A.  

Increase in the frequency of changes

B.  

Percent of unauthorized changes

C.  

Increase in the number of emergency changes

D.  

Average time to complete changes

A.  

A robust risk aggregation tool set

B.  

Clearly defined roles and responsibilities

C.  

A well-established risk management committee

D.  

Well-documented and communicated escalation procedures

A.  

Develop a compensating control.

B.  

Allocate remediation resources.

C.  

Perform a cost-benefit analysis.

D.  

Identify risk responses

A.  

Business impact analysis

B.  

Threat analysis

C.  

Risk response analysis

D.  

Cost-benefit analysis

A.  

Business impact analysis

B.  

Risk analysis

C.  

Threat risk assessment

D.  

Vulnerability assessment

A.  

impact due to failure of control

B.  

Frequency of failure of control

C.  

Contingency plan for residual risk

D.  

Cost-benefit analysis of automation

A.  

A reduction in the number of help desk calls

B.  

An increase in the number of identified system flaws

C.  

A reduction in the number of user access resets

D.  

An increase in the number of incidents reported

A.  

Applying risk appetite

B.  

Applying risk factors

C.  

Referencing risk event data

D.  

Understanding risk culture

A.  

Cost of offsite backup premises

B.  

Cost of downtime due to a disaster

C.  

Cost of testing the business continuity plan

D.  

Response time of the emergency action plan

A.  

reduce the risk to an acceptable level.

B.  

communicate the consequences for violations.

C.  

implement industry best practices.

D.  

reduce the organization's risk appetite

A.  

Risk impact

B.  

Risk trend

C.  

Risk appetite

D.  

Risk likelihood

A.  

invoke the established incident response plan.

B.  

Inform internal audit.

C.  

Perform a root cause analysis

D.  

Conduct an immediate risk assessment

A.  

Involvement of internal audit

B.  

Involvement of process owner

C.  

Quantitative impact of the risk

D.  

Identification of key risk indicators

A.  

map findings to objectives.

B.  

provide a quantified detailed analysts.

C.  

recommend risk tolerance thresholds.

D.  

quantify key risk indicators (KRls).

A.  

reduces risk to an acceptable level

B.  

quantifies risk impact

C.  

aligns with business strategy

D.  

advances business objectives.

A.  

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

B.  

The KRI is not providing useful information and should be removed from the KRI inventory.

C.  

The KRI threshold needs to be revised to better align with the organization s risk appetite

D.  

Senior management does not understand the KRI and should undergo risk training.

A.  

Assess the vulnerability management process.

B.  

Conduct a control serf-assessment.

C.  

Conduct a vulnerability assessment.

D.  

Reassess the inherent risk of the target.

A.  

Collecting data for IT risk assessment

B.  

Establishing and communicating the IT risk profile

C.  

Utilizing a balanced scorecard

D.  

Performing and publishing an IT risk analysis

A.  

Failure to test the disaster recovery plan (DRP)

B.  

Lack of well-documented business impact analysis (BIA)

C.  

Lack of annual updates to the disaster recovery plan (DRP)

D.  

Significant changes in management personnel

A.  

Lack of a mature records management program

B.  

Lack of a dedicated asset management team

C.  

Decentralized asset lists

D.  

Incomplete asset inventory

A.  

risk appetite and control efficiency.

B.  

inherent risk and control effectiveness.

C.  

residual risk and cost of control.

D.  

risk tolerance and control complexity.

A.  

Encryption

B.  

Authentication

C.  

Configuration

D.  

Backups

A.  

Organization's industry sector

B.  

Long-term organizational goals

C.  

Concerns of the business process owners

D.  

History of risk events

A.  

Secure encryption protocols are utilized.

B.  

Multi-factor authentication is set up for users.

C.  

The solution architecture is approved by IT.

D.  

A risk transfer clause is included in the contact

A.  

An effective risk culture that empowers employees to report risk

B.  

Effective segregation of duties to prevent internal fraud

C.  

Clear accountability for risk management processes

D.  

Improved effectiveness and efficiency of business operations

A.  

The risk owner is not the control owner for associated data controls.

B.  

The risk owner is in a business unit and does not report through the IT department.

C.  

The risk owner is listed as the department responsible for decision making.

D.  

The risk owner is a staff member rather than a department manager.

A.  

Reject the risk acceptance and require mitigating controls.

B.  

Monitor the residual risk level of the accepted risk.

C.  

Escalate the risk decision to the project sponsor for review.

D.  

Document the risk decision in the project risk register.

A.  

The individual responsible for control operation

B.  

The individual informed of the control effectiveness

C.  

The individual responsible for resting the control

D.  

The individual accountable for monitoring control effectiveness

A.  

Key risk indicators (KRIs)

B.  

Risk reporting methodology

C.  

Key performance indicators (KPIs)

D.  

Risk taxonomy

A.  

The likelihood and impact of threat events

B.  

The cost to implement the risk response

C.  

Lack of data to measure threat events

D.  

Monetary value of the asset

A.  

Clear understanding of the risk

B.  

Comparable industry risk trends

C.  

Appropriate resources

D.  

Detailed standards and procedures

A.  

controls perform as intended.

B.  

controls operate efficiently.

C.  

controls are implemented consistent

D.  

control designs are reviewed periodically

A.  

Key risk indicators (KRIs)

B.  

Documented procedures

C.  

Information security policies

D.  

Information security standards

A.  

Risk mitigation plans

B.  

heat map

C.  

Risk appetite statement

D.  

Key risk indicators (KRls)

A.  

Risk management framework

B.  

Risk register

C.  

Global security standards

D.  

Recent security incidents reported by competitors

A.  

Meet with the business leaders to ensure the classification of their transferred data is in place

B.  

Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process

C.  

Collect requirements for the environment to ensure the infrastructure as a service (IaaS) is configured appropriately.

D.  

Work closely with the information security officer to ensure the company has the proper security controls in place.

A.  

Identify new threats resorting from the new business strategy

B.  

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.  

Inform the board of potential risk scenarios associated with aggressive business strategies

D.  

Increase the scale for measuring impact due to threat materialization

A.  

Improved alignment will technical risk

B.  

Better-informed business decisions

C.  

Enhanced understanding of enterprise architecture (EA)

D.  

Improved business operations efficiency

A.  

Corrective

B.  

Detective

C.  

Deterrent

D.  

Preventative

A.  

Results of benchmarking studies

B.  

Results of risk assessments

C.  

Number of emergency change requests

D.  

Maturity model

A.  

possible risk and suggested mitigation plans.

B.  

design of controls to encrypt the data to be shared.

C.  

project plan for classification of the data.

D.  

summary of data protection and privacy legislation.

A.  

Some critical business applications are not included in the plan

B.  

Several recovery activities will be outsourced

C.  

The plan is not based on an internationally recognized framework

D.  

The chief information security officer (CISO) has not approved the plan

A.  

Implementing risk treatment plans

B.  

Validating the status of risk mitigation efforts

C.  

Establishing risk policies and standards

D.  

Conducting independent reviews of risk assessment results

A.  

Frequency of business continuity plan (BCP) lasting

B.  

Frequency and number of new software releases

C.  

Frequency and duration of unplanned downtime

D.  

Number of IT support staff available after business hours

A.  

low cost effectiveness ratios and high risk levels

B.  

high cost effectiveness ratios and low risk levels.

C.  

high cost effectiveness ratios and high risk levels

D.  

low cost effectiveness ratios and low risk levels.

A.  

The underutilization of the replicated Iink

B.  

The cost of recovering the data

C.  

The lack of integrity of data

D.  

The loss of data confidentiality

A.  

Acquisition

B.  

Implementation

C.  

Initiation

D.  

Operation and maintenance

A.  

Activate the incident response plan.

B.  

Implement compensating controls.

C.  

Update the risk register.

D.  

Develop risk scenarios.

A.  

Human resources (HR) manager

B.  

System administrator

C.  

Data privacy manager

D.  

Compliance manager

A.  

An established process for project change management

B.  

Retention of test data and results for review purposes

C.  

Business managements review of functional requirements

D.  

Segregation between development, test, and production

A.  

IT risk practitioner

B.  

Third -partf3ecurity team

C.  

The relationship owner

D.  

Legal representation of the business

A.  

Individuals outside IT are managing action plans for the risk scenarios.

B.  

Target dates for completion are missing from some action plans.

C.  

Senior management approved multiple changes to several action plans.

D.  

Many action plans were discontinued after senior management accepted the risk.

A.  

Regular testing of risk controls

B.  

Communication of audit findings

C.  

Procedures for security monitoring

D.  

Open communication of risk reporting

A.  

To ensure completion of the risk assessment cycle

B.  

To ensure controls arc operating effectively

C.  

To ensure residual risk Is at an acceptable level

D.  

To ensure control costs do not exceed benefits

A.  

Define metrics for restoring availability.

B.  

Identify conditions that may cause disruptions.

C.  

Review incident response procedures.

D.  

Evaluate the probability of risk events.

A.  

Update firewall configuration

B.  

Require strong password complexity

C.  

implement a security awareness program

D.  

Implement two-factor authentication

A.  

Updating the organizational policy for remote access

B.  

Creating metrics to track remote connections

C.  

Implementing multi-factor authentication

D.  

Updating remote desktop software

A.  

Using the risk management process

B.  

Enforcing strict disciplinary procedures in case of noncompliance

C.  

Reviewing results of the annual company external audit

D.  

Adopting internationally accepted controls

A.  

process flow.

B.  

business impact analysis (BIA).

C.  

service level agreement (SLA).

D.  

system architecture.

A.  

Balanced scorecard

B.  

Risk management framework

C.  

Capability maturity model

D.  

Risk scenario analysis

A.  

Internal and external audit reports

B.  

Risk disclosures in financial statements

C.  

Risk assessment and risk register

D.  

Business objectives and strategies

A.  

A centralized computer security response team

B.  

Regular performance reviews and management check-ins

C.  

Code of ethics training for all employees

D.  

Communication of employee activity monitoring

A.  

Detective

B.  

Directive

C.  

Preventive

D.  

Compensating

A.  

KRI design must precede definition of KCIs.

B.  

KCIs and KRIs are independent indicators and do not impact each other.

C.  

A decreasing trend of KRI readings will lead to changes to KCIs.

D.  

Both KRIs and KCIs provide insight to potential changes in the level of risk.

A.  

Testing control design

B.  

Accepting residual risk

C.  

Establishing business information criteria

D.  

Establishing the risk register

A.  

KPIs measure manual controls, while KCIs measure automated controls.

B.  

KPIs and KCIs both contribute to understanding of control effectiveness.

C.  

A robust KCI program will replace the need to measure KPIs.

D.  

KCIs are applied at the operational level while KPIs are at the strategic level.

A.  

assess effectiveness of different projects.

B.  

define the risk assessment methodology.

C.  

ensure assets have low residual risk.

D.  

account for identified key risk factors.

A.  

Device corruption

B.  

Data loss

C.  

Malicious users

D.  

User support

A.  

An identity thief seeking to acquire personal financial data from an organization

B.  

Media recognition of an organization's market leadership in its industry

C.  

A standard procedure for applying software patches two weeks after release

D.  

An employee recently fired for insubordination

A.  

Identifying tweets that may compromise enterprise architecture (EA)

B.  

Including diverse Business scenarios in user acceptance testing (UAT)

C.  

Performing risk assessments during the business case development stage

D.  

Including key stakeholders in review of user requirements

A.  

solution delivery.

B.  

resource utilization.

C.  

strategic alignment.

D.  

performance evaluation.

A.  

Update the risk register with the average of residual risk for both business units.

B.  

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.  

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.  

Request that both business units conduct another review of the risk.

A.  

Reduced ability to evaluate key risk indicators (KRIs)

B.  

Reduced access to internal audit reports

C.  

Dependency on the vendor's key performance indicators (KPIs)

D.  

Dependency on service level agreements (SLAs)

A.  

operates as intended.

B.  

is being monitored.

C.  

meets regulatory requirements.

D.  

operates efficiently.

A.  

To monitor changes in the risk environment

B.  

To provide input to management for the adjustment of risk appetite

C.  

To monitor the accuracy of threshold levels in metrics

D.  

To obtain business buy-in for investment in risk mitigation measures

A.  

Introducing an approved IT governance framework

B.  

Integrating the results of top-down risk scenario analyses

C.  

Performing a business impact analysis (BlA)

D.  

Implementing a risk classification system

A.  

Identifying key risk indicators (KRIs)

B.  

Evaluating the return on investment (ROI)

C.  

Evaluating the residual risk level

D.  

Performing a cost-benefit analysis

A.  

inherent risk.

B.  

risk tolerance.

C.  

risk capacity.

D.  

residual risk.

A.  

Transfer

B.  

Mitigation

C.  

Avoidance

D.  

Acceptance

A.  

The audit plan for the upcoming period

B.  

Spend to date on mitigating control implementation

C.  

A report of deficiencies noted during controls testing

D.  

A status report of control deployment

A.  

control is ineffective and should be strengthened

B.  

risk is inefficiently controlled.

C.  

risk is efficiently controlled.

D.  

control is weak and should be removed.

A.  

review and update the policies to align with industry standards.

B.  

determine that the policies should be updated annually.

C.  

report that the policies are adequate and do not need to be updated frequently.

D.  

review the policies against current needs to determine adequacy.

A.  

User authorization

B.  

User recertification

C.  

Change log review

D.  

Access log monitoring

A.  

Regulatory requirements may differ in each country.

B.  

Data sampling may be impacted by various industry restrictions.

C.  

Business advertising will need to be tailored by country.

D.  

The data analysis may be ineffective in achieving objectives.

A.  

Personal data attributed to a specific data subject is tokenized.

B.  

Data protection impact assessments are performed on a regular basis.

C.  

Personal data certifications are performed to prevent excessive data collection.

D.  

Data retention guidelines are documented, established, and enforced.

A.  

Perform a risk assessment.

B.  

Perform root cause analysis.

C.  

Initiate disciplinary action.

D.  

Update the incident response plan.

A.  

Expected frequency and potential impact

B.  

Risk tolerance

C.  

Enterprise-wide IT risk assessment

D.  

Risk appetite

A.  

Monitoring risk responses

B.  

Applying risk treatments

C.  

Providing assurance of control effectiveness

D.  

Implementing internal controls

A.  

Educating employees on what needs to be kept confidential

B.  

Implementing a data loss prevention (DLP) solution

C.  

Taking punitive action against employees who expose confidential data

D.  

Requiring employees to sign nondisclosure agreements

A.  

Regulatory compliance

B.  

Risk ownership

C.  

Best practices

D.  

Desired risk level

A.  

Results of the last risk assessment of the vendor

B.  

Inherent risk of the business process supported by the vendor

C.  

Risk tolerance of the vendor

D.  

Length of time since the last risk assessment of the vendor

A.  

Periodic user privileges review

B.  

Log monitoring

C.  

Periodic internal audits

D.  

Segregation of duties

A.  

changes due to emergencies.

B.  

changes that cause incidents.

C.  

changes not requiring user acceptance testing.

D.  

personnel that have rights to make changes in production.

A.  

Time required for backup restoration testing

B.  

Change in size of data backed up

C.  

Successful completion of backup operations

D.  

Percentage of failed restore tests

A.  

Monitoring

B.  

Analysis

C.  

Identification

D.  

Response selection

A.  

Ensuring time synchronization of log sources.

B.  

Ensuring the inclusion of external threat intelligence log sources.

C.  

Ensuring the inclusion of all computing resources as log sources.

D.  

Ensuring read-write access to all log sources

A.  

Flexibility and adaptability

B.  

Measurability and consistency

C.  

Robustness and resilience

D.  

Optimal cost and benefit

A.  

Risk impact

B.  

Risk likelihood

C.  

Risk appropriate

D.  

Control self-assessments (CSAs)

A.  

Segregation of duties

B.  

Three lines of defense

C.  

Compliance review

D.  

Quality assurance review

A.  

To measure business exposure to risk

B.  

To identify control vulnerabilities

C.  

To monitor the achievement of set objectives

D.  

To raise awareness of operational issues

A.  

External audit

B.  

Internal audit

C.  

Vendor performance scorecard

D.  

Regulatory examination

A.  

benchmarks against other organizations

B.  

defines a qualitative measure of risk

C.  

provides a reference for progress

D.  

provides risk metrics.

A.  

Data duplication processes

B.  

Data archival processes

C.  

Data anonymization processes

D.  

Data protection processes

A.  

Conduct social engineering testing.

B.  

Audit security awareness training materials.

C.  

Administer an end-of-training quiz.

D.  

Perform a vulnerability assessment.

A.  

Percentage of business users completing risk training

B.  

Percentage of high-risk scenarios for which risk action plans have been developed

C.  

Number of key risk indicators (KRIs) defined

D.  

Time between when IT risk scenarios are identified and the enterprise's response

A.  

Insurance coverage

B.  

Security awareness training

C.  

Policies and standards

D.  

Risk appetite and tolerance

A.  

Identify changes in risk factors and initiate risk reviews.

B.  

Engage an external consultant to redesign the risk management process.

C.  

Outsource the process for updating the risk register.

D.  

Implement a process improvement and replace the old risk register.

A.  

Cable lock

B.  

Acceptable use policy

C.  

Data encryption

D.  

Asset tag with GPS

A.  

Total cost to support the policy

B.  

Number of exceptions to the policy

C.  

Total cost of policy breaches

D.  

Number of inquiries regarding the policy

A.  

Assigning control ownership

B.  

Assigning appropriate resources

C.  

Assigning a quality control review

D.  

Performing regular independent control reviews

A.  

Determine changes in the risk level.

B.  

Outsource the vulnerability management process.

C.  

Review the patch management process.

D.  

Add agenda item to the next risk committee meeting.

A.  

Disaster recovery plan (DRP) of the system

B.  

Right to audit the provider

C.  

Internal controls to ensure data privacy

D.  

Transparency of key performance indicators (KPIs)

A.  

IT infrastructure head

B.  

Human resources head

C.  

Supplier management head

D.  

Application development head

A.  

helps in calculating the expected cost of controls

B.  

uses qualitative risk rankings such as low. medium and high.

C.  

can be used m a cost-benefit analysts

D.  

can be used to determine the indirect business impact.

A.  

Frequency of anti-virus software updates

B.  

Number of alerts generated by the anti-virus software

C.  

Number of false positives detected over a period of time

D.  

Percentage of IT assets with current malware definitions

A.  

Loss expectancy information

B.  

Control performance predictions

C.  

IT service level agreements (SLAs)

D.  

Remediation activity progress

A.  

Project sponsor

B.  

Process owner

C.  

Risk manager

D.  

Internal auditor

A.  

Self-assessment questionnaires completed by management

B.  

Review of internal audit and third-party reports

C.  

Management review and sign-off on system documentation

D.  

First-hand direct observation of the controls in operation

A.  

The scenarios are based on industry best practice.

B.  

The scenarios focus on current vulnerabilities.

C.  

The scenarios are relevant to the organization.

D.  

The scenarios include technical consequences.

A.  

Independent audit report

B.  

Control self-assessment

C.  

MOST important to update when an

D.  

Service level agreements (SLAs)

A.  

increased inherent risk.

B.  

higher risk management cost

C.  

decreased residual risk.

D.  

lower risk management cost.

A.  

Risk assessment results

B.  

A recently reviewed risk register

C.  

Key performance indicators (KPIs)

D.  

The organization's risk framework

A.  

Interview control owners.

B.  

Observe the control enhancements in operation.

C.  

Inspect external audit documentation.

D.  

Review management's detailed action plans.

A.  

Risk policy review

B.  

Business impact analysis (B1A)

C.  

Control catalog

D.  

Risk register

A.  

business process owner.

B.  

database administrator.

C.  

chief information officer.

D.  

systems administrator.

A.  

Impact

B.  

Residual risk

C.  

Inherent risk

D.  

Risk appetite

A.  

An internal audit

B.  

Security operations center review

C.  

Internal penetration testing

D.  

A third-party audit

A.  

Review the business impact analysis.

B.  

Create a business continuity plan.

C.  

Analyze previous disaster recovery reports.

D.  

Conduct a root cause analysis.

A.  

Risk and control ownership

B.  

Senior management participation

C.  

Business unit support

D.  

Risk nomenclature and taxonomy

A.  

An updated risk register

B.  

Risk assessment results

C.  

Technical control validation

D.  

Control testing results

A.  

Escalate the issue to the service provider.

B.  

Re-certify the application access controls.

C.  

Remove the developer's access.

D.  

Review the results of pre-migration testing.

A.  

Organization's information security manager

B.  

Organization's risk function

C.  

Service provider's IT management

D.  

Service provider's information security manager

A.  

Sections of the policy that may justify not implementing the requirement

B.  

Risk associated with the inability to implement the requirement

C.  

Budget justification to implement the new requirement during the current year

D.  

Industry best practices with respect to implementation of the proposed control

A.  

The data is measurable.

B.  

The data is calculated continuously.

C.  

The data is relevant.

D.  

The data is automatically produced.

A.  

Notify executive management.

B.  

Analyze the impact to the organization.

C.  

Update the IT risk register.

D.  

Design IT risk mitigation plans.

A.  

Risk tolerance

B.  

Risk magnitude

C.  

Risk response

D.  

Risk appetite

A.  

Lead auditor

B.  

Project manager

C.  

Chief audit executive (CAE)

D.  

Chief information officer (CIO)

A.  

Implement targeted awareness training for new BYOD users.

B.  

Implement monitoring to detect control deterioration.

C.  

Identify log sources to monitor BYOD usage and risk impact.

D.  

Reduce the risk tolerance level.

A.  

Introducing control procedures early in the life cycle

B.  

Implementing loT device software monitoring

C.  

Performing periodic risk assessments of loT

D.  

Performing secure code reviews

A.  

The amount of risk an organization is willing to accept

B.  

The effective management of risk and internal control environments

C.  

Acceptable variation between risk thresholds and business objectives

D.  

The acceptable variation relative to the achievement of objectives

A.  

Vulnerability scanning

B.  

Continuous monitoring and alerting

C.  

Configuration management

D.  

Access controls and active logging

A.  

Establishing a risk management committee

B.  

Updating the organization's risk register to reflect the new threat

C.  

Communicating the results of the threat impact analysis

D.  

Establishing metrics to assess the effectiveness of the responses

A.  

mitigated

B.  

accepted

C.  

avoided

D.  

deferred

A.  

amount of risk reduced by compensating controls.

B.  

amount of risk present in the organization.

C.  

variance against objectives.

D.  

number of incidents.

A.  

evaluate the organization s ability and expertise to implement the solution.

B.  

evaluate the risk response of similar organizations.

C.  

address high risk factors that have efficient and effective solutions.

D.  

determine which risk factors have high remediation costs

A.  

trending data is available.

B.  

process flowcharts are current.

C.  

measurement objectives are defined.

D.  

data collection technology is available.

A.  

update the risk rating.

B.  

reevaluate inherent risk.

C.  

develop new risk scenarios.

D.  

implement additional controls.

A.  

Annual loss expectancy (ALE)

B.  

Business impact analysis

C.  

Cost-benefit analysis

D.  

Inherent vulnerabilities

A.  

Mitigate

B.  

Accept

C.  

Transfer

D.  

Avoid

A.  

Enterprise architecture (EA)

B.  

Control environment

C.  

IT objectives

D.  

Organizational objectives

A.  

Weak governance structures

B.  

Senior management scrutiny

C.  

Complex regulatory environment

D.  

Unclear reporting relationships

A.  

Accept the risk and document contingency plans for data disruption.

B.  

Remove the associated risk scenario from the risk register due to avoidance.

C.  

Mitigate the risk with compensating controls enforced by the third-party cloud provider.

D.  

Validate the transfer of risk and update the register to reflect the change.

A.  

Number of users that participated in the DRP testing

B.  

Number of issues identified during DRP testing

C.  

Percentage of applications that met the RTO during DRP testing

D.  

Percentage of issues resolved as a result of DRP testing

A.  

Loss event frequency and magnitude

B.  

The previous year's budget and actuals

C.  

Industry benchmarks and standards

D.  

Return on IT security-related investments

A.  

communication

B.  

identification.

C.  

treatment.

D.  

assessment.

A.  

Control chart

B.  

Sensitivity analysis

C.  

Trend analysis

D.  

Decision tree

A.  

plan awareness programs for business managers.

B.  

evaluate maturity of the risk management process.

C.  

assist in the development of a risk profile.

D.  

maintain a risk register based on noncompliances.

A.  

take necessary precautions for claims and losses.

B.  

achieve acceptable residual risk levels.

C.  

avoid risk for business and IT assets.

D.  

achieve compliance with legal requirements.

A.  

The percentage of systems meeting recovery target times has increased.

B.  

The number of systems tested in the last year has increased.

C.  

The number of systems requiring a recovery plan has increased.

D.  

The percentage of systems with long recovery target times has decreased.

A.  

Obtaining logs m an easily readable format

B.  

Providing accurate logs m a timely manner

C.  

Collecting logs from the entire set of IT systems

D.  

implementing an automated log analysis tool

A.  

The risk manager's expertise

B.  

Regulatory requirements

C.  

Board of directors' expertise

D.  

The organization's culture

A.  

Hire consultants specializing m the new technology.

B.  

Review existing risk mitigation controls.

C.  

Conduct a gap analysis.

D.  

Perform a risk assessment.

A.  

Service level agreement

B.  

Customer service reviews

C.  

Scope of services provided

D.  

Right to audit the provider

A.  

Key risk indicators (KRls)

B.  

Inherent risk

C.  

Residual risk

D.  

Risk appetite

A.  

Reviewing database access rights

B.  

Reviewing database activity logs

C.  

Comparing data to input records

D.  

Reviewing changes to edit checks

A.  

Alignment to risk responses

B.  

Alignment to management reports

C.  

Alerts when risk thresholds are reached

D.  

Identification of trends

A.  

Logs and system events

B.  

Intrusion detection system (IDS) rules

C.  

Vulnerability assessment reports

D.  

Penetration test reports

A.  

Digital signatures

B.  

Encrypted passwords

C.  

One-time passwords

D.  

Digital certificates

A.  

Aligning risk ownership and control ownership

B.  

Developing risk escalation and reporting procedures

C.  

Maintaining up-to-date risk treatment plans

D.  

Using a consistent method for risk assessment

A.  

Percentage of systems included in recovery processes

B.  

Number of key systems hosted

C.  

Average response time to resolve system incidents

D.  

Percentage of system availability

A.  

Assisting in continually optimizing risk governance

B.  

Enabling the documentation and analysis of trends

C.  

Ensuring compliance with regulatory requirements

D.  

Providing an early warning to take proactive actions

A.  

Encrypted storage of data

B.  

Links to source data

C.  

Audit trails for updates and deletions

D.  

Check totals on data records and data fields

A.  

Delayed removal of employee access

B.  

Authorized administrative access to HR files

C.  

Corruption of files due to malware

D.  

Server downtime due to a denial of service (DoS) attack

A.  

Optimize the control environment.

B.  

Realign risk appetite to the current risk level.

C.  

Decrease the number of related risk scenarios.

D.  

Reduce the risk management budget.

A.  

IT risk register

B.  

List of key risk indicators

C.  

Internal audit reports

D.  

List of approved projects

A.  

Internal audit reports

B.  

Access reviews

C.  

Threat modeling

D.  

Root cause analysis

A.  

Continuous monitoring

B.  

A control self-assessment

C.  

Transaction logging

D.  

Benchmarking against peers

A.  

Perform a penetration test.

B.  

Review security logs.

C.  

Conduct a threat analysis.

D.  

Perform a root cause analysis.

A.  

for compliance with laws and regulations

B.  

as a basis for cost-benefit analysis.

C.  

as input foe decision-making

D.  

to measure organizational success.