QUESTION 81
A risk practitioner has been made aware of a problem in an IT system that was missed during a routine risk assessment. Which of the following is the practitioner’s BEST course of action?
A. Record a new issue but backdate it to the original risk assessment date.
B. Record the problem as a new issue in the risk management system.
C. Report the vulnerability to the asset owner’s manager.
D. Document the issue during the next risk assessment.
Correct Answer: B
QUESTION 82
Which of the following is the MOST significant risk related to an organization’s use of Al technology?
A. The Al system is being used beyond its intended purpose.
B. The Al system results have not been validated.
C. The Al system is on unsupported infrastructure.
D. The Al system’s contract does not include a right-to-audit clause.
Correct Answer: B
QUESTION 83
Which of the following is MOST helpful to understand the consequences of an IT risk event?
A. Historical trend analysis
B. Business impact analysis (BIA)
C. Fault tree analysis
D. Root cause analysis
Correct Answer: B
QUESTION 84
When deciding on a risk response strategy, senior management’s PRIMARY focus should be placed on the:
A. key risk indicator (KRI) trends.
B. business impact analysis (BIA) results.
C. alignment with risk appetite.
D. strategic investment portfolio.
Correct Answer: C
QUESTION 85
Which of the following is the GREATEST concern associated with insufficient focus on addressing blockchain interoperability in the system development life cycle (SDLC)?
A. Limited integration with external systems and blockchains
B. Reduced transaction speed and system responsiveness
C. Limited blockchain adoption and support
D. Reduced network integrity and availability
Correct Answer: A
QUESTION 86
A business delegates its application data management to the internal IT team. Which of the following is the role of the internal IT team in this situation?
A. Data analysts
B. Data owners
C. Data custodians
D. Data controllers
Correct Answer: C
QUESTION 87
Which of the following provides the MOST useful input for educating risk owners about the risk assessment process and related techniques?
A. High-risk findings reported by vulnerability assessments
B. List of recent internal and external risk factor changes
C. Descriptions of risk events and threats that cause them
D. Cost-benefit analysis for deciding appropriate risk responses
Correct Answer: C
QUESTION 88
A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner’s NEXT step?
A. Develop a mechanism for monitoring residual risk.
B. Develop key risk indicators (KRIs).
C. Update the risk register with the results.
D. Identify resources for implementing responses.
Correct Answer: C
QUESTION 89
A risk practitioner has discovered a deficiency in a critical system that cannot be patched. Which of the following should be the risk practitioner’s FIRST course of action?
A. Review the business impact assessment.
B. Conduct a risk assessment.
C. Submit a request to change management.
D. Report the issue to internal audit.
Correct Answer: B
QUESTION 90
A residual risk level has not declined despite the implementation of an approved risk mitigation plan. What should be the risk practitioner’s FIRST action?
A. Reopen the original action plan.
B. Escalate the concern to executive management.
C. Conduct a root cause analysis.
D. Reperform the risk assessment.
Correct Answer: C
QUESTION 91
The BEST way to validate that a risk treatment plan has been implemented effectively is by reviewing:
A. a post-implementation risk and control self-assessment (RCSA).
B. the original risk response plan.
C. results of a business impact analysis (BIA).
D. training program and user awareness documentation.
Correct Answer: A
QUESTION 92
Which of the following would BEST mitigate the risk of inadvertent use of sensitive client data by cloud service providers?
A. Implementing a data loss prevention (DLP) solution
B. Encrypting shared data in transit
C. Establishing contractual agreements with a nondisclosure form
D. Requiring secure destruction of assets at contract termination
Correct Answer: C
QUESTION 93
Which of the following would be the BEST way for an organization to evaluate the effectiveness of security awareness training?
A. Review security and applications error logs.
B. Conduct social engineering testing.
C. Review training quiz results.
D. Solicit supervisor feedback on user training.
Correct Answer: B
QUESTION 94
A risk practitioner learns that the annual maintenance contract of a business-critical server recently expired and cannot be renewed. Which of the following is the BEST source is of information to predict the probability of business loss?
A. Key performance indicators (KPIs)
B. The organization’s risk tolerance
C. Key risk indicators (KRIs)
D. Associated threats
Correct Answer: C
QUESTION 95
Which of the following is the PRIMARY role of the first line of defense with respect to information security policies?
A. Draft the information security policy.
B. Audit the implementation of the information security policy.
C. Implement controls in response to the policy requirements.
D. Approve the information security policy.
Correct Answer: C
QUESTION 96
Which of the following characterizes the relationship between risk tolerance and risk appetite?
A. Risk tolerance is the accepted level of variation from risk appetite.
B. The sum of risk tolerances must not exceed risk appetite.
C. Risk appetite and risk tolerance share the same upper threshold.
D. Risk tolerance must not exceed risk appetite.
Correct Answer: A
QUESTION 97
A risk practitioner is finding it challenging to assign value to intangible assets. Which of the following is the BEST approach?
A. Calculate the insurable replacement cost of the assets.
B. Include the assets in the inventory but leave them unvalued.
C. Benchmark the value of assets against industry standards.
D. Assess their impact on business processes.
Correct Answer: D
QUESTION 98
Which of the following should be the FIRST consideration when determining the risk associated with noncompliance?
A. Total cost of noncompliance
B. Requirements for adherence to industry standards
C. Requirements stipulated by the laws of the country
D. Direction set by chief compliance officer (CCO)
Correct Answer: C
QUESTION 99
A risk practitioner is concerned with potential data loss in the event of a breach at a hosted third-party provider. Which of the following is the BEST way is to mitigate this risk?
A. Purchase cyber insurance to protect against data breaches.
B. Ensure appropriate security controls are in place through independent audits.
C. Include an indemnification clause in the provider’s contract.
D. Monitor provider performance against service level agreements (SLAs).
Correct Answer: B
QUESTION 100
An IT project risk was identified during a monthly steering committee meeting. Which of the following roles is BEST positioned to approve the risk mitigation response?
A. Project sponsor
B. Product owner
C. IT manager
D. Project coordinator
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.