Which of the following is the MOST important element of a successful risk awareness training program?
- A . Customizing content for the audience
- B . Providing incentives to participants
- C . Mapping to a recognized standard
- D . Providing metrics for measurement
The MOST important characteristic of an organization's policies is to reflect the organization's:
- A . risk assessment methodology.
- B . risk appetite.
- C . capabilities.
- D . asset value.
The risk associated with a high-risk vulnerability in an application is owned by the:
- A . security department.
- B . business unit.
- C . vendor.
- D . IT department.
An organization with a large number of applications wants to establish a security risk assessment program.
Which of the following would provide the MOST useful information when determining the frequency of risk assessments?
- A . Feedback from end users
- B . Results of a benchmark analysis
- C . Recommendations from internal audit
- D . Prioritization from business owners
An organization has just implemented changes to close an identified vulnerability that impacted a critical business process.
What should be the NEXT course of action?
- A . Redesign the heat map.
- B . Review the risk tolerance.
- C . Perform a business impact analysis (BIA).
- D . Update the risk register.
The PRIMARY purpose of vulnerability assessments is to:
- A . provide clear evidence that the system is sufficiently secure.
- B . determine the impact of potential threats.
- C . test intrusion detection systems (IDS) and response procedures.
- D . detect weaknesses that could lead to system compromise.
Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?
- A . Self-assessments by process owners
- B . Mitigation plan progress reports
- C . Risk owner attestation
- D . Change in the level of residual risk
The head of a business operations department asks to review the entire IT risk register.
Which of the following would be the risk manager's BEST approach to this request before sharing the register?
- A . Escalate to senior management.
- B . Require a nondisclosure agreement.
- C . Sanitize portions of the register.
- D . Determine the purpose of the request.
The GREATEST concern when maintaining a risk register is that:
- A . impacts are recorded in qualitative terms.
- B . executive management does not perform periodic reviews.
- C . IT risk is not linked with IT assets.
- D . significant changes in risk factors are excluded.
What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?
- A . Seek approval from the control owner.
- B . Update the action plan in the risk register.
- C . Reassess the risk level associated with the new control.
- D . Validate that the control has an established testing method.
A bank has outsourced its statement printing function to an external service provider.
Which of the following is the MOST critical requirement to include in the contract?
- A . Monitoring of service costs
- B . Provision of internal audit reports
- C . Notification of sub-contracting arrangements
- D . Confidentiality of customer data
The risk associated with inadvertent disclosure of database records from a public cloud service provider (CSP) would MOST effectively be reduced by:
- A . encrypting the data.
- B . including a nondisclosure clause in the CSP contract.
- C . assessing the data classification scheme.
- D . reviewing CSP access privileges.
Which of the following is the GREATEST advantage of implementing a risk management program?
- A . Enabling risk-aware decisions
- B . Promoting a risk-aware culture
- C . Improving security governance
- D . Reducing residual risk
Which of the following is the PRIMARY reason for a risk practitioner to use global standards related to risk management?
- A . To build an organizational risk-aware culture
- B . To continuously improve risk management processes
- C . To comply with legal and regulatory requirements
- D . To identify gaps in risk management practices
A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges.
What is the risk practitioner's BEST course of action?
- A . Review the design of the machine learning model against control objectives.
- B . Adopt the machine learning model as a replacement for current manual access reviews.
- C . Ensure the model assists in meeting regulatory requirements for access controls.
- D . Discourage the use of emerging technologies in key processes.