Q.No.1 Which of the following is MOST important for an organization that wants to reduce IT operational risk?
A. Increasing senior management's understanding of IT operations
B. Increasing the frequency of data backups
C. Minimizing complexity of IT infrastructure
D. Decentralizing IT infrastructure
Q.No.2 Deviation from a mitigation action plan's completion date should be determined by which of the following?
A. Benchmarking analysis with similar completed projects
B. Change management as determined by a change control board
C. The risk owner as determined by risk management processes
D. Project governance criteria as determined by the project office
Q.No.3 A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. What is the BEST course of action?
A. Continue the implementation with no changes.
B. Obtain management approval for policy exception.
C. Select another application with strong password controls.
D. Develop an improved password software routine.
Q.No.4 Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
A. Validate the threat management process.
B. Obtain objective assessment of the control environment.
C. Ensure the risk profile is defined and communicated.
D. Obtain an objective view of process gaps and systemic errors.
Q.No.5 In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?
A. Periodically reviewing big data strategies
B. Evaluating each of the data sources for vulnerabilities
C. Establishing an intellectual property agreement
D. Benchmarking to industry best practice
Q.No.6 Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A. Implement segregation of duties.
B. Enforce an internal data access policy.
C. Apply single sign-on for access control.
D. Enforce the use of digital signatures.
Q.No.7 The GREATEST concern when maintaining a risk register is that:
A. significant changes in risk factors are excluded.
B. impacts are recorded in qualitative terms.
C. executive management does not perform periodic reviews.
D. IT risk is not linked with IT assets.
Q.No.8 Which of the following will BEST help in communicating strategic risk priorities?
A. Heat map
B. Business impact analysis (BIA)
C. Balanced Scorecard
D. Risk register
Q.No.9 Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?
A. Stakeholder commitment
B. Increased risk appetite
C. Reduced risk level
D. Increased number of controls
Q.No.10 Which of the following is the BEST method for identifying vulnerabilities?
A. Batch job failure monitoring
B. Periodic network scanning
C. Risk assessments
D. Annual penetration testing
Q.No.11 Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
A. Design key performance indicators (KPIs) for security in system specifications.
B. Include information security control specifications in business cases.
C. Identify key risk indicators (KRIs) as process output.
D. Identify information security controls in the requirements analysis.
Q.No.12 A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:
A. tolerance.
B. culture.
C. management.
D. analysis.
Q.No.13 During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?
A. Discuss risk mitigation options with the risk owner.
B. Escalate the issue to senior management.
C. Implement compensating controls to reduce residual risk.
D. Certify the control after documenting the concern.