QUESTION 181
Which of the following is a PRIMARY reason for differences in estimated impact when evaluating risk scenarios using qualitative methods?
A. The replacement cost of technology assets varies over time based on competitive market conditions.
B. Processes severely affected by a risk event have higher impact than moderately affected processes.
C. Qualitative assessments are less accurate than assessments done with semi-qualitative methods.
D. A single risk event may have different levels of impact based on the context from which it is viewed.
Correct Answer: D
QUESTION 182
An organization recently experienced a cyberattack that resulted in the loss of confidential customer data. Which of the following is the risk practitioner’s BEST recommendation after recovery steps have been completed?
A. Perform a root cause analysis.
B. Review the incident response plan.
C. Recommend the purchase of cyber insurance.
D. Develop new key risk indicators (KRIs).
Correct Answer: A
QUESTION 183
During a risk assessment, what should an assessor do after identifying threats to organizational assets?
A. Implement controls to achieve target risk levels.
B. Request funding for the security program.
C. Determine threats to be reported to upper management.
D. Evaluate the controls currently in place.
Correct Answer: D
QUESTION 184
Which of the following BEST enables the selection of appropriate risk treatment in the event of a disaster?
A. Risk scenario analysis
B. Risk treatment plan
C. Failover procedures
D. Business impact analysis (BIA)
Correct Answer: D
QUESTION 185
An organization has just implemented changes to close an identified vulnerability that impacted a critical business process. What should be the NEXT course of action?
A. Update the risk register.
B. Review the risk tolerance.
C. Redesign the heat map.
D. Perform a business impact analysis (BIA).
Correct Answer: A
QUESTION 186
Risk ownership is BEST assigned to personnel responsible for:
A. business impact.
B. strategic decisions.
C. internal controls.
D. risk management.
Correct Answer: A
QUESTION 187
A recent vulnerability scan of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?
A. Penetration test
B. Gap assessment
C. Code review
D. Business impact analysis (BIA)
Correct Answer: D
QUESTION 188
Which of the following is MOST helpful when prioritizing action plans for identified risk?
A. Ranking the risk based on likelihood of occurrence
B. Obtaining input from business units
C. Comparing risk rating against appetite
D. Determining cost of controls to mitigate risk
Correct Answer: C
QUESTION 189
Which of the following is MOST helpful when determining whether assessed risk requires a risk response?
A. Evaluating the effectiveness of current controls
B. Comparing current risk to the desired state of risk
C. Comparing the risk level against key risk indicator (KRI) thresholds
D. Performing a cost-benefit analysis of existing controls
Correct Answer: B
QUESTION 190
An organization plans to implement a new Al application, but the risk practitioner learns that IT policies do not address Al. Which of the following would be the risk practitioner’s GREATE ST concern?
A. Lack of direction for Al usage
B. Increased reliance on shadow IT
C. Lack of best practices for Al implementation
D. Complexity of Al implementation
Correct Answer: A
QUESTION 191
Assessing and documenting inherent risk is MOST helpful for.
A. projecting residual risk trends.
B. measuring control effectiveness.
C. determining risk appetite.
D. estimating maximum loss exposure.
Correct Answer: D
QUESTION 192
Which of the following is MOST critical to the successful adoption of an enterprise architecture (EA) program?
A. A mature governance plan
B. Skilled resources
C. Adequate funding
D. Stakeholder support
Correct Answer: D
QUESTION 193
Which of the following would be MOST helpful in assessing the risk associated with data loss due to human vulnerabilities?
A. Reviewing the results of security awareness surveys
B. Conducting social engineering exercises
C. Performing periodic access recertifications
D. Reviewing password change history
Correct Answer: B
QUESTION 194
Which of the following is the GREATEST risk to an organization without a defined and published privacy policy?
A. Unclear responsibilities during a data incident
B. Difficulty exercising data classification processes
C. Exposure to adverse litigation
D. Accidental deletion of sensitive information
Correct Answer: C
QUESTION 195
Which of the following is the MOST important consideration when establishing a recovery point objective (RPO)?
A. Time and resources required for offsite backups
B. Latency of the alternate site
C. Amount of acceptable data loss
D. Cost of testing the business continuity plan (BCP)
Correct Answer: C
QUESTION 196
Which of the following describes characteristics of a risk-related key performance indicator (KPI)?
A. Measures resource allocation and articulates risk prioritization
B. Measures risk levels and validates risk appetite
C. Measures activity goals and process effectiveness
D. Measures configuration compliance and protection of critical assets
Correct Answer: C
QUESTION 197
Which of the following is the PRIMARY responsibility of a risk owner?
A. Deciding responses to identified risk
B. Implementing risk action plans
C. Determining risk appetite and tolerance
D. Developing relevant control procedures
Correct Answer: A
QUESTION 198
Which of the following is the PRIMARY purpose of adopting the three lines model in an enterprise risk environment?
A. Establishing rules for the protection of organizational assets against external and internal threats
B. Providing guidance on activities to achieve effective governance, risk, and compliance (GRC)
C. Defining controls to be implemented in different layers within technology architecture components
D. Defining risk-related roles and responsibilities at different levels of the organization
Correct Answer: D
QUESTION 199
After developers make required application changes and prior to deployment, testing should be signed off by the:
A. application owners.
B. operations team.
C. business end users.
D. application support team.
Correct Answer: C
QUESTION 200
Which of the following is the PRIMARY purpose of analyzing control effectiveness during risk analysis?
A. To evaluate the risk impact
B. To determine the likelihood of occurrence
C. To determine the current risk level
D. To enable a control cost-benefit analysis
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.