QUESTION 141
When identifying the owner of IT-related risk, the MOST important consideration is that the risk owner:
A. authorizes the budget for risk response action plans.
B. is accountable for the impacts of the risk.
C. controls the IT environment of the organization.
D. determines the risk appetite of the organization.
Correct Answer: B
QUESTION 142
Which of the following is MOST important to consider when determining the risk associated with re-identification of obfuscated personal data?
A. The type of shared data
B. The monetary value of the unique records that could be re-identified
C. The impact to affected stakeholders
D. The level of residual risk after data loss prevention (DLP) controls are implemented
Correct Answer: C
QUESTION 143
An organization plans to participate in a market research project that requires providing customer data to the research company. Which of the following is the MOST important control to mitigate the risk of customer data exposure?
A. Obtaining right to audit from the vendor
B. Anonymizing customer data
C. Implementing continuous monitoring
D. Removing data upon project completion
Correct Answer: B
QUESTION 144
Which of the following should be the PRIMARY consideration for a start-up organization that has decided to adopt externally-sourced security policies?
A. Availability of policy updates and support
B. Compliance with local regulations
C. Applicability to business operations
D. Stakeholder buy-in of policies
Correct Answer: C
QUESTION 145
Which of the following Is the MOST important outcome of IT risk analysis?
A. Prioritizing IT risk based on impact
B. Expressing IT risk in business terms
C. Identifying relevant threats and vulnerabilities
D. Obtaining the budget for risk mitigation
Correct Answer: B
QUESTION 146
Who is BEST suited to determine whether a compensating control properly addresses an associated risk?
A. Control owner
B. Information security manager
C. Risk practitioner
D. Risk owner
Correct Answer: D
QUESTION 147
Which of the following is the MOST important reason to communicate risk assessments to senior management?
A. To ensure key risk indicator (KRI) thresholds can be adjusted for tolerance
B. To ensure actions can be taken to align assessment results to risk appetite
C. To ensure awareness of risk and controls is shared with key decision makers
D. To ensure the maturity of the assessment program can be validated
Correct Answer: C
QUESTION 148
Which of the following BEST supports comparison of IT-related business risk across regional offices of a global enterprise?
A. Description of IT risk impact in monetary terms
B. Consistent approach to asset valuation
C. Centralized risk management reporting
D. Common risk taxonomy
Correct Answer: D
QUESTION 149
Which of the following is MOST important to consider when developing an organization’s risk management strategy?
A. Business operational requirements
B. Complexity of technology architecture
C. Criteria for assessing risk
D. Disaster recovery strategy
Correct Answer: A
QUESTION 150
Rapid business growth has raised concerns about an organization’s IT resource capacity. Which of the following would be the risk practitioner’s BEST course of action?
A. Review key risk indicators (KRIs) and threshold levels.
B. Raise threshold levels based on current usage.
C. Redefine the risk appetite associated with capacity planning.
D. Conduct industry benchmarking.
Correct Answer: D
QUESTION 151
Which of the following IS the MOST efficient method for monitoring control effectiveness?
A. Compare controls to business metrics.
B. Conduct control self-assessments (CSAs).
C. Perform independent periodic control testing.
D. Review system performance logs.
Correct Answer: B
QUESTION 152
Which of the following should be of MOST concern to a risk practitioner reviewing an organization’s data management practices?
A. Internal email communications are not encrypted.
B. Internally created documents are not automatically classified.
C. Data transmission within the corporate network is not encrypted.
D. Data transmission across public networks is not encrypted.
Correct Answer: D
QUESTION 153
Which of the following provides the BEST protection for Internet of Things (loT) devices that are accessed within an organization?
A. Comprehensive patching program
B. Adoption of a defense-in-depth strategy
C. Identity and access management (IAM)
D. Source code reviews
Correct Answer: B
QUESTION 154
A control owner is PRIMARILY accountable for:
A. ensuring controls are operating effectively.
B. validating that corresponding risks are mitigated.
C. performing control activities.
D. assessing the effectiveness of control design.
Correct Answer: A
QUESTION 155
Which of the following is MOST important for an organization to ensure proper handling, use, and safeguarding of data?
A. Identifying appropriate data repositories
B. Documenting information and control owners
C. Performing risk assessments for information assets
D. Clearly identifying the business value of data
Correct Answer: B
QUESTION 156
Which of the following key risk indicators (KRIs) provides the BEST insight into the risk associated with IT systems being unable to meet the required availability service level in the future?
A. Percentage of IT systems having defined incident management service levels
B. Percentage of IT systems routinely running at peak utilization
C. Percentage of IT systems having met the availability service level
D. Percentage of IT outsourced systems having met the availability service level
Correct Answer: B
QUESTION 157
Which group is BEST positioned to ensure the three lines model is incorporated in the organization’s risk management and control processes?
A. Senior management
B. External consultants
C. Internal audit
D. Compliance function
Correct Answer: A
QUESTION 158
A risk practitioner discovers that an IT operations team manager bypassed web filtering controls by using a mobile device, in violation of the network security policy. Which of the following should the risk practitioner do FIRST?
A. Assess the new risk.
B. Report the incident.
C. Plan a security awareness session.
D. Update the risk register.
Correct Answer: B
QUESTION 159
Digital signatures are an effective control method for information exchange over an insecure network because they:
A. authenticate the user biometrically.
B. are under the sole custody of the receiver.
C. enable nonrepudiation.
D. are constant over time.
Correct Answer: C
QUESTION 160
Which of the following will have the GREATEST influence when determining an organization’s risk appetite?
A. Risk culture
B. Organizational structure
C. Risk management budget
D. Industry benchmarks
Correct Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.