QUESTION 41
Which of the following would MOST effectively protect financial records from ransomware attacks?
A. Immutable storage and backups
B. Classifying and encrypting data on backups
C. Enforcement of encryption at rest for backups
D. Multi-factor authentication (MFA) on storage points
Correct Answer: A
QUESTION 42
A risk practitioner has been asked to investigate the root cause of data integrity issues associated with system logs that were recently collected for analysis. Once the data sources and owners have been identified, which of the following should be done NEXT?
A. Isolate sources and report this as a data breach.
B. Identify the controls surrounding the data sources.
C. Perform multiple extractions and compare them.
D. Establish a data cleansing team.
Correct Answer: B
QUESTION 43
A newly hired risk practitioner has learned the organization’s IT risk register has not been updated since being created and approved over a year ago. Which of the following should be the risk practitioner’s FIRST course of action?
A. Perform risk identification and assess against the risk scenarios.
B. Complete a gap analysis and add risk responses to the risk register.
C. Identify emerging risk and add any new risk scenarios to the risk register.
D. Review current risk scenarios and determine if they are still relevant.
Correct Answer: D
QUESTION 44
Who is BEST suited to own an IT risk scenario in an organization where only one IT support person knows how to maintain a core business application?
A. Application business analyst
B. IT manager
C. Risk manager
D. Business owner
Correct Answer: D
QUESTION 45
Which of the following is the PRIMARY privacy concern when implementing business continuity management in a public cloud environment?
A. Data sovereignty
B. Data encryption at rest
C. Employee training
D. Redundancy of physical servers
Correct Answer: A
QUESTION 46
A chief risk officer (CRO) has asked to have the IT risk register integrated into the enterprise risk management (ERM) process. Which of the following will BEST facilitate the reporting of IT risk at the enterprise level?
A. Providing a summary of open IT risk-related audit findings
B. Aggregating the IT risk scenarios into a maturity benchmark value
C. Using an IT risk heat map to depict likelihood and impact
D. Using the same risk taxonomy across the organization
Correct Answer: D
QUESTION 47
Which of the following is the BEST way to address IT regulatory compliance risk?
A. Conduct specialized business impact analyses (BIAs).
B. Manage risk like other types of operational risk.
C. Assign highest priority to remediation of related risk scenarios.
D. Prevent acceptance of related risk scenarios.
Correct Answer: B
QUESTION 48
Which of the following observations would be the GREATEST concern to a risk practitioner evaluating an organization’s risk management practices?
A. Business leaders provide final approval for information security policies.
B. Several risk scenarios have action plans spanning multiple years.
C. Senior management does not set risk tolerance.
D. Senior management has approved numerous requests for risk acceptance.
Correct Answer: C
QUESTION 49
Which of the following is the MOST effective tool for providing the board with an overview of the current state of risk?
A. Key risk indicator (KRI) dashboard
B. Independent audit report
C. Risk capability maturity model
D. Risk heat map
Correct Answer: A
QUESTION 50
Which of the following is the MOST important objective of embedding risk management practices into the project life cycle?
A. To assess inherent risk
B. To evaluate risk throughout the project
C. To assess residual risk
D. To define appropriate risk tolerance for the project
Correct Answer: B
QUESTION 51
Which of the following is the GREATEST risk associated with having poorly defined owners for systems?
A. Business objectives may be inaccurate.
B. Access control requests may not be managed appropriately.
C. Specific user accountability cannot be established.
D. Patches have inappropriate authorization.
Correct Answer: C
QUESTION 52
What would be a risk practitioner’s BEST course of action upon learning the organization’s key competitor has plans to launch a new product using an emerging technology?
A. Inform executive management of the new competitive product.
B. Evaluate the organization’s key risk indicators (KRIs).
C. Update the organization’s risk profile.
D. Conduct a risk assessment of the competitive threat.
Correct Answer: D
QUESTION 53
Which of the following is the MOST important course of action to ensure the security of data transmitted from Internet of Things (IoT) consumer devices?
A. Developing incident response plans
B. Enabling data encryption options
C. Performing regular patch management
D. Enforcing the physical security of devices
Correct Answer: B
QUESTION 54
A risk practitioner noted an ineffective key control that links to several low residual risk scenarios. What should be the NEXT course of action?
A. Propose mitigating controls.
B. Conduct targeted risk assessments.
C. Assess management’s risk tolerance.
D. Recommend management accept the low risk scenarios.
Correct Answer: C
QUESTION 55
An application that was not compliant with the organization’s user access controls was recently attacked. After proper user access controls were implemented, the risk practitioner was asked by management to report on the risk profile specific to the targeted application. Which of the following should the risk practitioner do FIRST?
A. Review key risk indicators (KRIs) to validate changes in risk levels.
B. Update the residual risk levels in the risk register.
C. Gain assurance that the application’s user access controls are operating effectively.
D. Recommend that the user access control policy be updated.
Correct Answer: C
QUESTION 56
When considering the risk associated with a history of deferred maintenance, which of the following BEST supports decision making related to IT infrastructure investments?
A. Business impact analysis (BIA)
B. Cost-benefit analysis
C. IT strategy roadmap
D. IT asset inventory
Correct Answer: B
QUESTION 57
Which of the following is the PRIMARY reason for managing emerging risk?
A. Risk assessment methodologies cannot be applied to emerging risk.
B. The organization is likely to become prone to continuous disruptive events.
C. The number of risk scenarios may become uncontrollably high.
D. Assumptions about the future state are likely to become invalid.
Correct Answer: D
QUESTION 58
Which of the following is the MOST important reason to communicate control effectiveness to senior management?
A. To assure management that control ownership is assigned
B. To align risk management with strategic objectives
C. To demonstrate alignment with industry best practices
D. To ensure management understands the current risk status
Correct Answer: D
QUESTION 59
Which of the following is the FIRST step to mitigate security risk when deploying Internet of Things (IoT) components in an organization’s environment?
A. Changing default passwords for the IoT components
B. Implementing logging capability for the IoT components
C. Requiring manager approval for the use of the IoT components
D. Maintaining an inventory of IoT components
Correct Answer: D
QUESTION 60
The PRIMARY focus of vulnerability and control deficiency analyses is to determine
A. impact of an incident on a system or process.
B. potential risk to a system or process.
C. strengths of a system or process.
D. weaknesses in a system or process.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.