align: A. key risk indicators (KRIs) with risk appetite of the business B. the control key performance indicators (KPIs) with audit findings C. control performance with risk tolerance of business owners D. information risk assessments with enterprise risk assessments Suggested Answer: A
Which of the following is MOST important to understand when determining an appropriate risk assessment approach? A. Threats and vulnerabilities B. Value of information assets C. Complexity of the IT infrastructure D. Management culture Suggested Answer: B
A PRIMARY advantage of involving business management in evaluating and managing risk is that management: A. can make better informed business decisions B. better understands the system architecture C. can balance technical and business risk D. is more objective than risk management Suggested Answer: A
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation? A. Implement training on coding best practices B. Perform a code review C. Perform a root cause analysis D. Implement version control software Suggested Answer: B
Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time? A. Ability to predict trends B. Ongoing availability of data C. Availability of automated reporting systems D. Ability to aggregate data Suggested Answer: D
An organization has raised the risk appetite for technology risk. The MOST likely result would be: A. lower risk management cost B. decreased residual risk C. higher risk management cost D. increased inherent risk Suggested Answer: B
Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk? A. Capability maturity assessment results B. Minutes of the enterprise risk committee meetings C. Benchmarking against industry standards D. Self-assessment of capabilities Suggested Answer: D
To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the: A. risk assessment results B. cost-benefit analysis C. vulnerability assessment results D. risk mitigation approach Suggested Answer: A
An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner? A. The vendor will not achieve best practices B. The vendor will not ensure against control failure C. The controls may not be properly tested D. Lack of a risk-based approach to access control Suggested Answer: B
The analysis of which of the following will BEST help validate whether suspicious network activity is malicious? A. Intrusion detection system (IDS) rules B. Penetration test reports C. Vulnerability assessment reports D. Logs and system events Suggested Answer: D
Which of the following activities would BEST facilitate effective risk management throughout the organization? A. Performing a business impact analysis B. Performing frequent audits C. Reviewing risk-related process documentation D. Conducting periodic risk assessments Suggested Answer: A
Which of the following data would be used when performing a business impact analysis (BIA)? A. Cost of regulatory compliance B. Expected costs for recovering the business C. Cost-benefit analysis of running the current business D. Projected impact of current business on future business Suggested Answer: B
Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management? A. A decrease in the number of key controls B. Changes in control design C. An increase in residual risk D. Changes in control ownership Suggested Answer: D
Which of the following is the MOST important factor affecting risk management in an organization? A. The risk manager's expertise B. Regulatory requirements C. Board of director's expertise D. The organization's culture Suggested Answer: D
Which of the following provides the BEST measurement of an organization's risk management maturity level? A. IT alignment to business objectives B. Level of residual risk C. Key risk indicators (KRIs) D. The results of a gap analysis Suggested Answer: A
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action? A. Propose mitigating controls B. Assess management's risk tolerance C. Recommend management accept the low risk scenarios D. Re-evaluate the risk scenarios associated with the control Suggested Answer: A
The BEST way to determine the likelihood of a system availability risk scenario is by assessing the: A. availability of fault tolerant software B. strategic plan for business growth C. vulnerability scan results of critical systems D. redundancy of technical infrastructure Suggested Answer: D
When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied? A. Transfer B. Avoidance C. Acceptance D. Mitigation Suggested Answer: D
The BEST reason to classify IT assets during a risk assessment is to determine the: A. appropriate level of protection B. enterprise risk profile C. priority in the risk register D. business process owner Suggested Answer: A
Which of the following would BEST help to ensure that suspicious network activity is identified? A. Analyzing server logs B. Coordinating events with appropriate agencies C. Analyzing intrusion detection system (IDS) logs D. Using a third-party monitoring provider Suggested Answer: C
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system? A. Implement segregation of duties B. Enforce an internal data access policy C. Enforce the use of digital signatures D. Apply single sign-on for access control Suggested Answer: D
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when: A. identifying risk mitigation controls B. documenting the risk scenarios C. validating the risk scenarios D. updating the risk register Suggested Answer: C
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)? A. Management approval B. Automation C. Annual review D. Relevance Suggested Answer: D
What should be PRIMARILY responsible for establishing an organization's IT risk culture? A. Risk management B. IT management C. Business process owner D. Executive management Suggested Answer: D Reference: https://www.casact.org/education/infocus/2014/handouts/Paper_3464_handout_2190_0.pdf
Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment? A. Improved senior management communication B. Enhanced awareness of risk management C. Optimized risk treatment decisions D. Improved collaboration among risk professionals Suggested Answer: B
After a high-profile systems breach at an organization's key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments: Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment? A. External audit B. Internal audit C. Vendor performance scorecard D. Regulatory examination Suggested Answer: B
A change management process has recently been updated with new testing procedures. The NEXT course of action is to: A. communicate to those who test and promote changes B. assess the maturity of the change management process C. conduct a cost-benefit analysis to justify the cost of the control D. monitor processes to ensure recent updates are being followed Suggested Answer: A
For a large software development project, risk assessments are MOST effective when performed: A. during the development of the business case B. at each stage of the system development life cycle (SDLC) C. at system development D. before system development begins Suggested Answer: B
Malicious code protection is which type of control? A. Configuration management control B. System and information integrity control C. Media protection control D. Personal security control Suggested Answer: B Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. As malicious code protection lists steps to protect against malware, it preserves the information integrity of the enterprise. Hence malicious code protection is a System and information integrity control. This family of controls provides information to maintain the integrity of systems and data. Incorrect Answers: A: Malicious code protection is not a Configuration management control. Configuration management control is the family of controls that addresses both configuration management and change management. Change control practices prevent unauthorized changes. C: Malicious code protection is not a Media protection control. Media Protection includes removable digital media such as tapes, external hard drives, and USB flash drives. It also includes non-digital media such as paper and film. This family of controls covers the access, marking, storage, transport, and sanitization of media. D: Malicious code protection is not a Personal security control. The Personal security control is a family of controls including aspects of personnel security. It includes personnel screening, termination, and transfer.
If one says that a particular control or monitoring tool is sustainable, to what ability does this refer? A. The ability to adapt as new elements are added to the environment B. The ability to ensure the control remains in place when it fails C. The ability to protect itself from exploitation or attack D. The ability to be applied in the same manner throughout the organization Suggested Answer: A Sustainability of a control or monitoring tool refers to its ability to function as expected over time or when changes are made to the environment. Incorrect Answers: B: Sustainability ensures that controls change with the conditions, so as not to fail in any circumstances. Hence this is not a valid answer. C: This is not a valid answer. D: This is not a valid definition of sustainability of a tool.
You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working? A. Quantitative Risk Analysis B. Identify Risks C. Plan risk response D. Qualitative Risk Analysis Suggested Answer: C The plan risk response project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the perform qualitative risk analysis process and the perform quantitative risk analysis process. The plan risk response process assigns a risk response owner to take the job for each agreed-to and funded risk response. This process addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget. The inputs to the plan risk response process are as follows: ✑ Risk register ✑ Risk management plan Incorrect Answers: A: Quantitative analysis is the use of numerical and statistical techniques rather than the analysis of verbal material for analyzing risks. Some of the quantitative methods of risk analysis are: ✑ Internal loss method ✑ External data analysis ✑ Business process modeling (BPM) and simulation ✑ Statistical process control (SPC) B: Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process.
D: Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative scale. Some of the qualitative methods of risk analysis are: ✑ Scenario analysis - This is a forward-looking process that can reflect risk for a given point in time. ✑ Risk Control Self-Assessment (RCSA) - RCSA is used by enterprises (like banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in compelling business owners to contemplate, and then explain, the issues at hand with the added benefit of increasing their accountability.
Which of the following is NOT a method of Qualitative risk analysis? A. Scorecards B. Attribute analysis C. Likelihood-impact matrix D. Business process modeling (BPM) and simulation Suggested Answer: D Business process modeling (BPM) and simulation is a method of Quantitative risk analysis, not Qualitative risk analysis. The BPM and simulation discipline is an effective method of identifying and quantifying the operational risk in enterprise business processes. It improves business process efficiency and effectiveness. Incorrect Answers: A, B, C: These three are methods of Qualitative risk analysis.
You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project? A. $ 2,160,000 B. $ 95,000 C. $ 108,000 D. $ 90,000 Suggested Answer: C The ALE of this project will be $ 108,000. Single Loss Expectancy is a term related to Quantitative Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows: SLE = Asset value * Exposure factor Therefore, SLE = 200,000 * 0.45 = $ 90,000 As the loss is occurring once every month, the ARO is 12. Now ALE can be calculated as follows: ALE = SLE * ARO = 90,000 * 12 = $ 108,000
Which of the following is a performance measure that is used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments? A. Return On Security Investment B. Total Cost of Ownership C. Return On Investment D. Redundant Array of Inexpensive Disks Suggested Answer: C Return On Investment (ROI) is a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio. The return on investment formula: ROI = (Gain from investment - Cost of investment) / Cost of investment In the above formula, "gain from investment" refers to the proceeds obtained from selling the investment of interest. Incorrect Answers: A, B: These options are not related to the measurement of the efficiency of an investment. D: RAID is described as a redundant array of inexpensive disks. It is a technology that allows computer users to achieve high levels of storage reliability from low-cost and less reliable PC-class disk-drive components, via the technique of arranging the devices into arrays for redundancy.
You are the program manager for your organization and you are working with Alice, a project manager in your program. Alice calls you and insists that you add a change to the program scope. You agree to the change. What must Alice do to move forward with her change request? A. Add the change to the program scope herself, as she is a project manager B. Create a change request charter justifying the change request C. Document the change request in a change request form. D. Add the change request to the scope and complete integrated change control Suggested Answer: C Change requests must be documented to be considered. Alice should create a change request form and follow the procedures of the change control system.
Which of the following business requirements MOST relates to the need for resilient business and information systems processes? A. Confidentiality B. Effectiveness C. Integrity D. Availability Suggested Answer: D Availability relates to information being available when required by the business process, now as well as in the future. Resilience is the ability to provide and maintain an acceptable level of service during disasters or when facing operational challenges. Hence they are most closely related. Incorrect Answers: A: Confidentiality deals with the protection of sensitive information from unauthorized disclosure. While the lack of system resilience can in some cases affect data confidentiality, resilience is more closely linked to the business information requirement of availability. B: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. While the lack of system resilience can in some cases affect effectiveness, resilience is more closely linked to the business information requirement of availability. C: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. While the lack of system resilience can in some cases affect data integrity, resilience is more closely linked to the business information requirement of availability.
Which of the following serves as the authorization for a project to begin? A. Approval of project management plan B. Approval of a risk response document C. Approval of risk management document D. Approval of a project request document Suggested Answer: D Approval of a project initiation document (PID) or a project request document (PRD) is the authorization for a project to begin. Incorrect Answers: A: The project management plan is prepared after the project has been authorized. B: The risk response document belongs to the risk management process, which is a later phase in the project development process. C: The risk management document is prepared after project initiation, during risk management planning. It has no role during project initiation.
In which of the following conditions do business units tend to point the finger at IT when projects are not delivered on time? A. Threat identification in project B. System failure C. Misalignment between real risk appetite and translation into policies D. Existence of a blame culture Suggested Answer: D In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit's involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet expectations that the unit never clearly communicated. Incorrect Answers: A, B, C: These are not relevant to the pointing of fingers at IT when projects are not delivered on time.
Which of the following methods involves the use of predictive or diagnostic analytical tools for exposing risk factors? A. Scenario analysis B. Sensitivity analysis C. Fault tree analysis D. Cause and effect analysis Suggested Answer: D Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk. Incorrect Answers: A: This analysis is not a method for exposing risk factors. It is used for analyzing scenarios. B: Sensitivity analysis is the quantitative risk analysis technique that: ✑ Assists in the determination of risk factors that have the most potential impact ✑ Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values C: Fault tree analysis (FTA) is a technique that provides a systematic description of the combination of possible occurrences in a system which can result in an undesirable outcome. It combines hardware failures and human failures.
Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that an accumulative risk score should be created, not three separate risk scores. Who is correct in this scenario? A. Sammy is correct, because she is the project manager. B. Sammy is correct, because organizations can create risk scores for each objective of the project. C. Harry is correct, the risk probability and impact matrix is the only approach to risk assessment. D. Harry is correct, because the risk probability and impact considers all objectives of the project. Suggested Answer: B Sammy certainly can create an assessment for a risk event for time, cost, and scope. It is probable that a risk event may have an effect on just one or more objectives, so an assessment per objective is acceptable. Incorrect Answers: A: Just because Sammy is the project manager, it is not necessarily the case that she is right. C: Harry is incorrect, as there are multiple approaches to risk assessment for a project. D: Harry's reasoning is flawed, as each objective can be reviewed for the risk's impact rather than the project as a whole.
When developing a business continuity plan (BCP), it is MOST important to: A. develop a multi-channel communication plan B. prioritize critical services to be restored C. identify a geographically dispersed disaster recovery site D. identify an alternative location to host operations Suggested Answer: C
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised? A. Authentication B. Identification C. Data validation D. Data integrity Suggested Answer: A
Which of the following is MOST important when developing key performance indicators (KPIs)? A. Alignment to management reports B. Alignment to risk responses C. Alerts when risk thresholds are reached D. Identification of trends Suggested Answer: D Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.
The PRIMARY benefit associated with key risk indicators (KRIs) is that they: A. identify trends in the organization's vulnerabilities B. provide ongoing monitoring of emerging risk C. help an organization identify emerging threats D. benchmark the organization's risk profile Suggested Answer: C
Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation? A. Availability of in-house resources B. Completeness of system documentation C. Variances between planned and actual cost D. Results of end-user acceptance testing Suggested Answer: D
Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation? A. Increased risk appetite B. Increased number of controls C. Reduced risk level D. Stakeholder commitment Suggested Answer: C
When updating the risk register after a risk assessment, which of the following is MOST important to include? A. Actor and threat type of the risk scenario B. Historical losses due to past risk events C. Cost to reduce the impact and likelihood D. Likelihood and impact of the risk scenario Suggested Answer: D
An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern? A. Resources may be inefficiently allocated B. Management may be unable to accurately evaluate the risk profile C. Multiple risk treatment efforts may be initiated to treat a given risk D. The same risk factor may be identified in multiple areas Suggested Answer: B
You are the project manager of your enterprise. You have identified several risks. Which of the following responses to risk is considered the MOST appropriate? A. Any of the above B. Insuring C. Avoiding D. Accepting Suggested Answer: A The appropriate response to a risk is decided by the risk itself, the company's attitude toward and appetite for risk, and the threat and opportunity combination of the risk. Incorrect Answers: B, C, D: Depending upon the conditions, that is, the risk itself, the company's attitude toward and appetite for risk, and the threat and opportunity combination of the risk, any of these response options can be chosen.
John is the project manager of the HGH Project for his company. He and his project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly higher than the current vendor's. What type of response does John adopt here? A. Contingent response strategy B. Risk avoidance C. Risk mitigation D. Expert judgment Suggested Answer: A In this case John and his team mates have pre-planned the alternative to be used if the vendor is late in fulfilling the order. Therefore, it is a contingent response strategy. Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case they occur. Unlike mitigation planning, in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs. Incorrect Answers: B: Risk avoidance is the method which involves creating solutions that ensure a specific risk is not realized. C: Risk mitigation attempts to eliminate or significantly decrease the level of risk present. Here no alternatives are pre-planned. D: Expert judgment is utilized in developing risk responses, including feedback and guidance from risk management experts and those internal to the project qualified to provide assistance in this process.
You work as a project manager for BlueWell Inc. You are preparing for the risk identification process. You will need to involve several of the project's key stakeholders to help you identify and communicate the identified risk events. You will also need several documents to help you and the stakeholders identify the risk events. Which one of the following is NOT a document that will help you identify and communicate risks within the project? A. Stakeholder registers B. Activity duration estimates C. Activity cost estimates D. Risk register Suggested Answer: D The risk register is not an input to risk identification; it is an output of risk identification. Incorrect Answers: A, B, C: These are inputs to risk identification. Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process.
Which of the following is the greatest risk to reporting? A. Integrity of data B. Availability of data C. Confidentiality of data D. Reliability of data Suggested Answer: D Reporting risks are caused by wrong reporting, which leads to bad decisions. A bad decision made on the basis of a wrong report in turn creates a risk to the functioning of the organization. Therefore, the greatest risk to reporting is the reliability of data. Reliability of data refers to the accuracy, robustness, and timing of the data. Incorrect Answers: A, B, C: Integrity, availability, and confidentiality of data are also important, but these three in combination come under reliability itself.
Which negative risk response usually has a contractual agreement? A. Sharing B. Transference C. Mitigation D. Exploiting Suggested Answer: B Transference is the risk response that transfers the risk to a third party, usually for a fee. Insurance and subcontracting of dangerous works are two common examples of transference with a contractual obligation. Incorrect Answers: A: Sharing is a positive risk response. Note that sharing may also have contractual obligations, sometimes called teaming agreements. C: Mitigation is a negative risk response used to lower the probability and/or impact of a risk event. D: Exploiting is a positive risk response and not a negative response and doesn't have contractual obligations.
You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools of the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in the qualitative risk analysis process? A. Risk Urgency Assessment B. Risk Reassessment C. Risk Data Quality Assessment D. Risk Categorization Suggested Answer: B You will not need the Risk Reassessment technique to perform qualitative risk analysis. It is one of the techniques used to monitor and control risks. Incorrect Answers: A, C, D: The tools and techniques for the Qualitative Risk Analysis process are as follows: ✑ Risk Probability and Impact Assessment: Risk probability assessment investigates the chances of a particular risk occurring. ✑ Risk Impact Assessment investigates the possible effects on the project objectives such as cost, quality, schedule, or performance, including positive opportunities and negative threats. ✑ Probability and Impact Matrix: Estimation of a risk's consequence and priority for awareness is conducted by using a look-up table or the probability and impact matrix. This matrix specifies the combination of probability and impact that leads to rating the risks as low, moderate, or high priority. ✑ Risk Data Quality Assessment: Investigation of the quality of risk data is a technique to calculate the degree to which the data about risks are useful for risk management. ✑ Risk Categorization: Risks to the project can be categorized by sources of risk, the area of the project affected and other valuable types to decide the areas of the project most exposed to the effects of uncertainty. ✑ Risk Urgency Assessment: Risks that require near-term responses are considered more urgent to address. ✑ Expert Judgment: It is required to categorize the probability and impact of each risk to determine its location in the matrix.
Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained? A. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content B. Perform regular audits by audit personnel and maintain risk register C. Submit the risk register to business process owners for review and updating D. Monitor key risk indicators, and record the findings in the risk register Suggested Answer: A A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register. Hence this ensures that an accurate and updated risk register is maintained. Incorrect Answers: B: Audit personnel may not have the appropriate business knowledge in risk assessment, hence cannot properly identify risk. Regular audits may also hinder business activities. C: Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased and may not have the appropriate skills or tools for evaluating risks. D: Monitoring key risk indicators and recording the findings in the risk register will only provide insights into known and identified risk and will not account for obscure risk, i.e., risk that has not been identified yet.
Which of the following tests is BEST for confirming the effectiveness of the system access management process? Mapping: A. user accounts to human resources (HR) records. B. user accounts to access requests. C. the vendor database to user accounts. D. access requests to user accounts. Suggested Answer: B Tying user accounts to access requests confirms that all existing accounts have been approved. Hence, the effectiveness of the system access management process can be confirmed. Incorrect Answers: A: Tying user accounts to human resources (HR) records confirms whether user accounts are uniquely tied to employees; it does not account for the effectiveness of the system access management process. C: Tying vendor records to user accounts may confirm valid accounts on an e-commerce application, but it does not consider user accounts that have been established without a supporting access request. D: Tying access requests to user accounts confirms that all access requests have been processed; however, the test does not consider user accounts that have been established without a supporting access request.
Which of the following is the way to verify control effectiveness? A. The capability of providing notification of failure. B. Whether it is preventive or detective. C. Its reliability. D. The test results of intended objectives. Suggested Answer: D Control effectiveness requires a process to verify that the control worked as intended and meets the intended control objectives. Hence the test results of the intended objectives help in verifying the effectiveness of a control. Incorrect Answers: A: Notification of failure does not determine control strength, hence this option is not correct. B: The type of control, such as preventive or detective, does not help determine control effectiveness. C: Reliability is not an indication of control strength; weak controls can be highly reliable, even if they do not meet the control objective.
What is the most important benefit of classifying information assets? A. Linking security requirements to business objectives B. Allotting risk ownership C. Defining access rights D. Identifying controls that should be applied Suggested Answer: D All of the options are, directly or indirectly, advantages of classifying information assets, but the most important benefit amongst them is that appropriate controls can be identified. Incorrect Answers: A, B, C: These are all less significant than identifying controls.
You are the project manager of the GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks would you do in reaction to the risk event occurrence? Each correct answer represents a part of the solution. (Choose three.) A. Monitor risk B. Maintain and initiate incident response plans C. Update risk register D. Communicate lessons learned from risk events Suggested Answer: ABD When a risk event occurs, the following tasks have to be done to react to it: ✑ Maintain incident response plans ✑ Monitor risk ✑ Initiate incident response ✑ Communicate lessons learned from risk events Incorrect Answers: C: The risk register is updated after the appropriate risk response has been applied, not at the time the risk event occurs.
Which of the following parameters would affect the prioritization of the risk responses and development of the risk response plan? Each correct answer represents a complete solution. (Choose three.) A. Importance of the risk B. Time required to mitigate risk. C. Effectiveness of the response D. Cost of the response to reduce risk within tolerance levels Suggested Answer: ACD The prioritization of the risk responses and development of the risk response plan is influenced by several parameters: ✑ Cost of the response to reduce risk within tolerance levels ✑ Importance of the risk ✑ Capability to implement the response ✑ Effectiveness of the response ✑ Efficiency of the response Incorrect Answers: B: Time required to mitigate risk does not influence the prioritization of the risk and development of the risk response plan. It affects the scheduled time of the project.
Which of the following come under the management class of controls? Each correct answer represents a complete solution. (Choose two.) A. Risk assessment control B. Audit and accountability control C. Program management control D. Identification and authentication control Suggested Answer: AC The Management class of controls includes five families. These families include over 40 individual controls. The following is a list of the families in the Management class: ✑ Certification, Accreditation, and Security Assessment (CA): This family of controls addresses steps to implement a security and assessment program. It includes controls to ensure only authorized systems are allowed on a network. It includes details on important security concepts, such as continuous monitoring and a plan of action and milestones. ✑ Planning (PL): The PL family focuses on security plans for systems. It also covers Rules of Behaviour for users. Rules of Behaviour are also called an acceptable use policy. ✑ Risk Assessment (RA): This family of controls provides details on risk assessments and vulnerability scanning. ✑ System and Services Acquisition (SA): The SA family includes any controls related to the purchase of products and services. It also includes controls related to software usage and user-installed software. ✑ Program Management (PM): This family is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement other controls; they don't replace them. Incorrect Answers: B, D: Identification and authentication, and audit and accountability, are controls in the technical class.
Which of the following parameters are considered for the selection of risk indicators? Each correct answer represents a part of the solution. (Choose three.) A. Size and complexity of the enterprise B. Type of market in which the enterprise operates C. Risk appetite and risk tolerance D. Strategy focus of the enterprise Suggested Answer: ABD Risk indicators are placed at control points within the enterprise and are used to collect data. The collected data are used to measure the risk levels at that point. They also track events or incidents that may indicate a potentially harmful situation. Risk indicators can be in the form of logs, alarms and reports. Risk indicators are selected depending on a number of parameters in the internal and external environment, such as: ✑ Size and complexity of the enterprise ✑ Type of market in which the enterprise operates ✑ Strategy focus of the enterprise Incorrect Answers: C: Risk appetite and risk tolerance are considered when applying various risk responses.
David is the project manager of the HRC project. While the HRC project was in progress, he concluded that if he adopted e-commerce, his project could be more fruitful. However, he did not engage in electronic commerce (e-commerce), so that he would escape the risk associated with that line of business. What type of risk response has he adopted? A. Acceptance B. Avoidance C. Exploit D. Enhance Suggested Answer: B As David did not engage in e-commerce in order to avoid the risk, he is following a risk avoidance strategy.
Which of the following is the final step in the policy development process? A. Management approval B. Continued awareness activities C. Communication to employees D. Maintenance and review Suggested Answer: D Organizations should create a structured ISG document development process. A formal process gives many areas the opportunity to comment on a policy. This is very important for high-level policies that apply to the whole organization. A formal process also makes sure that final policies are communicated to employees. It also provides organizations with a way to make sure that policies are reviewed regularly. In general, a policy development process should include the following steps: 1. Development 2. Stakeholder review 3. Management approval 4. Communication to employees 5. Documentation of compliance or exceptions 6. Continued awareness activities 7. Maintenance and review Incorrect Answers: A, B, C: These are earlier phases in the policy development process.
You are the project manager of the GHT project. Your project utilizes a machine for the production of goods. This machine has the specification that if its temperature rises above 450 degrees Fahrenheit, it may result in burning of the windings. So, there is an alarm which sounds when the machine's temperature reaches 430 degrees Fahrenheit, and the machine is shut off for 1 hour. What role does the alarm play here? A. Of risk indicator B. Of risk identification C. Of risk trigger D. Of risk response Suggested Answer: A In this scenario the alarm indicates the potential risk that the rising temperature of the machine can cause; hence it is acting as a risk indicator. Risk indicators are metrics used to indicate risk thresholds, i.e., they give an indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about potential risks. Incorrect Answers: B: The first thing we must do in risk management is to identify the areas of the project where risks can occur. This is termed risk identification. Listing all the possible risks proves very productive for the enterprise, as we can address them before they occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them. C: The temperature of 430 degrees in the scenario is the risk trigger. A risk trigger is a warning sign or condition that a risk event is about to happen. As in this scenario the 430-degree temperature is the indication of upcoming risk, the 430-degree temperature is a risk trigger. D: Risk response is the action taken to reduce the risk event occurrence. Hence here the risk response is the shutting off of the machine.
When does the Identify Risks process take place in a project? A. At the Planning stage. B. At the Executing stage. C. At the Initiating stage. D. Throughout the project life-cycle. Suggested Answer: D Identify Risks is the process of determining which risks may affect the project. It also documents the risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. The Risk Register is the only output of this process. Incorrect Answers: A, B, C: The Identify Risks process takes place at all stages of a project, because risk changes over time.
In the project initiation phase of the System Development Life Cycle (SDLC), projects are initiated by which of the following roles? A. CRO B. Sponsor C. Business management D. CIO Suggested Answer: B The project initiation section of the SDLC contains information on projects initiated by sponsors, who gather the information required to gain approval for the project to be created.
Which of the following are the responsibilities of the Enterprise risk committee? Each correct answer represents a complete solution. (Choose three.) A. React to risk events B. Analyze risk C. Risk aware decision D. Articulate risk Suggested Answer: BCD Risk-aware decision making, analyzing risk, and articulating risk are the responsibilities of the Enterprise risk committee (ERC). Its members are the executives who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee. The ERC ensures that these activities are completed successfully. Incorrect Answers: A: The enterprise risk committee is not responsible for reacting to risk events; business process owners are accountable for this task.
You are the project manager of the GHT project. A stakeholder of this project has submitted a change request. What are your responsibilities as the project manager in the process of approving this change request? Each correct answer represents a complete solution. (Choose two.) A. Archive copies of all change requests in the project file. B. Evaluate the change request on behalf of the sponsor C. Judge the impact of each change request on project activities, schedule and budget. D. Formally accept the updated project plan Suggested Answer: AC The project manager's responsibilities related to the change request approval process are judging the impact of each change request on project activities, schedule and budget, and archiving copies of all change requests in the project file. Incorrect Answers: B: This is the responsibility of the Change advisory board. D: The project manager does not have the authority to formally accept the updated project plan. This is done by the project sponsors in order to approve the change request.
A natural disaster is BEST associated with which of the following types of risk? A. Short-term B. Long-term C. Discontinuous D. Large impact Suggested Answer: C A natural disaster can be long-term or short-term and can have a large or small impact on the company. However, as natural disasters are unpredictable and infrequent, they are best considered discontinuous. Incorrect Answers: A: A natural disaster can be short-term, but this is not the best answer. B: A natural disaster can be long-term, but this is not the best answer. D: A natural disaster can have a large impact depending upon its nature, but this is not the best answer.
Which of the following controls focuses on operational efficiency in a functional area while adhering to management policies? A. Internal accounting control B. Detective control C. Administrative control D. Operational control Suggested Answer: C Administrative control is one of the objectives of internal control and is concerned with ensuring efficiency and compliance with management policies. Incorrect Answers: A: Internal accounting control governs accounting operations, including safeguarding assets and financial records. B: Detective control simply detects and reports on the occurrence of an error, omission or malicious act. D: Operational control focuses on day-to-day operations, functions, and activities. It also ensures that all the organization's objectives are being accomplished.
You are the project manager of the HJT project. You want to measure the operational effectiveness of risk management capabilities. Which of the following is the BEST option to measure operational effectiveness? A. Key risk indicators B. Capability maturity models C. Key performance indicators D. Metric thresholds Suggested Answer: C Key performance indicators are a set of quantifiable measures that a company or industry uses to gauge or compare performance in terms of meeting their strategic and operational goals. Key performance indicators (KPIs) provide insights into the operational effectiveness of the concept or capability that they monitor. Incorrect Answers: A: Key risk indicators (KRIs) only provide insights into potential risks that may exist or be realized within a concept or capability that they monitor. B: Capability maturity models (CMMs) assess the maturity of a concept or capability and do not provide insights into operational effectiveness. D: Metric thresholds are decision or action points that are enacted when a KPI or KRI reports a specific value or set of values.
What are the functions of the auditor while analyzing risk? Each correct answer represents a complete solution. (Choose three.) A. Aids in determining audit objectives B. Identify threats and vulnerabilities to the information system C. Provide information for evaluation of controls in audit planning D. Supporting decision based on risks Suggested Answer: ACD A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A risk from an organizational perspective consists of: ✑ Threats to various processes of the organization. ✑ Threats to physical and information assets. ✑ Likelihood and frequency of occurrence of the threat. ✑ Impact on assets from the threat and vulnerability. Risk analysis allows the auditor to do the following tasks: ✑ Identify threats and vulnerabilities to the enterprise and its information system. ✑ Provide information for evaluation of controls in audit planning. ✑ Aid in determining audit objectives. ✑ Support decisions based on risks. Incorrect Answers: B: Auditors identify threats and vulnerabilities not only in IT but across the whole enterprise as well.
What are the key control activities to be done to ensure business alignment? Each correct answer represents a part of the solution. (Choose two.) A. Define the business requirements for the management of data by IT B. Conduct IT continuity tests on a regular basis or when there are major changes in the IT infrastructure C. Periodically identify critical data that affect business operations D. Establish an independent test task force that keeps track of all events Suggested Answer: AC Business alignment requires the following control activities: ✑ Defining the business requirements for the management of data by IT. ✑ Periodically identifying critical data that affect business operations, in alignment with the risk management model and IT service as well as the business continuity plan. Incorrect Answers: B: Conducting IT continuity tests on a regular basis or when there are major changes in the IT infrastructure is done to test the IT continuity plan. It does not ensure alignment with the business. D: This is not a valid answer.
Which of the following statements is true for risk analysis? A. Risk analysis should assume an equal degree of protection for all assets. B. Risk analysis should give more weight to the likelihood than the size of loss. C. Risk analysis should limit the scope to a benchmark of similar companies D. Risk analysis should address the potential size and likelihood of loss. Suggested Answer: D A risk analysis deals with the potential size and likelihood of loss. A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A risk from an organizational perspective consists of: ✑ Threats to various processes of the organization. ✑ Threats to physical and information assets. ✑ Likelihood and frequency of occurrence of the threat. ✑ Impact on assets from the threat and vulnerability. Risk analysis allows the auditor to do the following tasks: ✑ Identify threats and vulnerabilities to the enterprise and its information system. ✑ Provide information for evaluation of controls in audit planning. ✑ Aid in determining audit objectives. ✑ Support decisions based on risks. Incorrect Answers: A: Assuming an equal degree of protection would only be rational in the rare event that all the assets are similar in sensitivity and criticality. Hence this is not practiced in risk analysis. B: Since the likelihood determines the size of the loss, both elements must be considered in the calculation. C: A risk analysis would not normally consider the benchmark of similar companies as providing relevant information other than for comparison purposes.
Henry is the project manager of the QBG Project for his company. This project has a budget of $4,576,900 and is expected to take 18 months to complete. The CIO, a stakeholder in the project, has introduced a scope change request for additional deliverables as part of the project work. What component of the change control system would review the proposed changes' impact on the features and functions of the project's product? A. Cost change control system B. Configuration management system C. Scope change control system D. Integrated change control Suggested Answer: B The configuration management system ensures that proposed changes to the project's scope are reviewed and evaluated for their effect on the project's product. The configuration management process is important in achieving business objectives. Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability, minimizes production issues and resolves issues more quickly. Incorrect Answers: A: The cost change control system is responsible for reviewing and controlling changes to the project costs. C: The scope change control system focuses on reviewing the actual changes to the project scope. When a change to the project's scope is proposed, the configuration management system is also invoked. D: Integrated change control examines the effect of a proposed change on the project as a whole.
You are working at Bluewell Inc., which makes advertisement websites. Someone has made unauthorized changes to your website. Which of the following terms refers to this type of loss? A. Loss of confidentiality B. Loss of integrity C. Loss of availability D. Loss of revenue Suggested Answer: B Loss of integrity refers to the following types of losses: ✑ An e-mail message is modified in transit ✑ A virus infects a file ✑ Someone makes unauthorized changes to a website Incorrect Answers: A: Someone seeing a password or a company's secret formula is referred to as loss of confidentiality. C: An e-mail server being down so that no one has e-mail access, or a file server being down so that data files aren't available, comes under loss of availability. D: This refers to the events which would eventually cause loss of revenue.
Which of the following is NOT true for Key Risk Indicators? A. They are selected as the prime monitoring indicators for the enterprise B. They help avoid having to manage and report on an excessively large number of risk indicators C. The complete set of KRIs should also balance indicators for risk, root causes and business impact. D. They are monitored annually Suggested Answer: D They are monitored on a regular basis as they indicate high-probability and high-impact risks. As risks change over time, KRIs should also be monitored regularly for their effectiveness against these changing risks. Incorrect Answers: A, B, C: These are all true for KRIs. Key Risk Indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help avoid the excessively large number of risk indicators to manage and report that a large enterprise may have. The complete set of KRIs should also balance indicators for risk, root causes and business impact, so as to indicate the risk and its impact completely.
Which of the following is the BEST way to determine the ongoing efficiency of control processes? A. Interview process owners B. Review the risk register C. Perform annual risk assessments D. Analyze key performance indicators (KPIs) Suggested Answer: D
You are the project manager of the GHT project. You are accessing data for further analysis. You have chosen a data extraction method in which management monitors its own controls. Which of the following data extraction methods are you using here? A. Extracting data directly from the source systems after system owner approval B. Extracting data from the system custodian (IT) after system owner approval C. Extracting data from risk register D. Extracting data from lesson learned register Suggested Answer: A Direct extraction from the source system involves management monitoring its own controls, instead of auditors/third parties monitoring management's controls. It is preferable over extraction from the system custodian. Incorrect Answers: B: Extracting data from the system custodian (IT) after system owner approval involves auditors or third parties monitoring management's controls; in this case management does not monitor its own controls. C, D: These are not data extraction methods.
You are the project manager for your organization's project to install new workstations, servers, and cabling throughout a new building into which your company will be moving. The vendor for the project informs you that the cost of the cabling has increased. This new cost will cause the cost of your project to increase by nearly eight percent. What change control system should the costs be entered into for review? A. Cost change control system B. Contract change control system C. Scope change control system D. Only changes to the project scope should pass through a change control system. Suggested Answer: A Because this change deals with the cost of the deliverable, it should pass through the cost change control system. The cost change control system reviews the reason why the change has happened, what the cost affects, and how the project should respond. Incorrect Answers: B: This is not a contract change. There is no evidence that a contract exists or that the cost of the materials is outside the terms of a contract if one existed. Consider a time and materials contract, where a change of this nature could be acceptable according to the terms of the contract. If the vendor wanted to change the terms of the contract, then it would be appropriate to enter the change into the contract change control system. C: The scope of the project will not change due to the cost of the materials. D: There are four change control systems that should always be entertained for change: schedule, cost, scope, and contract.
When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk? A. Updating the IT risk registry B. Insuring against the risk C. Outsourcing the related business process to a third party D. Improving staff-training in the risk area Suggested Answer: B An insurance policy can compensate the enterprise up to 100% by transferring the risk to another company. Hence in this stem the risk is being transferred. Incorrect Answers: A: Updating the risk registry (with lower values for impact and probability) will not actually change the risk, only management's perception of it. C: Outsourcing the process containing the risk does not necessarily remove or change the risk. On the other hand, insurance will completely remove the risk. D: Staff capacity to detect or mitigate the risk may potentially reduce the financial impact, but insurance allows for the risk to be mitigated up to 100%.
You are the risk official at Bluewell Inc. Some risks are posing a threat to your enterprise. You are measuring the exposure of those risk factors which have the highest potential impact, by examining the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values. Which type of analysis are you performing? A. Sensitivity analysis B. Fault tree analysis C. Cause-and-effect analysis D. Scenario analysis Suggested Answer: A Sensitivity analysis is the quantitative risk analysis technique that: ✑ Assists in determining the risk factors that have the most potential impact ✑ Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values Incorrect Answers: B: Fault tree analysis provides a systematic description of the combination of possible undesirable occurrences in a system. It does not measure the extent of uncertainty. C: Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes, not the extent of uncertainty. D: Scenario analysis provides the ability to see a range of values across several scenarios to identify risk in a specific situation. It provides the ability to identify those inputs which will produce the greatest level of uncertainty, but it plays no role in determining the extent of uncertainty.
You are the risk professional of your enterprise. Your enterprise has introduced new systems in many departments. The business requirements that were to be addressed by the new system are still unfulfilled, and the process has been a waste of resources. Even if the system is implemented, it will most likely be underutilized and not maintained, making it obsolete in a short period of time. What kind of risk is it? A. Inherent risk B. Business risk C. Project risk D. Residual risk Suggested Answer: B Business risk relates to the likelihood that the new system may not meet the user business needs, requirements and expectations. In this stem it is said that the business requirements that were to be addressed by the new system are still unfulfilled; therefore it is a business risk. Incorrect Answers: A: This is one of the components of risk. Inherent risk is the risk level or exposure without taking controls or other management actions into account. But in this stem no description of controls is given, so it cannot be concluded whether it is an inherent risk or not. C: Project risks are related to delays in project deliverables. The project activities to design and develop the system exceed the limits of the financial resources set aside for the project; as a result, the project completion will be delayed. They are not related to fulfillment of business requirements. D: This is one of the components of risk. Residual risk is the risk that remains after applying controls. But in this stem no description of controls is given, so it cannot be concluded whether it is a residual risk or not.
Which of the following risk responses includes feedback and guidance from well-qualified risk officials and those internal to the project? A. Contingent response strategy B. Risk Acceptance C. Expert judgment D. Risk transfer Suggested Answer: C Expert judgment is utilized in developing risk responses, including feedback and guidance from risk management experts and those internal to the project qualified to provide assistance in this process. Expert judgment is a technique based on a set of criteria that has been acquired in a specific knowledge area or product area. It is obtained when the project manager or project team requires specialized knowledge that they do not possess. Expert judgment involves the people most familiar with the work of creating estimates. Preferably, the project team member who will be doing the task should complete the estimates. Expert judgment is also applied when performing administrative closure activities, and experts should ensure the project or phase closure is performed to the appropriate standards. Incorrect Answers: A: Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike mitigation planning, in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs. B: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active. ✑ Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. ✑ Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks. D: Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.
Qualitative risk assessment uses which of the following terms for evaluating risk level? Each correct answer represents a part of the solution. (Choose two.) A. Impact B. Annual rate of occurrence C. Probability D. Single loss expectancy Suggested Answer: AC Unlike quantitative risk assessment, qualitative risk assessment does not assign dollar values. Rather, it determines the risk level based on the probability and impact of a risk. These values are determined by gathering the opinions of experts. ✑ Probability: establishing the likelihood of occurrence and reoccurrence of specific risks, independently and combined. The risk occurs when a threat exploits a vulnerability. Scaling is done to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentages can also be assigned to these words, such as 10% to low and 90% to high. ✑ Impact: impact is used to identify the magnitude of identified risks. The risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, low could be 10, medium could be 50, and high could be 100. Risk level = Probability * Impact Incorrect Answers: B, D: These are used for calculating Annual loss expectancy (ALE) in quantitative risk assessment. The formula is given as follows: ALE = SLE * ARO
You are working in an enterprise. Your enterprise is willing to accept a certain amount of risk. What is this risk called? A. Hedging B. Aversion C. Appetite D. Tolerance Suggested Answer: C Risk appetite considers the qualitative and quantitative aspects of accepting risks in an organization. The term refers to the type of risks the organization is willing to pursue, as well as the amount of risk and the level of risk. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the responsibility of the board to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account: ✑ The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc. ✑ The culture towards risk taking-cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursuit of its objective fulfillment. Incorrect Answers: A, B: Aversion and hedging are related to each other and represent the avoidance of risk within the organization. D: The acceptable variation relative to the achievement of an objective is termed risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives. Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.
You are the project manager of the NNN Project. Stakeholders in the two-year project have requested that status reports be sent to them via email every week. You have agreed and send reports every Thursday. After six months of the project, the stakeholders are pleased with the project progress and they would like you to reduce the status reports to every two weeks. What process will examine the change to this project process and implement it in the project? A. Configuration management B. Communications management C. Perform integrated change control process D. Project change control process Suggested Answer: C Although this appears to be a simple change, the project manager must still follow the rules of the project's change control system. Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the effect of a proposed change on the entire project. Incorrect Answers: A: Configuration management is the documentation and control of the product's features and functions. B: Communications management is the execution of the communications management plan. D: The project change control process is not valid as it is the parent of the integrated change control process, which is the more accurate answer for this question.
Which of the following role carriers is accountable for collecting data on risk and articulating risk? A. Enterprise risk committee B. Business process owner C. Chief information officer (CIO) D. Chief risk officer (CRO) Suggested Answer: D The CRO is the individual who oversees all aspects of risk management across the enterprise. The chief risk officer has the main accountability for collecting data and articulating risk. If there is any fault in these processes, then the CRO should be answerable. Incorrect Answers: A: The enterprise risk committee consists of the executives who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM). They are to some extent responsible for articulating risk but are not accountable for it. They are neither responsible nor accountable for collecting data on risk. B: The business process owner is an individual responsible for identifying process requirements, approving process design and managing process performance. He/she is responsible for collecting data and articulating risk but is not accountable for them. C: The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. The CIO has some responsibility towards collecting data and articulating risk but is not accountable for them.
Which of the following is NOT true for effective risk communication? A. Risk information must be known and understood by all stakeholders. B. Use of technical terms of risk C. Any communication on risk must be relevant D. For each risk, critical moments exist between its origination and its potential business consequence Suggested Answer: B For effective communication, the information communicated should not inundate the recipients. All ground rules of good communication apply to communication on risk. This includes the avoidance of jargon and technical terms regarding risk because the intended audiences are generally not deeply technologically skilled. Hence the use of technical terms is avoided for effective communication. Incorrect Answers: A, C, D: These are all true for effective risk communication. For effective risk communication the risk information should be clear, concise, useful and timely. Risk information must be known and understood by all the stakeholders. Information or communication should not overwhelm the recipients. This includes the avoidance of technical terms regarding risk because the intended audiences are generally not much technologically skilled. Any communication on risk must be relevant. Technical information that is too detailed or is sent to inappropriate parties will hinder, rather than enable, a clear view of risk. For each risk, critical moments exist between its origination and its potential business consequence. Information should also be aimed at the correct target audience and available on a need-to-know basis. Hence for effective risk communication, risk information should be: ✑ Clear ✑ Concise ✑ Useful ✑ Timely given ✑ Aimed at the correct audience ✑ Available on a need-to-know basis
Which of the following interpersonal skills has been identified as one of the biggest reasons for project success or failure? A. Motivation B. Influencing C. Communication D. Political and cultural awareness Suggested Answer: C Communication has been identified as one of the biggest reasons why projects succeed or fail. Effective communication is essential for good project management. Communication is a process in which information is passed from one person to another. A manager asks his subordinates to accomplish the tasks assigned to them, and he must successfully pass the information to his subordinates. It is a means of motivating and guiding the employees of an enterprise. Incorrect Answers: A: While motivation is an important interpersonal skill, it is not the best answer. B: Influencing the project stakeholders is a needed interpersonal skill, but it is not the best answer. D: Political and cultural awareness is an important part of every project, but it is not the best answer for this question.
You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process? A. Quality management plan B. Stakeholder register C. Cost management plan D. Procurement management plan Suggested Answer: D The procurement management plan is not one of the eleven inputs for the risk identification process. The eleven inputs to this process are: ✑ risk management plan ✑ activity cost estimates ✑ activity duration estimates ✑ scope baseline ✑ stakeholder register ✑ cost management plan ✑ schedule management plan ✑ quality management plan ✑ project documents ✑ enterprise environmental factors ✑ organizational process assets.
Which of the following come under the phases of risk identification and evaluation? Each correct answer represents a complete solution. (Choose three.) A. Maintain a risk profile B. Collecting data C. Analyzing risk D. Applying controls Suggested Answer: ABC Risk identification is the process of determining which risks may affect the project. It also documents the risks' characteristics. The following are the high-level phases involved in risk identification and evaluation: ✑ Collecting data- Involves collecting data on the business environment, types of events, risk categories, risk scenarios, etc., to identify relevant data to enable effective risk identification, analysis and reporting. ✑ Analyzing risk- Involves analyzing risk to develop useful information which is used while making risk decisions. Risk decisions take into account the business relevance of risk factors. ✑ Maintain a risk profile- Requires maintaining an up-to-date and complete inventory of known threats and their attributes (e.g., expected likelihood, potential impact, and disposition), IT resources, capabilities, and controls as understood in the context of business products, services and processes to effectively monitor risk over time. Incorrect Answers: D: This comes under the risk management process, not the risk identification and evaluation process.
How are the potential choices of risk-based decisions represented in decision tree analysis? A. End node B. Root node C. Event node D. Decision node Suggested Answer: D The potential choices of risk-based decisions are represented in decision tree analysis via the decision node, as decision nodes refer to the available choices. Incorrect Answers: A: End nodes are the final outcomes of the entire decision tree framework, especially in multilayered decision-making situations. B: Root nodes represent the start of a decision tree. C: Event nodes represent the possible uncertain outcomes of the decision, not the available choices.
You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks? A. Stakeholder management strategy B. Lessons learned documentation C. Risk register D. Risk management plan Suggested Answer: C Risks and the corresponding responses are documented in the risk register for the project. The risk register is a document that contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The description, category, cause, probability of occurring, impact on objectives, proposed responses, owner, and current status of all identified risks are put in the risk register. Incorrect Answers: A: The stakeholder management strategy defines how stakeholders and their threats, perceived threats, opinions, and influence over the project objectives will be addressed and managed. B: The outcome of risk events and the corresponding risk responses may be documented in the project's lessons learned documentation, but the best answer is to document the risk responses as part of the risk register. D: The risk management plan defines how risks will be identified and analyzed, the available responses, and the monitoring and controlling of the risk events. The actual risk responses are included in the risk register.
Which is the MOST important parameter while selecting an appropriate risk response? A. Cost of response B. Capability to implement response C. Importance of risk D. Efficiency of response Suggested Answer: A The cost of the response, which is applied so as to reduce risk within tolerance levels, is one of the most important parameters. By considering the cost of response, it is decided whether or not the benefits of applying the response are greater than accepting the risk; and according to this analysis it is decided whether the particular response should be applied or not. For example, if a risk transfer response is applied by using insurance, then the cost would be the cost of insurance. Incorrect Answers: B: This parameter is considered after analyzing the cost of response, which will further decide the level of sophistication of the risk response. The enterprise's capability to implement the response means that if the risk management process is mature then the risk response is more C: This is one of the parameters that is considered but is not as important as considering the cost of response. The importance of the risk is determined by the combination of likelihood and magnitude levels along with its position on the risk map. D: Efficiency of response can only be analyzed after applying the response. So it is a later stage in the selection of a response.
You are the project manager of the HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following responses have you implemented? A. Acceptance B. Mitigation C. Avoidance D. Contingent response Suggested Answer: D The contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike mitigation planning, in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs. Incorrect Answers: A: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active. ✑ Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. ✑ Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks. B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together.
The main control types are: ✑ Managerial (e.g., policies) ✑ Technical (e.g., tools such as firewalls and intrusion detection systems) ✑ Operational (e.g., procedures, separation of duties) ✑ Preparedness activities C: Risk avoidance means to evade risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.
In which of the following risk management capability maturity levels are risk appetite and tolerance applied only during episodic risk assessments? A. Level 3 B. Level 2 C. Level 4 D. Level 1 Suggested Answer: D An enterprise's risk management capability maturity level is 1 when: ✑ There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk. ✑ Any risk identification criteria vary widely across the enterprise. ✑ Risk appetite and tolerance are applied only during episodic risk assessments. ✑ Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms. ✑ Risk management skills exist on an ad hoc basis, but are not actively developed. ✑ Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications. Incorrect Answers: A: In level 3 of the risk management capability maturity model, local tolerances drive the enterprise risk tolerance. B: In level 2 of the risk management capability maturity model, risk tolerance is set locally and may be difficult to aggregate. C: In level 4 of the risk management capability maturity model, business risk tolerance is reflected in enterprise policies and standards.
A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. Should the risk event happen, it will cause the project to be delayed by three weeks, which will cause new risk in the project. What should the project manager do with the risk event? A. Add the identified risk to a quality control management chart. B. Add the identified risk to the issues log. C. Add the identified risk to the risk register. D. Add the identified risk to the low-level risk watch-list. Suggested Answer: C All identified risks, their characteristics, responses, and their status should be added and monitored as part of the risk register. A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly used in project management practice and provide information to identify, analyze, and manage risks. Typically a risk register contains: ✑ A description of the risk ✑ The impact should this event actually occur ✑ The probability of its occurrence ✑ Risk Score (the multiplication of Probability and Impact) ✑ A summary of the planned response should the event occur ✑ A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) ✑ Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. Incorrect Answers: A: Control management charts are not the place where risk events are recorded. B: This is a risk event and should be recorded in the risk register. D: Risks that have a low probability and a low impact may go on the low-level risk watch-list.
A teaming agreement is an example of what type of risk response? A. Acceptance B. Mitigation C. Transfer D. Share Suggested Answer: D Teaming agreements often come under the sharing risk response, as they involve joint ventures to realize an opportunity that an organization would not be able to seize otherwise. The sharing response is where two or more entities share a positive risk. Teaming agreements are a good example of sharing the reward that comes from the risk of the opportunity. Incorrect Answers: A: Acceptance is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Often acceptance is used for low probability and low impact risk events. B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. C: Transference is a negative risk response where the project manager hires a third party to own the risk event.
You are the project manager of the HJT project. Important confidential files of your project are stored on a computer. Mindful of unauthorized access to this computer, you have placed a hidden CCTV camera in the room, even though the computer is password protected. What kind of control is the CCTV? A. Technical control B. Physical control C. Administrative control D. Management control Suggested Answer: B CCTV is a physical control. Physical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls. The following are examples of physical controls: ✑ Locked doors, guards, access logs, and closed-circuit television ✑ Fire detection and suppression ✑ Temperature and humidity detection ✑ Electrical grounding and circuit breakers ✑ Water detection Incorrect Answers: A, C, D: CCTV is a physical control.
You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process? A. The project's cost management plan provides control that may help determine the structure for quantitative analysis of the budget. B. The project's cost management plan can help you to determine what the total cost of the project is allowed to be. C. The project's cost management plan provides direction on how costs may be changed due to identified risks. D. The project's cost management plan is not an input to the quantitative risk analysis process. Suggested Answer: A The cost management plan is an input to the quantitative risk analysis process because of the cost management control it provides. The cost management plan sets how the costs on a project are managed during the project's life cycle. It defines the format and principles by which the project costs are measured, reported, and controlled. The cost management plan identifies the person responsible for managing costs, those who have the authority to approve changes to the project or its budget, and how cost performance is quantitatively calculated and reported upon. Incorrect Answers: B: The cost management plan defines the estimating, budgeting, and control of the project's cost. C: While the cost management plan does define the cost change control system, this is not the best answer for this D: This is not a valid statement. The cost management plan is an input to the quantitative risk analysis process.
You are the project manager for BlueWell Inc. Your current project is a high priority and high profile project within your organization. You want to identify the project stakeholders that will have the most power in relation to their interest in your project. This will help you plan for project risks, stakeholder management, and ongoing communication with the key stakeholders in your project. In this process of stakeholder analysis, what type of grid or model should you create based on these conditions? A. Stakeholder power/interest grid B. Stakeholder register C. Influence/impact grid D. Salience model Suggested Answer: A The power/interest grid groups stakeholders based on their level of authority (power) and their level of interest in your project. Interest accounts for the degree to which the stakeholders are affected by the project or policy change, and the degree of interest or concern they have about it. Power accounts for the influence the stakeholders have over the project or policy, and the degree to which they can help to accomplish, or block, the preferred change. Stakeholders who have high power and high interest in the project are the people or organizations that are fully engaged with the project. When trying to generate strategic change, this community is the target of any operation. Incorrect Answers: B: The stakeholder register is a listing of stakeholder information and communication requirements. C: The influence/impact grid is based on the stakeholder's involvement and ability to effect changes to the project's planning and execution. D: The salience model groups the stakeholders based on their power, urgency, and legitimacy in the project.
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with it. Where should the declined change request be documented and stored? A. Change request log B. Project archives C. Lessons learned D. Project document updates Suggested Answer: A The change request log records the status of all change requests, approved or declined. The change request log is used as an account of change requests and as a means of tracking their disposition on a current basis. The change request log builds a measure of consistency into the change management process. It encourages common inputs into the process and a common estimation approach for all change requests. As the log is an important component of project requirements, it should be readily available to the project team members responsible for project delivery. It should be maintained in a file with read-only access for those who are not responsible for approving or disapproving project change requests. Incorrect Answers: B: The project archive includes all project documentation and is created through the close project or phase process. It is not the best choice for this question. C: Lessons learned are not the correct place to document the status of a declined, or approved, change request. D: Project document updates are not the best choice, as declined changes are part of the change request log rather than being fleshed into the project documents.
Which of the following come under the phases of risk management? A. Assessing risk B. Prioritization of risk C. Identify risk D. Monitoring risk E. Developing risk Suggested Answer: ABCD Risk management provides an approach for individuals and groups to make a decision on how to deal with potentially harmful situations. The following are the four phases involved in risk management: 1. Risk identification: The first thing we must do in risk management is to identify the areas of the project where risks can occur. This is termed risk identification. Listing all the possible risks proves to be very productive for the enterprise, as we can address them before they occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them. 2. Risk Assessment and Evaluation: Risk assessment uses quantitative and qualitative analysis approaches to evaluate each significant risk identified. 3. Risk Prioritization and Response: As many risks are identified in an enterprise, it is best to give each risk a score based on its likelihood and significance, in the form of a ranking. This determines that a risk with high likelihood and high significance must be given greater attention than a similar risk with low likelihood and low significance. Hence, risks can be prioritized and appropriate responses to those risks created. 4. Risk Monitoring: Risk monitoring is an activity which oversees the changes in risk assessment. Over time, the likelihood or significance originally attributed to a risk may change. This is especially true when certain responses, such as mitigation, have been made.
You are the project manager in your enterprise. You have identified the occurrence of a risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that have occurred. What is the immediate step after this monitoring process that has to be followed in response to risk events? A. Initiate incident response B. Update the risk register C. Eliminate the risk completely D. Communicate lessons learned from risk events Suggested Answer: A When risk events occur, the following tasks have to be done to react to them: ✑ Maintain incident response plans ✑ Monitor risk ✑ Initiate incident response ✑ Communicate lessons learned from risk events
You are the project manager for the GHT project. You need to perform the Qualitative risk analysis process. When you have completed this process, you will produce all of the following as part of the risk register update output except which one? A. Probability of achieving time and cost estimates B. Priority list of risks C. Watch list of low-priority risks D. Risks grouped by categories Suggested Answer: A Probability of achieving time and cost estimates is an update that is produced from the Quantitative risk analysis process. In Qualitative risk analysis the probability of occurrence of a specific risk is identified, but not the probability of achieving time and cost estimates.
You have been assigned as the Project Manager for a new project that involves building a new roadway from the city airport to a designated point within the city. However, you notice that the transportation permit issuing authority is taking longer than the planned time to issue the permit to begin construction. What would you classify this as? A. Project Risk B. Status Update C. Risk Update D. Project Issue Suggested Answer: D This is a project issue. It is easy to confuse this with a project risk; however, a project risk is always in the future. In this case, the delay by the permitting agency has already happened; hence this is a project issue. The possible impact of this delay on the project cost, schedule, or performance can be classified as a project risk. Incorrect Answers: A: It is easy to confuse this with a project risk; however, a project risk is always in the future. In this case, the delay by the permitting agency has already happened; hence this is a project issue. B, C: These options are not valid.
Which of the following assets are examples of intangible assets of an enterprise? Each correct answer represents a complete solution. (Choose two.) A. Customer trust B. Information C. People D. Infrastructure Suggested Answer: AB Assets are the economic resources owned by a business or company. Anything tangible or intangible that one possesses, usually considered as applicable to the payment of one's debts, is considered an asset. An asset can also be defined as a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. Tangible asset: Tangible assets are those that have physical attributes and can be detected with the senses, e.g., people, infrastructure, and finances. Intangible asset: Intangible assets are those that have no physical attributes and cannot be detected with the senses, e.g., information, reputation and customer trust.
You are the project manager of the GHY project for your company. This project has a budget of $543,000 and is expected to last 18 months. In this project, you have identified several risk events and created risk response plans. In what project management process group will you implement risk response plans? A. Monitoring and Controlling B. In any process group where the risk event resides C. Planning D. Executing Suggested Answer: A The monitor and control project risk process resides in the monitoring and controlling project management process group. This process is responsible for implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness through the project. Incorrect Answers: B: Risk response plans are implemented as part of the monitoring and controlling process group. C: Risk response plans are not implemented as part of project planning. D: Risk response plans are not implemented as part of project execution.
During which of the following processes is the probability and impact matrix prepared? A. Risk response B. Monitoring and Control Risk C. Quantitative risk assessment D. Qualitative risk assessment Suggested Answer: D The probability and impact matrix is a technique to prioritize the identified risks of the project on their risk rating, and it is prepared while performing qualitative risk analysis. Evaluation of each risk's importance and, hence, priority for attention, is typically conducted using a look-up table or a probability and impact matrix. This matrix specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority. Incorrect Answers: A, B: These processes are part of risk management. The probability and impact matrix is prepared during the qualitative risk analysis for further quantitative analysis and response based on the risk rating. C: SLE, ARO and ALE are used in quantitative risk assessment.
You are the project manager of the GRT project. You discovered that bringing on more qualified resources, or providing even better quality than originally planned, could reduce the amount of time required to complete the project. If your organization seizes this opportunity, it would be an example of what risk response? A. Enhance B. Exploit C. Accept D. Share Suggested Answer: B Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of the exploit response. Incorrect Answers: A: The enhance strategy closely watches the probability or impact of the risk event to assure that the organization realizes the benefits. The primary point of this strategy is to attempt to increase the probability and/or impact of positive C: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. D: The share strategy is similar to transfer because in this a portion of the risk is shared with an external organization or another internal entity.
Your project has several risks that may cause serious financial impact if they occur. You have studied the risk events and made some potential risk responses for the risk events, but management wants you to do more. They'd like you to create some type of chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart? A. Risk response plan B. Contingency reserve C. Risk response D. Quantitative analysis Suggested Answer: B This chart is a probability-impact matrix in a quantitative analysis process. The probability and financial impact of each risk are learned through research, testing, and subject matter experts. The probability of the event is multiplied by the financial impact to create a risk event value for each risk. The sum of the risk event values will lead to the contingency reserve for the project. Incorrect Answers: A: The risk response plan is based on the risk responses, not the risk probability-impact matrix. C: The risk responses are needed, but this chart doesn't help the project manager to create them. D: This chart is created as part of quantitative analysis.
Which of the following are parts of SWOT Analysis? Each correct answer represents a complete solution. (Choose four.) A. Weaknesses B. Tools C. Threats D. Opportunities E. Strengths Suggested Answer: ACDE SWOT analysis is a strategic planning method used to evaluate the Strengths, Weaknesses, Opportunities, and Threats involved in a project or in a business venture. It involves specifying the objective of the business venture or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective. The technique is credited to Albert Humphrey, who led a research project at Stanford University in the 1960s and 1970s using data from Fortune 500 companies. Incorrect Answers: B: Tools are not part of SWOT analysis.
What is the FIRST phase of the IS monitoring and maintenance process? A. Report result B. Prioritizing risks C. Implement monitoring D. Identifying controls Suggested Answer: B The following phases are involved in information system monitoring and maintenance: ✑ Prioritize risk: The first phase involves the prioritization of risk, which in turn involves the following tasks: - Analyze and prioritize risks to organizational objectives. - Identify the necessary application components and the flow of information through the system. - Examine and understand the functionality of the application by reviewing the application system documentation and interviewing appropriate personnel. ✑ Identify controls: After prioritizing risk, the controls are identified, which involves the following tasks: - Key controls are identified across the internal control system that address the prioritized risk. - Application control strength is identified. - The impact of control weaknesses is evaluated. - A testing strategy is developed by analyzing the accumulated information. ✑ Identify information: Now the IS control information should be identified: - Identify information that will persuasively indicate the operating effectiveness of the internal control system. - Observe and test users performing procedures. ✑ Implement monitoring: Develop and implement cost-effective procedures to evaluate the persuasive information. ✑ Report results: After implementing the monitoring process, the results are reported to relevant stakeholders. Incorrect Answers: A, C, D: All of these phases occur in the IS monitoring and maintenance process after prioritizing risks.
You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example? A. Root cause analysis B. Influence diagramming techniques C. SWOT analysis D. Assumptions analysis Suggested Answer: C This is an example of SWOT analysis. SWOT analysis examines the strengths, weaknesses, opportunities, and threats within the project and those generated from within the organization. SWOT stands for Strengths, Weaknesses, Opportunities, and Threats. It is a part of business policy that helps an individual or a company to make decisions. It includes the strategies to build the strength of a company and use the opportunities to make the company successful. It also includes the strategies to overcome the weaknesses of and threats to the company. Incorrect Answers: A: Root cause analysis examines causal factors for events within the project. B: Influence diagramming techniques examine the relationships between things and events within the project. D: Assumptions analysis does not use four pre-defined perspectives for review.
You are working in an enterprise. Assume that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is provided by the lack of any significant differences between perpetual levels and actual levels? A. Direct information B. Indirect information C. Risk management plan D. Risk audit information Suggested Answer: B The lack of any significant differences between perpetual levels and actual levels provides indirect information that its billing controls are operating. It does not provide any direct information. Incorrect Answers: A: It does not provide direct information, as there is no information about the propriety of cutoff. C, D: These are not types of information.
In which of the following risk management capability maturity levels does the enterprise take major business decisions considering the probability of loss and the probability of reward? Each correct answer represents a complete solution. (Choose two.) A. Level 0 B. Level 2 C. Level 5 D. Level 4 Suggested Answer: CD An enterprise at risk management capability maturity level 4 or 5 takes business decisions considering the probability of loss and the probability of reward, i.e., considering all aspects of risk. Incorrect Answers: A: An enterprise at risk management capability maturity level 0 takes business decisions without considering risk-related information. B: At this low level of risk management capability, the enterprise takes decisions considering specific risk issues within functional and business silos (e.g., security, business continuity, operations).
Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification? A. So that the project team can develop a sense of ownership for the risks and associated risk responsibilities. B. So that the project manager can identify the risk owners for the risks within the project and the needed risk responses. C. So that the project manager isn't the only person identifying the risk events within the project. D. So that the project team and the project manager can work together to assign risk ownership. Suggested Answer: A The best reason to include the project team members is that they need to develop a sense of ownership for the risks and associated risk responsibilities. Incorrect Answers: B: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership and risk responses at this point. C: While the project manager shouldn't be the only person to identify the risk events, this isn't the best answer. D: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership.
Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.? A. Framework B. Legal requirements C. Standard D. Practices Suggested Answer: C A standard establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or the outputs of a process. Incorrect Answers: A: Frameworks are generally accepted, business-process-oriented structures that establish a common language and enable repeatable business processes. B: These are legal rules under which the project must operate. D: Practices are frequent or usual actions performed as an application of knowledge. A leading practice would be defined as an action that optimally applies knowledge in a particular area. They are issued by a "recognized authority" that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review.
You are the project manager of your enterprise. While performing risk management, you are given a task to identify where your enterprise stands in a certain practice and also to suggest the priorities for improvements. Which of the following models would you use to accomplish this task? A. Capability maturity model B. Decision tree model C. Fishbone model D. Simulation tree model Suggested Answer: A Capability maturity models are models used by the enterprise to rate itself in terms of the least mature level (having nonexistent or unstructured processes) to the most mature (having adopted and optimized the use of good practices). The levels within a capability maturity model are designed to allow an enterprise to identify descriptions of its current and possible future states. In general, the purpose is to: ✑ Identify where enterprises are in relation to certain activities or practices. ✑ Suggest how to set priorities for improvements. Incorrect Answers: D: No such model exists in the risk management process. B: Decision tree analysis is a risk analysis tool that can help the project manager in determining the best risk response. The tool can be used to measure probability, impact, and risk exposure and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced image of the risks and opportunities connected with each possible course of action. This makes it most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility. C: Fishbone diagrams or Ishikawa diagrams show the relationships between the causes and effects of problems.
You are the risk official in Techmart Inc. You are asked to perform a risk assessment on the impact of losing a server. For this assessment you need to calculate the monetary value of the server. On which of the following bases do you calculate monetary value? A. Cost to obtain replacement B. Original cost to acquire C. Annual loss expectancy D. Cost of software stored Suggested Answer: A The monetary value of the server should be based on the cost of its replacement. However, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise. Incorrect Answers: B, C, D: The cost of software is not counted because it can be restored from backup media. On the other hand, the ALE for all risk related to the server does not represent the server's value. Lastly, the original cost may be significantly different from the current cost and, therefore, is not relevant to this.
Which of the following is the BEST way of managing risk inherent to a wireless network? A. Enabling auditing on every host that connects to a wireless network B. Require private, key-based encryption to connect to the wireless network C. Require that every host that connects to this network have a well-tested recovery plan D. Enable auditing on every connection to the wireless network Suggested Answer: B Because preventive controls are preferred over detection and recovery, private, key-based encryption should be adopted for managing this risk. Incorrect Answers: A, C, D: As explained above, preventive controls and prevention are preferred over detection and recovery; hence these are less preferred ways.
You are elected as the project manager of the GHT project. You have to initiate the project. Your project request document has been approved, and now you have to start working on the project. What is the FIRST step you should take to initialize the project? A. Conduct a feasibility study B. Acquire software C. Define requirements of project D. Plan project management Suggested Answer: A Conducting a feasibility study begins once initial approval has been given to move forward with a project. It includes an analysis to clearly define the need and to identify alternatives for addressing the need. Incorrect Answers: B: Acquiring software involves building new or modifying existing hardware or software after final approval by the stakeholder, which is not a phase in the standard SDLC process. If a decision was reached to acquire rather than develop software, this task should occur after the feasibility study and defining requirements. C: The requirements of the project are defined after conducting the feasibility study. D: This is a later phase in the project development process.
John is the project manager of the NHQ Project for his company. His project has 75 stakeholders, some of which are external to the organization. John needs to make certain that he communicates about risk in the most appropriate method for the external stakeholders. Which project management plan will be the best guide for John to communicate to the external stakeholders? A. Risk Response Plan B. Communications Management Plan C. Project Management Plan D. Risk Management Plan Suggested Answer: B The Communications Management Plan will direct John on the information to be communicated, when to communicate, and how to communicate with external stakeholders. The Communications Management Plan aims to define the communication necessities for the project and how the information will be circulated. The Communications Management Plan sets the communication structure for the project. This structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communications Management Plan identifies and defines the roles of persons concerned with the project. It includes a matrix known as the communication matrix to map the communication requirements of the project. Incorrect Answers: A: The Risk Response Plan identifies how risks will be responded to. C: The Project Management Plan is the parent of all subsidiary management plans and is not the most accurate choice for this question. D: The Risk Management Plan defines how risks will be identified, analyzed, responded to, and controlled throughout the project.
You are the administrator of your enterprise. Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information? A. Monitoring and recording unsuccessful logon attempts B. Forcing periodic password changes C. Using a challenge response system D. Providing access on a need-to-know basis Suggested Answer: D Physical or logical system access should be assigned on a need-to-know basis, where there is a legitimate business requirement based on least privilege and segregation of duties. This is done by user authentication. Incorrect Answers: A: Monitoring and recording unsuccessful logon attempts does not address whether access rights are appropriate. In other words, it does not prevent unauthorized access. B: Forcing users to change their passwords does not ensure that access control is appropriately assigned. C: A challenge-response system is used to verify the user's identity but does not completely address the issue of access risk if access was not appropriately designed in the first place.
Adrian is a project manager for a new project using a technology that has recently been released, and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses? A. Project scope statement B. Project charter C. Risk low-level watch list D. Risk register Suggested Answer: D A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains: ✑ A description of the risk ✑ The impact should this event actually occur ✑ The probability of its occurrence ✑ Risk Score (the multiplication of Probability and Impact) ✑ A summary of the planned response should the event occur ✑ A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) ✑ Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. ✑ It records the initial risks, the potential responses, and tracks the status of each identified risk in the project. Incorrect Answers: A: The project scope statement does document initially defined risks, but it is not a place that will record risk responses and the status of risks. B: The project charter does not define risks. C: The risk low-level watch list is for identified risks that have low impact and low probability in the project.
You are the project manager of the GHT project. You have identified a risk event on your current project that could save $670,000 in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event? A. This risk event should be accepted because the rewards outweigh the threat to the project. B. This risk event should be mitigated to take advantage of the savings. C. This risk event is an opportunity to the project and should be exploited. D. This is a risk event that should be shared to take full advantage of the potential savings. Suggested Answer: D This risk event has the potential to save money on project costs, and the organization is hiring a vendor to assure that all these savings are realized. Hence this risk event involves sharing with a third party to help assure that the opportunity takes place. Incorrect Answers: A: This risk event is not accepted, as this event has the potential to save money and is shared with a vendor so that all these savings are realized. B: A risk event is mitigated when it has negative impacts. Here the consequences are positive (i.e., savings); therefore it is not mitigated. C: This risk event could be exploited, but since the scenario states that the organization is hiring a vendor, the event is being shared, not exploited.
You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process? Each correct answer represents a complete solution. (Choose three.) A. Quality management plan B. Schedule management plan C. Cost management plan D. Project scope statement Suggested Answer: BCD The inputs to the plan risk management process are as follows: ✑ Project scope statement: It provides a clear sense of the range of possibilities associated with the project and establishes the framework for how significant the risk management effort may become. ✑ Cost management plan: It describes how risk budgets, contingencies, and management reserves will be reported and accessed. ✑ Schedule management plan: It describes how the schedule contingencies will be reported and assessed. ✑ Communication management plan: It describes the interactions that occur on the project and determines who will be available to share information on various risks and responses at different times. ✑ Enterprise environmental factors: These include, but are not limited to, risk attitudes and tolerances that describe the degree of risk that an organization can withstand. ✑ Organizational process assets: These include, but are not limited to, risk categories, risk statement formats, standard templates, roles and responsibilities, authority levels for decision-making, lessons learned, and stakeholder registers. Incorrect Answers: A: It is not an input for the plan risk management process.
Which of the following documents is described in the statement below? "It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning." A. Quality management plan B. Risk management plan C. Risk register D. Project charter Suggested Answer: C The risk register is a document that contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The risk register is developed along with all processes of risk management, from Plan Risk Management through Monitor and Control Risks. Incorrect Answers: A: The quality management plan is a component of the project management plan. It describes how the project team will implement the organization's quality policy. The quality management plan addresses quality control (QC), quality assurance (QA), and continuous process improvement for the project. Based on the requirements of the project, the quality management plan may be formal or informal, highly detailed or broadly framed. B: The risk management plan includes roles and responsibilities, risk analysis definitions, timing for reviews, and risk thresholds. The Plan Risk Responses process takes input from the risk management plan and risk register to define the risk response. D: The project charter is the document that formally authorizes a project. The project charter provides the project manager with the authority to apply organizational resources to project activities.
You have identified several risks in your project. You have opted for risk mitigation in order to respond to the identified risks. Which of the following ensures that the risk mitigation method you have chosen is effective? A. Reduction in the frequency of a threat B. Minimization of inherent risk C. Reduction in the impact of a threat D. Minimization of residual risk Suggested Answer: B The inherent risk of a process is a given and cannot be affected by risk reduction or risk mitigation efforts. Hence it should be reduced as far as possible. Incorrect Answers: A: Risk reduction efforts can focus on either avoiding the frequency of the risk or reducing the impact of a risk. C: Risk reduction efforts can focus on either avoiding the frequency of the risk or reducing the impact of a risk. D: The objective of risk reduction is to reduce the residual risk to levels below the enterprise's risk tolerance level.
Which of the following controls is used to ensure that users have the rights and permissions they need to perform their jobs, and no more? A. System and Communications protection control B. Audit and Accountability control C. Access control D. Identification and Authentication control Suggested Answer: C Access controls help an organization implement effective access control. They ensure that users have the rights and permissions they need to perform their jobs, and no more. This includes principles such as least privilege and separation of duties. Incorrect Answers: A: System and Communications protection control is a large group of controls that cover many aspects of protecting systems and communication channels. Denial of service protection and boundary protection controls are included. Transmission integrity and confidentiality controls are also included. B: Audit and Accountability control helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation. D: Identification and Authentication controls cover different practices to identify and authenticate users. Each user should be uniquely identified. In other words, each user has one account. This account is only used by one user. Similarly, device identifiers uniquely identify devices on the network.
You are working in an enterprise. Your enterprise owns various risks. Which of the following is MOST likely to own the risk to an information system that supports a critical business process? A. System users B. Senior management C. IT director D. Risk management department Suggested Answer: B Senior management is responsible for the acceptance and mitigation of all risk. Hence they will also own the risk to an information system that supports a critical business process. Incorrect Answers: A: The system users are responsible for utilizing the system properly and following procedures, but they do not own the risk. C: The IT director manages the IT systems on behalf of the business owners. D: The risk management department determines and reports on the level of risk, but does not own the risk. Risk is owned by senior management.
Which of the following components ensures that risks are examined for all new proposed change requests in the change control system? A. Configuration management B. Scope change control C. Risk monitoring and control D. Integrated change control Suggested Answer: D Integrated change control is the component that is responsible for reviewing all aspects of a change's impact on a project - including risks that may be introduced by the new change. Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the effect of a proposed change on the entire project. Incorrect Answers: A: Configuration management controls and documents changes to the features and functions of the product scope. B: Scope change control focuses on the processes to allow changes to enter the project scope. C: Risk monitoring and control is not part of the change control system, so this choice is not valid.
Which of the following are true for threats? Each correct answer represents a complete solution. (Choose three.) A. They can become more imminent as time goes by, or they can diminish B. They can result in risks from external sources C. They are a possibility D. They are real E. They will arise and stay in place until they are properly dealt with. Suggested Answer: ABD A threat is an act of coercion wherein an act is proposed to elicit a negative response. Threats are real, while vulnerabilities are a possibility. They can result in risks from external sources, and can become imminent over time or can diminish. Incorrect Answers: C, E: These two are true for vulnerabilities, but not threats. Unlike threats, vulnerabilities are a possibility and can result in risks from internal sources. They will arise and stay in place until they are properly dealt with.
Which of the following statements BEST describes policy? A. A minimum threshold of information security controls that must be implemented B. A checklist of steps that must be completed to ensure information security C. An overall statement of information security scope and direction D. A technology-dependent statement of best practices Suggested Answer: C A policy is an executive mandate which helps in identifying a topic that contains particular risks to avoid or prevent. Policies are high-level documents signed by a person of high authority with the power to force cooperation. The policy is a simple document stating that a particular high-level control objective is important to the organization's success. Policies are usually only one page in length. The authority of the person mandating a policy will determine the scope of implementation. In other words, a policy is an overall statement of information security scope and direction. Incorrect Answers: A, B, D: These are not valid definitions of a policy.
You are the project manager of the GHT project. You have analyzed the risk and applied appropriate controls. In turn, you got residual risk as a result of this. Residual risk can be used to determine which of the following? A. Status of enterprise's risk B. Appropriate controls to be applied next C. The area that requires more control D. Whether the benefits of such controls outweigh the costs Suggested Answer: CD Residual risk can be used by management to determine: ✑ Which areas require more control ✑ Whether the benefits of such controls outweigh the costs As residual risk is the output that comes after applying appropriate controls, it can also indicate the areas that need more sophisticated control. If the cost of a control is larger than its benefits, then no control is applied; hence residual risk can determine the benefits of these controls over their cost. Incorrect Answers: A: The status of the enterprise's risk can be determined only after risk monitoring. B: Appropriate controls can only be determined as the result of risk assessment, not through residual risk.
When it appears that a project risk is going to happen, what is this called? A. Issue B. Contingency response C. Trigger D. Threshold Suggested Answer: C A trigger is a warning sign or a condition that a risk event is likely to occur within the project. Incorrect Answers: A: Issues are events that come about as a result of risk events. Risks become issues only after they have actually occurred. B: A contingency response is a pre-planned response for a risk event, such as a rollback plan. D: A threshold is a limit that the risk passes to actually become an issue in the project.
You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. Which of the following inputs will be needed for the qualitative risk analysis process in your project? Each correct answer represents a complete solution. (Choose three.) A. Project scope statement B. Cost management plan C. Risk register D. Organizational process assets Suggested Answer: ACD The primary goal of qualitative risk analysis is to determine the relative effect of each risk and the likely response. The inputs to the Perform Qualitative Risk Analysis process are: organizational process assets, the project scope statement, the risk management plan, and the risk register. Incorrect Answers: B: The cost management plan is an input to the Perform Quantitative Risk Analysis process.
Which of the following will significantly affect the standard information security governance model? A. Currency with changing legislative requirements B. Number of employees C. Complexity of the organizational structure D. Cultural differences between physical locations Suggested Answer: C Complexity of the organizational structure will have the most significant impact on the information security governance model. Elements that affect organizational structure include multiple business units and functions across the organization. Incorrect Answers: A: Currency with changing legislative requirements should not have a major impact once good governance models are in place; governance helps the organization manage its ongoing compliance effectively. B, D: The number of employees and the distance between physical locations have less impact on information security governance models, since well-defined process, technology and people components together provide proper governance.
You are the risk professional in Bluewell Inc. You have identified a risk and want to implement a specific risk mitigation activity. What should you PRIMARILY utilize? A. Vulnerability assessment report B. Business case C. Technical evaluation report D. Budgetary requirements Suggested Answer: B Because a business case includes the business need (such as a new product, a change in process, or a compliance requirement) and the requirements of the enterprise (new technology, cost, etc.), the risk professional should utilize it when implementing a specific risk mitigation activity. The risk professional must look at the costs of the various controls and compare them against the benefits the organization will receive from the risk response. Hence he/she needs knowledge of business case development to illustrate the costs and benefits of the risk response. Incorrect Answers: A, C, D: These options are all supplemental.
You are the project manager of the AFD project for your company. You are working with the project team to reassess existing risk events and to identify risk events that have not happened and whose relevancy to the project has passed. What should you do with these events that have not happened and would not happen now in the project? A. Add the risk to the issues log B. Close the outdated risks C. Add the risks to the risk register D. Add the risks to a low-priority watch-list Suggested Answer: B Risks that are now outdated should be closed by the project manager; there is no need to keep them open. Incorrect Answers: A: Risks do not go into the issue log, but into the risk register. C: Identified risks are already in the risk register. D: Risks with low probability and low impact go on the risk watch-list.
What activity should be done for effective post-implementation reviews during the project? A. Establish the business measurements up front B. Allow a sufficient number of business cycles to be executed in the new system C. Identify the information collected during each stage of the project D. Identify the information to be reviewed Suggested Answer: A For an effective post-implementation review, the business measurements are established up front, during the project. Incorrect Answers: B: Executing a sufficient number of business cycles in the new system is done after completion of the project. C, D: Identifying the information to be reviewed and the information collected during each stage of the project is done in the pre-project phase, not during the project.
Which of the following is the best reason for performing risk assessment? A. To determine the present state of risk B. To analyze the effect on the business C. To satisfy regulatory requirements D. To budget appropriately for the application of various controls Suggested Answer: A Risk assessment is the process of analyzing identified risk, both quantitatively and qualitatively. Quantitative risk assessment requires calculation of two components of risk: the magnitude of the potential loss and the probability that the loss will occur. Qualitative risk assessment, by contrast, rates the severity of the risk. Hence risk assessment helps in determining the present state of risk. Incorrect Answers: B: Analyzing the effect of risk on the enterprise is part of the process of performing a risk assessment, but is not the reason for doing it. C: Performing a risk assessment may satisfy regulatory requirements, but that is not the reason to perform it. D: Budgeting appropriately is one of the results of a risk assessment, but not the reason for performing it.
You are the project manager of GHT project. You identified a risk of noncompliance with regulations due to the absence of a number of relatively simple procedures. The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization categories should this case be placed? A. Business case to be made B. Quick win C. Risk avoidance D. Deferrals Suggested Answer: B This is categorized as a "quick win" because the allocation of existing resources or a minor resource investment provides measurable benefits. A quick win is a very effective and efficient response that addresses medium to high risk. Incorrect Answers: A: "Business case to be made" requires careful analysis and management decisions on investments in risk responses to medium to high risk that are more expensive or difficult. In this scenario only a minor investment is needed, which is why it is not "business case to be made". C: Risk avoidance is a type of risk response, not a risk response prioritization option. D: Deferral addresses a costly risk response to a low risk, and hence does not apply in this scenario.
What are the PRIMARY objectives of a control? A. Detect, recover, and attack B. Prevent, respond, and log C. Prevent, control, and attack D. Prevent, recover, and detect Suggested Answer: D Controls are the policies, procedures, practices and guidelines designed to provide appropriate assurance that business objectives are achieved and undesired events are detected, prevented, and corrected. Controls, or countermeasures, reduce or neutralize threats or vulnerabilities. Controls have three primary objectives: prevent, recover, and detect. Incorrect Answers: A, B, C: One or more of the objectives stated in these choices is not a correct objective of a control.
Which of the following is the PRIMARY role of a data custodian in the risk management process? A. Ensuring data is protected according to the classification B. Being accountable for control design C. Reporting and escalating data breaches to senior management D. Performing periodic data reviews according to policy Suggested Answer: A
Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed? A. Background checks B. Awareness training C. User access D. Policy management Suggested Answer: B
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy? A. Penetration testing B. Service level monitoring C. Security awareness training D. Periodic audits Suggested Answer: D Because regular audits can spot gaps in information security compliance, periodic audits can ensure that outsourced service providers comply with the enterprise's information security policy. Incorrect Answers: A: Penetration testing can identify security vulnerabilities, but cannot ensure compliance with the information security policy. B: Service level monitoring can only identify operational issues in the enterprise's operational environment; it does not play any role in ensuring that an outsourced service provider complies with the enterprise's information security policy. C: Training can increase user awareness of the information security policy, but is less effective than periodic auditing.
You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized? A. Deferrals B. Quick win C. Business case to be made D. Contagious risk Suggested Answer: C This is categorized as "business case to be made" because the project cost is very large: the response to be implemented requires quite a large investment. Incorrect Answers: A: Deferral addresses a costly risk response to a low risk; the responses it covers are less costly than those for which a business case must be made. B: A quick win is a very effective and efficient response that addresses medium to high risk, but it does not require a large investment. D: Contagious risk is not a risk response prioritization option; it is a type of risk that occurs at several of the enterprise's business partners within a very short time frame.
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy? A. Interview the firewall administrator. B. Review the actual procedures. C. Review the device's log file for recent attacks. D. Review the parameter settings. Suggested Answer: D A review of the parameter settings provides a good basis for comparing the actual configuration to the security policy and provides reliable, documented audit evidence. Incorrect Answers: A: While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy. B: While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy. C: While reviewing the device's log file for recent attacks may provide indirect evidence that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
You work as the project manager for Company Inc. The project on which you are working has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks? A. Resource Management Plan B. Communications Management Plan C. Risk Management Plan D. Stakeholder management strategy Suggested Answer: B The Communications Management Plan defines, with regard to risk management, who will be available to share information on risks and responses throughout the project. The Communications Management Plan defines the communication requirements of the project and how information will be circulated. It sets the communication structure for the project; this structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communications Management Plan identifies and defines the roles of the persons concerned with the project. It includes a matrix, known as the communication matrix, that maps the communication requirements of the project. Incorrect Answers: A: The Resource Management Plan does not define risk communications. C: The Risk Management Plan deals with risk identification, analysis, response, and monitoring. D: The stakeholder management strategy does not address risk communications.
Which of the following statements is NOT true regarding the risk management plan? A. The risk management plan is an output of the Plan Risk Management process. B. The risk management plan is an input to all the remaining risk-planning processes. C. The risk management plan includes a description of the risk responses and triggers. D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets. Suggested Answer: C The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers. Responses to risks are documented in the risk register as part of the Plan Risk Responses process. Incorrect Answers: A, B, D: These statements are all true of the risk management plan. The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. It includes thresholds, scoring and interpretation methods, responsible parties, and budgets. It also acts as an input to all the remaining risk-planning processes.
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply the most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response? A. Project network diagrams B. Cause-and-effect analysis C. Decision tree analysis D. Delphi Technique Suggested Answer: C Decision tree analysis is a risk analysis tool that can help the project manager determine the best risk response. The tool can be used to measure probability, impact, and risk exposure, and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps form a balanced picture of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility. Incorrect Answers: A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as part of risk response planning. B: Cause-and-effect analysis is used for exposing risk factors and is not effective in risk response planning. This analysis uses predictive or diagnostic analytical tools to explore the root causes or factors that contribute to positive or negative effects or outcomes. D: The Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. Delphi uses a group of experts who independently rate the business risk of an organization. Each expert analyzes and prioritizes the risk independently, and the results are combined into a consensus.
What is the MAIN purpose of designing risk management programs? A. To reduce the risk to a level that the enterprise is willing to accept B. To reduce the risk to the point at which the benefit exceeds the expense C. To reduce the risk to a level that is too small to be measurable D. To reduce the risk to a rate of return that equals the current cost of capital Suggested Answer: A Risk cannot be removed completely from the enterprise; it can only be reduced to a level that an organization is willing to accept. Risk management programs are hence designed to accomplish the task of reducing risks. Incorrect Answers: B: Depending on the risk preference of an enterprise, it may or may not choose to pursue risk mitigation to the point at which benefit equals or exceeds the expense. Hence this is not the primary objective of designing the risk management program. C: Reducing risk to a level too small to measure is not practical and is often cost-prohibitive. D: Reducing risks to a specific return ignores the qualitative aspects of the risk which should also be considered.
Which of the following terms is described in the statement below? "They are the prime monitoring indicators of the enterprise, and are highly relevant and possess a high probability of predicting or indicating important risk." A. Key risk indicators B. Lag indicators C. Lead indicators D. Risk indicators Suggested Answer: A Key Risk Indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help avoid the excessively large number of risk indicators to manage and report that a large enterprise may otherwise have. Incorrect Answers: B: Lag indicators are risk indicators used to indicate risk after events have occurred. C: Lead indicators are risk indicators used to indicate which capabilities are in place to prevent events from occurring. D: Risk indicators are metrics used to indicate risk thresholds, i.e., they give an indication when a risk level is approaching a high or unacceptable level. The main objective of a risk indicator is to provide tracking and reporting mechanisms that alert staff to potential risks.
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use? A. Anti-harassment policy B. Acceptable use policy C. Intellectual property policy D. Privacy policy Suggested Answer: B An acceptable use policy is a set of rules applied by the owner or manager of a network, website or large computer system that restricts the ways in which the network, site or system may be used. Acceptable use policies are an integral part of the framework of information security policies. Incorrect Answers: A, C: These two policies are not related to information system security. D: A privacy policy is a statement or legal document (under privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's or client's data.
Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this? A. Mitigation B. Avoidance C. Transference D. Enhancing Suggested Answer: A Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to within acceptable threshold limits. Taking early action to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred. Incorrect Answers: B: Avoidance changes the project plan to avoid the risk altogether. C: Transference requires shifting some or all of the negative impacts of a threat, along with the ownership of the response, to a third party. Transferring the risk simply gives another party the responsibility for its management; it does not eliminate it. Transferring the liability for a risk is most effective in dealing with financial risk exposure. Risk transference nearly always involves payment of a risk premium to the party taking on the risk. D: Enhancing is actually a positive risk response. This strategy is used to increase the probability and/or the positive impact of an opportunity. Identifying and maximizing the key drivers of these positive-impact risks may increase the probability of their occurrence.
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget? A. Monitor and Control Risk B. Plan risk response C. Identify Risks D. Qualitative Risk Analysis Suggested Answer: B The Plan Risk Responses project management process aims to reduce threats to the project objectives and to increase opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. The Plan Risk Responses process includes assigning a risk response owner to take responsibility for each agreed-to and funded risk response. This process addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget. The inputs to the Plan Risk Responses process are the risk register and the risk management plan. Incorrect Answers: A: Monitor and Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan. C: Identify Risks is the process of determining which risks may affect the project; it also documents the risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and the associated risk response actions. The risk register is the only output of this process. D: Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative scale. Some of the qualitative methods of risk analysis are: scenario analysis, a forward-looking process that can reflect risk for a given point in time; and risk control self-assessment (RCSA), which is used by enterprises (such as banks) for the identification and evaluation of operational risk exposure. RCSA is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process that compels business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.
Out of several risk responses, which of the following risk responses is used for negative risk events? A. Share B. Enhance C. Exploit D. Accept Suggested Answer: D Among the given choices, only the acceptance response is used for negative risk events. Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in conjunction with the board. There are two alternatives within the acceptance strategy, passive and active. Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept its consequences. Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with the risk. Incorrect Answers: A, B, C: These are all used to deal with opportunities (positive risks), not with negative risks.
Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are in a foreign country? A. A security breach notification may get delayed due to time difference B. The enterprise may not be able to monitor compliance with its internal security and privacy guidelines C. Laws and regulations of the country of origin may not be enforceable in foreign country D. Additional network intrusion detection sensors should be installed, resulting in additional cost Suggested Answer: C Laws and regulations of the country of origin may not be enforceable in a foreign country, and conversely, the laws and regulations of the foreign outsourcer's country may also affect the enterprise. Hence a violation of applicable laws may not be recognized or rectified due to lack of knowledge of the local laws. Incorrect Answers: A: Security breach notification is not a problem, and time difference does not play a role in a 24/7 environment; pagers, cellular phones, telephones, etc. are available to communicate notifications. B: Outsourcing does not remove the enterprise's responsibility for its internal requirements, so monitoring compliance with its internal security and privacy guidelines is not a problem. D: The need for additional network intrusion detection sensors is not a major problem, as it can be easily managed; it only requires additional funding.
You are the Risk Official in Bluewell Inc. You have detected many vulnerabilities during the risk assessment process. What should you do next? A. Prioritize vulnerabilities for remediation solely based on impact. B. Handle vulnerabilities as a risk, even though there is no threat. C. Analyze the effectiveness of control on the vulnerabilities' basis. D. Evaluate vulnerabilities for threat, impact, and cost of mitigation. Suggested Answer: D Vulnerabilities detected during assessment should first be evaluated for threat, impact and cost of mitigation. They should be evaluated and prioritized on the basis of whether they pose a credible threat. Incorrect Answers: A, C: These are further steps taken after evaluating the vulnerabilities, so they are not the immediate action after detecting them. B: If detected vulnerabilities pose no or negligible threat to the enterprise, it is not cost-effective to address them as a risk.
Assessing the probability and consequences of identified risks to the project objectives, assigning a risk score to each risk, and creating a list of prioritized risks describes which of the following processes? A. Qualitative Risk Analysis B. Plan Risk Management C. Identify Risks D. Quantitative Risk Analysis Suggested Answer: A The purpose of qualitative risk analysis is to determine what impact the identified risk events will have on the project and the probability that they will occur. It also puts risks in priority order according to their effects on the project objectives and assigns a risk score for the project. Incorrect Answers: B: Risk management is used to identify, assess, and control risks. It includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. Assessing the probability and consequences of identified risks is only one part of risk management. C: Risk identification involves listing all possible risks so that they can be addressed before they occur. In risk identification both threats and opportunities are considered, as both carry some level of risk. D: This process does not involve assessing the probability and consequences of identified risks. Quantitative analysis is the use of numerical and statistical techniques, rather than the analysis of verbal material, to analyze risks. Some of the quantitative methods of risk analysis are: the internal loss method, external data analysis, business process modeling (BPM) and simulation, and statistical process control (SPC).
You and your project team have identified a few risk events in the project and recorded the events in the risk register. Part of the recording of the events includes the identification of a risk owner. Who is a risk owner? A. A risk owner is the party that will monitor the risk events. B. A risk owner is the party that will pay for the cost of the risk event if it becomes an issue. C. A risk owner is the party that has caused the risk event. D. A risk owner is the party authorized to respond to the risk event. Suggested Answer: D The risk owner for each risk should be the person who has the most influence over its outcome. Selecting the risk owner thus usually involves considering the source of the risk and identifying the person who is best placed to understand and implement what needs to be done. Risk owners are also responsible for responding to the event and reporting on the risk status. Incorrect Answers: A: A risk owner will monitor the identified risks for status changes, but all project stakeholders should be iteratively looking to identify risks. B: Risk owners do not pay for the cost of the risk event. C: Risk owners are not the people who cause the risk event.
Suppose you are working in Company Inc. and you are using risk scenarios for estimating the likelihood and impact of the significant risks on this organization. Which of the following assessments are you doing? A. IT security assessment B. IT audit C. Threat and vulnerability assessment D. Risk assessment Suggested Answer: C A threat and vulnerability assessment considers the full spectrum of risks. It identifies the likelihood of occurrence of risks and the impact of the significant risks on the organization using risk scenarios. For example, natural threats can be evaluated using historical data on the frequency of occurrence of natural disasters such as tornadoes, hurricanes, floods, fire, etc. Incorrect Answers: A, B: These use either technical evaluation tools or assessment methodologies to evaluate risk, but do not use risk scenarios. D: Risk assessment uses quantitative and qualitative analysis approaches to evaluate each significant risk identified.
You are the project manager of the PFO project. You are working with your project team members and two subject matter experts to assess the identified risk events in the project. Which of the following approaches is the best to assess the risk events in the project? A. Interviews or meetings B. Determination of the true cost of the risk event C. Probability and Impact Matrix D. Root cause analysis Suggested Answer: A Risk probability and impact assessment is completed through interviews and meetings with the participants who are most familiar with the risk events or the project work, or who have other information that can help determine the effect of the risk. Incorrect Answers: B: Determining the true cost of the risk event is not a qualitative risk assessment approach; it is usually done during the quantitative risk analysis process. C: The probability and impact matrix is a tool and technique to prioritize the risk events, but it is not the best answer for assessing risk events within the project. D: Root cause analysis is a risk identification technique, not a qualitative assessment tool.
Which of the following is BEST described by the definition below? "They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed." A. Obscure risk B. Risk factors C. Risk analysis D. Risk event Suggested Answer: B Risk factors are those features that influence the likelihood and/or business impact of risk scenarios. They have a heavy influence on the probability and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed. Incorrect Answers: A: The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events. Such scenarios can be developed by considering two things, visibility and recognition: the enterprise must be in a position to observe anything going wrong, and must have the capability to recognize an observed event as something wrong. C: A risk analysis involves identifying the most probable threats to an organization and analyzing the organization's related vulnerabilities to these threats. Risk from an organizational perspective consists of threats to the organization's various processes, threats to physical and information assets, the likelihood and frequency of occurrence of a threat, and the impact on assets from threat and vulnerability. Risk analysis allows the auditor to identify threats and vulnerabilities to the enterprise and its information systems, provide information for the evaluation of controls in audit planning, aid in determining audit objectives, and support risk-based decisions. D: A risk event represents a situation where a risk occurs only with a certain probability and the risk itself is represented by a specified distribution.
Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project." A. Perform Quantitative Risk Analysis B. Monitor and Control Risks C. Identify Risks D. Perform Qualitative Risk Analysis Suggested Answer: B Monitor and Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan. Incorrect Answers: A: This is the process of numerically analyzing the effect of identified risks on overall project objectives. C: This is the process of determining which risks may affect the project and documenting their characteristics. D: This is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the Identify Risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities? A. Activity duration estimates B. Risk management plan C. Cost management plan D. Activity cost estimates Suggested Answer: D The activity cost estimates review is valuable in identifying risks because it provides a quantitative assessment of the expected cost to complete the scheduled activities, expressed as a range, with the width of the range indicating the degree of risk. Incorrect Answers: A: The activity duration estimates review is valuable in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk. B: This is the output of the Plan Risk Management process. A risk management plan is a document prepared by the project manager to estimate the effectiveness of risk management, predict risks, and build response plans to mitigate them. It also contains the risk assessment matrix. C: The cost management plan sets out how the costs on a project are managed during the project's lifecycle. It defines the format and principles by which the project costs are measured, reported, and controlled. The cost management plan identifies the person responsible for managing costs, those who have the authority to approve changes to the project or its budget, and how cost performance is quantitatively calculated and reported.
Which of the following baselines identifies the specifications required by the resource that meet the approved requirements? A. Functional baseline B. Allocated baseline C. Product baseline D. Developmental baseline Suggested Answer: B The allocated baseline identifies the specifications that meet the approved requirements. Incorrect Answers: A: The functional baseline identifies the initial specifications before any changes are made. C: The product baseline identifies the minimal specification required by the resource to meet business outcomes. D: The developmental baseline identifies the state of the resource as it is developed to meet or exceed expectations and requirements.
Which of the following nodes of the decision tree analysis represents the start point of the decision tree? A. Decision node B. End node C. Event node D. Root node Suggested Answer: D The root node is the starting node of the decision tree. Incorrect Answers: A: Decision nodes represent the choices available to the decision maker, usually between a risky choice and its non-risky counterpart. B: End nodes represent the outcomes of risks and decisions. C: Event nodes represent the possible uncertain outcomes of a risky decision, with at least two branches to illustrate the positive and negative range of events.
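The node types in the answer above (root, decision, event and end nodes) are what a decision tree analysis rolls back to an expected monetary value (EMV). The block below is an added example, not part of the exam material: it builds a small tree with those node types and rolls it back from the leaves, choosing at each decision node the option with the best EMV net of its cost. The scenario (hardening a server versus doing nothing, with a constructed breach cost and probabilities) is illustrative only.

```python
"""Decision tree roll-back (EMV) using root, decision, event and end nodes.

Added example; all figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class End:
    value: float  # payoff of this outcome (negative = loss)


@dataclass
class Event:
    # Uncertain outcomes as (probability, child) pairs; probabilities sum to 1
    outcomes: List[Tuple[float, "Node"]]


@dataclass
class Decision:
    # Choices as (label, cost of choosing this branch, child)
    options: List[Tuple[str, float, "Node"]]


Node = Union[End, Event, Decision]


def emv(node: Node) -> float:
    """Expected monetary value of a subtree, rolled back from the end nodes."""
    if isinstance(node, End):
        return node.value
    if isinstance(node, Event):
        total = sum(p for p, _ in node.outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"event probabilities sum to {total}, not 1")
        return sum(p * emv(child) for p, child in node.outcomes)
    # Decision node: the decision maker takes the option with the best net EMV
    return max(emv(child) - cost for _, cost, child in node.options)


def best_option(node: Decision) -> str:
    """Label of the option with the highest EMV net of its cost."""
    return max(node.options, key=lambda o: emv(o[2]) - o[1])[0]


# Constructed scenario: the root node is a decision between hardening a server
# (hypothetical cost 40,000) or doing nothing; a breach is assumed to cost 500,000.
root = Decision(options=[
    ("harden", 40_000, Event([(0.05, End(-500_000)), (0.95, End(0))])),
    ("do nothing", 0, Event([(0.30, End(-500_000)), (0.70, End(0))])),
])

if __name__ == "__main__":
    print(f"EMV of the tree: {emv(root):,.0f}; choose: {best_option(root)}")
```

Rolling back, the "harden" branch has an EMV of -25,000 before its 40,000 cost (-65,000 net), while "do nothing" has an EMV of -150,000, so the root decision resolves to hardening. Changing the probabilities or costs at the event and decision nodes shows how sensitive the choice is to the estimates that go into them.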
Where are all risks and risk responses documented as the project progresses? A. Risk management plan B. Project management plan C. Risk response plan D. Risk register Suggested Answer: D All risks, their responses, and other characteristics are documented in the risk register. As the project progresses and the conditions of the risk events change, the risk register should be updated to reflect the risk conditions. Incorrect Answers: A: The risk management plan addresses the project management's approach to risk management, risk identification, analysis, response, and control. B: The project management plan is the overarching plan for the project, not the specifics of the risk responses and risk identification. C: The risk response plan only addresses the planned risk responses for the identified risk events in the risk register.
You are the project manager of the NHH Project. You are working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario? A. Project plan B. Resource management plan C. Project management plan D. Risk management plan Suggested Answer: D The risk management plan, part of the comprehensive project management plan, defines how risks will be identified, analyzed, monitored and controlled, and responded to. A risk management plan is a document prepared by the project manager to estimate the effectiveness of risk management, predict risks, and build response plans to mitigate them. It also contains the risk assessment matrix. Risks are inherent in any project, and project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of an analysis of possible risks with both high and low impacts, and the mitigation strategies that keep the project on track when the common problems arise. Risk management plans should be reviewed regularly by the project team so that the analysis does not become stale and unrepresentative of the actual potential project risks. Most critically, risk management plans include a risk strategy for project execution. Incorrect Answers: A: The project plan is not an official PMBOK project management plan. B: The resource management plan defines the management of project resources, such as project team members, facilities, equipment, and contractors. C: The project management plan is a comprehensive plan that communicates the intent of the project for all project management knowledge areas.
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this? A. Transference B. Mitigation C. Avoidance D. Exploit Suggested Answer: A Hiring a third party to own the risk is the transference risk response. Risk transfer means that the impact of the risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can take many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer. Incorrect Answers: B: Spending money to reduce a risk's probability and impact is known as mitigation. C: Introducing extra activities into the project to avoid the risk is an example of avoidance. D: Exploit is a strategy that may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the Identify Risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk? A. Activity duration estimates B. Activity cost estimates C. Risk management plan D. Schedule management plan Suggested Answer: A The activity duration estimates review is valuable in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk. Incorrect Answers: B: The activity cost estimates review is valuable in identifying risks because it provides a quantitative assessment of the expected cost to complete scheduled activities, expressed as a range, with the width of the range indicating the degree of risk. C: A risk management plan is a document prepared by the project manager to estimate the effectiveness of risk management, predict risks, and build response plans to mitigate them. It also contains the risk assessment matrix. D: The schedule management plan describes how schedule contingencies will be reported and assessed.
Which of the following events refer to loss of integrity? Each correct answer represents a complete solution. (Choose three.) A. Someone sees company's secret formula B. Someone makes unauthorized changes to a Web site C. An e-mail message is modified in transit D. A virus infects a file Suggested Answer: BCD Loss of integrity refers to the following types of losses: ✑ An e-mail message is modified in transit ✑ A virus infects a file ✑ Someone makes unauthorized changes to a Web site Incorrect Answers: A: Someone seeing the company's secret formula or a password is a loss of confidentiality.
Which of the following should be PRIMARILY considered while designing information systems controls? A. The IT strategic plan B. The existing IT environment C. The organizational strategic plan D. The present IT budget Suggested Answer: C Review of the enterprise's strategic plan is the first step in designing effective IS controls that would fit the enterprise's long-term plans. Incorrect Answers: A: The IT strategic plan exists to support the enterprise's strategic plan but is not solely considered while designing information system control. B: Review of the existing IT environment is also useful and necessary but is not the first step that needs to be undertaken. D: The present IT budget is just one of the components of the strategic plan.
Which of the following is the MOST effective inhibitor of relevant and efficient communication? A. A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down B. The perception that the enterprise is trying to cover up known risk from stakeholders C. Existence of a blame culture D. Misalignment between real risk appetite and translation into policies Suggested Answer: C A blame culture should be avoided. It is the most effective inhibitor of relevant and efficient communication. In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit's involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet expectations that the unit never clearly communicated. Executive leadership must identify and quickly control a blame culture if collaboration is to be fostered throughout the enterprise. Incorrect Answers: A: This is a consequence of poor risk communication, not an inhibitor of effective communication. B: This is a consequence of poor risk communication, not an inhibitor of effective communication. D: Misalignment between real risk appetite and its translation into policies is an inhibitor of effective communication, but it is not as prominent as the existence of a blame culture.
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events? A. These risks can be dismissed. B. These risks can be accepted. C. These risks can be added to a low priority risk watch list. D. All risks must have a valid, documented risk response. Suggested Answer: C Low-impact, low-probability risks can be added to the low priority risk watch list. Incorrect Answers: A: These risks are not dismissed; they are still documented on the low priority risk watch list. B: While these risks may be accepted, they should be documented on the low priority risk watch list. This list will be periodically reviewed and the status of the risks may change. D: Not every risk demands a risk response, so this choice is incorrect.
You are the project manager of your enterprise. You have introduced an intrusion detection system as a control. You have identified a warning of a violation of the security policies of your enterprise. What type of control is an intrusion detection system (IDS)? A. Detective B. Corrective C. Preventative D. Recovery Suggested Answer: A An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activity or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. Because an IDS detects and warns when a violation of the enterprise's security policies occurs, it is a detective control. Incorrect Answers: B: Corrective controls try to reduce the impact of a threat from problems discovered by detective controls. Because an IDS only detects and does not reduce the impact, it is not a corrective control. C: Because an IDS only detects the problem when it occurs, not before it occurs, it is not a preventive control. D: Recovery controls try to overcome the impact of the incident on the business; an IDS is therefore not a recovery control.
What are the functions of audit and accountability control? Each correct answer represents a complete solution. (Choose three.) A. Provides details on how to protect the audit logs B. Implement effective access control C. Implement an effective audit program D. Provides details on how to determine what to audit Suggested Answer: ACD Audit and accountability family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation. Incorrect Answers: B: Access Control is the family of controls that helps an organization implement effective access control. They ensure that users have the rights and permissions they need to perform their jobs, and no more. It includes principles such as least privilege and separation of duties. Audit and accountability family of controls do not help in implementing effective access control.
Which among the following acts as a trigger for the risk response process? A. Risk level increases above risk appetite B. Risk level increases above risk tolerance C. Risk level equates risk appetite D. Risk level equates the risk tolerance Suggested Answer: B The risk response process is triggered when a risk exceeds the enterprise's risk tolerance level. The acceptable variation relative to the achievement of an objective is termed risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives. Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards. Incorrect Answers: A, C: The risk appetite level is not what triggers the risk response process. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the board's responsibility to decide the risk appetite of the enterprise. When considering the risk appetite levels for the enterprise, two major factors should be taken into account: ✑ The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc. ✑ The culture towards risk taking, cautious or aggressive. In other words, the amount of loss the enterprise is willing to accept in pursuit of its objectives. D: The risk response process is triggered when the risk level exceeds the enterprise's risk tolerance level, not when it merely equals it.
What is the value of the exposure factor if the asset is lost completely? A. 1 B. Infinity C. 10 D. 0 Suggested Answer: A The exposure factor represents the impact of the risk on the asset, expressed as the fraction (percentage) of the asset value lost. For example, if the asset value is reduced to one third, two thirds are lost and the exposure factor is 0.66. Therefore, when the asset is completely lost, the exposure factor is 1.0. Incorrect Answers: B, C, D: These are not the exposure factor values for a completely lost asset; the exposure factor ranges from 0 (no loss) to 1 (total loss).
Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response? A. Enhancing B. Positive C. Opportunistic D. Exploiting Suggested Answer: D This is an example of exploiting a positive risk; a by-product of a project is an excellent example of exploiting a risk. Exploit is one of the strategies for responding to positive risks (opportunities) in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response. Incorrect Answers: A: Enhancing is a positive risk response that describes actions taken to increase the odds of a risk event happening. B: This is an example of a positive risk, but "positive" is not a risk response. C: Opportunistic is not a valid risk response.
Which of the following is true for single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE)? A. ALE= ARO/SLE B. ARO= SLE/ALE C. ARO= ALE*SLE D. ALE= ARO*SLE Suggested Answer: D A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are: ✑ Single loss expectancy (SLE): the total loss expected from a single incident, which occurs when a vulnerability is exploited by a threat. The loss is expressed as a dollar value such as $1,000 and includes the value of data, software, and hardware. SLE = Asset value * Exposure factor ✑ Annual rate of occurrence (ARO): the number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely to occur 24 times next year. ✑ Annual loss expectancy (ALE): the expected loss for a year, calculated by multiplying SLE by ARO. Because SLE is given as a dollar value, ALE is also a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO ✑ Safeguard value: the cost of a control. Controls are used to mitigate risk. For example, if antivirus software costs an average of $50 per computer and there are 50 computers, the safeguard value is $2,500. Incorrect Answers: A, B, C: These formulas are wrong and are not used in quantitative risk assessment.
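The two questions above (exposure factor, and SLE/ARO/ALE with the safeguard value) describe the figures a quantitative assessment feeds into a cost-benefit decision about controls. The block below is an added example, not part of the exam material: it models an exposure as asset value, exposure factor and ARO, derives SLE and ALE with the formulas given above, and then ranks candidate safeguards by net benefit, i.e. the ALE reduction they buy minus their annual cost. The file-server scenario, the residual figures and the control costs are constructed for illustration; the antivirus cost reuses the page's $50 x 50 machines figure.

```python
"""Quantitative risk: EF, SLE = AV * EF, ALE = SLE * ARO, safeguard selection.

Added example; all figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # value of the asset in currency units
    exposure_factor: float  # fraction of the asset lost per incident (0.0 .. 1.0)
    aro: float              # annual rate of occurrence (incidents per year)

    def __post_init__(self) -> None:
        # EF is a fraction: 0 means no loss, 1 means the asset is lost completely
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: asset value * exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # safeguard value: what the control costs per year
    residual: Exposure   # the exposure that remains with the control in place


def safeguard_net_benefit(before: Exposure, s: Safeguard) -> float:
    """ALE before the control, minus ALE after it, minus the control's cost."""
    return before.ale - s.residual.ale - s.annual_cost


def choose_safeguard(before: Exposure, candidates: List[Safeguard]) -> Optional[Safeguard]:
    """The control with the highest positive net benefit, or None if none pays off."""
    best = max(candidates, key=lambda s: safeguard_net_benefit(before, s), default=None)
    if best is None or safeguard_net_benefit(before, best) <= 0:
        return None
    return best


# Constructed scenario: a file server valued at 100,000 loses 10% of its value
# per malware incident, and incidents have been occurring monthly (ARO 12).
baseline = Exposure(asset_value=100_000, exposure_factor=0.10, aro=12)
candidates = [
    # Antivirus at 50 per computer on 50 computers; assume incidents drop to 1/year.
    Safeguard("antivirus", 2_500, Exposure(100_000, 0.10, 1)),
    # Hypothetical network isolation: far lower residual loss, but very costly.
    Safeguard("network isolation", 150_000, Exposure(100_000, 0.01, 1)),
]

if __name__ == "__main__":
    print(f"SLE {baseline.sle:,.0f}  ALE {baseline.ale:,.0f}")
    for s in candidates:
        print(f"{s.name:18} net benefit {safeguard_net_benefit(baseline, s):,.0f}")
    chosen = choose_safeguard(baseline, candidates)
    print("choose:", chosen.name if chosen else "accept the risk")
```

With these figures the baseline ALE is 120,000; antivirus cuts it to 10,000 for 2,500 a year (net benefit 107,500), while isolation costs more than the loss it prevents (net benefit negative), so the antivirus control is selected. A control whose annual cost exceeds the ALE reduction it delivers is rejected even though it reduces risk, which is the point of comparing the safeguard value against the ALE rather than looking at either alone.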
Which of the following statements are true for enterprise's risk management capability maturity level 3? A. Workflow tools are used to accelerate risk issues and track decisions B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized Suggested Answer: ABD An enterprise's risk management capability maturity level is 3 when: ✑ Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized. ✑ There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise. ✑ The business knows how IT fits in the enterprise risk universe and the risk portfolio view. ✑ Local tolerances drive the enterprise risk tolerance. ✑ Risk management activities are being aligned across the enterprise. ✑ Formal risk categories are identified and described in clear terms. ✑ Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk. ✑ Defined requirements exist for a centralized inventory of risk issues. ✑ Workflow tools are used to accelerate risk issues and track decisions. Incorrect Answers: C: Enterprise having risk management capability maturity level 5 requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.
You are using an information system. You have chosen a poor password and also sometimes transmit data over unprotected communication lines. What do this poor-quality password and unsafe transmission represent? A. Probabilities B. Threats C. Vulnerabilities D. Impacts Suggested Answer: C Vulnerabilities are characteristics of information resources that may be exploited by a threat. The given scenario describes such characteristics, hence it is a vulnerability. Incorrect Answers: A: Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability. B: Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat. D: Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.
You are the project manager of GHT project. You and your team have developed risk responses for those risks with the highest threat to or best opportunity for the project objectives. What are the immediate steps you should follow, after planning for risk response process? Each correct answer represents a complete solution. (Choose three.) A. Updating Project management plan and Project document B. Applying controls C. Updating Risk register D. Prepare Risk-related contracts Suggested Answer: ACD The risk register is updated at the end of the plan risk response process with the information that was discovered during the process. The response plans are recorded in the risk register. Project management plan consisting of WBS, schedule baseline and cost performance baseline should be updated. After planning risk response process, there may be requirement of updating project documents like technical documentation and assumptions, documented in the project scope statement. If risk response strategies include responses such as transference or sharing, it may be necessary to purchase services or items from third parties. Contracts for those services can be prepared and discussed with the appropriate parties. Incorrect Answers: B: Controls are implemented in the latter stage of risk response process. It is not immediate task after the planning of risk response process, as updating of several documents is done first. The purpose of the Plan Risk Responses process is to develop risk responses for those risks with the highest threat to or best opportunity for the project objectives. The Plan Risk Responses process has four outputs: ✑ Risk register updates ✑ Risk-related contract decisions ✑ Project management plan updates ✑ Project document updates
You are the project manager for Bluewell Inc. You are studying the documentation of the project plan. The documentation states that there are twenty-five stakeholders in the project. What will be the number of communication channels for the project? A. 20 B. 100 C. 50 D. 300 Suggested Answer: D Communication channels are paths of communication with stakeholders in a project. The number of communication channels shows the complexity of a project's communication and can be derived through the formula shown below: Total Number of Communication Channels = n (n-1)/2 where n is the number of stakeholders. Hence, a project having five stakeholders will have ten communication channels. Putting the number of stakeholders into the formula gives the number of communication channels: Number of communication channels = (n (n-1)) / 2 = (25 (25-1)) / 2 = (25 x 24) / 2 = 600 / 2 = 300 Incorrect Answers: A, B, C: These are not valid numbers of communication channels for the given scenario.
Which of the following are common mistakes when implementing KRIs? Each correct answer represents a complete solution. (Choose three.) A. Choosing KRIs that are difficult to measure B. Choosing KRIs that have a high correlation with the risk C. Choosing KRIs that are incomplete or inaccurate due to unclear specifications D. Choosing KRIs that are not linked to specific risk Suggested Answer: ACD Apart from selecting too many KRIs, common mistakes when implementing KRIs include choosing KRIs that are: ✑ Not linked to a specific risk ✑ Incomplete or inaccurate due to unclear specifications ✑ Too generic ✑ Difficult to aggregate, compare and interpret ✑ Difficult to measure Incorrect Answers: B: For a KRI to be reliable, the indicator must have a high correlation with the risk and be a good predictor or outcome measure. Hence KRIs with a high correlation with the risk are the ones that should be chosen.
Which of the following control audits is performed to assess the efficiency of productivity in the operations environment? A. Operational B. Financial C. Administrative D. Specialized Suggested Answer: C The administrative audit is used to assess the efficiency of productivity in the operations environment. Incorrect Answers: A: An operational audit evaluates the internal control structure of a process or functional area. B: An audit that assesses the correctness of financial statements is called a financial audit. D: Specialized audits are IS audits with the specific intent of examining areas such as processes, services, or technologies, usually performed by third-party auditors.
Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months. Management asks Billy how often the project team is participating in risk reassessment in this project. What should Billy tell management if he's following the best practices for risk management? A. Project risk management has been concluded with the project planning. B. Project risk management happens at every milestone. C. Project risk management is scheduled for every month in the 18-month project. D. At every status meeting of the project team, project risk management is an agenda item. Suggested Answer: D Risk management is an ongoing project activity. It should be an agenda item at every project status meeting. Incorrect Answers: A: Risk management happens throughout the project, as does project planning. B: Milestones are good times to do reviews, but risk management should happen more frequently. C: This answer would only be correct if the project had a status meeting just once per month.
You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one? A. Stakeholder management strategy B. Assessment information of the stakeholders' major requirements, expectations, and potential influence C. Identification information for each stakeholder D. Stakeholder classification of their role in the project Suggested Answer: A The stakeholder management strategy is generally not included in the stakeholder register because it may contain sensitive information that should not be shared with project team members or other individuals who could see the stakeholder register. The stakeholder register is a project management document that contains a list of the stakeholders associated with the project. It assesses how they are involved in the project and identifies what role they play in the organization. The information in this document can be very sensitive and is meant for limited distribution only. It also contains relevant information about the stakeholders, such as their requirements, expectations, and influence on the project. Incorrect Answers: B, C, D: Stakeholder identification, assessment information, and stakeholder classification should be included in the stakeholder register.
Della works as a project manager for Tech Perfect Inc. She is studying the planning documentation of a project. The documentation states that there are twenty-eight stakeholders in the project. What will be the number of communication channels for the project? A. 250 B. 28 C. 378 D. 300 Suggested Answer: C Communication channels are paths of communication with stakeholders in a project. The number of communication channels shows the complexity of a project's communication and can be derived through the formula shown below: Total Number of Communication Channels = n (n-1)/2 where n is the number of stakeholders. Hence, a project having five stakeholders will have ten communication channels. Putting the number of stakeholders into the formula gives the number of communication channels: Number of communication channels = (n (n-1)) / 2 = (28 (28-1)) / 2 = (28 x 27) / 2 = 756 / 2 = 378 Incorrect Answers: A, B, D: These are not valid numbers of communication channels for the given scenario.
Shawn is the project manager of the HWT project. In this project Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help to automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response has he used? A. Avoiding B. Accepting C. Exploiting D. Enhancing Suggested Answer: C The risk event is being exploited to realize an opportunity for positive impact. Exploit is one of the strategies for responding to positive risks (opportunities) in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response. Incorrect Answers: A: To avoid a risk means to evade it altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event. B: Accepting is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Acceptance is often used for low-probability, low-impact risk events. D: Enhancing is a positive risk response that aims to increase the probability and/or impact of the risk event.
Which among the following is the BEST reason for defining a risk response? A. To eliminate risk from the enterprise B. To ensure that the residual risk is within the limits of the risk appetite and tolerance C. To overview the current status of risk D. To mitigate risk Suggested Answer: B The purpose of defining a risk response is to ensure that the residual risk is within the limits of the risk appetite and tolerance of the enterprise. Risk response is based on selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance and the cost or benefit of the particular risk response option. Incorrect Answers: A: Risk cannot be completely eliminated from the enterprise. C: This is not a valid answer. D: Mitigation of risk is itself the risk response process, not the reason behind it.
Which of the following is the BEST defense against successful phishing attacks? A. Intrusion detection system B. Application hardening C. End-user awareness D. Spam filters Suggested Answer: C Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are a type of social engineering attack and are best defended against by end-user awareness training. Incorrect Answers: A: An intrusion detection system does not protect against phishing attacks since phishing attacks usually do not have a particular pattern or unique signature. B: Application hardening does not protect against phishing attacks since phishing attacks generally use e-mail as the attack vector, with the end user as the vulnerable point, not the application. D: Certain highly specialized spam filters can reduce the number of phishing e-mails that reach users' inboxes, but they are not as effective in addressing phishing attacks as end-user awareness.
Which of the following laws applies to organizations handling health care information? A. GLBA B. HIPAA C. SOX D. FISMA Suggested Answer: B HIPAA governs the handling of health care information. The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996. It ensures that health information data is protected. Before HIPAA, personal medical information was often available to anyone. Security to protect the data was lax, and the data was often misused. If your organization handles health information, HIPAA applies. HIPAA defines health information as any data that is created or received by health care providers, health plans, public health authorities, employers, life insurers, schools or universities, and health care clearinghouses. HIPAA covers any data that is related to the health of an individual, including past/present/future health, physical/mental health, and past/present/future payments for health care. Creating a HIPAA compliance plan involves the following phases: ✑ Assessment: An assessment helps in identifying whether the organization is covered by HIPAA. If it is, the next requirement is to identify what data needs to be protected. ✑ Risk analysis: A risk analysis helps to identify the risks. In this phase, the organization's methods of handling data are analyzed. ✑ Plan creation: After identifying the risks, a plan is created. This plan includes methods to reduce the risk. ✑ Plan implementation: In this phase the plan is implemented. ✑ Continuous monitoring: Security in depth requires continuous monitoring. Monitor regulations for changes. Monitor risks for changes. Monitor the plan to ensure it is still used. ✑ Assessment: Regular reviews are conducted to ensure that the organization remains in compliance. Incorrect Answers: A: GLBA is not used for handling health care information. C: SOX is designed to hold executives and board members personally responsible for financial data. D: FISMA ensures protection of the data of federal agencies.
Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing a risk threshold? A. It is a study of the organization's risk tolerance. B. It is a warning sign that a risk event is going to happen. C. It is a limit of the funds that can be assigned to risk events. D. It helps to identify those risks for which specific responses are needed. Suggested Answer: D A risk threshold helps to identify those risks for which specific responses are needed.
What should be considered while developing obscure risk scenarios? Each correct answer represents a part of the solution. (Choose two.) A. Visibility B. Controls C. Assessment methods D. Recognition Suggested Answer: AD The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events. Such scenarios can be developed by considering two things: ✑ Visibility ✑ Recognition To accomplish this, the enterprise must: ✑ Be in a position where it can observe anything going wrong ✑ Have the capability to recognize an observed event as something wrong
Which of the following is true for risk management frameworks, standards and practices? Each correct answer represents a part of the solution. (Choose three.) A. They act as a guide to focus efforts of variant teams. B. They result in increase in cost of training, operation and performance improvement. C. They provide a systematic view of "things to be considered" that could harm clients or an enterprise. D. They assist in achieving business objectives quickly and easily. Suggested Answer: ACD Frameworks, standards and practices are necessary as: ✑ They provide a systematic view of "things to be considered" that could harm clients or an enterprise. ✑ They act as a guide to focus efforts of variant teams. ✑ They save time and revenue, such as training costs, operational costs and performance improvement costs. ✑ They assist in achieving business objectives quickly and easily.
An interruption in business productivity is considered as which of the following risks? A. Reporting risk B. Operational risk C. Legal risk D. Strategic risk Suggested Answer: B Operational risks encompass any potential interruption in business. Operational risks are those risks that are associated with the day-to-day operations of the enterprise. They are generally more detailed as compared to strategic risks. It is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Some sub-categories of operational risks include: ✑ Organizational or management related risks ✑ Information security risks ✑ Production, process, and productivity risks ✑ Profitability operational risks ✑ Business interruption risks ✑ Project activity risks ✑ Contract and product liability risks ✑ Incidents and crisis ✑ Illegal or malicious acts Incorrect Answers: A: Reporting risks are those occurrences which prevent accurate and timely reporting. C: Legal risks deal with those events which can deteriorate the company's legal status. Legal compliance is the process or procedure to ensure that an organization follows relevant laws, regulations and business rules. The definition of legal compliance, especially in the context of corporate legal departments, has recently been expanded to include understanding and adhering to ethical codes within entire professions, as well. Hence legal and compliance risk has the potential to deteriorate the company's legal or regulatory status. D: Strategic risks have the potential to prevent the achievement of strategic objectives. Since the strategic objective will shape and impact the entire organization, the risk of not meeting that objective can impose a great threat on the organization.
You are the project manager of the QPS project. You and your project team have identified a pure risk. You, along with the key stakeholders, decided to remove the pure risk from the project by changing the project plan altogether. What is a pure risk? A. It is a risk event that only has a negative side and not any positive result. B. It is a risk event that is created by the application of risk response. C. It is a risk event that is generated due to errors or omission in the project work. D. It is a risk event that cannot be avoided because of the order of the work. Suggested Answer: A A pure risk has only a negative effect on the project. Pure risks are activities that are dangerous to complete and manage, such as construction, electrical work, or manufacturing. It is a class of risk in which loss is the only probable result and there is no positive result. Pure risk is associated with events that are outside the risk-taker's control. Incorrect Answers: B: The risk event created by the application of a risk response is called secondary risk. C: A risk event that is generated due to errors or omission in the project work is not necessarily a pure risk. D: This is not a valid definition of pure risk.
You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project? A. 5 B. 7 C. 1 D. 4 Suggested Answer: D There are four risk response options for dealing with negative risks or threats to the project objectives: avoid, transfer, mitigate, and accept. ✑ Risk avoidance ✑ Risk mitigation ✑ Risk transfer ✑ Risk acceptance Incorrect Answers: A, B, C: These are incorrect choices as only 4 risk responses are available to deal with negative risks.
You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is? A. Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives. B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact. C. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. D. Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event. Suggested Answer: C Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. It is performed on risks that have been prioritized through the qualitative risk analysis process. Incorrect Answers: A: While somewhat true, this statement does not completely define the quantitative risk analysis process. B: This is actually the definition of qualitative risk analysis. D: This is not a valid statement about the quantitative risk analysis process. Risk response planning is a separate project management process.
You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate risk associated with the new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case? Each correct answer represents a complete solution. (Choose three.) A. Education of staff or business partners B. Deployment of a threat-specific countermeasure C. Modification of the technical architecture D. Apply more controls Suggested Answer: ABC As new threats are identified and prioritized in terms of impact, the first step is to evaluate the ability of existing controls to mitigate the risk associated with the new threats; if they do not work, then facilitate the: ✑ Modification of the technical architecture ✑ Deployment of a threat-specific countermeasure ✑ Implementation of a compensating mechanism or process until mitigating controls are developed ✑ Education of staff or business partners Incorrect Answers: D: Applying more controls is not a good solution; they usually complicate the situation.
Which of the following risks is associated with not receiving the right information to the right people at the right time to allow the right action to be taken? A. Relevance risk B. Integrity risk C. Availability risk D. Access risk Suggested Answer: A Relevance risk is the risk associated with not receiving the right information to the right people (or process or systems) at the right time to allow the right action to be taken. Incorrect Answers: B: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed integrity risk. C: The risk of loss of service or that data is not available when needed is referred to as availability risk. D: The risk that confidential or private information may be disclosed or made available to those without appropriate authority is termed access or security risk. An aspect of this risk is non-compliance with local, national and international laws related to privacy and protection of personal information.
Kelly is the project manager of the NNQ Project for her company. This project will last for one year and has a budget of $350,000. Kelly is working with her project team and subject matter experts to begin the risk response planning process. What are the two inputs that Kelly would need to begin the plan risk response process? A. Risk register and the results of risk analysis B. Risk register and the risk response plan C. Risk register and power to assign risk responses D. Risk register and the risk management plan Suggested Answer: D The only two inputs for risk response planning are the risk register and the risk management plan. The plan risk responses project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the perform qualitative risk analysis process and the perform quantitative risk analysis process. The plan risk responses process assigns a risk response owner to take responsibility for each agreed-to and funded risk response. This process addresses the risks by their priorities, updates the project management plan as required, and inserts resources and activities into the budget. The inputs to the plan risk responses process are as follows: ✑ Risk register ✑ Risk management plan Incorrect Answers: A: The results of risk analysis will help Kelly prioritize the risks, but this information will be recorded in the risk register. B: Kelly will not need the risk response plan until monitoring and controlling the project. C: Kelly needs the risk register and the risk management plan as the inputs. The power to assign risk responses is not necessarily needed by Kelly.
To which level should risk be reduced to accomplish the objective of risk management? A. To a level where ALE is lower than SLE B. To a level where ARO equals SLE C. To a level that an organization can accept D. To a level that an organization can mitigate Suggested Answer: C The main objective of risk management is to reduce risk to a level that the organization or company will accept, as risk can never be completely eliminated. Incorrect Answers: A, B: No such concepts exist for setting the target risk level. D: Risk mitigation involves identification, planning, and conduct of actions for reducing risk. Because the elimination of all risk is usually impractical or close to impossible, it is aimed at reducing risk to an acceptable level with minimal adverse impact on the organization's resources and mission.
You are the project manager of the GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy? A. Avoid B. Transfer C. Acceptance D. Mitigate Suggested Answer: D Mitigation attempts to reduce the impact of a risk event in case it occurs. Making plans to arrange for the leased equipment reduces the consequences of the risk, and hence this response is mitigation. Incorrect Answers: A: Risk avoidance means to evade risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event. Risk avoidance is applied when the level of risk, even after applying controls, would be greater than the risk tolerance level of the enterprise. Hence this risk response is adopted when: ✑ There is no other cost-effective response that can successfully reduce the likelihood and magnitude below the defined thresholds for risk appetite. ✑ The risk cannot be shared or transferred. ✑ The risk is deemed unacceptable by management. B: Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer. Here no such action is taken, hence it is not a risk transfer. C: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management, in consultation with the board.
There are two alternatives to the acceptance strategy, passive and active. ✑ Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. ✑ Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
Who is the BEST authority to develop the priorities and identify what risks and impacts would occur if the organization's private information were lost? A. External regulatory agencies B. Internal auditor C. Business process owners D. Security management Suggested Answer: D
You are the project manager for the TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register? Each correct answer represents a complete solution. (Choose two.) A. List of potential responses B. List of key stakeholders C. List of mitigation techniques D. List of identified risks Suggested Answer: AD The risk register primarily contains the following: ✑ List of identified risks: A reasonable description of the identified risks is noted in the risk register. The description includes the event, cause, effect and impact related to the risks identified. In addition to the list of identified risks, the root causes of those risks may appear in the risk register. ✑ List of potential responses: Potential responses to a risk may be identified during the Identify Risks process. These responses are useful as inputs to the Plan Risk Responses process. Incorrect Answers: B: This is not valid content of a risk register. A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly used in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains: ✑ A description of the risk ✑ The impact should this event actually occur ✑ The probability of its occurrence ✑ Risk Score (the multiplication of Probability and Impact) ✑ A summary of the planned response should the event occur ✑ A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) ✑ Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. C: A risk register does contain the summary of mitigation, but only after the risk response has been applied. In this scenario you are in the risk identification phase, hence mitigation techniques cannot be documented at this point.
You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process? A. Data gathering and representation techniques B. Expert judgment C. Quantitative risk analysis and modeling techniques D. Organizational process assets Suggested Answer: D Organizational process assets are not a tool or technique, but an input to the quantitative risk analysis process. Quantitative Risk Analysis is a process to assess the probability of achieving particular project objectives, to quantify the effect of risks on the whole project objective, and to prioritize the risks based on the impact to overall project risk. The Quantitative Risk Analysis process analyzes the effect of a risk event by deriving a numerical value. It also presents a quantitative approach to making decisions in the presence of uncertainty. The inputs for Quantitative Risk Analysis are: ✑ Organizational process assets ✑ Project Scope Statement ✑ Risk Management Plan ✑ Risk Register ✑ Project Management Plan Incorrect Answers: A: Data gathering and representation techniques are a tool and technique for the quantitative risk analysis process. B: Expert judgment is a tool and technique for the quantitative risk analysis process. C: Quantitative risk analysis and modeling techniques are a tool and technique for the quantitative risk analysis process.
Which of the following is the PRIMARY requirement before choosing key performance indicators of an enterprise? A. Determine size and complexity of the enterprise B. Prioritize various enterprise processes C. Determine type of market in which the enterprise operates D. Enterprise must establish its strategic and operational goals Suggested Answer: D Key performance indicators (KPIs) are a set of measures that a company or industry uses to measure and/or compare performance in terms of meeting its strategic and operational goals. KPIs vary from company to company, depending on their priorities or performance criteria. A company must establish its strategic and operational goals and then choose the KPIs which can best reflect those goals. For example, if a software company's goal is to have the fastest growth in its industry, its main performance indicator may be the measure of its annual revenue growth. Incorrect Answers: A: Determination of the size and complexity of the enterprise is a selection criterion for KRIs, not KPIs. KPIs do not have any relevance to the size and complexity of the enterprise. B: This is not a valid answer. C: The type of market in which the enterprise is operating does not affect the selection of KPIs.
You are the project manager of a project for a client. The client has promised your company a bonus if the project is completed early. After studying the project work, you elect to crash the project in order to realize the early end date. This is an example of what type of risk response? A. Negative risk response, because crashing will add risks. B. Positive risk response, as crashing is an example of enhancing. C. Positive risk response, as crashing is an example of exploiting. D. Negative risk response, because crashing will add costs. Suggested Answer: B This is a positive risk response, as crashing is an example of enhancing. You are enhancing the probability of finishing the project early to realize the reward of the bonus. Enhancing doesn't ensure positive risks, but it does increase the likelihood of the event. Incorrect Answers: A: Crashing is a positive risk response. Generally, crashing doesn't add risks and is often confused with the other predominant schedule compression technique, fast tracking, which does add risks. C: This isn't an example of exploiting. Exploiting is an action to take advantage of a positive risk event that will happen. D: Crashing does add costs, but in this instance, crashing is an example of the positive risk response of enhancing.
Judy has identified a risk event in her project that will have a high probability and a high impact. Based on the requirements of the project, Judy has asked to change the project scope to remove the associated requirement and the associated risk. What type of risk response is this? A. Exploit B. Not a risk response, but a change request C. Avoidance D. Transference Suggested Answer: C Risk avoidance involves changing the project management plan to eliminate the threat entirely. The project manager may also isolate the project objectives from the risk's impact or change the objective that is in jeopardy. Examples of this include extending the schedule, changing the strategy, or reducing the scope. The most radical avoidance strategy is to shut down the project entirely. Some risks that arise early in the project can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise. Incorrect Answers: A: Exploit risk response is used for positive risk or opportunity, not for negative risk. B: This risk response does require a change request, in some instances, but it's the avoidance risk response and not just a change request. D: Transference allows the risk to be transferred, not removed from the project, to a third party. Transference usually requires a contractual relationship with the third party.
You are the risk professional of your enterprise. You have performed a cost-benefit analysis of a control that you have adopted. What are the benefits of performing a cost-benefit analysis of a control? Each correct answer represents a complete solution. (Choose three.) A. It helps in determining the cost of protecting what is important B. It helps in taking risk response decisions C. It helps in providing a monetary impact view of risk D. It helps in making smart choices based on potential risk mitigation costs and losses Suggested Answer: ACD
You are the project manager of the GHT project. You want to perform a post-project review of your project. What is the BEST time for you and your project development team to perform a post-project review to assess the effectiveness of the project? A. Project is completed and the system has been in production for a sufficient time period B. During the project C. Immediately after the completion of the project D. Project is about to complete Suggested Answer: A The project development team and appropriate end users perform a post-project review jointly after the project has been completed and the system has been in production for a sufficient time period to assess its effectiveness. Incorrect Answers: B: The post-project review for assessing effectiveness cannot be done during the project, as effectiveness can only be evaluated after the system has been put into production. C: It is not done immediately after the completion of the project, as its effectiveness cannot be measured until the system has been in production for a certain time period. D: A post-project review for evaluating the effectiveness of the project can only be done after the completion of the project, when the system is in the production phase.
What are the steps that are involved in articulating risks? Each correct answer represents a complete solution. (Choose three.) A. Identify business opportunities. B. Identify the response C. Communicate risk analysis results and report risk management activities and the state of compliance. D. Interpret independent risk assessment findings. Suggested Answer: ACD Following are the tasks that are involved in articulating risk: ✑ Communicate risk analysis results. ✑ Report risk management activities and the state of compliance. ✑ Interpret independent risk assessment findings. ✑ Identify business opportunities.
What are the requirements of effectively communicating risk analysis results to the relevant stakeholders? Each correct answer represents a part of the solution. (Choose three.) A. The results should be reported in terms and formats that are useful to support business decisions B. Communicate only the negative risk impacts of events in order to drive response decisions C. Communicate the risk-return context clearly D. Provide decision makers with an understanding of worst-case and most probable scenarios Suggested Answer: ACD The results of the risk analysis process are communicated to relevant stakeholders. The steps that are involved in communication are: ✑ The results should be reported in terms and formats that are useful to support business decisions. ✑ Coordinate additional risk analysis activity as required by decision makers, such as report rejection and scope adjustment. ✑ Communicate the risk-return context clearly, which includes probabilities of loss and/or gain, ranges, and confidence levels (if possible) that enable management to balance risk and return. ✑ Identify the negative impacts of events that drive response decisions as well as positive impacts of events that represent opportunities, which should channel back into the strategy and objective setting process. ✑ Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations. Incorrect Answers: B: Both the negative and positive risk impacts are communicated to relevant stakeholders: the negative impacts of events drive response decisions, while the positive impacts represent opportunities which should channel back into the strategy and objective setting process.
Which among the following is the MOST crucial part of the risk management process? A. Risk communication B. Auditing C. Risk monitoring D. Risk mitigation Suggested Answer: A Risk communication is a critical part of the risk management process. People are naturally uncomfortable talking about risk and tend to put off admitting that risk is involved and communicating about issues, incidents and, eventually, even crises. If risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout an enterprise. Incorrect Answers: B: Auditing is done to test the overall risk management process and the planned risk responses, so it is the very last phase after completion of the risk management process. C: Risk monitoring is the last phase of the risk management process, and for proper management of risk it should be communicated properly; hence risk communication is the most crucial step. D: Risk mitigation is one of the phases of the risk management process; for effective mitigation of risk, it should first be communicated throughout the enterprise.
Which of the following is a key component of a strong internal control environment? A. RMIS B. Segregation of duties C. Manual control D. Automated tools Suggested Answer: B Segregation of duties (SOD) is a key component in maintaining a strong internal control environment because it reduces the risk of fraudulent transactions. When duties for a business process or transaction are segregated it becomes more difficult for fraudulent activity to occur because it would involve collusion among several employees. Incorrect Answers: A: An RMIS can be a very effective tool in monitoring all risk factors that impact the enterprise. The danger is that many important classes of risk may be omitted from consideration by the system; hence it doesn't ensure a strong internal control environment. C: Manual controls usually do not form a strong internal control environment. By not automating SOD controls, there is, potentially, the issue of these controls becoming a barrier in serving the customer. As manual authorizations are often time consuming and require another step in any business process, this takes time away from serving the customer. Automated compliance solutions aim to provide enterprises with timely and efficient internal controls that do not disrupt their normal business process. D: Automated tools are not directly related to maintaining a strong internal control environment. They are typically used to address SOD and also to provide the enterprise with reporting functionality on SOD violations (i.e., detective controls) and to put in place preventive controls.
You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and to communicate each event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefit of each risk event in this project. What term is assigned to the low level of stakeholder tolerance in this project? A. Mitigation-ready project management B. Risk avoidance C. Risk utility function D. Risk-reward mentality Suggested Answer: C The term for the low level of stakeholder tolerance in this project is the risk utility function. The risk utility function describes a person's or organization's willingness to accept risk; it is synonymous with stakeholder tolerance to risk. The risk utility function facilitates the selection and acceptance of risk and provides an opportunity to combine this approach with setting thresholds of risk acceptability and, if necessary, using utility-risk ratios. Incorrect Answers: A: This is not a valid project management or risk management term. B: Risk avoidance is a risk response used to avoid negative risk events. D: Risk-reward describes the balance between accepting a risk and the expected reward for the risk event; risk-reward mentality is not a valid project management term.
How can residual risk be determined? A. By determining the remaining vulnerabilities after countermeasures are in place. B. By transferring all risks. C. By threat analysis D. By risk assessment Suggested Answer: D All risk, residual or not, is determined by risk assessment. Incorrect Answers: A: Determining the remaining vulnerabilities after countermeasures are in place says nothing about threats, so risk cannot be determined from vulnerabilities alone. B: Transferring all risks is not relevant to determining residual risk; it is one of the risk response options. C: Risk cannot be determined by threat analysis alone, residual or not.
Which of the following are the MOST important risk components that must be communicated among all the stakeholders? Each correct answer represents a part of the solution. (Choose three.) A. Various risk responses used in the project B. Expectations from risk management C. Current risk management capability D. Status of risk with regard to IT risk Suggested Answer: BCD The major types of IT risk information that should be communicated are as follows: ✑ Expectations from risk management: These include the risk strategy, policies, procedures, awareness training, continuous reinforcement of principles, etc. This essential communication drives all subsequent risk management efforts and sets the overall expectations from risk management. ✑ Current risk management capability: This allows monitoring of the status of the risk management engine in the enterprise. It is a key indicator of effective risk management and has predictive value for how well the enterprise is managing risk and reducing exposure. ✑ Status with regard to IT risk: This describes the actual status with regard to IT risk, including the risk profile of the enterprise, key risk indicators (KRIs) to support management reporting on risk, event-loss data, root causes of loss events and options to mitigate risk. Incorrect Answers: A: Risk responses are communicated only to the stakeholders for whom they are relevant, not to all of them; they are not communicated to stakeholders such as the project sponsors.
You have been appointed project manager of the GHT project. You are in the project initiation phase and are busy defining the requirements for your project. While defining requirements you describe how users will interact with the system. Which type of requirement are you defining here? A. Technical requirement B. Project requirement C. Functional requirement D. Business requirement Suggested Answer: C When defining requirements, three kinds of requirement must be defined for the project: business requirements, functional requirements and technical requirements. Functional requirements and use case models describe how users will interact with a system, so in this stem you are defining the functional requirements of the project. Incorrect Answers: A: Technical requirements, design specifications and coding specifications describe how the system will interact, the conditions under which it will operate and the information criteria it should meet. B: Business, functional and technical requirements all fall under project requirements; the stem specifically describes functional requirements, so this is not the best answer. D: Business requirements contain descriptions of what a system should do.
You work as a project manager for BlueWell Inc. You are working with the project team on the various risk issues in your project, and you are applying the IRGC model to help understand and manage emerging risks that have an impact on the economy and society. One of your team members wants to know why the IRGC model is needed. What will be your reply? A. IRGC models aim at building robust, integrative, inter-disciplinary governance models for emerging and existing risks. B. IRGC is both a concept and a tool. C. IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks. D. IRGC addresses understanding of the secondary impacts of a risk. Suggested Answer: A IRGC models aim at building robust, integrative, inter-disciplinary governance models for emerging and existing risks. The International Risk Governance Council (IRGC) is an independent organization whose purpose is to facilitate the understanding and management of emerging risks that have an impact on the economy and society, human health and safety and the environment at large. IRGC's effort is to build and develop concepts of risk governance, anticipate major risk issues and present risk governance policy recommendations to key decision makers. IRGC mainly emphasizes emerging, global risks for which governance deficits exist; its goal is to recommend how policy makers can correct them. Incorrect Answers: B: The best answer to the question asked is that IRGC models aim at building robust, integrative, inter-disciplinary governance models for emerging and existing risks. C, D: It is risk governance, rather than the IRGC itself, that addresses understanding of the secondary impacts of a risk and the development of resilience and the capacity of organizations and people to face unavoidable risks.
While considering entity-based risks, which dimension of the COSO ERM framework is being referred to? A. Organizational levels B. Risk components C. Strategic objectives D. Risk objectives Suggested Answer: A The organizational levels dimension of the COSO ERM framework describes the subsidiary, business unit, division and entity levels at which risk is addressed. Incorrect Answers: B: Risk components include Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. C: Strategic objectives include strategic, operational, reporting and compliance risks, not entity-based risks. D: Risk objectives is not a dimension of the COSO ERM framework.
Which of the following individuals is responsible for identifying process requirements, approving process design and managing process performance? A. Business process owner B. Risk owner C. Chief financial officer D. Chief information officer Suggested Answer: A Business process owners are the individuals responsible for identifying process requirements, approving process design and managing process performance. In general, a business process owner must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities. Incorrect Answers: B: Risk owner for each risk should be the person who has the most influence over its outcome. Selecting the risk owner thus usually involves considering the source of risk and identifying the person who is best placed to understand and implement what needs to be done. C: Chief financial officer is the most senior official of the enterprise who is accountable for financial planning, record keeping, investor relations and financial risks. D: Chief information officer is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources.
Which of the following should be considered to ensure that the risk responses adopted are cost-effective and aligned with business objectives? Each correct answer represents a part of the solution. (Choose three.) A. Identify the risk in business terms B. Recognize the business risk appetite C. Adopt only pre-defined risk responses of the business D. Follow an integrated approach in business Suggested Answer: ABD Risk responses require a formal approach to issues, opportunities and events to ensure that solutions are cost-effective and aligned with business objectives. The following should be considered: ✑ While preparing the risk response, identify the risk in business terms, such as loss of productivity, disclosure of confidential information or lost opportunity costs. ✑ Recognize the business risk appetite. ✑ Follow an integrated approach in business. Risk responses requiring an investment should be supported by a carefully planned business case that justifies the expenditure, outlines the alternatives and explains why the selected alternative was chosen. Incorrect Answers: C: There is no requirement to follow only pre-defined risk responses. If new risk responses are discovered during the risk management of a particular project, they should be recorded in the lessons learned document so that project managers working on other projects can also use them.
Walter is the project manager of a large construction project. He will be working with several vendors, who will provide materials and labor for several parts of the project. Some of the work is very dangerous, so Walter has implemented safety requirements for all of the vendors and for his own project team. Stakeholders have added new requirements, which have introduced new risks. A vendor has identified a new risk that could affect the project if it comes to fruition. Walter agrees with the vendor, has updated the risk register and has created potential risk responses to mitigate the risk. What else should Walter update in this scenario, considering the risk event? A. Project management plan B. Project communications plan C. Project contractual relationship with the vendor D. Project scope statement Suggested Answer: A When new risks are identified as a result of scope additions, Walter should update the risk register and the project management plan to reflect the responses to the risk event. Incorrect Answers: B: The project communications management plan is updated when there is a new communication need; the question concerns the risk event itself, not the communication of risks. C: The contractual relationship with the vendor does not change as a result of project risks. D: The project scope statement was already changed as part of the scope approval that has already happened.
What are the three PRIMARY steps to be taken to initiate a project? Each correct answer represents a complete solution. (Choose three.) A. Conduct a feasibility study B. Define requirements C. Acquire software D. Plan risk management Suggested Answer: ABC Projects are initiated by sponsors, who gather the information required to gain approval for the project to be created. The information, often compiled in a project charter, includes the objective of the project, the business case and problem statement, the stakeholders in the system to be produced, and the project manager and sponsor. The steps to initiate the project are: ✑ Conduct a feasibility study: The feasibility study starts once initial approval has been given to move forward with a project, and includes an analysis to clearly define the need and to identify alternatives for addressing it. A feasibility study involves: - Analyzing the benefits and solutions for the identified problem area - Developing a business case that states the strategic benefits of implementing the system, either as productivity gains or as future cost avoidance, and identifies and quantifies the cost savings of the new system - Estimating a payback schedule for the cost incurred in implementing the system, or showing the projected return on investment (ROI) ✑ Define requirements: Requirements include: - Business requirements, containing descriptions of what a system should do - Functional requirements and use case models, describing how users will interact with a system - Technical requirements, design specifications and coding specifications, describing how the system will interact, the conditions under which it will operate and the information criteria it should meet ✑ Acquire software: Acquiring software involves building new or modifying existing hardware or software after final approval by the stakeholders. If the decision is to acquire rather than develop the software, this task occurs after the requirements have been defined. Incorrect Answers: D: Risk management is planned later in the project development process, not during initiation.
You are the risk official at Techmart Inc. You are asked to assess the impact of losing network connectivity for one day. Which of the following factors would you include? A. Aggregate compensation of all affected business users. B. Hourly billing rate charged by the carrier C. Value that the enterprise gets from transferring data over the network D. Financial losses incurred by affected business units Suggested Answer: D The impact of network unavailability is the cost it imposes on the enterprise. A one-day outage amounts to a failure of the business units that rely on the network, so the financial losses incurred by those units should be considered. Incorrect Answers: A, B, C: These factors contribute, in combination, to the overall financial impact, i.e., the financial losses incurred by the affected business units.
Beth is a project team member on the JHG Project. Beth has added extra features to the project, and this has introduced new risks to the project work. The project manager of the JHG project elects to remove the features Beth has added. What is the process of removing the extra features to remove the risks called? A. Detective control B. Preventive control C. Corrective control D. Scope creep Suggested Answer: B This is an example of a preventive control: the problem has not yet occurred, the risk has only been identified and accounted for. By removing the added scope items from the project work, the project manager aims to remove the added risk events, hence it is a preventive control. A preventive control is a type of internal control used to avoid undesirable events, errors and other occurrences that the organization has determined could have a negative material effect on a process or end product. Incorrect Answers: A: Detective controls simply detect and report the occurrence of problems; they identify specific symptoms of potential problems. C: Corrective actions are steps taken to bring the future performance of the project work in line with the project management plan. Corrective controls reduce the impact of a threat from problems discovered by detective controls: they first identify the cause of the problem, then take corrective measures and modify the system to minimize future occurrences. Hence an incident must take place before corrective controls come into action. D: Scope creep refers to small, undocumented changes to the project scope.
You are the project manager of the GHT project. This project will last for 18 months and has a project budget of $567,000. Robert, one of your stakeholders, has introduced a scope change request that will likely have an impact on the project costs and schedule. Robert assures you that he will pay for the extra time and costs associated with the risk event. You have identified that change request may also affect other areas of the project other than just time and cost. What project management component is responsible for evaluating a change request and its impact on all of the project management knowledge areas? A. Configuration management B. Integrated change control C. Risk analysis D. Project change control system Suggested Answer: B Integrated change control is responsible for evaluating a proposed change and determining its impact on all areas of the project: scope, time, cost, quality, human resources, communication, risk, and procurement. Incorrect Answers: A: Configuration management defines the management, control, and documentation of the features and functions of the project's product. C: Risk analysis is not responsible for reviewing the change aspects for the entire project. D: The project change control system defines the workflow and approval process for proposed changes to the project scope, time, cost, and contracts.
While developing obscure risk scenarios, what are the requirements of the enterprise? Each correct answer represents a part of the solution. (Choose two.) A. Have the capability to cure the risk events B. Have the capability to recognize an observed event as something wrong C. Have a sufficient number of analysts D. Be in a position that it can observe anything going wrong Suggested Answer: BD The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events. Such scenarios depend on two things, visibility and recognition. To achieve them the enterprise must: ✑ Be in a position that it can observe anything going wrong ✑ Have the capability to recognize an observed event as something wrong Incorrect Answers: A, C: These are not direct requirements for developing obscure risk scenarios. Curing (responding to) risk events belongs to the risk response part of the risk management process, so the capability to cure a risk event has no bearing on developing risk scenarios.
You are the project manager of the GHT project. During the data extraction process, you estimated the total number of transactions per year by multiplying the monthly average by twelve. What is this way of estimating the total number of transactions known as? A. Duplicates test B. Control total C. Simplistic and ineffective D. Reasonableness test Suggested Answer: D Reasonableness tests make certain assumptions about the information (here, that the annual volume is twelve times the monthly average) and use them as the basis for more elaborate data validation tests. Incorrect Answers: A: The duplicates test identifies duplicate transactions and confirms whether they are valid; it does not estimate expected volumes. B: A control total checks that the extracted data are complete, for example by matching record counts or amount totals against the source; it makes no assumption about the data. C: Far from being simplistic and ineffective, the reasonableness test is a valid foundation for more elaborate data validation tests.
You are the project manager of the KJH Project and are working with your project team to plan the risk responses. Consider that your project has a budget of $500,000 and is expected to last six months. Within the KJH Project you have identified a risk event that has a probability of .70 and a cost impact of $350,000. When creating a risk response for this event, what is the risk exposure of the event that must be considered for the cost of the risk response? A. The risk exposure of the event is $350,000. B. The risk exposure of the event is $500,000. C. The risk exposure of the event is $850,000. D. The risk exposure of the event is $245,000. Suggested Answer: D The risk exposure of this event is found by multiplying the risk impact by the risk probability. Risk exposure is a straightforward estimate that gives a numeric value to a risk, enabling different risks to be compared: Risk exposure of any given risk = probability of the risk occurring x impact of the risk event = 0.70 x 350,000 = 245,000 Incorrect Answers: A: $350,000 is the impact of the risk event. B: $500,000 is the project's budget. C: $850,000 is the sum of the project's budget and the risk's impact.
Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and that adding a change now could cause the deliverable to be late, cost additional funds and probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project? A. Include the change in the project scope immediately. B. Direct your project team to include the change if they have time. C. Do not implement the verbal change request. D. Report Jane to your project sponsor and then include the change. Suggested Answer: C This is a verbal change request, and verbal change requests are never implemented. They introduce risk and cannot be tracked in the project scope. Change requests are requests to expand or reduce the project scope, modify policies, processes, plans or procedures, modify costs or budgets, or revise schedules. These requests for a change can be direct or indirect, externally or internally initiated, and legally or contractually imposed or optional. A project manager needs to ensure that only formally documented change requests are processed and only approved change requests are implemented. Incorrect Answers: A: Including the verbal change request circumvents the project's change control system. B: Directing the project team to include the change if they have time is not a valid option. The project team's time is already fully accounted for in the schedule, so there is no spare time for undocumented, unapproved change requests. D: You may want to report Jane to the project sponsor, but you are not obligated to include the verbal change request.
You are the risk professional at Bluewell Inc. A risk has been identified, and the enterprise wants to quickly implement a control by applying a technical solution that deviates from the company's policies. What should you do? A. Recommend against implementation because it violates the company's policies B. Recommend revision of the current policy C. Recommend a risk assessment and subsequent implementation only if residual risk is accepted D. Conduct a risk assessment and allow or disallow based on the outcome Suggested Answer: C If it is necessary to quickly implement a control by applying a technical solution that deviates from the company's policies, a risk assessment should be conducted to clarify the risk. It is then up to management to accept the risk or to mitigate it. Incorrect Answers: A: In this case it is important to mitigate the risk, so the risk professional should recommend a risk assessment; the decision to conduct one where policy would be violated is taken by management. B: A single request should not trigger a recommendation to revise the current policy. D: The risk professional can only recommend the risk assessment when company policy would be violated; it can only be conducted, and the deviation allowed or disallowed, when management decides so.
Jane is the project manager of the NHJ Project for her company. She has identified several positive risk events within her project and thinks these events can save the project time and money. What are positive risk events such as these within the NHJ Project referred to as? A. Contingency risks B. Benefits C. Residual risk D. Opportunities Suggested Answer: D A positive risk event is also known as an opportunity. Opportunities within the project to save time and money must be evaluated, analyzed and responded to. Incorrect Answers: A: A contingency risk is not a valid risk management term. B: Benefits are the good outcomes of a project endeavor; they usually have a cost factor associated with them. C: Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risk from an organization; instead, measures can be taken to reduce risk to an acceptable level, and the risk that is left is residual risk.
During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one? A. Warning signs B. Symptoms C. Risk rating D. Cost of the project Suggested Answer: D The cost of the project is not an indicator of risk urgency. The effect of the risk on the overall cost of the project may be considered, but it is not the best answer. Incorrect Answers: A: Warning signs are an indicator of risk urgency. B: Symptoms are an indicator of risk urgency. C: The risk rating can be an indicator of risk urgency.
Which of the following items is considered an objective in the three-dimensional model of the COSO ERM framework? A. Risk assessment B. Financial reporting C. Control environment D. Monitoring Suggested Answer: B The COSO ERM (Enterprise Risk Management) framework is a three-dimensional model. The dimensions and their components are: ✑ Strategic Objectives - strategic, operations, reporting and compliance. ✑ Risk Components - Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. ✑ Organizational Levels - subsidiary, business unit, division and entity level. The COSO ERM framework therefore contains eight risk components: ✑ Internal Environment ✑ Objective Setting ✑ Event Identification ✑ Risk Assessment ✑ Risk Response ✑ Control Activities ✑ Information and Communication ✑ Monitoring Section 404 of the Sarbanes-Oxley Act requires management to assess internal control over financial reporting, and the COSO model commonly used for that assessment is likewise three-dimensional: internal control components, internal control objectives and organizational entities. All of the listed items are components except financial reporting, which is an internal control objective. Incorrect Answers: A, C, D: These are internal control components, not internal control objectives.
Which of the following phases are involved in Data Extraction, Validation, Aggregation and Analysis? A. Risk response and Risk monitoring B. Requirements gathering, Data access, Data validation, Data analysis, and Reporting and corrective action C. Data access and Data validation D. Risk identification, Risk assessment, Risk response and Risk monitoring Suggested Answer: B The basic concepts of data extraction, validation, aggregation and analysis matter because KRIs often rely on digital information from diverse sources. The phases involved are: ✑ Requirements gathering: A detailed plan and a defined project scope are required for monitoring risks. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders. ✑ Data access: Management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction: - Extracting data directly from the source systems after system owner approval - Receiving data extracts from the system custodian (IT) after system owner approval Direct extraction is preferred, especially since this involves management monitoring its own controls rather than auditors or third parties monitoring management's controls. If direct access is not feasible, a data access request form that details the data fields to be extracted should be submitted to the data owners; the request should also specify the method of delivery for the file. ✑ Data validation: Data validation ensures that the extracted data are ready for analysis. One of its important objectives is to test data quality, to ensure the data are valid, complete and free of errors. It may also involve making data from different sources suitable for comparative analysis. The following concepts should be considered while validating data: - Ensure validity, i.e., that data match the definitions in the table layout - Ensure that the data are complete - Ensure that the extracted data contain only the data requested - Identify missing data, such as gaps in sequence or blank records - Identify duplicates and confirm whether they are valid - Identify derived values - Check whether the data are reasonable - Identify the relationships between table fields - Identify records in a transaction or detail table that have no match in a master table ✑ Data analysis: Analysis may be a simple set of steps or a complex combination of commands and other functionality. It is designed to achieve the objectives stated in the project plan. Although this applies to any monitoring activity, it is worth considering transferability and scalability, which may mean robust documentation and the use of software development standards and naming conventions. ✑ Reporting and corrective action: The reporting structure and distribution are decided according to the requirements of the monitoring objectives and the technology being used. Reporting procedures indicate to whom the outputs of the automated monitoring process are distributed, so that they reach the right people in the right format. As in the data analysis stage, reporting may also identify areas where changes to the sensitivity of the reporting parameters, or to the timing and frequency of the monitoring activity, are required. Incorrect Answers: D: These are the phases of the risk management process.
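The validation tests listed above for the data validation phase, together with the reasonableness test from the earlier question about projecting annual transaction volume from the monthly average, can be run as plain checks over an extract before it is analysed. The Python below is an added example and not from the original page; the CSV extract, the vendor master table, the control totals reported by the source system, the requested months and the amount band used for the reasonableness check are all constructed assumptions.

```python
"""Validation checks on an extracted transaction file before KRI analysis.

Added example, not from the original page. The extract, the vendor master
table, the source control totals, the requested months and the amount band
are constructed assumptions.
"""
import csv
import io
from collections import Counter

# Constructed extract, as delivered by the system custodian (CSV text).
EXTRACT_CSV = """txn_id,vendor_id,amount,month
1001,V1,250.00,2023-01
1002,V2,75.50,2023-01
1003,V1,1200.00,2023-02
1003,V1,1200.00,2023-02
1005,V9,40.00,2023-02
1006,,0.00,
"""

VENDOR_MASTER = {"V1", "V2", "V3"}          # constructed master table
REQUESTED_MONTHS = {"2023-01", "2023-02"}   # scope of the data access request
SOURCE_RECORD_COUNT = 6                     # control totals reported by the source
SOURCE_AMOUNT_TOTAL = 2765.50
AMOUNT_BAND = (0.01, 100_000.00)            # reasonableness assumption


def parse_extract(text):
    """Read the CSV extract into a list of row dicts (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_extract(rows, master, requested_months, src_count, src_total, band):
    """Run the validation tests from the text; return {test: finding}."""
    findings = {}
    ids = [r["txn_id"] for r in rows]

    # Validity: values must parse as the table layout defines them.
    bad = []
    for r in rows:
        try:
            int(r["txn_id"])
            float(r["amount"])
        except ValueError:
            bad.append(r["txn_id"])
    findings["validity"] = bad

    # Completeness via control totals: record count and amount sum must match
    # what the source system reports for the same period.
    total = round(sum(float(r["amount"]) for r in rows), 2)
    findings["control_total"] = {"count_ok": len(rows) == src_count,
                                 "sum_ok": total == src_total}

    # Only the requested data: every record must fall in the requested months.
    findings["out_of_scope"] = [r["txn_id"] for r in rows
                                if r["month"] not in requested_months]

    # Missing data: gaps in the id sequence and blank fields.
    nums = sorted({int(i) for i in ids})
    present = set(nums)
    findings["sequence_gaps"] = [n for n in range(nums[0], nums[-1] + 1)
                                 if n not in present]
    findings["blank_records"] = [r["txn_id"] for r in rows
                                 if any(v == "" for v in r.values())]

    # Duplicates: identify them and confirm whether they are exact copies.
    findings["duplicates"] = {
        i: ("exact" if len({tuple(r.items()) for r in rows if r["txn_id"] == i}) == 1
            else "conflicting")
        for i, n in Counter(ids).items() if n > 1
    }

    # Reasonableness: amounts must lie inside the expected band.
    low, high = band
    findings["unreasonable_amount"] = [r["txn_id"] for r in rows
                                       if not low <= float(r["amount"]) <= high]

    # Relationship between tables: detail rows with no match in the master.
    findings["orphans"] = [r["txn_id"] for r in rows if r["vendor_id"] not in master]
    return findings


def projected_annual_count(rows):
    """Reasonableness figure from the earlier question: monthly average
    record count multiplied by twelve (records without a month are ignored)."""
    dated = [r for r in rows if r["month"]]
    months = {r["month"] for r in dated}
    return len(dated) / len(months) * 12


if __name__ == "__main__":
    extract = parse_extract(EXTRACT_CSV)
    result = validate_extract(extract, VENDOR_MASTER, REQUESTED_MONTHS,
                              SOURCE_RECORD_COUNT, SOURCE_AMOUNT_TOTAL, AMOUNT_BAND)
    for test, finding in result.items():
        print(f"{test}: {finding}")
    print(f"projected annual count: {projected_annual_count(extract)}")
```

Note that the control total passes even though the extract contains a duplicate, because the source totals include the same duplicate: completeness of the extract and quality of the data are different tests, which is why the duplicates, sequence gap, blank record and reasonableness checks are run separately rather than being inferred from the totals.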
NIST SP 800-53 identifies controls in three primary classes. What are they? A. Technical, Administrative, and Environmental B. Preventative, Detective, and Corrective C. Technical, Operational, and Management D. Administrative, Technical, and Operational Suggested Answer: C NIST SP 800-53 is a catalog of security controls that organizations use to select and review their controls, including physical security controls: the Physical and Environmental Protection family alone contains 19 controls. Each control is reviewed to determine whether it is relevant to the particular organization, and many of the controls carry additional references that give more detail on how to implement them. The National Institute of Standards and Technology (NIST) SP 800-53 rev 3 identifies 18 families of controls and groups them into three classes: ✑ Technical ✑ Operational ✑ Management
While defining the risk management strategy, what are the major parts to be determined first? Each correct answer represents a part of the solution. (Choose two.) A. IT architecture complexity B. Organizational objectives C. Risk tolerance D. Risk assessment criteria Suggested Answer: BC While defining the risk management strategy, the risk professional should first identify and analyze the objectives of the organization and its risk tolerance. Once the objectives of the enterprise are known, the risk professional can identify the risks that could occur in accomplishing them, and analyzing the risk tolerance helps in prioritizing those risks in the later steps of risk management. Hence these two form the basic framework of risk management. Incorrect Answers: A: IT architecture complexity belongs to risk assessment rather than to the risk management strategy, as it mainly helps in evaluating each significant risk identified. D: Risk assessment is one of the phases of managing risk, using quantitative and qualitative approaches to evaluate risks; hence the risk assessment criteria are only one part of this framework.
Which of the following are true for quantitative analysis? Each correct answer represents a complete solution. (Choose three.) A. Determines risk factors in terms of high/medium/low. B. Produces statistically reliable results C. Allows discovery of which phenomena are likely to be genuine and which are merely chance occurrences D. Allows data to be classified and counted Suggested Answer: BCD As quantitative analysis is data driven, it: ✑ Allows data to be classified and counted. ✑ Allows statistical models to be constructed, which help in explaining what is being observed. ✑ Generalizes findings to a larger population and allows direct comparisons between two different sets of data or observations. ✑ Produces statistically reliable results. ✑ Allows discovery of which phenomena are likely to be genuine and which merely occur by chance. Incorrect Answers: A: Risk factors are expressed in terms of high/medium/low in qualitative analysis, not in quantitative analysis.
Ned is the project manager of the HNN project for your company. Ned has asked you to help him complete some probability distributions for his project. What portion of the project will you most likely use for probability distributions? A. Bias towards risk in new resources B. Risk probability and impact matrixes C. Uncertainty in values such as duration of schedule activities D. Risk identification Suggested Answer: C Risk probability distributions are typically applied to uncertain values, such as the time and cost estimates of a project. Incorrect Answers: A: Risk probability distributions do not typically interact with the bias towards risk in new resources. B: Risk probability distributions are not likely to be used with risk probability and impact matrices. D: Risk probability distributions are not typically used for risk identification.
You are the project manager of the HWD project. It requires the installation of some electrical machines. You and the project team decided to hire an electrician, as electrical work can be too dangerous to perform. What type of risk response are you following? A. Avoidance B. Transference C. Mitigation D. Acceptance Suggested Answer: B As the risk is transferred to a third party (the electrician), this type of risk response is transference. Incorrect Answers: A: Risk avoidance means to evade the risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event. Risk avoidance is applied when the level of risk, even after applying controls, would be greater than the risk tolerance level of the enterprise. C: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. D: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs.
You are the project manager of the GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates excessively large amounts of results. You perform a risk assessment and decide to configure the monitoring tool to report only when the alerts are marked "critical". What should you do in order to fulfill that? A. Apply risk response B. Optimize Key Risk Indicator C. Update risk register D. Perform quantitative risk analysis Suggested Answer: B As the sensitivity of the monitoring tool has to be changed, this requires optimization of a Key Risk Indicator. The monitoring tool that is generating the alerts is itself acting as a risk indicator. Hence changing the sensitivity of the monitoring tool so that it alerts only on critical situations requires optimization of the KRI. Incorrect Answers: A, C, D: These options are not relevant to changing the sensitivity of the monitoring tool.
One of the risk events you've identified is classified as force majeure. What risk response is likely to be used? A. Acceptance B. Transference C. Enhance D. Mitigation Suggested Answer: A Force majeure describes acts of God (natural disasters), such as tornadoes and fires, and these are usually accepted because there is little that can be done to mitigate these risks. Incorrect Answers: B: Transference transfers the risk ownership to a third party, usually for a fee. C: Enhance is used for a positive risk event, not for force majeure. D: Mitigation isn't the best choice, as this lowers the probability and/or impact of the risk event.
You are the project manager of the GHT project. You have applied a certain control to prevent unauthorized changes in your project. Which of the following controls would you have applied for this purpose? A. Personnel security control B. Access control C. Configuration management control D. Physical and environment protection control Suggested Answer: C Configuration management control is a family of controls that addresses both configuration management and change management. Change control practices prevent unauthorized changes. They include goals such as configuring systems for least functionality as a primary method of hardening systems. Incorrect Answers: A: The Personnel security control family includes aspects of personnel security such as personnel screening, termination, and transfer. B: Access control is the family of controls that helps an organization implement effective access control. These controls ensure that users have the rights and permissions they need to perform their jobs, and no more. The family includes principles such as least privilege and separation of duties. D: Physical and environment protection control is the family that provides an extensive number of controls related to physical security.
You are the project manager for BlueWell Inc. You have noticed that the risk level in your project has increased above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance with the risk response process. All of the following are included in the risk register except for which item? A. Risk triggers B. Agreed-upon response strategies C. Network diagram analysis of critical path activities D. Risk owners and their responsibility Suggested Answer: C The risk register does not examine the network diagram and the critical path. There may be risks associated with the activities on the network diagram, but the register does not address the network diagram directly. The risk register is updated at the end of the plan risk response process with the information that was discovered during the process. The response plans are recorded in the risk register. In the risk register, risks are stated in order of priority, i.e., those with the highest potential for threat or opportunity first. Some risks might not require response plans at all, but they should still be put on a watch list and monitored throughout the project. The following elements should appear in the risk register: ✑ List of identified risks, including their descriptions, root causes, and how the risks impact the project objectives ✑ Risk owners and their responsibility ✑ Outputs from the Perform Qualitative Analysis process ✑ Agreed-upon response strategies ✑ Risk triggers ✑ Cost and schedule activities needed to implement risk responses ✑ Contingency plans ✑ Fallback plans, which are risk response plans that are executed when the initial risk response plan proves to be ineffective ✑ Contingency reserves ✑ Residual risk, which is the leftover risk that remains after the risk response strategy has been implemented ✑ Secondary risks, which are risks that come about as a result of implementing a risk response
Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses? A. SWOT Analysis B. Delphi C. Brainstorming D. Expert Judgment Suggested Answer: A SWOT analysis is a strategic planning method used to evaluate the Strengths, Weaknesses, Opportunities, and Threats involved in a project or in a business venture. It involves specifying the objective of the business venture or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective. Incorrect Answers: B, C: Brainstorming and Delphi techniques are used to identify risks in a project through consensus. Delphi differs in that the members of the team do not know each other. D: In this technique, risks are identified directly by experts with relevant experience of similar projects or business areas.
Ben is the project manager of the CMH Project for his organization. He has identified a risk that has a low probability of happening, but the impact of the risk event could save the project and the organization a significant amount of capital. Ben assigns Laura to the risk event and instructs her to research the time, cost, and method to improve the probability of the positive risk event. Ben then communicates the risk event and response to management. What risk response has been used here? A. Transference B. Enhance C. Exploit D. Sharing Suggested Answer: B Enhance is a risk response that improves the conditions to make it more likely that the risk event occurs. Risk enhancement raises the probability of an opportunity taking place by focusing on the trigger conditions of the opportunity and optimizing the chances. Identifying and maximizing input drivers of these positive-impact risks may raise the probability of their occurrence. Incorrect Answers: A: Transference is a strategy to mitigate negative risks or threats. In this strategy, the consequences and the ownership of a risk are transferred to a third party. This strategy does not eliminate the risk but transfers responsibility for managing the risk to another party. Insurance is an example of transference. C: Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response. D: Sharing happens through partnerships, joint ventures, and teaming agreements. A sharing response is one where two or more entities share a positive risk. Teaming agreements are a good example of sharing the reward that comes from the risk of the opportunity.
You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response? A. Risk register B. Risk log C. Project management plan D. Risk management plan Suggested Answer: A The identified risks and potential responses are documented in the risk register. A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains: ✑ A description of the risk ✑ The impact should this event actually occur ✑ The probability of its occurrence ✑ Risk Score (the multiplication of Probability and Impact) ✑ A summary of the planned response should the event occur ✑ A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) ✑ Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. Incorrect Answers: B: This is not a valid choice for this question. C: The project management plan is the parent of the risk management plan, but the best choice is the risk register. D: The risk management plan is an input to risk response planning, but it is not the best choice for this question.
Which of the following actions assures management that the organization's objectives are protected from the occurrence of risk events? A. Internal control B. Risk management C. Hedging D. Risk assessment Suggested Answer: A Internal controls are the actions taken by the organization to help assure management that the organization's objectives are protected from the occurrence of risk events. Internal control objectives are applicable to all manual or automated areas. Internal control objectives include: ✑ Internal accounting controls: they control accounting operations, including safeguarding assets and financial records. ✑ Operational controls: they focus on day-to-day operations, functions, and activities. They ensure that all the organization's objectives are being accomplished. ✑ Administrative controls: they focus on operational efficiency in a functional area and adherence to management policies. Incorrect Answers: B: Risk management is the identification, assessment, and prioritization of risks followed by the coordinated and economical application of resources. It is done to minimize, monitor, and control the probability and impact of unfortunate events or to maximize the realization of opportunities. C: Hedging is the process of managing the risk of price changes in physical material by offsetting that risk in the futures market. In other words, it is the avoidance of risk. So, it only avoids risk but cannot assure protection against risk. D: Risk assessment is the process of analyzing the identified risk, both quantitatively and qualitatively. Quantitative risk assessment requires calculation of two components of risk: the magnitude of the potential loss, and the probability that the loss will occur. Qualitative risk assessment, by contrast, checks the severity of the risk. The assessment attempts to determine the likelihood of the risk being realized and the impact of the risk on the operation. This provides several conclusions: ✑ Probability: establishing the likelihood of occurrence and reoccurrence of specific risks, independently and combined. ✑ Interdependencies: the relationship between different types of risk. For instance, one risk may have a greater potential of occurring if another risk has occurred, or the probability or impact of a situation may increase with combined risks.
You are working as a project manager in Bluewell Inc. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control? A. Qualitative risk analysis B. Risk audits C. Quantitative risk analysis D. Requested changes Suggested Answer: D Of all the choices given, only requested changes is an output of the monitor and control risks process. You might also have risk register updates, recommended corrective and preventive actions, organizational process asset updates, and updates to the project management plan. Incorrect Answers: A, C: These are the plan risk management processes. B: Risk audit is a risk monitoring and control technique.
You are the project manager of the HGT project. You are in the first phase of the risk response process and are performing the following tasks: communicating risk analysis results; reporting risk management activities and the state of compliance; interpreting independent risk assessment findings; identifying business opportunities. Which of the following processes are you performing? A. Articulating risk B. Mitigating risk C. Tracking risk D. Reporting risk Suggested Answer: A Articulating risk is the first phase in the risk response process; it ensures that information on the true state of exposures and opportunities is made available in a timely manner and to the right people for an appropriate response. The following tasks are involved in articulating risk: ✑ Communicate risk analysis results. ✑ Report risk management activities and the state of compliance. ✑ Interpret independent risk assessment findings. ✑ Identify business opportunities. Incorrect Answers: B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. It comes under the risk response process and is a later stage after articulating risk. C: Tracking risk is the process of tracking the ongoing status of risk mitigation processes. This tracking ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule. D: This is not related to the risk response process. It is a type of risk. Reporting risks are the risks that are caused by wrong reporting, which leads to bad decisions.
Which of the following BEST measures the operational effectiveness of risk management capabilities? A. Capability maturity models (CMMs) B. Metric thresholds C. Key risk indicators (KRIs) D. Key performance indicators (KPIs) Suggested Answer: D Key performance indicators (KPIs) provide insights into the operational effectiveness of the concept or capability that they monitor. Key performance indicators are a set of measures that a company or industry uses to measure and/or compare performance in terms of meeting its strategic and operational goals. KPIs vary from company to company, depending on their priorities or performance criteria. A company must establish its strategic and operational goals and then choose the KPIs that best reflect those goals. For example, if a software company's goal is to have the fastest growth in its industry, its main performance indicator may be the measure of its annual revenue growth. Incorrect Answers: A: Capability maturity models (CMMs) assess the maturity of a concept or capability and do not provide insights into operational effectiveness. B: Metric thresholds are decision or action points that are enacted when a KPI or KRI reports a specific value or set of values. They do not provide any insights into operational effectiveness. C: Key risk indicators (KRIs) only provide insights into potential risks that may exist or be realized within the concept or capability that they monitor. Key risk indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help in avoiding the excessively large number of risk indicators to manage and report that a large enterprise may otherwise have.
You are the project manager of the GHT project. You have initiated the project and conducted the feasibility study. What results would you get after conducting the feasibility study? Each correct answer represents a complete solution. (Choose two.) A. Recommend alternatives and course of action B. Risk response plan C. Project management plan D. Results of criteria analyzed, like costs, benefits, risk, resources required and organizational impact Suggested Answer: AD The completed feasibility study results should include a cost/benefit analysis report that: ✑ Provides the results of the criteria analyzed (e.g., costs, benefits, risk, resources required and organizational impact) ✑ Recommends one of the alternatives and a course of action Incorrect Answers: B, C: The project management plan and the risk response plan are the results of plan project management and plan risk response, respectively. They are not the result of a feasibility study.
Your project change control board has approved several scope changes that will drastically alter your project plan. You and the project team set about updating the project scope, the WBS, the WBS dictionary, the activity list, and the project network diagram. There are also some resulting changes to the project risks, communication, and vendors. What else should the project manager update based on these scope changes? A. Stakeholder identification B. Vendor selection process C. Quality baseline D. Process improvement plan Suggested Answer: C When changes enter the project scope, the quality baseline is also updated. The quality baseline records the quality objectives of the project and is based on the project requirements. Incorrect Answers: A: The stakeholder identification process will not change because of scope additions. The number of stakeholders may change, but how they are identified will not be affected by the scope addition. B: The vendor selection process likely will not change because of added scope changes. The vendors in the project may, but the selection process will not. D: The process improvement plan aims to improve the project's processes regardless of scope changes.
You are the risk control professional of your enterprise. You have implemented a tool that correlates information from multiple sources. On which of the following does this monitoring tool focus? A. Transaction data B. Process integrity C. Configuration settings D. System changes Suggested Answer: A Monitoring tools that focus on transaction data generally correlate information from one system to another, such as employee data from the human resources (HR) system with spending information from the expense system or the payroll system. Incorrect Answers: B: Process integrity is confirmed within the system; it does not need monitoring. C: Configuration settings are generally compared against predefined values and not based on the correlation between multiple sources. D: System changes are compared from a previous state to the current state; this does not correlate information from multiple sources.
Which of the following are the security plans adopted by the organization? Each correct answer represents a complete solution. (Choose three.) A. Business continuity plan B. Backup plan C. Disaster recovery plan D. Project management plan Suggested Answer: ABC Organizations create different security plans to address different scenarios. Many of the security plans are common to most organizations. The most commonly used security plans found in many organizations are: ✑ Business continuity plan ✑ Disaster recovery plan ✑ Backup plan ✑ Incident response plan Incorrect Answers: D: A project management plan is not a security plan, but a plan that describes the implementation of the project.
Which of the following guidelines should be followed for effective risk management? Each correct answer represents a complete solution. (Choose three.) A. Promote and support consistent performance in risk management B. Promote fair and open communication C. Focus on enterprise's objective D. Balance the costs and benefits of managing risk Suggested Answer: BCD The primary function of the enterprise is to meet its objectives. Each business activity for fulfilling the enterprise's objectives carries both risk and opportunity; therefore the objectives should be considered while managing risk. Open and fair communication should be there for effective risk management: open, accurate, timely and transparent information on IT risk is exchanged and serves as the basis for all risk-related decisions. A cost-benefit analysis should be done to properly weigh the total costs expected against the total benefits expected, which is a major aspect of risk management. Incorrect Answers: A: For effective risk management, there should be continuous improvement, not merely consistent performance. Because of the dynamic nature of risk, risk management is an iterative, perpetual and ongoing process; that is why continuous improvement is required.
According to Section 302 of the Sarbanes-Oxley Act of 2002, what does certification of reports imply? Each correct answer represents a complete solution. (Choose three.) A. The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date at the time to report. B. The financial statement does not contain any materially untrue or misleading information. C. The signing officer has reviewed the report. D. The signing officer has presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date. Suggested Answer: BCD Section 302 of the Sarbanes-Oxley Act has a tremendous impact on the risk management solution adopted by corporations. This section specifies that the reports must be certified by the CEO, CFO, or other senior officer performing similar functions. Certification of reports establishes: ✑ The signing officer has reviewed the report. ✑ The financial statement does not contain, to the knowledge of the signing officer, any materially untrue or misleading information and represents fairly all financial conditions and results of the enterprise's operations. ✑ The signing officers: - are responsible for establishing and maintaining internal controls - have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared - have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report - have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date ✑ The signing officers have disclosed to the external auditors, the audit committee, and other directors: - all significant deficiencies in the design or operation of internal controls which could adversely affect the reliability of the reported financial data - any fraud, whether or not material, that involves management or other employees who have a significant role in the internal controls of the enterprise ✑ The signing officers have indicated in the report any internal controls or changes to those internal controls which have been implemented since they were evaluated. Incorrect Answers: A: The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report, not at the time of the report.
Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing. Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request? A. Configuration management system B. Integrated change control C. Change log D. Scope change control system Suggested Answer: B Integrated change control is responsible for facilitating, documenting, and dispersing information on a proposed change to the project scope. Integrated change control is a way to manage the changes incurred during a project. It is a method that manages the review of suggested changes and utilizes tools and techniques to evaluate whether a change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the effect of a proposed change on the entire project. Incorrect Answers: A: The configuration management system controls and documents changes to the project's product. C: The change log documents approved changes in the project scope. D: The scope change control system controls changes that are permitted to the project scope.
Which of the following processes ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule? A. Risk management B. Risk response integration C. Risk response implementation D. Risk response tracking Suggested Answer: D Risk response tracking tracks the ongoing status of risk mitigation processes as part of the risk response process. This tracking ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule. When an enterprise is conscious of a risk but does not have an appropriate risk response strategy, this increases the organization's exposure to adverse publicity or even civil or criminal penalties. Incorrect Answers: A: Risk management provides an approach for individuals and groups to make a decision on how to deal with potentially harmful situations. B: Integrating risk response options to address more than one risk together helps in achieving greater efficiency. The use of techniques that are versatile and enterprise-wide, rather than individual solutions, provides better justification for risk response strategies and related costs. C: Implementation of the risk response ensures that the risks analyzed in the risk analysis process are lowered to a level that the enterprise can accept, by applying appropriate controls.
Which of the following vulnerability assessment software can check for weak passwords on the network? A. Password cracker B. Antivirus software C. Anti-spyware software D. Wireshark Suggested Answer: A A password cracker is an application program that is used to identify an unknown or forgotten password on a computer or network resource. It can also be used to help a human cracker obtain unauthorized access to resources. A password cracker can also check for weak passwords on the network and notify the user to choose another password. Incorrect Answers: B: Antivirus or anti-virus software is used to prevent, detect, and remove malware. It scans the computer for viruses. C: Anti-spyware software is a type of program designed to prevent and detect unwanted spyware program installations and to remove those programs if installed. D: Wireshark is a free and open-source protocol analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Which of the following is NOT true for risk governance? A. Risk governance is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management. B. Risk governance requires reporting once a year. C. Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy. D. Risk governance is a systemic approach to decision making processes associated with natural and technological risks. Suggested Answer: B Risk governance is a continuous life cycle that requires regular reporting and ongoing review, not reporting once a year. Incorrect Answers: A, C, D: These are true for risk governance.
You are the project manager of the HGT project. You have identified project risks and applied appropriate responses to mitigate them. You noticed a risk generated as a result of applying a response. What is this resulting risk known as? A. Pure risk B. Secondary risk C. Response risk D. High risk Suggested Answer: B A secondary risk is a risk that is generated as the result of a risk response. Incorrect Answers: A: A pure risk is a risk that has only a negative effect on the project. Pure risks are activities that are dangerous to complete and manage, such as construction, electrical work, or manufacturing. C, D: These terms are not used for a risk that is generated as a result of a risk response.
What are the various outputs of risk response? A. Risk Priority Number B. Residual risk C. Risk register updates D. Project management plan and Project document updates E. Risk-related contract decisions Suggested Answer: CDE The outputs of the risk response planning process are: ✑ Risk Register Updates: The risk register is written in detail so that it can be related to the priority ranking and the planned response. ✑ Risk Related Contract Decisions: Risk related contract decisions are the decisions to transfer risk, such as services, agreements for insurance, and other items as required. They provide a means for sharing risks. ✑ Project Management Plan Updates: Some of the elements of the project management plan updates are: - Schedule management plan - Cost management plan - Quality management plan - Procurement management plan - Human resource management plan - Work breakdown structure - Schedule baseline - Cost performance baseline ✑ Project Document Updates: Some of the project documents that can be updated include: - Assumption log updates - Technical documentation updates Incorrect Answers: A: The risk priority number is not an output of risk response; it is determined before applying a response. Hence it acts as one of the inputs of risk response and is not an output of it. B: Residual risk is not an output of risk response. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk. As Risk = Threat × Vulnerability and Total Risk = Threat × Vulnerability × Asset Value, residual risk can be calculated with the following formula: Residual Risk = Total Risk - Controls. Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any loss due to their decisions falls on them. Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise. For this risk assessment, the effect and frequency are reassessed and the impact is recalculated.
Which of the following is an output of the risk assessment process? A. Identification of risk B. Identification of appropriate controls C. Mitigated risk D. Enterprise left with residual risk Suggested Answer: B The output of the risk assessment process is the identification of appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Once risk factors have been identified, existing or new controls are designed and measured for their strength and likelihood of effectiveness. Controls are preventive, detective or corrective; manual or programmed; and formal or ad hoc. Incorrect Answers: A: Risk identification is an input to the risk assessment process. C: This is an output of the risk mitigation process, that is, after applying risk responses. D: Residual risk is a later output, remaining after appropriate controls have been applied.
What is the IMMEDIATE step after defining a set of risk scenarios? A. Risk mitigation B. Risk monitoring C. Risk management D. Risk analysis Suggested Answer: D Once the set of risk scenarios is defined, it can be used for risk analysis. In risk analysis, the likelihood and impact of the scenarios are assessed. Important components of this assessment are the risk factors. Incorrect Answers: A: Risk mitigation is a later step, after analyzing risk. B: Risk monitoring is a later step, after risk analysis and risk mitigation. C: Risk analysis is part of risk management; management is a generalized term and is not the best answer for this question.
Which of the following statements are true for risk communication? Each correct answer represents a complete solution. (Choose three.) A. It requires a practical and deliberate scheduling approach to identify stakeholders, actions, and concerns. B. It helps in allocating the information concerning risk among the decision-makers. C. It requires investigation and interconnectivity of procedural, legal, social, political, and economic factors. D. It defines the issue of what a stakeholder does, not just what it says. Suggested Answer: ACD Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. Risk communication is mostly concerned with the nature of risk, or with expressing concerns, views, or reactions to risk managers or institutional bodies for risk management. The key plan for considering and communicating risk is to categorize risks, set priorities, and take suitable measures to reduce them. It is important throughout any crisis to put across multifaceted information in a simple and clear manner. Risk communication helps in exchanging or allocating the information concerning risk among the decision-makers and the stakeholders. Risk communication can be explained more clearly with the help of the following definitions: ✑ It defines the issue of what a group does, not just what it says. ✑ It must take into account the valuable element in users' perceptions of risk. ✑ It will be more valuable if it is thought of as conversation, not instruction. Risk communication is a fundamental and continuing element of the risk analysis exercise, and the stakeholder group is involved from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment. It helps to guarantee that the restrictions, outcomes, consequences, logic, and risk assessment are clearly understood by all the stakeholders. Incorrect Answers: B: It helps in allocating the information concerning risk not only among the decision-makers but also among the stakeholders.
Which of the following is the most accurate definition of a project risk? A. It is an unknown event that can affect the project scope. B. It is an uncertain event or condition within the project execution. C. It is an uncertain event that can affect the project costs. D. It is an uncertain event that can affect at least one project objective. Suggested Answer: D Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective. Project risk is concerned with the expected value of one or more results of one or more future events in a project. It is an uncertain condition that, if it occurs, has an effect on at least one project objective. Objectives can be scope, schedule, cost, and quality. Project risk is always in the future. Incorrect Answers: A: Risk is not unknown; it is uncertain. In addition, the event can affect at least one project objective, not just the project scope. B: This statement is almost true, but the event does not have to happen within project execution. C: Risks can affect time, costs, or scope, rather than only cost.
Which of the following considerations should be taken into account while selecting risk indicators to ensure greater buy-in and ownership? A. Lag indicator B. Lead indicator C. Root cause D. Stakeholder Suggested Answer: D To ensure greater buy-in and ownership, risk indicators should be selected with the involvement of relevant stakeholders. Risk indicators should be identified for all stakeholders and should not focus solely on the more operational or strategic side of risk. Incorrect Answers: A: The role of lag indicators is to indicate risk after events have occurred. B: Lead indicators indicate which capabilities are in place to prevent events from occurring. They do not play any role in ensuring greater buy-in and ownership. C: Root cause is considered while selecting risk indicators, but it does not ensure greater buy-in or ownership.
Suppose you are working in Techmart Inc., which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. In which category would you put the risk concerning the modification of the website by unauthorized parties? A. Ping Flooding Attack B. Web defacing C. Denial of service attack D. FTP Bounce Attack Suggested Answer: B Website defacing is an attack on a website by an unauthorized party that changes the visual appearance of the site or a webpage. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. Incorrect Answers: A: Ping flooding is the extreme of sending thousands or millions of pings per second. A ping flooding attack can make a system slow or even shut down an entire site. C: A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. D: The FTP bounce attack is an attack that slips past application-based firewalls. In it, an attacker uploads a file to the FTP server and then requests that this file be sent to an internal server. This file may contain malicious software or a simple script that occupies the internal server and uses up all of its memory and CPU resources.
Which of the following is true for risk evaluation? A. Risk evaluation is done only when there is significant change. B. Risk evaluation is done once a year for every business process. C. Risk evaluation is done annually or when there is significant change. D. Risk evaluation is done every four to six months for critical business processes. Suggested Answer: C Because risk is constantly changing, it is evaluated annually or when there is significant change. This is the best alternative, as it takes into consideration a reasonable time frame of one year while also addressing significant changes (if any). Incorrect Answers: A: Evaluating risk only when there are significant changes does not take into consideration the effect of time. As risk is changing constantly, small changes occur with time that affect the overall risk. Hence risk evaluation should also be done annually. B: Evaluating risk once a year is not sufficient when some significant change takes place. This significant change should be taken into account, as it affects the overall risk. D: Risk evaluation need not be done every four to six months for critical processes, as this does not address important changes in a timely manner.
You work as a project manager for Bluewell Inc. You have identified a project risk. You have then implemented the risk action plan and it turned out to be ineffective. What type of plan should you implement in such a case? A. Risk mitigation B. Risk fallback plan C. Risk avoidance D. Risk response plan Suggested Answer: B A risk fallback plan is a proper plan devised to identify definite action to be taken if the risk action plan (risk mitigation plan) is not helpful. The fallback plan is important in risk response planning. If the contingency plan for a risk is not successful, then the project team implements the fallback plan. Fallback planning is intended for a known and specific activity that may fail to produce the desired outcome. It is related to technical procedures and is the responsibility of the technical lead. Incorrect Answers: A, C, D: All of these choices are themselves part of the risk action plan. Since the risk action plan was not effective in the described scenario, they should not be implemented again.
You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, schedule for risk management, and risk categories. You discover that the risk categories have not been created. When should the risk categories have been created? A. Define scope process B. Risk identification process C. Plan risk management process D. Create work breakdown structure process Suggested Answer: C The plan risk management process is when risk categories were to be defined. If they were not defined, as in this scenario, it is acceptable to define the categories as part of the qualitative risk analysis process. Plan risk management is the process of defining the way to conduct the risk management activities. Planning is essential for providing sufficient resources and time for risk management activities, and to establish an agreed-upon basis for evaluating risks. This process should start as soon as the project is conceived and should be completed early during project planning. Incorrect Answers: A: Risk categories are not defined through the define scope process. B: Risk categories are not defined through the risk identification process. D: Risk categories are not defined through the create work breakdown structure process.
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored? A. Change request log B. Project archives C. Lessons learned D. Project document updates Suggested Answer: A The change request log records the status of all change requests, approved or declined. The change request log is used as an account of change requests and as a means of tracking their disposition on a current basis. The change request log builds a measure of consistency into the change management process. It encourages common inputs into the process and is a common estimation approach for all change requests. As the log is an important component of project requirements, it should be readily available to the project team members responsible for project delivery. It should be maintained in a file with read-only access for those who are not responsible for approving or disapproving project change requests. Incorrect Answers: B: The project archive includes all project documentation and is created through the close project or phase process. It is not the best choice for this question. C: Lessons learned are not the correct place to document the status of a declined, or approved, change request. D: Project document updates are not the best choice for this question. Declined changes can be placed into the project documents, but they are part of the change request log.
Capability maturity models are used by an enterprise to rate itself from the least mature level to the most mature level. Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider risk management or the business impact from IT risk? A. Level 2 B. Level 0 C. Level 3 D. Level 1 Suggested Answer: B 0 nonexistent: An enterprise's risk management capability maturity level is 0 when: ✑ The enterprise does not recognize the need to consider risk management or the business impact from IT risk. ✑ Decisions involving risk lack credible information. ✑ Awareness of external requirements for risk management and integration with enterprise risk management (ERM) does not exist. Incorrect Answers: A, C, D: These are all higher levels of the capability maturity model, at which the enterprise is mature enough to recognize the importance of risk management.
Using which of the following can one produce a comprehensive result while performing qualitative risk analysis? A. Scenarios with threats and impacts B. Cost-benefit analysis C. Value of information assets. D. Vulnerability assessment Suggested Answer: A Using a list of possible scenarios with threats and impacts will better frame the range of risk and hence can produce a more informative result from qualitative analysis. Incorrect Answers: B: Cost-benefit analysis is used for making financial decisions, formal or informal, such as the appraisal of any project or proposal. The approach weighs the total cost against the benefits expected, and then identifies the most profitable option. It only decides what type of control should be applied for effective risk management. C, D: These are not sufficient for producing a detailed result.
Which of the following is the BEST method for discovering high-impact risk types? A. Qualitative risk analysis B. Delphi technique C. Failure modes and effects analysis D. Quantitative risk analysis Suggested Answer: C Failure modes and effects analysis is used in discovering high-impact risk types. FMEA: ✑ Is one of the tools used within the Six Sigma methodology to design and implement a robust process to: - Identify failure modes - Establish a risk priority so that corrective actions can be put in place to address and reduce the risk ✑ Helps in identifying and documenting where in the process the source of the failure impacts the (internal or external) customer ✑ Is used to determine failure modes and assess the risk posed by the process and thus to the enterprise as a whole Incorrect Answers: A, D: These two are methods of analyzing risk, but not specifically for high-impact risk types. Hence they are not the best answer. B: Delphi is a technique to identify potential risk. In this technique, the responses are gathered via a questionnaire, and their inputs are organized according to their contents. The collected responses are sent back to these experts for further input, addition, and comments. The final list of risks in the project is prepared after that. The participants in this technique are anonymous, which helps prevent a person from unduly influencing the others in the group. The Delphi technique helps in reaching consensus quickly.
Which of the following is the MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives? A. Communication with business process stakeholders B. Compliance-oriented business impact analysis C. Compliance-oriented gap analysis D. Mapping of compliance requirements to policies and procedures Suggested Answer: B A compliance-oriented BIA will identify all the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities. It is a discovery process meant to uncover the inner workings of any process. Hence it will also evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives. Incorrect Answers: A: Communication with business process stakeholders is done to identify the business objectives, but it does not help in identifying impacts. C: A compliance-oriented gap analysis will only identify the gaps in compliance with current requirements and will not identify impacts on business objectives. D: Mapping of compliance requirements to policies and procedures will identify only the way compliance is achieved, not the business impact.
Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity? A. Risk management plan B. Project scope statement C. Risk register D. Stakeholder register Suggested Answer: D The stakeholder register is not an input to the qualitative risk analysis process. The four inputs are the risk register, risk management plan, project scope statement, and organizational process assets. Incorrect Answers: A: The risk management plan is an input to the qualitative risk analysis process. B: The project scope statement is needed to help with qualitative risk analysis. C: The risk register can help Wendy to perform qualitative risk analysis.
There are four inputs to the Monitoring and Controlling Project Risks process. Which one of the following will NOT help you, the project manager, to prepare for risk monitoring and controlling? A. Risk register B. Work Performance Information C. Project management plan D. Change requests Suggested Answer: D Change requests are not one of the four inputs to the Risk Monitoring and Controlling Process. The four inputs are the risk register, the project management plan, work performance information, and performance reports. Incorrect Answers: A, B, C: These are the valid inputs to the Risk Monitoring and Controlling Process.
Which of the following types of risk could result in bankruptcy? A. Marginal B. Negligible C. Critical D. Catastrophic Suggested Answer: D Catastrophic risk causes critical financial losses that carry the possibility of bankruptcy. Incorrect Answers: A: Marginal risk causes financial loss in a single line of business and a reduced return on IT investment. B: Negligible risk causes minimal impact on a single line of business, affecting its ability to deliver services or products. C: Critical risk causes serious financial losses in more than one line of business with a loss in productivity.
Risks with low ratings of probability and impact are included for future monitoring in which of the following? A. Risk alarm B. Observation list C. Watch-list D. Risk register Suggested Answer: C A watch-list contains risks with low ratings of probability and impact. This list is useful for future monitoring of low risk factors. Incorrect Answers: A, B: No such documents as a risk alarm or an observation list are prepared during the risk identification process. D: The risk register is a document that contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The description, category, cause, probability of occurring, impact on objectives, proposed responses, owner, and current status of all identified risks are recorded in the risk register.
You are the project manager of your project. You have to analyze various project risks. You have opted for quantitative analysis instead of qualitative risk analysis. What is the MOST significant drawback of using quantitative analysis over qualitative risk analysis? A. lower objectivity B. higher cost C. higher reliance on skilled personnel D. lower management buy-in Suggested Answer: B Quantitative risk analysis is generally more complex and thus costlier than qualitative risk analysis. Incorrect Answers: A: Neither of the two risk analysis methods is fully objective. The qualitative method subjectively assigns high, medium and low frequency and impact categories to a specific risk, whereas the quantitative method expresses its subjectivity in mathematical "weights". C: To be effective, both processes require personnel who have a good understanding of the business, so the requirement for skilled personnel is equal in both. D: Quantitative analysis generally has better buy-in than qualitative analysis, to the point where it can cause over-reliance on the results. Hence this option is not correct.
You are working as the project manager of the ABS project. The project is for establishing a computer network on school premises. During the project execution, the school management asks to make the campus Wi-Fi enabled. You know that this may impact the project adversely. You have discussed the change request with other stakeholders. What will be your NEXT step? A. Update project management plan. B. Issue a change request. C. Analyze the impact. D. Update risk management plan. Suggested Answer: C The first step after receiving any change request in a project is to analyze its impact. Changes may be requested by any stakeholder involved with the project. Although they may be initiated verbally, they should always be recorded in written form and entered into the change management and/or configuration management system. Incorrect Answers: A, B, D: These may all be required steps depending on the change request, but any change request must first be followed by an impact analysis of the change.
Which of the following role carriers are responsible for setting up the risk governance process, establishing and maintaining a common risk view, making risk-aware business decisions, and setting the enterprise's risk culture? Each correct answer represents a complete solution. (Choose two.) A. Senior management B. Chief financial officer (CFO) C. Human resources (HR) D. Board of directors Suggested Answer: AD The board of directors and senior management have the responsibility to set up the risk governance process, establish and maintain a common risk view, make risk-aware business decisions, and set the enterprise's risk culture. Incorrect Answers: B: The CFO is the most senior official of the enterprise who is accountable for financial planning, record keeping, investor relations and financial risks. The CFO is not responsible for setting up the risk governance process, establishing and maintaining a common risk view, making risk-aware business decisions, or setting the enterprise's risk culture. C: The head of human resources is the most senior official of an enterprise who is accountable for planning and policies with respect to all human resources in that enterprise. HR is not responsible for risk-related activities.
You are working in an enterprise. Your project deals with important files that are stored on the computer. You have identified the risk of the failure of operations. To address this risk of failure, you have directed the system administrator to sign off on the daily backup. This scenario is an example of which of the following? A. Risk avoidance B. Risk transference C. Risk acceptance D. Risk mitigation Suggested Answer: D Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. In this scenario, you are trying to reduce the risk of operation failure by directing the administrator to take daily backups, hence it is risk mitigation. Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. The main control types are: ✑ Managerial (e.g., policies) ✑ Technical (e.g., tools such as firewalls and intrusion detection systems) ✑ Operational (e.g., procedures, separation of duties) ✑ Preparedness activities Incorrect Answers: A: The scenario does not describe risk avoidance. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk. B: The scenario does not describe the sharing of risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage. C: The scenario does not describe risk acceptance. Acceptance is a strategy that provides for formal acknowledgment of the existence of a risk and the monitoring of that risk.
Risks to an organization's image are referred to as what kind of risk? A. Operational B. Financial C. Information D. Strategic Suggested Answer: D Strategic risks are those risks whose potential outcome is not fulfilling the strategic objectives of the organization as planned. Since the strategic objective will shape and impact the entire organization, the risk of not meeting that objective can pose a great threat to the organization. Strategic risks can be broken down into external and internal risks: ✑ External risks are those circumstances from outside the enterprise which will have a potentially damaging or helpful impact on the enterprise. These risks include sudden changes of economic, industry, or regulatory conditions. Some of the external risks are predictable while others are not. For instance, a recession may be predictable and the enterprise may be able to hedge against the dangers economically, but a total market failure may not be as predictable and can be much more devastating. ✑ Internal risks usually focus on the image or reputation of the enterprise. Some of the risks that are involved in this are public communication, trust, and strategic agreement from stakeholders and customers.
Which of the following steps ensure effective communication of the risk analysis results to relevant stakeholders? Each correct answer represents a complete solution. (Choose three.) A. The results should be reported in terms and formats that are useful to support business decisions B. Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations C. Communicate the negative impacts of the events only, as they need more consideration D. Communicate the risk-return context clearly Suggested Answer: ABD The results of the risk analysis process are communicated to relevant stakeholders. The steps that are involved in communication are: ✑ The results should be reported in terms and formats that are useful to support business decisions. ✑ Coordinate additional risk analysis activity as required by decision makers, such as report rejection and scope adjustment. ✑ Communicate the risk-return context clearly, which includes probabilities of loss and/or gain, ranges, and confidence levels (if possible) that enable management to balance risk and return. ✑ Identify the negative impacts of events that drive response decisions as well as the positive impacts of events that represent opportunities, which should channel back into the strategy and objective setting process. ✑ Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations. Incorrect Answers: C: For effective communication, communicate the negative impacts of events that drive response decisions as well as the positive impacts of events that represent opportunities, which should channel back into the strategy and objective setting process. Negative impacts should not be considered alone.
What is the PRIMARY objective difference between an internal and an external risk management assessment reviewer? A. In quality of work B. In ease of access C. In profession D. In independence Suggested Answer: D Independence is the freedom from conflict of interest and undue influence. By the mere fact that the external auditors belong to a different entity, their independence level is higher than that of a reviewer inside the entity for which they are performing a review. Independence is directly linked to objectivity. Incorrect Answers: A, B, C: All of these choices vary subjectively.
You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise from time to time. What should be done to prevent the efficiency and effectiveness of controls from degrading due to these changes? A. Receive timely feedback from risk assessments and through key risk indicators, and update controls B. Add more controls C. Perform Business Impact Analysis (BIA) D. Nothing, efficiency and effectiveness of controls are not affected by these changes Suggested Answer: A As new technologies, products and services are introduced, compliance requirements become more complex and strict; business processes and related information flows change over time. These changes can often affect the efficiency and effectiveness of controls. Formerly effective controls become inefficient, redundant or obsolete and have to be removed or replaced. Therefore, the monitoring process has to receive timely feedback from risk assessments and through key risk indicators (KRIs) to ensure an effective control life cycle. Incorrect Answers: B: Most of the time, the addition of controls results in degradation of the efficiency and profitability of a process without adding an equitable level of corresponding risk mitigation; hence better controls are adopted in place of adding more controls. C: A BIA is a discovery process meant to uncover the inner workings of any process. It helps to identify actual procedures, shortcuts, workarounds and the types of failure that may occur. It involves determining the purpose of the process, who performs the process and its output. It also involves determining the value of the process output to the enterprise. D: The efficiency and effectiveness of controls are affected by changes in technology or products, so some measure must be taken.
You work as a Project Manager for www.company.com Inc. You have to measure the probability, impact, and risk exposure. Then, you have to measure how the selected risk response can affect the probability and impact of the selected risk event. Which of the following tools will help you to accomplish the task? A. Project network diagrams B. Delphi technique C. Decision tree analysis D. Cause-and-effect diagrams Suggested Answer: C Decision tree analysis is a risk analysis tool that can help the project manager in determining the best risk response. The tool can be used to measure probability, impact, and risk exposure and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced image of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility. Incorrect Answers: A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as a part of risk response planning. B: The Delphi technique can be used in risk identification, but generally is not used in risk response planning. The Delphi technique uses rounds of anonymous surveys to identify risks. D: Cause-and-effect diagrams are useful for identifying root causes and for risk identification, but they are not the most effective tools for risk response planning.
Which of the following are sub-categories of threat? Each correct answer represents a complete solution. (Choose three.) A. Natural and supernatural B. Computer and user C. Natural and man-made D. Intentional and accidental E. External and internal Suggested Answer: CDE A threat is any event which has the potential to cause a loss. In other words, it is any activity that represents a possible danger. The loss or danger is directly related to one of the following: ✑ Loss of confidentiality- Someone sees a password or a company's secret formula; this is referred to as loss of confidentiality. ✑ Loss of integrity- An e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site; this is referred to as loss of integrity. ✑ Loss of availability- An e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available; this comes under loss of availability. Threat identification is the process of creating a list of threats. This list attempts to identify all the possible threats to an organization. The list can be extensive. Threats are often sub-categorized as follows: ✑ External or internal- External threats are outside the boundary of the organization. They can also be thought of as risks that are outside the control of the organization. Internal threats are within the boundary of the organization. They could be related to employees or other personnel who have access to company resources. Internal threats can be related to any hardware or software controlled by the business. ✑ Natural or man-made- Natural threats are often related to weather, such as hurricanes, tornadoes, and ice storms. Natural disasters like earthquakes and tsunamis are also natural threats. A human or man-made threat is any threat which is caused by a person. Any attempt to harm resources is a man-made threat. Fire could be man-made or natural depending on how the fire is started. ✑ Intentional or accidental- An attempt to compromise confidentiality, integrity, or availability is intentional, whereas employee mistakes or user errors are accidental threats. A faulty application that corrupts data could also be considered accidental.
Which of the following are external risk factors? Each correct answer represents a complete solution. (Choose three.) A. Geopolitical situation B. Complexity of the enterprise C. Market D. Competition Suggested Answer: AD These three are external risk factors as they lie outside the enterprise's control. Incorrect Answers: B: This includes geographic spread and value chain coverage (for example, in a manufacturing environment). That is why it is an internal risk factor.
You work as a project manager for BlueWell Inc. Your project is using a new material to construct a large warehouse in your city. This new material is cheaper than traditional building materials, but it takes some time to learn how to use the material properly. You have communicated to the project stakeholders that you will be able to save costs by using the new material, but you will need a few extra weeks to complete training to use the materials. This risk response of learning how to use the new materials can also be known as what term? A. Benchmarking B. Cost-benefits analysis C. Cost of conformance to quality D. Team development Suggested Answer: C When the project team needs training to be able to complete the project work, it is a cost of conformance to quality. The cost of conformance to quality defines the cost of training, proper resources, and the costs the project must spend in order to reach the levels of quality the customer expects from the project. It is the capital used up throughout the project to avoid failures. It consists of two types of costs: ✑ Prevention costs: the costs incurred to build a quality product. These include costs of training, document processing, equipment, and the time to do it right. ✑ Appraisal costs: the costs incurred to assess quality. These include testing, destructive testing loss, and inspections. Incorrect Answers: A: Benchmarking compares any two items, such as materials, vendors, or resources. B: Cost-benefit analysis is the study of the benefits in relation to the costs to receive the benefits of a decision, a project, or other investment. D: Team development describes activities the project manager uses to create a more cohesive and responsive project team.
Which of the following is an acceptable method for handling positive project risk? A. Exploit B. Avoid C. Mitigate D. Transfer Suggested Answer: A Exploit is a method for handling positive project risk. Incorrect Answers: B, C, D: These are all responses used for negative risks, not positive risks.
You are the project manager of the GFT project. Your project involves the use of an electrical motor. Its specification states that if its temperature increases to 500 degrees Fahrenheit, the machine will overheat and have to be shut down for 48 hours. If the machine overheats even once, it will delay the project's arrival date. To prevent this, you have decided while creating the response that if the temperature of the machine reaches 450, the machine will be paused for at least an hour so as to normalize its temperature. This temperature of 450 degrees is referred to as? A. Risk identification B. Risk trigger C. Risk event D. Risk response Suggested Answer: B A risk trigger is a warning sign or condition that a risk event is about to happen. Here the warning temperature is 450 degrees Fahrenheit; therefore it is referred to as the risk trigger. Incorrect Answers: A: Risk identification is the process of identifying the risks. This process identifies the risk events that could affect the project adversely or would act as an opportunity. C: Here the risk event is the 500-degree temperature, as when the machine reaches this temperature it has to be shut down for 48 hours, which in turn has a great impact on the working of the project. D: The risk response here is shutting off the machine when its temperature reaches 450 degrees Fahrenheit, so as to prevent the occurrence of the risk event.
Which of the following decision tree nodes have probability attached to their branches? A. Root node B. Event node C. End node D. Decision node Suggested Answer: B Event nodes represent the possible uncertain outcomes of a risky decision, with at least two nodes to illustrate the positive and negative range of events. Probabilities are always attached to the branches of event nodes. Incorrect Answers: A: The root node is the starting node in the decision tree, and it has no branches. C: An end node represents the outcomes of risks and decisions, and probability is not attached to it. D: A decision node represents the choice available to the decision maker, usually between a risky choice and its non-risky counterpart. As it represents only the choices available to the decision maker, probability is not attached to it.
Which of the following IS processes provide indirect information? Each correct answer represents a complete solution. (Choose three.) A. Post-implementation reviews of program changes B. Security log monitoring C. Problem management D. Recovery testing Suggested Answer: ABC Security log monitoring, post-implementation reviews of program changes, and problem management provide indirect information. Security log monitoring provides indirect information about certain controls in the security environment, particularly when used to analyze the source of failed access attempts. Post-implementation reviews of program changes provide indirect information about the effectiveness of internal controls over the development process. Problem management provides indirect information about the effectiveness of several different IS processes that may ultimately be determined to be the source of incidents. Incorrect Answers: D: Recovery testing is direct evidence that the redundancy or backup controls work effectively. It doesn't provide any indirect information.
You are the risk professional of your enterprise. You need to calculate the potential revenue loss if a certain risk occurs. Your enterprise has an electronic (e-commerce) web site that is producing US $1 million of revenue each day; if a denial of service (DoS) attack occurs that lasts half a day, how much loss does it create? A. US $250,000 loss B. US $500,000 loss C. US $1 million loss D. US $100,000 loss Suggested Answer: B A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. As the total revenue of the website for the day is $1 million, and due to the denial of service attack it is unavailable for half a day, the revenue loss is: Revenue loss = $1,000,000 / 2 = $500,000 Incorrect Answers: A, C, D: These are wrong answers.
Which of the following processes ensures that extracted data are ready for analysis? A. Data analysis B. Data validation C. Data gathering D. Data access Suggested Answer: B Data validation ensures that extracted data are ready for analysis. One objective is to perform data quality tests to ensure data are valid, complete and free of errors. This may also involve making data from different sources suitable for comparative analysis. Incorrect Answers: A: Analysis of data involves a simple set of steps or a complex combination of commands and other functionality. Data analysis is designed to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions. C: Data gathering is the process of collecting data on the risk to be monitored, preparing a detailed plan and defining the project's scope. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders. D: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction: ✑ Extracting data directly from the source systems after system owner approval ✑ Receiving data extracts from the system custodian (IT) after system owner approval
Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management? A. Information gathering techniques B. Data gathering and representation techniques C. Planning meetings and analysis D. Variance and trend analysis Suggested Answer: C There is only one tool and technique available for Fred to plan risk management: planning meetings and analysis. Planning meetings and analysis is a tool and technique in the Plan Risk Management process. Planning meetings are organized by the project team to develop the risk management plan. Attendees at these meetings include the following: ✑ Project manager ✑ Selected project team members ✑ Stakeholders ✑ Anybody in the organization with the task of managing risk planning Sophisticated plans for conducting the risk management activities are defined in these meetings, responsibilities related to risk management are assigned, and risk contingency reserve application approaches are established and reviewed. Incorrect Answers: A, B, D: These are not plan risk management tools and techniques.
Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership? A. User management coordination does not exist B. Audit recommendations may not be implemented C. Users may have unauthorized access to originate, modify or delete data D. Specific user accountability cannot be established Suggested Answer: C There is an increased risk without a policy defining who has the responsibility for granting access to specific data or systems, as one could gain system access without a justified business need. There is a better chance that business objectives will be properly supported when there is appropriate ownership. Incorrect Answers: A, B, D: These risks are not as significant as unauthorized access.
Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event? A. Residual risk B. Secondary risk C. Infinitive risk D. Populated risk Suggested Answer: B Secondary risks are the risks that come about as a result of implementing a risk response. This new risk event must be recorded, analyzed, and planned for management. Incorrect Answers: A: A residual risk event is similar to a secondary risk, but is often small in probability and impact, so it may just be accepted. C: Infinitive risk is not a valid project management term. D: Populated risk event is not a valid project management term.
Which one of the following is the only output for the qualitative risk analysis process? A. Project management plan B. Risk register updates C. Organizational process assets D. Enterprise environmental factors Suggested Answer: B Risk register updates is the only output, of the choices presented, for the qualitative risk analysis process. The four inputs for the qualitative risk analysis process are the risk register, risk management plan, project scope statement, and organizational process assets. The output of the Perform Qualitative Risk Analysis process is risk register updates. The risk register is updated with the information from Perform Qualitative Risk Analysis, and the updated risk register is included in the project documents. Updates include the following important elements: ✑ Relative ranking or priority list of project risks ✑ Risks grouped by categories ✑ Causes of risk or project areas requiring particular attention ✑ List of risks requiring response in the near term ✑ List of risks for additional analysis and response ✑ Watchlist of low-priority risks ✑ Trends in qualitative risk analysis results Incorrect Answers: A, C, D: These are not valid outputs for the qualitative risk analysis process.
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization? A. Annually B. Quarterly C. Every three years D. Never Suggested Answer: A FISMA compliance is required to be evaluated annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include: ✑ Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested. ✑ An assessment or report: This report identifies the agency's compliance with FISMA. It also lists compliance with other standards and guidelines. Incorrect Answers: B, C, D: Auditing of compliance by an external organization is done annually, not quarterly or every three years.
Which of the following is the FOREMOST root cause of project risk? Each correct answer represents a complete solution. (Choose two.) A. New system is not meeting the user business needs B. Delay in arrival of resources C. Lack of discipline in managing the software development process D. Selection of unsuitable project methodology Suggested Answer: CD The foremost root causes of project risk are: ✑ A lack of discipline in managing the software development process ✑ Selection of a project methodology that is unsuitable to the system being developed Incorrect Answers: A: The risk of a new system not meeting the user's business needs is a business risk, not a project risk. B: This is not a direct cause of project risk.
You are the project manager of a SGT project. You have been actively communicating and working with the project stakeholders. One of the outputs of the "manage stakeholder expectations" process can actually create new risk events for your project. Which output of the manage stakeholder expectations process can create risks? A. Project management plan updates B. An organizational process asset updates C. Change requests D. Project document updates Suggested Answer: C The manage stakeholder expectations process can create change requests for the project, which can cause new risk events to enter into the project. Change requests are requests to expand or reduce the project scope, modify policies, processes, plans, or procedures, modify costs or budgets or revise schedules. These requests for a change can be direct or indirect, externally or internally initiated, and legally or contractually imposed or optional. A Project Manager needs to ensure that only formally documented requested changes are processed and only approved change requests are implemented. Incorrect Answers: A: The project management plan updates do not create new risks. B: The organizational process assets updates do not create new risks. D: The project document updates do not create new risks.
Which of the following characteristics of risk controls can be defined as under? "The separation of controls in the production environment rather than the separation in the design and implementation of the risk" A. Trusted source B. Secure C. Distinct D. Independent Suggested Answer: C A control or countermeasure which does not overlap in its performance with another control or countermeasure is considered distinct. Hence the separation of controls in the production environment, rather than the separation in the design and implementation of the risk, refers to distinct. Incorrect Answers: A: Trusted source refers to the commitment of the people designing, implementing, and maintaining the control towards the security policy. B: Secure refers to the control's ability to protect itself from exploitation or attack. D: The separation in design, implementation, and maintenance of controls or countermeasures is referred to as independent. Hence this answer is not valid.
Shelly is the project manager of the BUF project for her company. In this project Shelly needs to establish some rules to reduce the influence of risk bias during the qualitative risk analysis process. What method can Shelly take to best reduce the influence of risk bias? A. Establish risk boundaries B. Group stakeholders according to positive and negative stakeholders and then complete the risk analysis C. Determine the risk root cause rather than the person identifying the risk events D. Establish definitions of the level of probability and impact of risk event Suggested Answer: D By establishing definitions for the level of probability and impact a project manager can reduce the influence of bias. Incorrect Answers: A: This is not a valid statement for reducing bias in the qualitative risk analysis. B: Positive and negative stakeholders are identified based on their position towards the project goals and objectives, not necessarily risks. C: Root cause analysis is a good exercise, but it would not determine risk bias.
You are the IT manager in Bluewell Inc. You identify a new regulation for safeguarding the information processed by a specific type of transaction. What would be the FIRST action you will take? A. Assess whether existing controls meet the regulation B. Update the existing security privacy policy C. Meet with stakeholders to decide how to comply D. Analyze the key risk in the compliance process Suggested Answer: A When a new regulation for safeguarding information processed by a specific type of transaction is identified by the IT manager, the immediate step is to understand the impact and requirements of this new regulation. This includes assessing how the enterprise will comply with the regulation and to what extent the existing control structure supports the compliance process. The manager should then assess any existing gaps. Incorrect Answers: B, C, D: These choices are appropriate as well as important, but they are subsequent steps after understanding and gap assessment.
You are the risk official of your enterprise. You have just completed the risk analysis process. You noticed that the risk level associated with your project is less than the risk tolerance level of your enterprise. Which of the following is the MOST likely action you should take? A. Apply risk response B. Update risk register C. No action D. Prioritize risk response options Suggested Answer: C When the risk level is less than the risk tolerance level of the enterprise, no action is taken against it, because the cost of mitigation would exceed its benefits. Incorrect Answers: A: This is not a valid answer, as no response is applied to such a low risk level. B: The risk register is updated after applying a response, and as no response is applied to such a low risk level, no updating is done. D: This is not a valid answer, as no response is applied to such a low risk level.
Which of the following operational risks ensures that the provision of a quality product is not overshadowed by the production costs of that product? A. Information security risks B. Contract and product liability risks C. Project activity risks D. Profitability operational risks Suggested Answer: D Profitability operational risks focus on the financial risks which encompass providing a quality product that is cost-effective in production. They ensure that the provision of a quality product is not overshadowed by the production costs of that product. Incorrect Answers: A: Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security risks are the risks associated with the protection of this information and these information systems. B: These risks do not ensure that the provision of a quality product is not overshadowed by the production costs of that product. C: Project activity risks are not associated with the provision of a quality product or the production costs of that product.
Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives? A. Identifying Risks B. Quantitative Risk Assessment C. Qualitative Risk Assessment D. Monitoring and Controlling Risks Suggested Answer: B A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are: ✑ Single loss expectancy (SLE)- It refers to the total loss expected from a single incident. This incident can occur when a vulnerability is exploited by a threat. The loss is expressed as a dollar value such as $1,000. It includes the value of data, software, and hardware. SLE = Asset value * Exposure factor ✑ Annual rate of occurrence (ARO)- It refers to the number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year. ✑ Annual loss expectancy (ALE)- It is the expected loss for a year. ALE is calculated by multiplying SLE by ARO. Because SLE is given as a dollar value, ALE is also given as a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO ✑ Safeguard value- This is the cost of a control. Controls are used to mitigate risk. For example, antivirus software has an average cost of $50 for each computer. If there are 50 computers, the safeguard value is $2,500. Incorrect Answers: A: The first thing we must do in risk management is to identify the areas of the project where risks can occur. This is termed risk identification. Listing all the possible risks proves very productive for the enterprise, as they can be addressed before they occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them. C: Unlike the quantitative risk assessment, qualitative risk assessment does not assign dollar values. Rather, it determines a risk's level based on the probability and impact of the risk. These values are determined by gathering the opinions of experts. ✑ Probability- establishing the likelihood of occurrence and reoccurrence of specific risks, independently and combined. The risk occurs when a threat exploits a vulnerability. Scaling is done to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentages can also be assigned to these words, like 10% to low and 90% to high. ✑ Impact- Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, low could be 10, medium could be 50, and high could be 100. Risk level = Probability * Impact D: This is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.
Which of the following processes is described in the statement below? "It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions." A. Risk governance B. IRGC C. Risk response planning D. Risk communication Suggested Answer: D Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. Risk communication is mostly concerned with the nature of risk, or with expressing concerns, views, or reactions to risk managers or institutional bodies for risk management. The key plan to consider and communicate risk is to categorize and impose priorities, and acquire suitable measures to reduce risks. It is important throughout any crisis to put across multifaceted information in a simple and clear manner. Risk communication helps in sharing the information concerning risk among the decision-makers and the stakeholders. Risk communication can be explained more clearly with the help of the following definitions: ✑ It is defined by what a group does, not just what it says. ✑ It must take into account the valuable element in users' perceptions of risk. ✑ It will be more valuable if it is thought of as conversation, not instruction. Risk communication is a fundamental and continuing element of the risk analysis exercise, and the stakeholder group is involved from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment. It helps to guarantee that the restrictions, outcomes, consequences, logic, and risk assessment are clearly understood by all the stakeholders. Incorrect Answers: A: Risk governance is a systemic approach to decision-making processes associated with natural and technological risks. It is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management. It seeks to reduce risk exposure and vulnerability by filling gaps in risk policy, in order to avoid or reduce human and economic costs caused by disasters. Risk governance is a continuous life cycle that requires regular reporting and ongoing review. The risk governance function must oversee the operations of the risk management team. B: The International Risk Governance Council (IRGC) is a self-governing organization whose principle is to facilitate the understanding and management of the rising overall risks that have impacts on the economy and society, human health and safety, and the environment at large. IRGC's effort is to build and develop concepts of risk governance, predict main risk issues and present risk governance policy recommendations for the chief decision makers. IRGC mainly emphasizes rising, universal risks for which governance deficits exist. Its goal is to present recommendations for how policy makers can correct them. IRGC aims at constructing strong, integrative, inter-disciplinary governance models for upcoming and existing risks. C: Risk response is a process of deciding what measures should be taken to reduce threats and take advantage of the opportunities discovered during the risk analysis processes. This process also includes assigning departments or individual staff members the responsibility of carrying out the risk response plans; these people are known as risk owners. The prioritization of the risk responses and development of the risk response plan is based on the following parameters: ✑ Cost of the response to reduce risk within tolerance levels ✑ Importance of the risk ✑ Capability to implement the response ✑ Effectiveness and efficiency of the response A risk prioritization strategy is used to create a risk response plan and implementation schedule, because all risks cannot be addressed at the same time. It may take a considerable investment of time and resources to address all the risks identified in the risk analysis process. Risks with a greater likelihood and impact on the enterprise will be prioritized above risks that are considered less likely or of lesser impact.
Which of the following are the principles of risk management? Each correct answer represents a complete solution. (Choose three.) A. Risk management should be an integral part of the organization B. Risk management should be a part of decision-making C. Risk management is the responsibility of executive management D. Risk management should be transparent and inclusive Suggested Answer: ABD The International Organization for Standardization (ISO) identifies the following principles of risk management. Risk management should: ✑ create value ✑ be an integral part of organizational processes ✑ be part of decision making ✑ explicitly address uncertainty ✑ be systematic and structured ✑ be based on the best available information ✑ be tailored ✑ take into account human factors ✑ be transparent and inclusive ✑ be dynamic, iterative, and responsive to change ✑ be capable of continual improvement and enhancement
Which of the following characteristics of risk controls answers the aspect about the control given below: "Will it continue to function as expressed over time and adapt as changes or new elements are introduced to the environment?" A. Reliability B. Sustainability C. Consistency D. Distinct Suggested Answer: B Sustainability ensures that the control continues to function as expressed over time and adapts as changes or new elements are introduced to the environment. Incorrect Answers: A: Reliability of a control ensures that it will serve its purpose under multiple circumstances. C: The consistency characteristic of a control tells whether the control can be applied in the same manner across the organization. D: A control or countermeasure which does not overlap in its performance with another control or countermeasure is considered distinct. Hence the separation of controls in the production environment, rather than the separation in the design and implementation of the risk, refers to distinct.
Jeff works as a Project Manager for www.company.com Inc. He and his team members are involved in the identify risk process. Which of the following tools & techniques will Jeff use in the identify risk process? Each correct answer represents a complete solution. (Choose three.) A. Information gathering technique B. Documentation reviews C. Checklist analysis D. Risk categorization Suggested Answer: ABC The various tools & techniques used in the identify risk process are as follows: ✑ Documentation reviews ✑ Information gathering technique ✑ Checklist analysis ✑ Assumption analysis ✑ Diagramming techniques ✑ SWOT analysis ✑ Expert judgment
Mary is the project manager for the BLB project. She has instructed the project team to assemble to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis? A. Mary will schedule when the identified risks are likely to happen and affect the project schedule. B. Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule. C. Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project. D. Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule. Suggested Answer: B The controls within the schedule management plan can shape how quantitative risk analysis will be performed on the schedule. The schedule management plan also describes how the schedule contingencies will be reported and assessed. Incorrect Answers: A: When risks are likely to happen is important, but it is not the best answer for this question. C: This is not a valid answer for this question. Risk identification happens throughout the project, but it is not scheduled during the quantitative risk analysis process. D: Risks may affect the project schedule, but this is not the best answer for the question.
Which of the following controls detects a problem before it can occur? A. Deterrent control B. Detective control C. Compensation control D. Preventative control Suggested Answer: D Preventative controls are the controls that detect a problem before it occurs. They attempt to predict potential problems and make adjustments to prevent those problems from occurring in the near future. This prediction is made by monitoring both the system's operations and its inputs. Incorrect Answers: A: Deterrent controls are similar to preventative controls, but they diminish or reverse the attraction of the environment to prevent risk from occurring instead of making adjustments to the environment. B: Detective controls simply detect and report on the occurrence of a problem. They identify specific symptoms of potential problems. C: Compensation controls ensure that normal business operations continue by applying appropriate resources.
Which of the following aspects are included in the Internal Environment Framework of COSO ERM? Each correct answer represents a complete solution. (Choose three.) A. Enterprise's integrity and ethical values B. Enterprise's working environment C. Enterprise's human resource standards D. Enterprise's risk appetite Suggested Answer: ACD The internal environment for risk management is the foundational level of the COSO ERM framework, which describes the philosophical basics of managing risks within the implementing enterprise. The different aspects of the internal environment include the enterprise's: ✑ Philosophy on risk management ✑ Risk appetite ✑ Attitudes of the Board of Directors ✑ Integrity and ethical values ✑ Commitment to competence ✑ Organizational structure ✑ Authority and responsibility ✑ Human resource standards
What are the requirements of monitoring risk? Each correct answer represents a part of the solution. (Choose three.) A. Information of various stakeholders B. Preparation of detailed monitoring plan C. Identifying the risk to be monitored D. Defining the project's scope Suggested Answer: BCD It is important to first understand the risk to be monitored, prepare a detailed plan and define the project's scope for monitoring risk. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders. Incorrect Answers: A: Data regarding stakeholders of the project is not required in any phase of risk monitoring.
Your company is covered under a liability insurance policy, which provides various liability coverage for information security risks, including any physical damage of assets, hacking attacks, etc. Which of the following risk management techniques is your company using? A. Risk transfer B. Risk acceptance C. Risk avoidance D. Risk mitigation Suggested Answer: A Risk transfer is the practice of passing risk from one entity to another entity. In other words, if a company is covered under a liability insurance policy providing various liability coverage for information security risks, including any physical damage of assets, hacking attacks, etc., it means it has transferred its security risks to the insurance company. Incorrect Answers: B: Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way. C: Risk avoidance is the practice of not performing an activity that could carry risk. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. D: Risk mitigation is the practice of reducing the severity of the loss or the likelihood of the loss from occurring.
You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholders to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve this goal of improving the project's performance through risk analysis with your project stakeholders? A. Involve subject matter experts in the risk analysis activities B. Involve the stakeholders for risk identification only in the phases where the project directly affects them C. Use qualitative risk analysis to quickly assess the probability and impact of risk events D. Focus on the high-priority risks through qualitative risk analysis Suggested Answer: D By focusing on the high-priority risk events through qualitative risk analysis you can improve the project's performance. Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative scale. Some of the qualitative methods of risk analysis are: ✑ Scenario analysis - This is a forward-looking process that can reflect risk for a given point in time. ✑ Risk Control Self-assessment (RCSA) - RCSA is used by enterprises (like banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in compelling business owners to contemplate, and then explain, the issues at hand with the added benefit of increasing their accountability. Incorrect Answers: A: Subject matter experts can help the qualitative risk assessment, but by focusing on high-priority risks the project's performance can improve by addressing these risk events. B: Stakeholders should be involved throughout the project as situations within the project demand their input to risk identification and analysis. C: Qualitative analysis does use a fast approach of analyzing project risks, but it's not the best answer for this
You are a project manager for your organization and you're working with four of your key stakeholders. One of the stakeholders is confused as to why you're not discussing the current problem in the project during the risk identification meeting. Which one of the following statements best addresses when a project risk actually happens? A. Project risks are uncertain as to when they will happen. B. Risks can happen at any time in the project. C. Project risks are always in the future. D. Risk triggers are warning signs of when the risks will happen. Suggested Answer: C According to the PMBOK, a project risk is always in the future. If the risk event has already happened, then it is an issue, not a risk. Incorrect Answers: A: You can identify risks before they occur and not after their occurrence. B: Risks can only happen in the future. D: Triggers are warning signs and conditions of risk events, but this answer isn't the best choice for this question.
Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk? A. Risk register B. Cause and effect diagram C. Risk indicator D. Return on investment Suggested Answer: C Risk indicators are metrics used to indicate risk thresholds, i.e., they give an indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about the potential risks. Incorrect Answers: A: A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains: ✑ A description of the risk ✑ The impact should this event actually occur ✑ The probability of its occurrence ✑ Risk Score (the multiplication of Probability and Impact) ✑ A summary of the planned response should the event occur ✑ A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) ✑ Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. D: Return On Investment (ROI) is a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio. The return on investment formula: ROI = (Gain from investment - Cost of investment) / Cost of investment. In the above formula, "gain from investment" refers to the proceeds obtained from selling the investment of interest.
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks? A. Risk Management Plan B. Stakeholder management strategy C. Communications Management Plan D. Resource Management Plan Suggested Answer: C The Communications Management Plan defines, in regard to risk management, who will be available to share information on risks and responses throughout the project. The Communications Management Plan aims to define the communication necessities for the project and how the information will be circulated. The Communications Management Plan sets the communication structure for the project. This structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communications Management Plan identifies and defines the roles of persons concerned with the project. It includes a matrix known as the communication matrix to map the communication requirements of the project. Incorrect Answers: A: The Risk Management Plan defines risk identification, analysis, response, and monitoring. B: The stakeholder management strategy does not address risk communications. D: The Resource Management Plan does not define risk communications.
Your project spans the entire organization. You would like to assess the risk of your project but are worried that some of the managers involved in the project could affect the outcome of any risk identification meeting. Your consideration is based on the fact that some employees would not want to publicly identify risk events that could declare their supervision as poor. You would like a method that would allow participants to anonymously identify risk events. What risk identification method could you use? A. Delphi technique B. Root cause analysis C. Isolated pilot groups D. SWOT analysis Suggested Answer: A The Delphi technique uses rounds of anonymous surveys to build consensus on project risks. Delphi is a technique to identify potential risk. In this technique, the responses are gathered via a questionnaire and the inputs are organized according to their contents. The collected responses are sent back to these experts for further input, additions, and comments. The final list of risks in the project is prepared after that. The participants in this technique are anonymous and therefore it helps prevent a person from unduly influencing the others in the group. The Delphi technique helps in reaching consensus quickly. Incorrect Answers: B: Root cause analysis is not an anonymous approach to risk identification. C: Isolated pilot groups is not a valid risk identification activity. D: SWOT analysis evaluates the strengths, weaknesses, opportunities, and threats of the project.
Which of the following represents a lack of adequate controls? A. Vulnerability B. Threat C. Asset D. Impact Suggested Answer: A A vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files. Hence a lack of adequate controls represents a vulnerability and would ultimately pose a threat to the enterprise. Incorrect Answers: B: A threat is the potential cause of an unwanted incident. C: Assets are economic resources that are tangible or intangible, and are capable of being owned or controlled to produce value. D: Impact is the measure of the financial loss that the threat event may have.
The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one? A. Trends in qualitative risk analysis B. Risk probability-impact matrix C. Risks grouped by categories D. Watchlist of low-priority risks Suggested Answer: B The risk matrix is not included as part of the risk register updates. There are seven things that can be updated in the risk register as a result of qualitative risk analysis: relative ranking of project risks, risks grouped by categories, causes of risks, list of near-term risks, risks requiring additional analysis, watchlist of low-priority risks, trends in qualitative risk analysis. Incorrect Answers: A: Trends in qualitative risk analysis are part of the risk register updates. C: Risks grouped by categories are part of the risk register updates. D: Watchlist of low-priority risks is part of the risk register updates.
Which of the following risks is the risk that happens with an important business partner and affects a large group of enterprises within an area or industry? A. Contagious risk B. Reporting risk C. Operational risk D. Systemic risk Suggested Answer: D Systemic risks are those risks that happen with an important business partner and affect a large group of enterprises within an area or industry. An example would be a nationwide air traffic control system that goes down for an extended period of time (six hours), which affects air traffic on a very large scale. Incorrect Answers: A: Contagious risks are those risk events that happen with several of the enterprise's business partners within a very short time frame. B, C: Their scopes are not limited to the important or general enterprise's business partners. These risks can occur with both. Operational risks are those risks that are associated with the day-to-day operations of the enterprise. It is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Reporting risks are caused by incorrect reporting, which leads to bad decisions. A bad decision made on the basis of an incorrect report therefore poses a risk to the functionality of the organization.
You have been assigned as the Project Manager for a new project that involves development of a new interface for your existing time management system. You have completed identifying all possible risks along with the stakeholders and team and have calculated the probability and impact of these risks. Which of the following would you need next to help you prioritize the risks? A. Affinity Diagram B. Risk rating rules C. Project Network Diagram D. Risk categories Suggested Answer: B Risk rating rules define how to prioritize risks after the related probability and impact values are calculated. These are generally included in the organizational process assets and are refined for individual projects. Incorrect Answers: A: An Affinity Diagram is a group creativity technique used to collect requirements, which allows large numbers of ideas to be sorted into groups for review and analysis. This is generally used in Scope Management and is not applicable to this question. C: A Project Network Diagram shows the sequencing and linkage between various project tasks and is not applicable to this question. D: Risk categories are an output of the Perform Qualitative Risk Analysis process and not a tool to complete the process.
You are the project manager of a large networking project. During the execution phase the customer requests a change in the existing project plan. What will be your immediate action? A. Update the risk register. B. Ask for a formal change request. C. Ignore the request as the project is in the execution phase. D. Refuse the change request. Suggested Answer: B Whenever the customer or a key stakeholder asks for a change in the existing plan, you should ask him/her to submit a formal change request. Change requests may modify project policies or procedures, project scope, project cost or budget, project schedule, or project quality. Incorrect Answers: A, C, D: The first action required is to create a formal change request if a change is requested in the project.
Which of the following is described by the definition given below? "It is the expected guaranteed value of taking a risk." A. Certainty equivalent value B. Risk premium C. Risk value guarantee D. Certain value assurance Suggested Answer: A The certainty equivalent value is the expected guaranteed value of taking a risk. It is derived from the uncertainty of the situation and the potential value of the situation's outcome. Incorrect Answers: B: The risk premium is the difference between the larger expected value of the risk and the smaller certainty equivalent value. C, D: These are not valid answers.
You are the project manager of the GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. She wanted to give you a heads-up and asked that you return the call. Which of the following statements is TRUE? A. This is a residual risk. B. This is a trigger. C. This is a contingency plan. D. This is a secondary risk. Suggested Answer: B Triggers are warning signs of an upcoming risk event. Here the delay in delivery signifies that there may be a risk event such as a delay in completion of the project. Hence it is referred to as a trigger. Incorrect Answers: A: Residual risk is the risk that remains after applying controls. But here in this scenario, the risk event has not occurred yet. C: A contingency plan is a plan devised for a specific situation when things go wrong. Contingency plans are often devised by governments or businesses who want to be prepared for anything that could happen. Here there are no such plans. D: Secondary risks are risks that come about as a result of implementing a risk response. But here in this scenario, the risk event has not occurred yet.
There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the quantitative risk analysis process? A. Risk management plan B. Enterprise environmental factors C. Cost management plan D. Risk register Suggested Answer: B Enterprise environmental factors are not an input to the quantitative risk analysis process. The five inputs to the perform quantitative risk analysis process are: risk register, risk management plan, cost management plan, schedule management plan, and organizational process assets. Incorrect Answers: A, C, D: These are valid inputs to the perform quantitative risk analysis process.
Stephen is the project manager of the GBB project. He has worked with two subject matter experts and his project team to complete the risk assessment technique. There are approximately 47 risks that have a low probability and a low impact on the project. Which of the following answers best describes what Stephen should do with these risk events? A. Because they are low probability and low impact, Stephen should accept the risks. B. The low probability and low impact risks should be added to a watchlist for future monitoring. C. Because they are low probability and low impact, the risks can be dismissed. D. The low probability and low impact risks should be added to the risk register. Suggested Answer: B The low probability and low impact risks should be added to a watchlist for future monitoring. Incorrect Answers: A: The risk response for these events may be to accept them, but the best answer is to first add them to a watchlist. C: Risks are not dismissed; they are at least added to a watchlist for monitoring. D: While the risks may eventually be added to the register, the best answer is to first add them to the watchlist for monitoring.
Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risk events that were not previously identified. What should Jenny do with these risk events? A. The events should be entered into qualitative risk analysis. B. The events should be determined if they need to be accepted or responded to. C. The events should be entered into the risk register. D. The events should continue on with quantitative risk analysis. Suggested Answer: C All identified risk events should be entered into the risk register. A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains: ✑ A description of the risk ✑ The impact should this event actually occur ✑ The probability of its occurrence ✑ Risk Score (the multiplication of Probability and Impact) ✑ A summary of the planned response should the event occur ✑ A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) ✑ Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. Incorrect Answers: A: Before the risk events are analyzed they should be documented in the risk register. B: The risks should first be documented and analyzed. D: These risks should first be identified, documented, and passed through qualitative risk analysis; then it should be determined whether they should pass through the quantitative risk analysis process.
You are working on a project in an enterprise. Some part of your project requires e-commerce, but your enterprise chooses not to engage in e-commerce. This scenario demonstrates which of the following? A. risk avoidance B. risk treatment C. risk acceptance D. risk transfer Suggested Answer: A Each business process involves inherent risk. Not engaging in an activity avoids the inherent risk associated with that activity. Hence this demonstrates risk avoidance. Incorrect Answers: B: Risk treatment means that action is taken to reduce the frequency and impact of a risk. C: Acceptance means that no action is taken relative to a particular risk, and the loss is accepted when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed decision has been made by management to accept it as such. D: Risk transfer/sharing means reducing either risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing. These techniques do not relieve an enterprise of a risk, but can involve the skills of another party in managing the risk and reducing the financial consequence if an adverse event occurs.
Which of the following are risk components of the COSO ERM framework? Each correct answer represents a complete solution. (Choose three.) A. Risk response B. Internal environment C. Business continuity D. Control activities Suggested Answer: ABD The risk components defined by COSO ERM are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Incorrect Answers: C: Business continuity is not considered a risk component within the ERM framework.
Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis? A. Listing of risk responses B. Risk ranking matrix C. Listing of prioritized risks D. Qualitative analysis outcomes Suggested Answer: C The outcome of quantitative analysis can create a listing of prioritized risks that should be updated in the risk register. The project team will create and update the risk register with four key components: ✑ probabilistic analysis of the project ✑ probability of achieving time and cost objectives ✑ list of quantified risks ✑ trends in quantitative risk analysis Incorrect Answers: A, B, D: These subjects are not updated in the risk register as a result of quantitative risk analysis.
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy? A. Penetration testing B. Service level monitoring C. Security awareness training D. Periodic audits Suggested Answer: D As regular audits can spot gaps in information security compliance, periodic audits can ensure that outsourced service providers comply with the enterprise's information security policy. Incorrect Answers: A: Penetration testing can identify security vulnerabilities, but cannot ensure information security compliance. B: Service level monitoring can only identify operational issues in the enterprise's operational environment. It does not play any role in ensuring that an outsourced service provider complies with the enterprise's information security policy. C: Training can increase user awareness of the information security policy, but is less effective than periodic auditing.
You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized? A. Deferrals B. Quick win C. Business case to be made D. Contagious risk Suggested Answer: C This is categorized as a business case to be made because the project cost is very large. The response to be implemented requires a quite large investment. Therefore it comes under business case to be made. Incorrect Answers: A: Deferrals address a costly risk response to a low risk. But here the response is less costly than that of business case to be made. B: A quick win is a very effective and efficient response that addresses medium to high risk. But in this case the response does not require large investments. D: This is not a risk response prioritization option; instead it is a type of risk that happens with several of the enterprise's business partners within a very short time frame.
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy? A. Interview the firewall administrator. B. Review the actual procedures. C. Review the device's log file for recent attacks. D. Review the parameter settings. Suggested Answer: D A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide reliable audit evidence documentation. Incorrect Answers: A: While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy. B: While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy. C: While reviewing the device's log file for recent attacks may provide indirect evidence about the fact that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
Which of the following is NOT used for measurement of the Critical Success Factors of a project? A. Productivity B. Quality C. Quantity D. Customer service Suggested Answer: C Incorrect Answers: A, B, D: Productivity, quality and customer service are used for evaluating the critical success factors of any particular project.
Which of the following statements is NOT true regarding the risk management plan? A. The risk management plan is an output of the Plan Risk Management process. B. The risk management plan is an input to all the remaining risk-planning processes. C. The risk management plan includes a description of the risk responses and triggers. D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets. Suggested Answer: C The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers. Responses to risks are documented in the risk register as part of the Plan Risk Responses process. Incorrect Answers: A, B, D: All these statements are true for the risk management plan. The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. It includes thresholds, scoring and interpretation methods, responsible parties, and budgets. It also acts as an input to all the remaining risk-planning processes.
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply the most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response? A. Project network diagrams B. Cause-and-effect analysis C. Decision tree analysis D. Delphi Technique Suggested Answer: C Decision tree analysis is a risk analysis tool that can help the project manager in determining the best risk response. The tool can be used to measure probability, impact, and risk exposure and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced image of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility. Incorrect Answers: A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as a part of risk response planning. B: Cause-and-effect analysis is used for exposing risk factors and is not an effective tool in risk response planning. This analysis involves the use of a predictive or diagnostic analytical tool for exploring the root causes or factors that contribute to positive or negative effects or outcomes. D: The Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. Delphi uses a group of experts who independently rate the business risk of an organization. Each expert analyzes the risk independently and then prioritizes the risk, and the results are combined into a consensus.
You are the risk official of your enterprise. Your enterprise takes important decisions without credible risk information and is also unaware of external requirements for risk management and of integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exist? A. Level 1 B. Level 0 C. Level 5 D. Level 4 Suggested Answer: B Level 0, nonexistent: an enterprise's risk management capability maturity level is 0 when: ✑ The enterprise does not recognize the need to consider risk management or the business impact of IT risk. ✑ Decisions involving risk lack credible information. ✑ Awareness of external requirements for risk management and of integration with enterprise risk management (ERM) does not exist. Incorrect Answers: A, C, D: All of these are higher levels of the risk management capability maturity model; at each of them the enterprise does take decisions on the basis of credible risk information, is aware of external requirements for risk management, and integrates with ERM.
Which of the following is the priority of data owners when establishing a risk mitigation method? A. User entitlement changes B. Platform security C. Intrusion detection D. Antivirus controls Suggested Answer: A Data owners are responsible for approving user entitlement changes and access to the systems for which they are responsible. Incorrect Answers: B, C, D: Data owners are not responsible for intrusion detection, platform security or antivirus controls. These are the responsibilities of data custodians.
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use? A. Anti-harassment policy B. Acceptable use policy C. Intellectual property policy D. Privacy policy Suggested Answer: B An acceptable use policy is a set of rules applied by the owner or manager of a network, website or large computer system that restricts the ways in which the network, site or system may be used. Acceptable use policies are an integral part of the framework of information security policies. Incorrect Answers: A, C: These two policies are not related to information system security. D: A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's or client's data.
Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this? A. Mitigation B. Avoidance C. Transference D. Enhancing Suggested Answer: A Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to within acceptable threshold limits. Here both are reduced: the expected loss falls from $45,000 (0.6 × $75,000) to $1,500 (0.1 × $15,000), which justifies the $25,000 cost. Taking early action to reduce the probability and/or impact of a risk is often more effective than trying to repair the damage after the risk has occurred. Incorrect Answers: B: Avoidance changes the project plan to avoid the risk altogether. C: Transference shifts some or all of the negative impact of a threat, along with ownership of the response, to a third party. Transferring the risk simply gives another party responsibility for its management; it does not eliminate it. Transferring liability for a risk is most effective in dealing with financial risk exposure, and nearly always involves paying a risk premium to the party taking on the risk. D: Enhancing is a positive risk response, used to increase the probability and/or the positive impact of an opportunity; identifying and maximizing the key drivers of these positive-impact risks may increase the probability of their occurrence.
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget? A. Monitor and Control Risk B. Plan risk response C. Identify Risks D. Qualitative Risk Analysis Suggested Answer: B The Plan Risk Responses project management process aims to reduce threats to the project objectives and to increase opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. It assigns a risk response owner to each agreed-to and funded risk response, addresses the risks by their priorities, updates the project management plan as required, and inserts resources and activities into the budget. The inputs to the Plan Risk Responses process are: ✑ Risk register ✑ Risk management plan Incorrect Answers: A: Monitor and Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan. C: Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. It is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. It should involve the project team so that they develop and maintain a sense of ownership and responsibility for the risks and the associated risk response actions. The risk register is the only output of this process. D: Qualitative analysis defines risk factors in terms of high/medium/low or a numeric scale (1 to 10), so it determines the nature of a risk on a relative scale. Qualitative methods of risk analysis include: ✑ Scenario analysis: a forward-looking process that can reflect risk for a given point in time. ✑ Risk and control self-assessment (RCSA): used by enterprises such as banks to identify and evaluate operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise about the source of the risk. RCSA is a constructive process that compels business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.
Out of several risk responses, which of the following risk responses is used for negative risk events? A. Share B. Enhance C. Exploit D. Accept Suggested Answer: D Among the given choices only the acceptance response is used for negative risk events. Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who may accept the risk: risk should be accepted only by senior management, in consultation with the board. There are two forms of the acceptance strategy, passive and active. ✑ Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences if it occurs. ✑ Active acceptance might include developing contingency plans and reserves to deal with the risk. Incorrect Answers: A, B, C: All of these are used to deal with opportunities (positive risks), not with negative risks.
Which of the following risks refers to the probability that the actual return on an investment will be lower than the investor's expectations? A. Integrity risk B. Project ownership risk C. Relevance risk D. Expense risk Suggested Answer: D The probability that the actual return on an investment will be lower than the investor's expectations is termed investment risk or expense risk. All investments carry some level of risk because the market's direction is unpredictable. This includes consideration of the overall IT investment portfolio. Incorrect Answers: A: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed integrity risk. B: The risk of IT projects failing to meet objectives due to lack of accountability and commitment is referred to as project ownership risk. C: The risk of not delivering the right information to the right people (or process or system) at the right time to allow the right action to be taken is termed relevance risk.
What are the PRIMARY requirements for developing risk scenarios? Each correct answer represents a part of the solution. (Choose two.) A. Potential threats and vulnerabilities that could lead to loss events B. Determination of the value of an asset at risk C. Determination of actors that have the potential to generate risk D. Determination of threat type Suggested Answer: AB Creating a scenario requires determining the value of the asset or business process at risk and the potential threats and vulnerabilities that could cause loss. The risk scenario should be assessed for relevance and realism and, if found relevant, entered into the risk register. In practice, risk scenario development involves the following steps: ✑ First determine a manageable set of scenarios, which includes: ✑ Scenarios that occur frequently in the industry or product area. ✑ Scenarios representing threat sources that are increasing in count or severity. ✑ Scenarios involving legal and regulatory requirements applicable to the business. ✑ Validate the selected scenarios against the business objectives of the entity. ✑ Based on this validation, refine the selected scenarios and detail them to a level in line with the criticality of the entity. ✑ Reduce the number of scenarios to a manageable set. Manageable does not mean a fixed number; it should be in line with the overall importance and criticality of the unit. ✑ Keep risk factors in a register so that they can be re-evaluated in the next iteration and included for detailed analysis if they have become relevant by then. ✑ Include an unspecified event in the scenarios, that is, an incident not covered by any other scenario. Incorrect Answers: C, D: Determination of actors and of threat type are not the primary requirements for developing risk scenarios; they are components determined during risk scenario development.
What are the responsibilities of the CRO? Each correct answer represents a complete solution. (Choose three.) A. Managing the risk assessment process B. Implement corrective actions C. Advising Board of Directors D. Managing the supporting risk management function Suggested Answer: ABD The chief risk officer is an executive-level manager who provides corporate guidance, governance, and oversight over the enterprise's risk management activities. The main priority for the CRO is to ensure that the organization is in full compliance with applicable regulations. The CRO may also deal with insurance, internal auditing, corporate investigations, fraud, and information security. The CRO's responsibilities include: ✑ Managing the risk assessment process ✑ Implementing corrective actions ✑ Communicating risk management issues ✑ Managing the supporting risk management function
You are working with a vendor on your project. A stakeholder has requested a change for the project, which will add value to the project deliverables. The vendor that you're working with on the project will be affected by the change. What system can help you introduce and execute the stakeholder change request with the vendor? A. Contract change control system B. Scope change control system C. Cost change control system D. Schedule change control system Suggested Answer: A The contract change control system is part of the project's change control system and addresses changes with the vendor that may affect the project contract. A change control system, part of the configuration management system, is a collection of formal documented procedures that define how project deliverables and documentation will be controlled, changed, and approved. Incorrect Answers: B: The scope may change because of the stakeholder change request, but the scope change control system does not address the vendor's relationship to the project, so this choice is not the best answer. C: The cost change control system manages changes to costs in the project. D: There is no indication that the change could affect the project schedule.
You are the project manager of the GHT project. You are performing a cost and benefit analysis of controls and find that the cost of a specific control exceeds the benefit of mitigating a given risk. What is the BEST action to choose in this scenario? A. The enterprise may apply the appropriate control anyway. B. The enterprise should adopt corrective control. C. The enterprise may choose to accept the risk rather than incur the cost of mitigation. D. The enterprise should exploit the risk. Suggested Answer: C If the costs of specific controls or countermeasures (control overhead) exceed the benefits of mitigating a given risk, the enterprise may choose to accept the risk rather than incur the cost of mitigation. This follows the principle of proportionality described in: ✑ Generally accepted security systems principles (GASSP) ✑ Generally accepted information security principles (GAISP) Incorrect Answers: A: When the cost of a specific control exceeds the benefit of mitigating a given risk, the control is not applied; the risk is accepted instead. B: Because the cost of the control exceeds the benefit of mitigating the risk, no control should be applied; a corrective control is still a control, so it should not be adopted. D: A risk is exploited when it is an opportunity, i.e., a positive risk. Here the risk is negative, since it needs mitigation, so exploitation does not apply.
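Added worked example, not part of the exam material: the decision tree analysis of the Bluewell question and the cost-benefit reasoning of the Wendy and GHT questions above come down to the same computation, folding back expected monetary value (EMV) through a tree of decision and chance nodes and picking the alternative with the best EMV. The Python below does exactly that. Wendy's figures are the ones her question states; the probabilities and the $40,000 control cost in the disproportionate-control case are constructed to show the proportionality rule (accept when the control costs more than the exposure it removes).

```python
"""Decision tree analysis by folding back expected monetary value (EMV).

Added example, not part of the exam material. The figures for Wendy's risk
event are the ones the question states; the control cost and probabilities
in the proportionality case are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Node = Union[float, "Chance", "Choice"]


@dataclass
class Chance:
    """A chance node: (probability, subtree) branches that must sum to 1."""
    branches: List[Tuple[float, Node]]


@dataclass
class Choice:
    """A decision node: (option name, up-front cost, subtree) alternatives."""
    options: List[Tuple[str, float, Node]]


def fold_back(node: Node) -> float:
    """Return the EMV of a subtree. Leaves are signed money (losses negative).

    Chance nodes average their branches by probability; decision nodes take
    the best alternative after paying that alternative's cost.
    """
    if isinstance(node, (int, float)):
        return float(node)
    if isinstance(node, Chance):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"branch probabilities sum to {total}, not 1")
        return sum(p * fold_back(sub) for p, sub in node.branches)
    if isinstance(node, Choice):
        return max(-cost + fold_back(sub) for _, cost, sub in node.options)
    raise TypeError(f"unexpected node {node!r}")


def option_values(choice: Choice) -> Dict[str, float]:
    """EMV of each alternative at a decision node, keyed by option name."""
    return {name: -cost + fold_back(sub) for name, cost, sub in choice.options}


def best_option(choice: Choice) -> str:
    """Name of the alternative with the highest EMV (the one to pick)."""
    values = option_values(choice)
    return max(values, key=values.get)


def loss_event(probability: float, loss: float) -> Chance:
    """Chance node for a threat that either occurs (costing `loss`) or not."""
    return Chance([(probability, -abs(loss)), (1.0 - probability, 0.0)])


def wendy_decision() -> Choice:
    """Figures from the question: $75k at 60% vs $15k at 10% for a $25k fix."""
    return Choice([
        ("accept", 0.0, loss_event(0.60, 75_000)),
        ("mitigate", 25_000.0, loss_event(0.10, 15_000)),
    ])


def disproportionate_control() -> Choice:
    """Constructed case where control overhead exceeds the benefit (assumed)."""
    return Choice([
        ("accept", 0.0, loss_event(0.30, 100_000)),
        ("mitigate", 40_000.0, loss_event(0.05, 100_000)),
    ])


if __name__ == "__main__":
    cases = (("Wendy", wendy_decision()),
             ("overpriced control", disproportionate_control()))
    for label, tree in cases:
        print(label, option_values(tree), "->", best_option(tree))
```

Running the module prints the EMV of each alternative: Wendy's mitigation comes out at -$26,500 against -$45,000 for acceptance, so mitigation is chosen, while the constructed overpriced control comes out at -$45,000 against -$30,000 for acceptance, so acceptance wins there. Losses are entered as negative leaves so that the same max() selects the best option for threats and opportunities alike, and nested Choice and Chance nodes fold back recursively for deeper trees.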
Mortality tables are based on what mathematical activity? Each correct answer represents a complete solution. (Choose three.) A. Normal distributions B. Probabilities C. Impact D. Sampling Suggested Answer: ABD Probability identifies the chance that a particular event will happen under certain circumstances. The variables used are based on information gathered in real life. For situations involving large numbers, a smaller set of participants is identified to represent the larger population; this is a sample of the population. The data points are plotted to identify their distribution. Normal distribution refers to the theoretical plotting of points about the mathematical mean. Together these activities give a reasonable predictability for the mortality of the subject. Incorrect Answers: C: Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss; however, instead of quantifying the loss as a dollar value, an impact assessment may use words such as Low, Medium, or High. Hence it is not a mathematical activity.
Harry is the project manager of the HDW project. He has identified a risk that could injure project team members. He does not want to accept any risk where someone could become injured on this project, so he hires a professional vendor to complete this portion of the project work. What type of risk response is Harry implementing? A. Transference B. Mitigation C. Acceptance D. Avoidance Suggested Answer: A Risk transfer means that the impact of a risk is reduced by transferring, or otherwise sharing, a portion of the risk with an external organization or another internal entity. Transfer of risk can take many forms but is most effective when dealing with financial risks; insurance is one form of risk transfer. When Harry hires a professional vendor to manage the risk, the risk event does not go away, but the responsibility for it is transferred to the vendor. Incorrect Answers: B: Mitigation consists of actions that Harry's project team could take to reduce the probability and/or impact of the risk event. C: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. Harry is not accepting this risk event; he does not want anyone on his team to be injured, so he transfers the event to a professional vendor. D: Avoidance removes the risk event entirely, either by adding steps to avoid the event or by reducing the project scope.
The Identify Risks process determines the risks that affect the project and documents their characteristics. Why should the project team members be involved in the Identify Risks process? A. They are the individuals that will most likely cause and respond to the risk events. B. They are the individuals that will have the best responses for identified risks events within the project. C. They are the individuals that are most affected by the risk events. D. They are the individuals that will need a sense of ownership and responsibility for the risk events. Suggested Answer: D The project team members should be involved in risk identification so that they develop a sense of ownership and responsibility for the risk events and the associated risk responses. Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. It is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they develop and maintain a sense of ownership and responsibility for the risks and the associated risk response actions. The risk register is the only output of this process. Incorrect Answers: A, B, C: These are not valid answers for this question.
Which of the following controls does NOT come under the technical class of controls? A. Program management control B. System and Communications Protection control C. Identification and Authentication control D. Access Control Suggested Answer: A Program Management controls come under the management class of controls, not the technical class. The Program Management family is driven by the Federal Information Security Management Act (FISMA): it provides controls to ensure compliance with FISMA, and these controls complement the other controls rather than replace them. Incorrect Answers: B, C, D: These controls come under the technical class. The technical class of controls includes four families, with over 75 individual controls among them: ✑ Access Control (AC): this family helps an organization implement effective access control. It ensures that users have the rights and permissions they need to perform their jobs, and no more, and includes principles such as least privilege and separation of duties. ✑ Audit and Accountability (AU): this family helps an organization implement an effective audit program. It provides details on how to determine what to audit and how to protect the audit logs, and includes information on using audit logs for non-repudiation. ✑ Identification and Authentication (IA): these controls cover the practices used to identify and authenticate users. Each user should be uniquely identified; in other words, each user has one account and that account is used by only one user. Similarly, device identifiers uniquely identify devices on the network. ✑ System and Communications Protection (SC): the SC family is a large group of controls covering many aspects of protecting systems and communication channels. Denial of service protection and boundary protection controls are included, as are transmission integrity and confidentiality controls.
Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks, so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using? A. Delphi Techniques B. Expert judgment C. Brainstorming D. Checklist analysis Suggested Answer: C Mary is using brainstorming in this example. Brainstorming attempts to create a comprehensive list of risks and is often led by a moderator or facilitator to move the process along. It is a technique for gathering general data and can be used to identify risks, ideas, or solutions to issues by using a group of team members or subject-matter experts. Brainstorming is a group creativity technique that also brings other benefits, such as boosting morale, enhancing work enjoyment, and improving teamwork. Incorrect Answers: A: The Delphi technique uses rounds of anonymous surveys to generate a consensus on the identified risks. B: Expert judgment is not the best answer here; project experts generally take part in risk identification in addition to the project team, but the facilitated idea generation described is brainstorming. D: Checklist analysis uses historical information and information from similar projects within the organization's experience.
Which of the following is an administrative control? A. Water detection B. Reasonableness check C. Data loss prevention program D. Session timeout Suggested Answer: C
You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures for managing risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario? A. Project plan B. Resource management plan C. Project management plan D. Risk management plan Suggested Answer: D The risk management plan, part of the comprehensive project management plan, defines how risks will be identified, analyzed, monitored and controlled, and responded to. It is prepared by the project manager to assess the effectiveness of risk handling, predict risks, and build response plans to mitigate them, and it includes the risk assessment matrix. Risks are inherent in any project, so project managers evaluate risks repeatedly and build plans to address them. The risk management plan covers the analysis of possible risks with both high and low impacts and the mitigation strategies that keep the project from being derailed when the usual problems arise. It should be reviewed regularly by the project team so that the analysis does not become stale and unrepresentative of the project's actual potential risks. Most critically, it includes a risk strategy for project execution. Incorrect Answers: A: The project plan is not an official PMBOK project management plan. B: The resource management plan defines the management of project resources, such as project team members, facilities, equipment, and contractors. C: The project management plan is the comprehensive plan that communicates the intent of the project across all project management knowledge areas.
Where are all risks and risk responses documented as the project progresses? A. Risk management plan B. Project management plan C. Risk response plan D. Risk register Suggested Answer: D All risks, their responses, and other characteristics are documented in the risk register. As the project progresses and the conditions of the risk events change, the risk register should be updated to reflect the risk conditions. Incorrect Answers: A: The risk management plan addresses the project management's approach to risk management, risk identification, analysis, response, and control. B: The project management plan is the overarching plan for the project, not the specifics of the risk responses and risk identification. C: The risk response plan only addresses the planned risk responses for the identified risk events in the risk register.
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this? A. Transference B. Mitigation C. Avoidance D. Exploit Suggested Answer: A Hiring a third party to own a risk is the transference risk response. Risk transfer means that the impact of a risk is reduced by transferring, or otherwise sharing, a portion of the risk with an external organization or another internal entity. Transfer of risk can take many forms but is most effective when dealing with financial risks; insurance is one form of risk transfer. Incorrect Answers: B: Spending money to reduce a risk's probability and impact is mitigation. C: Introducing extra activities into the project to avoid the risk is avoidance. D: Exploit is a strategy that may be selected for risks with positive impacts, where the organization wishes to ensure that the opportunity is realized.
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs to the Identify Risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk? A. Activity duration estimates B. Activity cost estimates C. Risk management plan D. Schedule management plan Suggested Answer: A Reviewing the activity duration estimates is valuable in identifying risks associated with the time allowances for the activities or the project as a whole; the width of the range indicates the degree of risk. Incorrect Answers: B: Reviewing the activity cost estimates is also valuable in identifying risks, as it provides a quantitative assessment of the expected cost to complete scheduled activities, expressed as a range whose width indicates the degree of risk; but it concerns cost, not time allowances. C: The risk management plan is a document prepared by the project manager to assess the effectiveness of risk handling, predict risks, and build response plans to mitigate them; it also contains the risk assessment matrix. D: The schedule management plan describes how schedule contingencies will be reported and assessed.
Which of the following events refers to a loss of integrity? Each correct answer represents a complete solution. (Choose three.) A. Someone sees company's secret formula B. Someone makes unauthorized changes to a Web site C. An e-mail message is modified in transit D. A virus infects a file Suggested Answer: BCD Loss of integrity covers the following types of events: ✑ An e-mail message is modified in transit ✑ A virus infects a file ✑ Someone makes unauthorized changes to a Web site Incorrect Answers: A: Someone seeing the company's secret formula (or a password) is a loss of confidentiality.
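Added example, not part of the exam material: the first two events above (a message modified in transit, a file altered by malware) are exactly what a keyed integrity check is meant to expose. The Python below attaches an HMAC-SHA256 tag to a message and shows that the receiver rejects the altered copy, both with the original tag and with a tag forged under a guessed key, while an unkeyed hash is useless because the attacker simply recomputes it over the edited text. The message, key and the "100.00 to 900.00" edit are constructed; the same check applies unchanged to a file's bytes or to an audit log.

```python
"""Detecting loss of integrity with a keyed message authentication code.

Added example, not from the exam material. The message, key and the
on-path edit below are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message. Only a holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)


def verify_unkeyed(message: bytes, digest: bytes) -> bool:
    """A plain hash check, kept only to show why it does not give integrity."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def on_path_edit(message: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate an attacker rewriting part of the message in transit."""
    if old not in message:
        raise ValueError("edit target not present")
    return message.replace(old, new)


def integrity_scenario() -> dict:
    """Send a payment instruction, tamper with it, and see what each check says."""
    key = secrets.token_bytes(32)                 # shared by sender and receiver only
    original = b"PAY 100.00 USD TO ACCT 12345"   # constructed sample message
    mac = tag(key, original)

    altered = on_path_edit(original, b"100.00", b"900.00")
    # The attacker can recompute an unkeyed hash over the altered text ...
    attacker_digest = hashlib.sha256(altered).digest()
    # ... but without the real key can only tag it under a guessed key.
    attacker_mac = tag(secrets.token_bytes(32), altered)

    return {
        "intact_accepted": verify(key, original, mac),
        "altered_old_tag_rejected": not verify(key, altered, mac),
        "altered_forged_tag_rejected": not verify(key, altered, attacker_mac),
        "unkeyed_hash_fooled": verify_unkeyed(altered, attacker_digest),
    }


if __name__ == "__main__":
    for check, result in integrity_scenario().items():
        print(f"{check}: {result}")
```

All four results come out True: the genuine message passes, both tampered variants fail the keyed check, and the unkeyed hash accepts the tampered message because nothing stops the attacker from recomputing it. Note that an HMAC detects modification but does not prevent it, so it belongs with the detective controls discussed later on this page; preventing the edit in the first place needs transport protection such as TLS.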
Which of the following should be PRIMARILY considered while designing information systems controls? A. The IT strategic plan B. The existing IT environment C. The organizational strategic plan D. The present IT budget Suggested Answer: C Review of the enterprise's strategic plan is the first step in designing effective IS controls that would fit the enterprise's long-term plans. Incorrect Answers: A: The IT strategic plan exists to support the enterprise's strategic plan but is not solely considered while designing information system control. B: Review of the existing IT environment is also useful and necessary but is not the first step that needs to be undertaken. D: The present IT budget is just one of the components of the strategic plan.
Which of the following is the MOST effective inhibitor of relevant and efficient communication? A. A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down B. The perception that the enterprise is trying to cover up known risk from stakeholders C. Existence of a blame culture D. Misalignment between real risk appetite and translation into policies Suggested Answer: C A blame culture should be avoided; it is the most effective inhibitor of relevant and efficient communication. In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to recognize how the business unit's involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet expectations that the unit never clearly communicated. Executive leadership must identify and quickly control a blame culture if collaboration is to be fostered throughout the enterprise. Incorrect Answers: A: This is a consequence of poor risk communication, not an inhibitor of effective communication. B: This is a consequence of poor risk communication, not an inhibitor of effective communication. D: Misalignment between the real risk appetite and its translation into policies is an inhibitor of effective communication, but not as prominent as the existence of a blame culture.
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events? A. These risks can be dismissed. B. These risks can be accepted. C. These risks can be added to a low priority risk watch list. D. All risks must have a valid, documented risk response. Suggested Answer: C Low-impact, low-probability risks can be added to the low priority risk watch list. Incorrect Answers: A: These risks are not dismissed; they are still documented on the low priority risk watch list. B: While these risks may be accepted, they should be documented on the low priority risk watch list. This list will be periodically reviewed and the status of the risks may change. D: Not every risk demands a risk response, so this choice is incorrect.
You are the project manager of your enterprise. You have introduced an intrusion detection system as a control, and it has raised a warning of a violation of your enterprise's security policies. What type of control is an intrusion detection system (IDS)? A. Detective B. Corrective C. Preventative D. Recovery Suggested Answer: A An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activity or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting them. Organizations also use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. Because an IDS detects, and warns about, violations of the enterprise's security policies, it is a detective control. Incorrect Answers: B: Corrective controls reduce the impact of a threat once detective controls have discovered a problem. As an IDS only detects and does not reduce the impact, it is not a corrective control. C: As an IDS only detects the problem when it occurs, not before it occurs, it is not a preventive control. D: Recovery controls overcome the impact of an incident on the business; an IDS is not a recovery control.
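Added example, not part of the exam material: a detective control in the IDS sense only observes and reports. The Python below runs one minimal detection rule, five failed logins from a single source within sixty seconds, over constructed sshd-style log lines and returns alerts; it deliberately blocks nothing, which is what separates it from a preventive control such as a firewall rule that drops the source. The log lines, the threshold and the window are all assumptions made for the example.

```python
"""A minimal detective control: failed-login burst detection over log lines.

Added example, not from the exam material. The log lines are constructed in
the style of OpenSSH auth messages; the threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed sample: five failures from one host in under a minute, one
# failure from another host, and one successful login that must be ignored.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 5001 ssh2
2024-03-01T10:00:05 sshd[102]: Failed password for admin from 203.0.113.7 port 5002 ssh2
2024-03-01T10:00:09 sshd[103]: Failed password for invalid user test from 203.0.113.7 port 5003 ssh2
2024-03-01T10:00:12 sshd[104]: Failed password for alice from 198.51.100.4 port 6001 ssh2
2024-03-01T10:00:15 sshd[105]: Failed password for root from 203.0.113.7 port 5004 ssh2
2024-03-01T10:00:20 sshd[106]: Failed password for root from 203.0.113.7 port 5005 ssh2
2024-03-01T10:05:00 sshd[107]: Accepted password for alice from 198.51.100.4 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, source ip, user) for each failed-login line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def detect_bruteforce(text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert when one source reaches `threshold` failures inside `window`.

    Keeps a sliding window of failure times per source IP. The function only
    reports; it never blocks a source, which is what makes it a detective
    rather than a preventive control.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: List[Dict] = []
    for ts, ip, _user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "source": ip,
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "rule": f"{threshold} failed logins within {int(window.total_seconds())}s",
            })
            q.clear()                        # a later burst from this source alerts again
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT", alert)
```

On the sample, the only alert names 203.0.113.7 with five failures between 10:00:01 and 10:00:20; the single failure from 198.51.100.4 and the accepted login never reach the threshold. Feeding the same alerts to a firewall or fail2ban-style action would add a corrective or preventive layer on top, but the detection logic itself stays a detective control.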
What are the functions of the audit and accountability control family? Each correct answer represents a complete solution. (Choose three.) A. Provides details on how to protect the audit logs B. Implement effective access control C. Implement an effective audit program D. Provides details on how to determine what to audit Suggested Answer: ACD The audit and accountability family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation. Incorrect Answers: B: Access control is the family of controls that helps an organization implement effective access control. These controls ensure that users have the rights and permissions they need to perform their jobs, and no more. The family includes principles such as least privilege and separation of duties. The audit and accountability family of controls does not help in implementing effective access control.
Which among the following acts as a trigger for the risk response process? A. Risk level increases above risk appetite B. Risk level increases above risk tolerance C. Risk level equates risk appetite D. Risk level equates the risk tolerance Suggested Answer: B The risk response process is triggered when a risk exceeds the enterprise's risk tolerance level. The acceptable variation relative to the achievement of an objective is termed risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives. Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards. Incorrect Answers: A, C: The risk appetite level is not relevant in triggering the risk response process. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the responsibility of the board to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
- The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
- The culture towards risk taking, cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursuit of its objectives.
D: The risk response process is triggered when the risk level exceeds the risk tolerance level of the enterprise, not when it merely equals the risk tolerance level.
What is the value of the exposure factor if the asset is lost completely? A. 1 B. Infinity C. 10 D. 0 Suggested Answer: A The Exposure Factor represents the impact of the risk on the asset, or the percentage of the asset lost. For example, if the Asset Value is reduced to two-thirds, the exposure factor value is 0.66. Therefore, when the asset is completely lost, the Exposure Factor is 1.0. Incorrect Answers: B, C, D: These are not the values of the exposure factor for a completely lost asset.
Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response? A. Enhancing B. Positive C. Opportunistic D. Exploiting Suggested Answer: D This is an example of exploiting a positive risk; a by-product of a project is an excellent example of exploiting a risk. The exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response. Incorrect Answers: A: Enhancing is a positive risk response that describes actions taken to increase the odds of a risk event happening. B: This is an example of a positive risk, but positive is not a risk response. C: Opportunistic is not a valid risk response.
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)? A. ALE= ARO/SLE B. ARO= SLE/ALE C. ARO= ALE*SLE D. ALE= ARO*SLE Suggested Answer: D A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:
- Single loss expectancy (SLE): the total loss expected from a single incident. This incident can occur when a vulnerability is exploited by a threat. The loss is expressed as a dollar value such as $1,000. It includes the value of data, software, and hardware. SLE = Asset value * Exposure factor
- Annual rate of occurrence (ARO): the number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year.
- Annual loss expectancy (ALE): the expected loss for a year. ALE is calculated by multiplying SLE by ARO. Because SLE is given in a dollar value, ALE is also given in a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO
- Safeguard value: the cost of a control. Controls are used to mitigate risk. For example, antivirus software at an average cost of $50 per computer; if there are 50 computers, the safeguard value is $2,500.
Incorrect Answers: A, B, C: These are wrong formulas and are not used in quantitative risk assessment.
Which of the following statements are true for an enterprise's risk management capability maturity level 3? A. Workflow tools are used to accelerate risk issues and track decisions B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized Suggested Answer: ABD An enterprise's risk management capability maturity level is 3 when:
- Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized.
- There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise.
- The business knows how IT fits in the enterprise risk universe and the risk portfolio view.
- Local tolerances drive the enterprise risk tolerance.
- Risk management activities are being aligned across the enterprise.
- Formal risk categories are identified and described in clear terms.
- Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk.
- Defined requirements exist for a centralized inventory of risk issues.
- Workflow tools are used to accelerate risk issues and track decisions.
Incorrect Answers: C: An enterprise at risk management capability maturity level 5 requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.
Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and risk-aware decisions? A. Business management B. Business process owner C. Chief information officer (CIO) D. Chief risk officer (CRO) Suggested Answer: D Business management consists of the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining the risk profile, and risk-aware decisions. Other than this, they are also responsible for managing risks, reacting to events, etc. Incorrect Answers: B: The business process owner is an individual responsible for identifying process requirements, approving process design, and managing process performance. He/she is responsible for analyzing risks, maintaining the risk profile, and risk-aware decisions but is not accountable for them. C: The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing, and managing the delivery of IT services and information and the deployment of associated human resources. The CIO has some responsibility for analyzing risks, maintaining the risk profile, and risk-aware decisions but is not accountable for them.
You are using an information system. You have chosen a poor password and also sometimes transmit data over unprotected communication lines. What do this poor-quality password and unsafe transmission refer to? A. Probabilities B. Threats C. Vulnerabilities D. Impacts Suggested Answer: C Vulnerabilities represent characteristics of information resources that may be exploited by a threat. The given scenario describes such a situation, hence it is a vulnerability. Incorrect Answers: A: Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability. B: Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat. D: Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.
An enterprise has identified risk events in a project. While responding to these identified risk events, which among the following stakeholders is MOST important for reviewing risk response options to an IT risk? A. Information security managers B. Internal auditors C. Incident response team members D. Business managers Suggested Answer: D Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others. Incorrect Answers: A: Information security managers may best understand the technical tactical situation, but business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others, which includes collaboration with, and support from, IT security managers. C: The incident response team must ensure open communication to management and stakeholders to ensure that business managers understand the associated risk and are provided enough information to make informed risk-based decisions. They are not responsible for reviewing risk response options.
Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system? A. Sensitivity analysis B. Scenario analysis C. Fault tree analysis D. Cause and effect analysis Suggested Answer: C Fault tree analysis (FTA) is a technique that provides a systematic description of the combinations of possible occurrences in a system which can result in an undesirable outcome. It combines hardware failures and human failures. Incorrect Answers: A: Sensitivity analysis is the quantitative risk analysis technique that:
- Assists in determining the risk factors that have the most potential impact
- Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values
B: Scenario analysis provides the ability to see a range of values across several scenarios to identify risk in a specific situation. It provides the ability to identify those inputs which will produce the greatest level of uncertainty. D: Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk.
What is the process for selecting and implementing measures to impact risk called? A. Risk Treatment B. Control C. Risk Assessment D. Risk Management Suggested Answer: A The process for selecting and implementing measures for impacting risk in the environment is called risk treatment. Incorrect Answers: C: The process of analyzing and evaluating risk is called risk assessment. D: Risk management is the coordinated activities for directing and controlling the treatment of risk in the organization.
Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be certified by CEO and CFO"? A. Section 302 B. Section 404 C. Section 203 D. Section 409 Suggested Answer: A Section 302 of the Sarbanes-Oxley Act requires corporate responsibility for financial reports to be certified by CEO, CFO, or designated representative. Incorrect Answers: B: Section 404 of the Sarbanes-Oxley Act states that annual assessments of internal controls are the responsibility of management. C: Section 203 of the Sarbanes-Oxley Act requires audit partners and review partners to rotate off an assignment every five years. D: Section 409 of the Sarbanes-Oxley Act states that the financial reports must be distributed quickly and currently.
What is the PRIMARY need for effectively assessing controls? A. Control's alignment with operating environment B. Control's design effectiveness C. Control's objective achievement D. Control's operating effectiveness Suggested Answer: C Controls can be effectively assessed only by determining how accurately the control objective is achieved within the environment in which they are operating. No conclusion can be reached as to the strength of the control until the control has been adequately tested. Incorrect Answers: A: Alignment of the control with the operating environment is essential, but comes after the control's accuracy in achieving its objective. In other words, achieving the objective is the topmost priority in assessing controls. B: The control's design effectiveness is also considered, but later, after objective achievement. D: The control's operating effectiveness is considered, but after its accuracy in objective achievement.
You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase? A. Human resource needs B. Quality control concerns C. Costs D. Risks Suggested Answer: D Fast tracking allows entire phases of the project to overlap and generally increases risks within the project. Fast tracking is a technique for compressing the project schedule. In fast tracking, phases that would normally be done in sequence are overlapped. It shortens the project schedule without reducing the project scope. Incorrect Answers: A: Human resources are not affected by fast tracking in most scenarios. B: Quality control concerns usually are not affected by fast tracking decisions. C: Costs do not generally increase based on fast tracking decisions.
David is the project manager of the HRC Project. He has identified a risk in the project which could cause a delay in the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted? A. Avoidance B. Mitigation C. Acceptance D. Transfer Suggested Answer: B As David is taking some operational controls to reduce the likelihood and impact of the risk, he is adopting risk mitigation. Risk mitigation means that actions are taken to reduce the likelihood and/or impact of risk. Incorrect Answers: A: Risk avoidance means that activities or conditions that give rise to risk are discontinued. But here, no such actions are taken, therefore the risk is not avoided. C: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted in case it occurs. As David has taken some actions to defend against the risk, he is not accepting it. D: David has not hired a vendor to manage the risk for his project; therefore he is not transferring the risk.
Which of the following is the MOST important objective of information system control? A. Business objectives are achieved and undesired risk events are detected and corrected B. Ensuring effective and efficient operations C. Developing business continuity and disaster recovery plans D. Safeguarding assets Suggested Answer: A The basic purpose of information system control in an organization is to ensure that the business objectives are achieved and undesired risk events are detected and corrected. Some of the IS control objectives are given below:
- Safeguarding assets
- Assuring integrity of sensitive and critical application system environments
- Assuring integrity of general operating system
- Ensuring effective and efficient operations
- Fulfilling user requirements, organizational policies and procedures, and applicable laws and regulations
- Change management
- Developing business continuity and disaster recovery plans
- Developing incident response and handling plans
Hence the most important objective is to ensure that business objectives are achieved and undesired risk events are detected and corrected. Incorrect Answers: B, C, D: These are also objectives of information system control but are not the best answer.
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy? A. Business Continuity Strategy B. Index of Disaster-Relevant Information C. Disaster Invocation Guideline D. Availability/ ITSCM/ Security Testing Schedule Suggested Answer: A The Business Continuity Strategy is an outline of the approach to ensure the continuity of Vital Business Functions in the case of disaster events. The Business Continuity Strategy is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy. Incorrect Answers: B: Index of Disaster-Relevant Information is a catalog of all information that is relevant in the event of disasters. This document is maintained and circulated by IT Service Continuity Management to all members of IT staff with responsibilities for fighting disasters. C: Disaster Invocation Guideline is a document produced by IT Service Continuity Management with detailed instructions on when and how to invoke the procedure for fighting a disaster. Most importantly, the guideline defines the first step to be taken by the Service Desk after learning that a disaster has occurred. D: Availability/ ITSCM/ Security Testing Schedule is a schedule for the regular testing of all availability, continuity, and security mechanisms jointly maintained by Availability, IT Service Continuity, and IT Security Management.
For which of the following risk management capability maturity levels is the statement given below true? "Real-time monitoring of risk events and control exceptions exists, as does automation of policy management" A. Level 3 B. Level 0 C. Level 5 D. Level 2 Suggested Answer: C An enterprise's risk management capability maturity level is 5 when real-time monitoring of risk events and control exceptions exists, as does automation of policy management. Incorrect Answers: A, D: At these levels, real-time monitoring of risk events is not done. B: At level 0 of the risk management capability maturity model, the enterprise does not recognize the importance of considering risk management or the business impact from IT risk.
Which of the following is true for the Cost Performance Index (CPI)? A. If the CPI > 1, it indicates better than expected performance of project B. CPI = Earned Value (EV) * Actual Cost (AC) C. It is used to measure performance of schedule D. If the CPI = 1, it indicates poor performance of project Suggested Answer: A The cost performance index (CPI) is used to calculate the performance efficiency of a project. It is used in trend analysis to predict future performance. CPI is the ratio of earned value to actual cost. If the CPI value is greater than 1, it indicates better than expected performance, whereas if the value is less than 1, it shows poor performance. Incorrect Answers: B: CPI is the ratio of earned value to actual cost, i.e., CPI = Earned Value (EV) / Actual Cost (AC). C: The cost performance index (CPI) is used to calculate the performance efficiency of a project, not its schedule. D: A CPI value of 1 indicates that the project is right on target.
Which of the following does NOT provide indirect information? A. Information about the propriety of cutoff B. Reports that show orders that were rejected for credit limitations. C. Reports that provide information about any unusual deviations and individual product margins. D. The lack of any significant differences between perpetual levels and actual levels of goods. Suggested Answer: A Information about the propriety of cutoff is a kind of direct information. Incorrect Answers: B: Reports that show orders that were rejected for credit limitations provide indirect information that the credit checking aspects of the system are working as intended. C: Reports that provide information about any unusual deviations and individual product margins (whereby the price of an item sold is compared to its standard cost) provide indirect information that controls over billing and pricing are operating. D: The lack of any significant differences between perpetual levels and actual levels provides indirect information that the billing controls are operating.
Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model? A. Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate). B. Grouping the stakeholders based on their level of authority ("power") and their level of concern ("interest") regarding the project outcomes. C. Influence/impact grid, grouping the stakeholders based on their active involvement ("influence") in the project and their ability to affect changes to the project's planning or execution ("impact"). D. Grouping the stakeholders based on their level of authority ("power") and their active involvement ("influence") in the project. Suggested Answer: A A salience model defines and charts stakeholders' power, urgency, and legitimacy in the project. The salience model is a technique for categorizing stakeholders according to their importance. The difficulties faced by project managers are as follows:
- How to choose the right stakeholders?
- How to prioritize the competing claims of the stakeholders' communication needs?
Stakeholder salience is determined by the evaluation of their power, legitimacy, and urgency in the organization.
- Power is defined as the ability of the stakeholder to impose their will.
- Urgency is the need for immediate action.
- Legitimacy shows whether the stakeholder's participation is appropriate.
The model allows the project manager to decide the relative salience of a particular stakeholder. Incorrect Answers: B: This defines the power/interest grid. C: This defines an influence/impact grid. D: This defines a power/influence grid.
Which of the following is the FIRST step in the risk assessment process? A. Identification of assets B. Identification of threats C. Identification of threat sources D. Identification of vulnerabilities Suggested Answer: A Asset identification is the most crucial and first step in the risk assessment process. Risk identification, assessment, and evaluation (analysis) should always be clearly aligned to assets. Assets can be people, processes, infrastructure, information, or applications.
Which of the following matrices is used to specify risk thresholds? A. Risk indicator matrix B. Impact matrix C. Risk scenario matrix D. Probability matrix Suggested Answer: A Risk indicators are metrics used to indicate risk thresholds, i.e., they give an indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about potential risks. Incorrect Answers: B, D: Estimation of a risk's consequence and priority for awareness is conducted by using a probability and impact matrix. These matrices specify the combination of probability and impact that leads to rating the risks as low, moderate, or high priority. C: A risk scenario is a description of an event that can have an impact on the business, if and when it occurs. Some examples of risk scenarios are:
- Having a major hardware failure
- Failed disaster recovery planning (DRP)
- Major software failure
What are the two MAJOR factors to be considered while deciding the risk appetite level? Each correct answer represents a part of the solution. (Choose two.) A. The amount of loss the enterprise wants to accept B. Alignment with risk-culture C. Risk-aware decisions D. The capacity of the enterprise's objective to absorb loss. Suggested Answer: AD Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the responsibility of the board to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
- The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
- The culture towards risk taking, cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursuit of its objectives.
Incorrect Answers: B: Alignment with risk culture is also one of the factors, but is not as important as these two. C: Risk-aware decisions are not a factor, but the result that uses risk appetite information as its input.
You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions? A. Risk planning B. Risk monitoring and controlling C. Risk identification D. Risk analysis Suggested Answer: B The risk monitoring and controlling process is responsible for identifying new risks, determining the status of risks that may have changed, and determining which risks may be outdated in the project. Incorrect Answers: A: Risk planning creates the risk management plan and determines how risks will be identified, analyzed, monitored and controlled, and responded to. C: Risk identification is a process that identifies risk events in the project. D: Risk analysis helps determine the severity of the risk events, the risks' priority, and the probability and impact of risks.
You are the project manager of the HGT project in Bluewell Inc. The project has an asset valued at $125,000 and is subjected to an exposure factor of 25 percent. What will be the Single Loss Expectancy of this project? A. $125,025 B. $31,250 C. $5,000 D. $3,125,000 Suggested Answer: B The Single Loss Expectancy (SLE) of this project will be $31,250. Single Loss Expectancy is a term related to Quantitative Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows: Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF), where the Exposure Factor represents the impact of the risk on the asset, or the percentage of the asset lost. As an example, if the Asset Value is reduced by two-thirds, the exposure factor value is 0.66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit in which the Single Loss Expectancy is expressed. Therefore, SLE = Asset Value * Exposure Factor = 125,000 * 0.25 = $31,250. Incorrect Answers: A, C, D: These are not the SLE of this project.
Which of the following are the principles of access controls? Each correct answer represents a complete solution. (Choose three.) A. Confidentiality B. Availability C. Reliability D. Integrity Suggested Answer: ABD The principles of access controls focus on availability, integrity, and confidentiality, as loss or danger is directly related to these three:
- Loss of confidentiality: someone sees a password or a company's secret formula. This is referred to as loss of confidentiality.
- Loss of integrity: an e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site. This is referred to as loss of integrity.
- Loss of availability: an e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available. This comes under loss of availability.
You are the project manager of the GHT project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk Indicators. What is the MOST important reason to maintain Key Risk Indicators? A. Risk reports need to be timely B. Complex metrics require fine-tuning C. Threats and vulnerabilities change over time D. They help to avoid risk Suggested Answer: C Since the enterprise's internal and external environments are constantly changing, the risk environment is also highly dynamic, i.e., threats and vulnerabilities change over time. Hence KRIs need to be maintained to ensure that they continue to effectively capture these changes. Incorrect Answers: A: Timely risk reporting is one of the business requirements, but is not the reason behind KRI maintenance. B: While most key risk indicator metrics need to be optimized with respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time. D: Avoiding risk is a type of risk response. Risk responses are based on KRI reporting.
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)? A. In order to avoid risk B. Complex metrics require fine-tuning C. Risk reports need to be timely D. Threats and vulnerabilities change over time Suggested Answer: D Threats and vulnerabilities change over time, and KRI maintenance ensures that KRIs continue to effectively capture these changes. The risk environment is highly dynamic as the enterprise's internal and external environments are constantly changing. Therefore, the set of KRIs needs to be changed over time so that they can capture the changes in threats and vulnerabilities. Incorrect Answers: A: Risk avoidance is one possible risk response. Risk responses are based on KRI reporting, but this is not the reason for maintenance of KRIs. B: While most key risk indicator (KRI) metrics need to be optimized with respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time. Hence the most important reason is that threats and vulnerabilities change over time. C: Risk reporting timeliness is a business requirement, but is not a reason for KRI maintenance.
You are the project manager of an HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you identified during the project's monitoring and controlling process? A. Include the responses in the project management plan. B. Include the risk responses in the risk management plan. C. Include the risk responses in the organization's lessons learned database. D. Nothing. The risk responses are included in the project's risk register already. Suggested Answer: C Risk responses that did not exist until then should be included in the organization's lessons learned database so that other project managers can use these responses in their projects if relevant. Incorrect Answers: A: The responses are not in the project management plan, but in the risk response plan during the project, and they'll be entered into the organization's lessons learned database. B: The risk responses are included in the risk response plan, but after completing the project, they should be entered into the organization's lessons learned database. D: If the new responses that were identified are only included in the project's risk register, then they may not be shared with project managers working on some other project.
You are the project manager of the GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event? A. This risk event should be mitigated to take advantage of the savings. B. This is a risk event that should be accepted because the rewards outweigh the threat to the project. C. This risk event should be avoided to take full advantage of the potential savings. D. This risk event is an opportunity to the project and should be exploited. Suggested Answer: D This risk event has the potential to save money on project costs, so it is an opportunity, and the appropriate strategy to use in this case is the exploit strategy. The exploit response is one of the strategies for dealing with risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response. Incorrect Answers: A, C: The mitigation and avoidance risk responses are used for negative risk events, not for positive risk events. In this scenario, it is stated that the event could save $100,000, so it is a positive risk event. Therefore, it should not be mitigated or avoided. B: To accept a risk means that no action is taken relative to a particular risk; the loss is accepted if it occurs. But as this risk event brings an opportunity, it should be exploited and not accepted.
You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions? A. The iterative meetings allow all stakeholders to participate in the risk identification processes throughout the project phases. B. The iterative meetings allow the project manager to discuss the risk events which have passed the project and which did not happen. C. The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project. D. The iterative meetings allow the project manager to communicate pending risks events during project execution. Suggested Answer: C Risk identification is an iterative process because new risks may evolve or become known as the project progresses through its life cycle. Incorrect Answers: A: Stakeholders are encouraged to participate in the risk identification process, but this is not the best choice. B: Risk identification focuses on discovering new risk events, not the events which did not happen. D: The primary reason for iterations of risk identification is to identify new risk events.
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give to it? A. 120 B. 100 C. 15 D. 30 Suggested Answer: A The steps involved in calculating the risk priority number are as follows: ✑ Identify potential failure effects ✑ Identify potential causes ✑ Establish links between each identified potential cause ✑ Identify potential failure modes ✑ Assess severity, occurrence and detection ✑ Perform score assessments by using a scale of 1-10 (low to high rating) to score these assessments. ✑ Compute the RPN for a particular failure mode as severity multiplied by occurrence and detection. RPN = Severity * Occurrence * Detection Hence, RPN = 4 * 5 * 6 = 120 Incorrect Answers: B, C, D: These are not the RPN for the given values of severity, occurrence, and detection.
Which of the following is the MOST important use of KRIs? A. Providing a backward-looking view on risk events that have occurred B. Providing an early warning signal C. Providing an indication of the enterprise's risk appetite and tolerance D. Enabling the documentation and analysis of trends Suggested Answer: B Key risk indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help avoid the excessively large number of risk indicators to manage and report that a large enterprise may have. As KRIs are indicators of risk, their most important function is to effectively give an early warning signal that a high risk is emerging, enabling management to take proactive action before the risk actually becomes a loss. Incorrect Answers: A: This is one of the important functions of KRIs and can help management improve, but it is not as important as giving early warning. C: KRIs provide an indication of the enterprise's risk appetite and tolerance through metric setting, but this is not as important as giving early warning. D: This is not as important as giving early warning.
Which of the following role carriers will decide the key risk indicators of the enterprise? Each correct answer represents a part of the solution. Choose two. A. Business leaders B. Senior management C. Human resource D. Chief financial officer Suggested Answer: AB An enterprise may have hundreds of risk indicators such as logs, alarms and reports. The CRISC will usually need to work with senior management and business leaders to determine which risk indicators will be monitored on a regular basis and be recognized as KRIs. Incorrect Answers: C, D: The chief financial officer and human resources only overview the common risk view, but are not involved in risk-based decisions.
What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. (Choose three.) A. Determination of cause and effect B. Determination of the value of business process at risk C. Potential threats and vulnerabilities that could cause loss D. Determination of the value of an asset Suggested Answer: BCD Creating a scenario requires determination of the value of an asset or a business process at risk and the potential threats and vulnerabilities that could cause loss. The risk scenario should be assessed for relevance and realism, and then entered into the risk register if found to be relevant. In practice, the following steps are involved in risk scenario development: ✑ First determine a manageable set of scenarios, which include: - Frequently occurring scenarios in the industry or product area. - Scenarios representing threat sources that are increasing in count or severity level. - Scenarios involving legal and regulatory requirements applicable to the business. ✑ After determining the manageable risk scenarios, perform a validation against the business objectives of the entity. ✑ Based on this validation, refine the selected scenarios and then detail them to a level in line with the criticality of the entity. ✑ Reduce the number of scenarios to a manageable set. Manageable does not signify a fixed number, but should be in line with the overall importance and criticality of the unit. ✑ Keep risk factors in a register so that they can be reevaluated in the next iteration and included for detailed analysis if they have become relevant at that time. ✑ Include an unspecified event in the scenarios, that is, address an incident not covered by other scenarios.
Incorrect Answers: A: Cause-and-effect analysis is a predictive or diagnostic analytical tool used to explore the root causes or factors that contribute to positive or negative effects or outcomes. It is used during the process of exposing risk factors.
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks? A. Resource Management Plan B. Risk Management Plan C. Stakeholder management strategy D. Communications Management Plan Suggested Answer: D The Communications Management Plan defines, in regard to risk management, who will be available to share information on risks and responses throughout the project. The Communications Management Plan aims to define the communication necessities for the project and how the information will be circulated. The Communications Management Plan sets the communication structure for the project. This structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communications Management Plan identifies and defines the roles of persons concerned with the project. It includes a matrix known as the communication matrix to map the communication requirements of the project. Incorrect Answers: A: The Resource Management Plan does not define risk communications. B: The Risk Management Plan defines risk identification, analysis, response, and monitoring. C: The stakeholder management strategy does not address risk communications.
Which of the following controls is an example of a non-technical control? A. Access control B. Physical security C. Intrusion detection system D. Encryption Suggested Answer: B Physical security is an example of a non-technical control. It comes under the family of operational controls. Incorrect Answers: A, C, D: Intrusion detection systems, access control, and encryption are safeguards that are incorporated into computer hardware, software or firmware; hence they are referred to as technical controls.
You are the project manager of the GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one? A. Process flowchart B. Ishikawa diagram C. Influence diagram D. Decision tree diagram Suggested Answer: D Decision tree diagrams are used during the Quantitative risk analysis process and not in risk identification. Incorrect Answers: A, B, C: All these options are diagrammatic techniques used in the Identify Risks process.
Which of the following BEST describes the utility of a risk? A. The finance incentive behind the risk B. The potential opportunity of the risk C. The mechanics of how a risk works D. The usefulness of the risk to individuals or groups Suggested Answer: D The utility of the risk describes the usefulness of a particular risk to an individual. Moreover, the same risk can be utilized by two individuals in different ways. Financial outcomes are one of the methods for measuring the potential value of taking a risk. For example, if the individual's economic wealth increases, the potential utility of the risk will decrease. Incorrect Answers: A: Determining financial incentive is one of the methods to measure the potential value of taking a risk, but it is not the valid definition of the utility of a risk. B: It is not the valid definition. C: It is not the valid definition.
Which of the following aspects of a monitoring tool ensures that the monitoring tool has the ability to keep up with the growth of an enterprise? A. Scalability B. Customizability C. Sustainability D. Impact on performance Suggested Answer: A Monitoring tools have to be able to keep up with the growth of an enterprise and meet anticipated growth in processes, complexity or transaction volumes; this is ensured by the scalability criterion of the monitoring tool. Incorrect Answers: B: For software to be effective, it must be customizable to the specific needs of an enterprise. Hence customizability ensures that end users can adapt the software. C: Sustainability ensures that monitoring software is able to change at the same speed as technology applications and infrastructure, so that it remains effective over time. D: The impact on performance has nothing to do with the ability of the monitoring tool to keep up with the growth of the enterprise.
You are the project manager in your enterprise. You have identified a risk that is a noticeable failure threatening the success of certain goals of your enterprise. In which of the following levels does this identified risk exist? A. Moderate risk B. High risk C. Extremely high risk D. Low risk Suggested Answer: A Moderate risks are noticeable failures threatening the success of certain goals. Incorrect Answers: B: High risk is a significant failure resulting in certain goals not being met. C: Extremely high risks are those that have a large impact on the enterprise and most likely result in failure with severe consequences. D: Low risks are those that result in certain goals being unsuccessful.
Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis, Courtney encourages the project team to begin grouping the identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis? A. It helps the project team realize the areas of the project most laden with risks. B. It assists in developing effective risk responses. C. It saves time by collecting the related resources, such as project team members, to analyze the risk events. D. It can lead to the creation of risk categories unique to each project. Suggested Answer: B By grouping the risks by categories, the project team can develop effective risk responses. Related risk events often have common causal factors that can be addressed with a single risk response.
Which of the following processes is described in the statement below? "It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions." A. Risk governance B. Risk identification C. Risk response planning D. Risk communication Suggested Answer: D Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. Risk communication is mostly concerned with the nature of risk, or with expressing concerns, views, or reactions to risk managers or institutional bodies for risk management. The key plan to consider and communicate risk is to categorize and impose priorities, and acquire suitable measures to reduce risks. It is important throughout any crisis to put across multifaceted information in a simple and clear manner. Risk communication helps in exchanging or distributing the information concerning risk between the decision-makers and the stakeholders. Risk communication can be explained more clearly with the help of the following definitions: ✑ It defines the issue of what a group does, not just what it says. ✑ It must take into account the valuable element in users' perceptions of risk. ✑ It will be more valuable if it is thought of as conversation, not instruction. Risk communication is a fundamental and continuing element of the risk analysis exercise, and the stakeholder group is involved from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment. It helps to guarantee that the restrictions, outcomes, consequences, logic, and risk assessment are clearly understood by all the stakeholders. Incorrect Answers: C: A risk response ensures that the residual risk is within the limits of the risk appetite and tolerance of the enterprise.
Risk response is the process of selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance and the cost and benefit of the particular risk response option. Risk response ensures that management is providing accurate reports on: ✑ The level of risk faced by the enterprise ✑ The types of incidents that have occurred ✑ Any alteration in the enterprise's risk profile based on changes in the risk environment
You are an experienced Project Manager who has been entrusted with a project to develop a machine which produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process? A. Risk Register B. Risk Management Plan C. Risk Breakdown Structure D. Risk Categories Suggested Answer: A The primary outputs from Identify Risks are the initial entries into the risk register. The risk register ultimately contains the outcomes of the other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time. Incorrect Answers: B, C, D: All these are outputs from the "Plan Risk Management" process, which happens prior to the start of risk identification.
Which of the following components of risk scenarios has the potential to generate an internal or external threat to an enterprise? A. Timing dimension B. Events C. Assets D. Actors Suggested Answer: D The components of a risk scenario that are needed for its analysis are: ✑ Actor: Actors are those components of a risk scenario that have the potential to generate the threat, which can be internal or external, human or non-human. Internal actors are within the enterprise, like staff, contractors, etc. On the other hand, external actors include outsiders, competitors, regulators and the market. ✑ Threat type: The threat type defines the nature of the threat, that is, whether the threat is malicious, accidental, natural or intentional. ✑ Event: The event is an essential part of a scenario; a scenario always has to contain an event. The event describes what happens, such as a disclosure of confidential information, an interruption of a system or project, or modification, theft, destruction, etc. ✑ Asset: Assets are the economic resources owned by a business or company. Anything tangible or intangible that one possesses, usually considered as applicable to the payment of one's debts, is considered an asset. An asset can also be defined as a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. Tangible asset: Tangible assets are those that have physical attributes and can be detected with the senses, e.g., people, infrastructure, and finances. Intangible asset: Intangible assets are those that have no physical attributes and cannot be detected with the senses, e.g., information, reputation and customer trust. ✑ Timing dimension: The timing dimension is the application of the scenario to detect the time to respond to or recover from an event. It identifies whether the event occurs at a critical moment and its duration.
It also specifies the time lag between the event and the consequence, that is, whether there is an immediate consequence (e.g., network failure, immediate downtime) or a delayed consequence (e.g., wrong IT architecture with accumulated high costs over a long period of time).
You are the project manager of the GHT project. You have planned the risk response process and now you are about to implement various controls. What should you do before relying on any of the controls? A. Review performance data B. Discover risk exposure C. Conduct pilot testing D. Articulate risk Suggested Answer: AC Pilot testing and reviewing performance data to verify operation against design are done before relying on a control. Incorrect Answers: B: Discovering risk exposure helps in identifying the severity of risk, but it does not play any role in establishing the reliability of a control. D: Articulating risk is the first phase in the risk response process; it ensures that information on the true state of exposures and opportunities is made available in a timely manner and to the right people for appropriate response. But it does not play any role in identifying whether any specific control is reliable or not.
Which of the following is NOT true for risk management capability maturity level 1? A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk B. Decisions involving risk lack credible information C. Risk appetite and tolerance are applied only during episodic risk assessments D. Risk management skills exist on an ad hoc basis, but are not actively developed Suggested Answer: B An enterprise at risk management capability maturity level 0 makes decisions without having much credible information about risk. At level 1, the enterprise makes decisions on the basis of credible risk information. Incorrect Answers: A, C, D: An enterprise's risk management capability maturity level is 1 when: ✑ There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk. ✑ Any risk identification criteria vary widely across the enterprise. ✑ Risk appetite and tolerance are applied only during episodic risk assessments. ✑ Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms. ✑ Risk management skills exist on an ad hoc basis, but are not actively developed. ✑ Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.