A.  

Control effectiveness.

B.  

The budget for control implementation.

C.  

Assessment of control risk.

D.  

Internal control audits.

A.  

Invoke the disaster recovery plan during an incident.

B.  

Prepare a cost-benefit analysis of alternatives available

C.  

Implement redundant infrastructure for the application.

D.  

Reduce the recovery time by strengthening the response team.

A.  

Segregation of duties

B.  

Code review

C.  

Change management

D.  

Audit modules

A.  

implement the planned controls and accept the remaining risk.

B.  

suspend the current action plan in order to reassess the risk.

C.  

revise the action plan to include additional mitigating controls.

D.  

evaluate whether selected controls are still appropriate.

A.  

Fewer security incidents have been reported.

B.  

The number of audit findings has decreased.

C.  

Residual risk is reduced.

D.  

inherent risk Is unchanged.

A.  

Detective control

B.  

Deterrent control

C.  

Preventive control

D.  

Corrective control

A.  

Enable data wipe capabilities

B.  

Penetration testing and session timeouts

C.  

Implement remote monitoring

D.  

Enforce strong passwords and data encryption

A.  

Control owner

B.  

Risk owner

C.  

IT security manager

D.  

Control operator

A.  

Objectives are confirmed with the business owner.

B.  

Control owners approve control changes.

C.  

End-user acceptance testing has been conducted.

D.  

Performance information in the log is encrypted.

A.  

Identify changes in risk factors and initiate risk reviews.

B.  

Engage an external consultant to redesign the risk management process.

C.  

Outsource the process for updating the risk register.

D.  

Implement a process improvement and replace the old risk register.

A.  

risk appetite and control efficiency.

B.  

inherent risk and control effectiveness.

C.  

residual risk and cost of control.

D.  

risk tolerance and control complexity.

A.  

Comparative analysis of peer companies

B.  

Reviews of brokerage firm assessments

C.  

Interviews with senior management

D.  

Trend analysis using prior annual reports

A.  

Some IT risk scenarios have multi-year risk action plans.

B.  

Several IT risk scenarios are missing assigned owners.

C.  

Numerous IT risk scenarios have been granted risk acceptances.

D.  

Many IT risk scenarios are categorized as avoided.

A.  

Control owner

B.  

Risk manager

C.  

Control operator

D.  

Risk treatment owner

A.  

Compliance manager

B.  

Risk owner

C.  

Control owner

D.  

Risk practitioner

A.  

Negotiating terms of adoption

B.  

Understanding the timeframe to implement

C.  

Completing a gap analysis

D.  

Initiating the conversion

A.  

Cyber insurance

B.  

Data backups

C.  

Incident response plan

D.  

Key risk indicators (KRIs)

A.  

Business impact assessment (BIA)

B.  

Key performance indicators (KPIs)

C.  

Risk profile

D.  

Industry benchmark analysis

A.  

Changes in the number of intrusions detected

B.  

Changes in the number of security exceptions

C.  

Changes in the position in the maturity model

D.  

Changes to the structure of the risk register

A.  

Conduct a risk assessment with stakeholders.

B.  

Conduct third-party resilience tests.

C.  

Update the risk register with the process changes.

D.  

Review risk related to standards and regulations.

A.  

The number of stakeholders involved in IT risk identification workshops

B.  

The percentage of corporate budget allocated to IT risk activities

C.  

The percentage of incidents presented to the board

D.  

The number of executives attending IT security awareness training

A.  

Involvement of internal audit

B.  

Involvement of process owner

C.  

Quantitative impact of the risk

D.  

Identification of key risk indicators

A.  

based on industry trends.

B.  

mapped to incident response plans.

C.  

related to probable events.

D.  

aligned with risk management capabilities.

A.  

The vendor must provide periodic independent assurance reports.

B.  

The vendor must host data in a specific geographic location.

C.  

The vendor must be held liable for regulatory fines for failure to protect data.

D.  

The vendor must participate in an annual vendor performance review.

A.  

Key performance indicators (KPIs)

B.  

Risk heat maps

C.  

Internal audit findings

D.  

Periodic penetration testing

A.  

Request a regulatory risk reporting methodology

B.  

Require critical success factors (CSFs) for IT risks.

C.  

Establish IT-specific compliance objectives

D.  

Communicate IT key risk indicators (KRIs) and triggers

A.  

Use the severity rating to calculate risk.

B.  

Classify the risk scenario as low-probability.

C.  

Use the highest likelihood identified by risk management.

D.  

Rely on range-based estimates provided by subject-matter experts.

A.  

Cost of implementation

B.  

Implementation of unproven applications

C.  

Disruption to business processes

D.  

Increase in attack surface area

A.  

Results of data classification activities

B.  

Recent changes to enterprise architecture (EA)

C.  

High-level network diagrams

D.  

Notes from interviews with the data owners

A.  

Approval by senior management

B.  

Low cost of development and maintenance

C.  

Sensitivity to changes in risk levels

D.  

Use of industry risk data sources

A.  

More complex test restores

B.  

Inadequate service level agreement (SLA) with the provider

C.  

More complex incident response procedures

D.  

Inadequate data encryption

A.  

Expected frequency and potential impact

B.  

Risk tolerance

C.  

Enterprise-wide IT risk assessment

D.  

Risk appetite

A.  

the risk strategy is appropriate

B.  

KRIs and KPIs are aligned

C.  

performance of controls is adequate

D.  

the risk monitoring process has been established

A.  

Payroll system risk factors

B.  

Payroll system risk mitigation plans

C.  

Payroll process owner

D.  

Payroll administrative controls

A.  

BCP testing is net in conjunction with the disaster recovery plan (DRP)

B.  

Recovery time objectives (RTOs) do not meet business requirements.

C.  

BCP is often tested using the walk-through method.

D.  

Each business location has separate, inconsistent BCPs.

A.  

require the vendor to sign a nondisclosure agreement

B.  

clearly define the project scope.

C.  

perform background checks on the vendor.

D.  

notify network administrators before testing

A.  

Review the cause of the control failure.

B.  

Temporarily suspend emergency changes.

C.  

Recommend remedial training.

D.  

Initiate a review of the change management process.

A.  

Reviewing the implementation of the risk response

B.  

Creating a separate risk register for key business units

C.  

Performing real-time monitoring of threats

D.  

Performing regular risk control self-assessments

A.  

Performing scenario-based assessments

B.  

Reviewing audit reports annually

C.  

Conducting root cause analyses

D.  

Engaging a risk-focused audit team

A.  

Implementing risk treatment plans

B.  

Validating the status of risk mitigation efforts

C.  

Establishing risk policies and standards

D.  

Conducting independent reviews of risk assessment results

A.  

updating the risk register.

B.  

validating the risk scenarios.

C.  

documenting the risk scenarios.

D.  

identifying risk mitigation controls.

A.  

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.  

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.  

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.  

To help identify root causes of incidents and recommend suitable long-term solutions

A.  

Assign highest priority to remediation of related risk scenarios.

B.  

Prevent acceptance of related risk scenarios.

C.  

Conduct specialized business impact analyses (BIAs).

D.  

Manage risk like other types of operational risk.

A.  

The impact of the risk

B.  

The replacement cost of the business asset

C.  

The cost of risk mitigation controls

D.  

The classification of the business asset

A.  

Total cost of ownership

B.  

Resource dependency analysis

C.  

Cost-benefit analysis

D.  

Business impact analysis

A.  

threat vector.

B.  

critical success factor (CSF).

C.  

key performance indicator (KPI).

D.  

key risk indicator (KRI).

A.  

Cost of controls

B.  

Risk tolerance

C.  

Risk appetite

D.  

Probability definition

A.  

Perform a root cause analysis

B.  

Perform a code review

C.  

Implement version control software.

D.  

Implement training on coding best practices

A.  

The third-party risk manager

B.  

The application vendor

C.  

The business process owner

D.  

The information security manager

A.  

Increase in the frequency of changes

B.  

Percent of unauthorized changes

C.  

Increase in the number of emergency changes

D.  

Average time to complete changes

A.  

Number of users that participated in the DRP testing

B.  

Number of issues identified during DRP testing

C.  

Percentage of applications that met the RTO during DRP testing

D.  

Percentage of issues resolved as a result of DRP testing

A.  

A summary of risk response plans with validation results

B.  

A report with control environment assessment results

C.  

A dashboard summarizing key risk indicators (KRIs)

D.  

A summary of IT risk scenarios with business cases

A.  

Complexity of the IT infrastructure

B.  

Value of information assets

C.  

Management culture

D.  

Threats and vulnerabilities

A.  

Risk appetite

B.  

Threat type

C.  

Risk tolerance

D.  

Residual risk

A.  

Brainstorming sessions

B.  

Control self-assessments

C.  

Vulnerability analysis

D.  

Monte Carlo analysis

A.  

Number of projects going live without a security review

B.  

Number of employees completing project-specific security training

C.  

Number of security projects started in core departments

D.  

Number of security-related status reports submitted by project managers

A.  

Sections of the policy that may justify not implementing the requirement

B.  

Risk associated with the inability to implement the requirement

C.  

Budget justification to implement the new requirement during the current year

D.  

Industry best practices with respect to implementation of the proposed control

A.  

To ensure IT risk management is focused on mitigating emerging risk

B.  

To confirm that IT risk assessment results are expressed in quantitative terms

C.  

To evaluate threats to the organization's operations and strategy

D.  

To identify gaps in the alignment of IT risk management processes and strategy

A.  

Business management approval of change requests

B.  

Separation of development and production environments

C.  

Requirement of an implementation rollback plan

D.  

IT management review of implemented changes

A.  

Number of customer records held

B.  

Number of databases that host customer data

C.  

Number of encrypted customer databases

D.  

Number of staff members having access to customer data

A.  

To enable risk-based decision making

B.  

To promote awareness of the risk governance function

C.  

To clarify fundamental risk management principles

D.  

To ensure sufficient resources are available

A.  

Ensuring the vendor does not know the encryption key

B.  

Engaging a third party to validate operational controls

C.  

Using the same cloud vendor as a competitor

D.  

Using field-level encryption with a vendor supplied key

A.  

Implement compensating controls to deter fraud attempts.

B.  

Share the concern through a whistleblower communication channel.

C.  

Monitor the activity to collect evidence.

D.  

Determine whether the system environment has flaws that may motivate fraud attempts.

A.  

Assuring the risk profile supports the IT objectives

B.  

Improving the competencies of employees who performed the review

C.  

Determining what changes should be made to IS policies to reduce risk

D.  

Determining that procedures used in risk assessment are appropriate

A.  

Cyber insurance

B.  

Cryptocurrency reserve

C.  

Data backups

D.  

End user training

A.  

Potential loss to tie business due to non-performance of the asset

B.  

Known emerging environmental threats

C.  

Known vulnerabilities published by the asset developer

D.  

Cost of replacing the asset with a new asset providing similar services

A.  

Analyzing cyber intelligence reports

B.  

Engaging independent cybersecurity consultants

C.  

Increasing the frequency of updates to the risk register

D.  

Reviewing the outcome of the latest security risk assessment

A.  

The model could be hacked or exploited.

B.  

The model could be used to generate inaccurate content.

C.  

Staff could become overly reliant on the model.

D.  

It could lead to biased recommendations.

A.  

Accuracy of risk tolerance levels

B.  

Consistency of risk process results

C.  

Participation of stakeholders

D.  

Maturity of the process

A.  

Senior management demonstrates ethics in their day-to-day decision making.

B.  

An independent ethics investigation team has been established.

C.  

Employees are required to complete ethics training courses annually.

D.  

The risk practitioner is required to consult with the ethics committee.

A.  

Balanced scorecard

B.  

Threat and vulnerability assessment

C.  

Compliance assessments

D.  

Business impact analysis (BIA)

A.  

data logging and monitoring

B.  

data mining and analytics

C.  

data classification and labeling

D.  

data retention and destruction

A.  

Develop a risk action plan to address the findings.

B.  

Evaluate the impact of the vulnerabilities to the business application.

C.  

Escalate the findings to senior management and internal audit.

D.  

Conduct a penetration test to validate the vulnerabilities from the findings.

A.  

include detailed deviations from industry benchmarks,

B.  

include a summary linking information to stakeholder needs,

C.  

include a roadmap to achieve operational excellence,

D.  

publish the report on-demand for stakeholders.

A.  

Results of benchmarking studies

B.  

Results of risk assessments

C.  

Number of emergency change requests

D.  

Maturity model

A.  

Risk analysis results

B.  

Exception handling policy

C.  

Vulnerability assessment results

D.  

Benchmarking assessments

A.  

Periodic asset review by management

B.  

Asset registration form

C.  

Automated asset management software

D.  

IT resource budgeting process

A.  

The scenario is aligned to business control processes.

B.  

The scenario is aligned to the organization’s risk appetite and tolerance.

C.  

The scenario is aligned to a business objective.

D.  

The scenario is aligned to known vulnerabilities in information technology.

A.  

Self-assessments by process owners

B.  

Mitigation plan progress reports

C.  

Risk owner attestation

D.  

Change in the level of residual risk

A.  

Benchmarking parameters likely to affect the results

B.  

Tools and techniques used by risk owners to perform the assessments

C.  

A risk heat map with a summary of risk identified and assessed

D.  

The possible impact of internal and external risk factors on the assessment results

A.  

Conduct a comprehensive review of access management processes.

B.  

Declare a security incident and engage the incident response team.

C.  

Conduct a comprehensive awareness session for system administrators.

D.  

Evaluate system administrators' technical skills to identify if training is required.

A.  

Report the observation to the chief risk officer (CRO).

B.  

Validate the adequacy of the implemented risk mitigation measures.

C.  

Update the risk register with the implemented risk mitigation actions.

D.  

Revert the implemented mitigation measures until approval is obtained

A.  

exceeding availability thresholds

B.  

experiencing hardware failures

C.  

exceeding current patching standards.

D.  

meeting the baseline for hardening.

A.  

Fault tree analysis

B.  

Historical trend analysis

C.  

Root cause analysis

D.  

Business impact analysis (BIA)

A.  

Board of directors

B.  

Risk officers

C.  

Line management

D.  

Senior management

A.  

Changes in the organization's risk appetite and risk tolerance levels

B.  

Impact due to changes in external and internal risk factors

C.  

Changes in residual risk levels against acceptable levels

D.  

Gaps in best practices and implemented controls across the industry

A.  

Physical destruction

B.  

Degaussing

C.  

Data anonymization

D.  

Data deletion

A.  

An identity thief seeking to acquire personal financial data from an organization

B.  

Media recognition of an organization's market leadership in its industry

C.  

A standard procedure for applying software patches two weeks after release

D.  

An employee recently fired for insubordination

A.  

Customer notification plans

B.  

Capacity management

C.  

Access management

D.  

Impacts on IT project delivery

A.  

IT management

B.  

Internal audit

C.  

Process owners

D.  

Senior management

A.  

Residual risk and risk appetite

B.  

Strength of detective and preventative controls

C.  

Effectiveness and efficiency of controls

D.  

Inherent risk and risk tolerance

A.  

Increase in compliance breaches

B.  

Increase in loss event impact

C.  

Increase in residual risk

D.  

Increase in customer complaints

A.  

Key risk indicators (KRIs)

B.  

The owner of the financial reporting process

C.  

The risk rating of affected financial processes

D.  

The list of relevant financial controls

A.  

Operational strategies

B.  

Risk governance

C.  

Annualized loss expectancy (ALE)

D.  

Risk appetite

A.  

Facilitating risk-aware decision making by stakeholders

B.  

Demonstrating management commitment to mitigate risk

C.  

Closing audit findings on a timely basis

D.  

Ensuring compliance to industry standards

A.  

Transfer

B.  

Accept

C.  

Exploit

D.  

Mitigate

A.  

Collecting risk event data

B.  

Maintaining a risk register

C.  

Using key risk indicators (KRIs)

D.  

Defining risk parameters

A.  

Improved alignment will technical risk

B.  

Better-informed business decisions

C.  

Enhanced understanding of enterprise architecture (EA)

D.  

Improved business operations efficiency

A.  

Key risk indicators (KRls) are developed for key IT risk scenarios

B.  

IT risk scenarios are assessed by the enterprise risk management team

C.  

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.  

IT risk scenarios are developed in the context of organizational objectives.

A.  

Risk manager

B.  

Data owner

C.  

End user

D.  

IT department

A.  

Recommend risk remediation

B.  

Change the level of risk appetite

C.  

Document formal acceptance of the risk

D.  

Reject the business initiative

A.  

Assigning a data owner

B.  

Scheduling periodic audits

C.  

Implementing technical controls over the assets

D.  

Implementing a data loss prevention (DLP) solution

A.  

reflective of the lowest organizational level.

B.  

a data feed taken directly from operational production systems.

C.  

reported to management the same day data is collected.

D.  

focused on providing a forward-looking view.

A.  

Detective

B.  

Preventive

C.  

Deterrent

D.  

Directive

A.  

Segment the system on its own network.

B.  

Ensure regular backups take place.

C.  

Virtualize the system in the cloud.

D.  

Install antivirus software on the system.

A.  

Application monitoring

B.  

Separation of duty

C.  

Least privilege

D.  

Nonrepudiation

A.  

Monitoring digital platforms that disseminate inaccurate or misleading news stories

B.  

Engaging public relations personnel to debunk false stories and publications

C.  

Restricting the use of social media on corporate networks during specific hours

D.  

Providing awareness training to understand and manage these types of attacks

A.  

Business impact analysis

B.  

Risk analysis

C.  

Threat risk assessment

D.  

Vulnerability assessment

A.  

A privacy impact assessment has not been completed.

B.  

Data encryption methods apply to a subset of Pll obtained.

C.  

The data privacy officer was not consulted.

D.  

Insufficient access controls are used on the loT devices.

A.  

Identify information security controls in the requirements analysis

B.  

Identify key risk indicators (KRIs) as process output.

C.  

Design key performance indicators (KPIs) for security in system specifications.

D.  

Include information security control specifications in business cases.

A.  

Prioritizing risk responses

B.  

Evaluating risk based on frequency and probability

C.  

Considering risk factors that can be quantified

D.  

Managing the risk by using controls

A.  

Control owner

B.  

Data owner

C.  

System owner

D.  

Application owner

A.  

Senior management

B.  

Project manager

C.  

Project sponsor

D.  

IT risk manager

A.  

Evaluating the impact of removing existing controls

B.  

Evaluating existing controls against audit requirements

C.  

Reviewing system functionalities associated with business processes

D.  

Monitoring existing key risk indicators (KRIs)

A.  

Develop a mechanism for monitoring residual risk.

B.  

Update the risk register with the results.

C.  

Prepare a business case for the response options.

D.  

Identify resources for implementing responses.

A.  

Collaborate with the risk owner to determine the risk response plan.

B.  

Document the gap in the risk register and report to senior management.

C.  

Include a right to audit clause in the service provider contract.

D.  

Advise the risk owner to accept the risk.

A.  

initiate corrective action to address the known deficiency.

B.  

adjust the risk threshold to better reflect actual performance.

C.  

inquire about the status of any planned corrective actions.

D.  

keep monitoring the situation as there is evidence that this is normal.

A.  

Perform a business impact analysis (BIA).

B.  

Identify compensating controls

C.  

Conduct a root cause analysis.

D.  

Revise key risk indicator (KRI) thresholds.

A.  

Review the vendor selection process and vetting criteria.

B.  

Assess whether use of service falls within risk tolerance thresholds.

C.  

Establish service level agreements (SLAs) with the vendor.

D.  

Check the contract for appropriate security risk and control provisions.

A.  

Vulnerability scanning

B.  

Systems log correlation analysis

C.  

Penetration testing

D.  

Monitoring of intrusion detection system (IDS) alerts

A.  

Corporate risk appetite is communicated to staff members.

B.  

Risk owners understand and accept accountability for risk.

C.  

Risk policy has been published and acknowledged by employees.

D.  

Management encourages the reporting of policy breaches.

A.  

Creating a data classification scheme

B.  

Identifying events impacting continuity of operations

C.  

Analyzing previous risk assessment results

D.  

Identifying critical information assets

A.  

Implement a tool to create and distribute violation reports

B.  

Raise awareness of encryption requirements for sensitive data.

C.  

Block unencrypted outgoing emails which contain sensitive data.

D.  

Implement a progressive disciplinary process for email violations.

A.  

Insufficient risk tolerance

B.  

Optimized control management

C.  

Effective risk management

D.  

Over-controlled environment

A.  

Perform a gap analysis

B.  

Conduct system testing

C.  

Implement compensating controls

D.  

Update security policies

A.  

Risk magnitude

B.  

Incident probability

C.  

Risk appetite

D.  

Cost-benefit analysis

A.  

Risk tolerance

B.  

Risk magnitude

C.  

Risk response

D.  

Risk appetite

A.  

Loss expectancy information

B.  

Control performance predictions

C.  

IT service level agreements (SLAs)

D.  

Remediation activity progress

A.  

Whether the service provider's data center is located in the same country

B.  

Whether the data sent by email has been encrypted

C.  

Whether the data has been appropriately classified

D.  

Whether the service provider contract allows right of onsite audit

A.  

Accountability is established for risk treatment decisions

B.  

Stakeholders are consulted about risk treatment options

C.  

Risk owners are informed of risk treatment options

D.  

Responsibility is established for risk treatment decisions.

A.  

Update residual risk levels to reflect the expected risk impact.

B.  

Adjust inherent risk levels upward.

C.  

Include it on the next enterprise risk committee agenda.

D.  

Include it in the risk register for ongoing monitoring.

A.  

capability to implement new processes

B.  

evolution of process improvements

C.  

degree of compliance with policies and procedures

D.  

control requirements.

A.  

Cyber threat intelligence

B.  

Anti-malware software

C.  

Endpoint detection and response (EDR)

D.  

SIEM systems

A.  

Risk action plans and associated owners

B.  

Recent audit and self-assessment results

C.  

Potential losses compared to treatment cost

D.  

A list of assets exposed to the highest risk

A.  

It maintains evidence of compliance with risk policy.

B.  

It facilitates timely risk-based decisions.

C.  

It validates the organization's risk appetite.

D.  

It helps to mitigate internal and external risk factors.

A.  

Average time to implement patches after vendor release

B.  

Number of patches tested prior to deployment

C.  

Increase in the frequency of patches deployed into production

D.  

Percent of patches implemented within established timeframe

A.  

Lack of cross-functional risk assessment workshops within the organization

B.  

Lack of common understanding of the organization's risk culture

C.  

Lack of quantitative methods to aggregate the total risk exposure

D.  

Lack of an integrated risk management system to aggregate risk scenarios

A.  

Not providing capability for employees to work remotely

B.  

Outsourcing the IT activities and infrastructure

C.  

Enforcing change and configuration management processes

D.  

Taking out insurance coverage for IT-related incidents

A.  

accounts without documented approval

B.  

user accounts with default passwords

C.  

active accounts belonging to former personnel

D.  

accounts with dormant activity.

A.  

Lead auditor

B.  

Project manager

C.  

Chief audit executive (CAE)

D.  

Chief information officer (CIO)

A.  

Cost of controls

B.  

Annual loss expectancy (ALE)

C.  

Inherent risk

D.  

Residual risk

A.  

Aggregated risk may exceed the enterprise's risk appetite and tolerance.

B.  

Duplicate resources may be used to manage risk registers.

C.  

Standardization of risk management practices may be difficult to enforce.

D.  

Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

A.  

Decreased success rate of internal phishing tests

B.  

Decreased number of reported security incidents

C.  

Number of disciplinary actions issued for security violations

D.  

Number of employees that complete security training

A.  

Monitor the databases for abnormal activity

B.  

Approve exception to allow the software to continue operating

C.  

Require the software vendor to remediate the vulnerabilities

D.  

Accept the risk and let the vendor run the software as is

A.  

Cost-benefit analysis

B.  

Penetration testing

C.  

Business impact analysis (BIA)

D.  

Security assessment

A.  

Verify authorization by senior management.

B.  

Increase the risk appetite to align with the current risk level

C.  

Ensure the acceptance is set to expire over lime

D.  

Update the risk response in the risk register.

A.  

ensure that the source code is valid and exists.

B.  

ensure that the source code is available if the vendor ceases to exist.

C.  

review the source code for adequacy of controls.

D.  

ensure the source code is available when bugs occur.

A.  

a root cause analysis is required

B.  

controls are effective for ensuring continuity

C.  

hardware needs to be upgraded

D.  

no action is required as there was no impact

A.  

KPIs measure manual controls, while KCIs measure automated controls.

B.  

KPIs and KCIs both contribute to understanding of control effectiveness.

C.  

A robust KCI program will replace the need to measure KPIs.

D.  

KCIs are applied at the operational level while KPIs are at the strategic level.

A.  

Results of the last risk assessment of the vendor

B.  

Inherent risk of the business process supported by the vendor

C.  

Risk tolerance of the vendor

D.  

Length of time since the last risk assessment of the vendor

A.  

Key audit findings

B.  

Treatment plan status

C.  

Performance indicators

D.  

Risk scenario results

A.  

Identifying critical information assets

B.  

Identifying events impacting continuity of operations.

C.  

Creating a data classification scheme

D.  

Analyzing previous risk assessment results

A.  

Increased time to remediate vulnerabilities

B.  

Inaccurate reporting of results

C.  

Increased number of vulnerabilities

D.  

Network performance degradation

A.  

Establishing policies and procedures

B.  

Periodically reviewing control design

C.  

Measuring trends in control performance

D.  

Obtaining management control attestations

A.  

Monitoring

B.  

Analysis

C.  

Identification

D.  

Response selection

A.  

Change testing schedule

B.  

Impact assessment of the change

C.  

Change communication plan

D.  

User acceptance testing (UAT)

A.  

Identify threats and vulnerability

B.  

Ensure alignment with industry standards

C.  

Provide measurable risk reduction

D.  

Enforce strong security solutions

A.  

Security training for systems development staff

B.  

\Well-documented business cases

C.  

Security architecture principles

D.  

Secure coding practices

A.  

Perform their own risk assessment

B.  

Implement additional controls to address the risk.

C.  

Accept the risk based on the third party's risk assessment

D.  

Perform an independent audit of the third party.

A.  

Periodic user privileges review

B.  

Log monitoring

C.  

Periodic internal audits

D.  

Segregation of duties

A.  

Identifying tweets that may compromise enterprise architecture (EA)

B.  

Including diverse Business scenarios in user acceptance testing (UAT)

C.  

Performing risk assessments during the business case development stage

D.  

Including key stakeholders in review of user requirements

A.  

Report the gap to senior management

B.  

Consult with the IT department to update the RTO

C.  

Complete a risk exception form.

D.  

Consult with the business owner to update the BCP

A.  

Ensuring processes are documented to enable effective control execution

B.  

Ensuring regular risk messaging is Included in business communications from leadership

C.  

Ensuring schedules and deadlines for control-related deliverables are strictly monitored

D.  

Ensuring performance metrics balance business goals with risk appetite

A.  

inherent risk.

B.  

risk tolerance.

C.  

risk capacity.

D.  

residual risk.

A.  

Review the cost-benefit of mitigating controls

B.  

Mark the risk status as unresolved within the risk register

C.  

Verify the sufficiency of mitigating controls with the risk owner

D.  

Update the risk register with implemented mitigating actions

A.  

Tokenized personal data only in test environments

B.  

Data loss prevention tools (DLP) installed in passive mode

C.  

Anonymized personal data in non-production environments

D.  

Multi-factor authentication for access to non-production environments

A.  

Risk tolerance

B.  

Risk appetite

C.  

Risk awareness

D.  

Risk policy

A.  

Absorb the loss in productivity.

B.  

Request a waiver to the requirements.

C.  

Escalate the issue to senior management

D.  

Remove the control to accommodate business objectives.

A.  

risk appetite.

B.  

security policies

C.  

process maps.

D.  

risk tolerance level

A.  

Conduct a peer response assessment.

B.  

Update risk scenarios in the risk register.

C.  

Reevaluate the risk management program.

D.  

Ensure applications are compliant.

A.  

The policy lacks specifics on how to secure the organization's systems from cyberattacks.

B.  

The policy has gaps against relevant cybersecurity standards and frameworks.

C.  

The policy has not been reviewed by the cybersecurity team in over a year.

D.  

The policy has not been approved by the organization's board.

A.  

Implement targeted awareness training for new BYOD users.

B.  

Implement monitoring to detect control deterioration.

C.  

Identify log sources to monitor BYOD usage and risk impact.

D.  

Reduce the risk tolerance level.

A.  

Aligning business unit risk responses to organizational priorities

B.  

Determining attack likelihood per business unit

C.  

Adjusting business unit risk tolerances

D.  

Customizing incident response plans for each business unit

A.  

Control effectiveness

B.  

Risk appetite

C.  

Risk likelihood

D.  

Key risk indicator (KRI)

A.  

Complete an offsite business continuity exercise.

B.  

Conduct a compliance check against standards.

C.  

Perform a vulnerability assessment.

D.  

Measure the change in inherent risk.

A.  

for compliance with laws and regulations

B.  

as a basis for cost-benefit analysis.

C.  

as input for decision-making

D.  

to measure organizational success.

A.  

a recognized industry control framework

B.  

guidance provided by the external auditor

C.  

the service provider's existing controls

D.  

The organization's specific control requirements

A.  

Flexibility and adaptability

B.  

Measurability and consistency

C.  

Robustness and resilience

D.  

Optimal cost and benefit

A.  

Data minimization

B.  

Accountability

C.  

Accuracy

D.  

Purpose limitation

A.  

Adherence to legal and compliance requirements

B.  

Reduction in the number of test cases in the acceptance phase

C.  

Establishment of digital forensic architectures

D.  

Consistent management of information assets

A.  

Data encryption has not been applied to all sensitive data across the organization.

B.  

There are many data assets across the organization that need to be classified.

C.  

Changes to information handling procedures are not documented.

D.  

Changes to data sensitivity during the data life cycle have not been considered.

A.  

Organization's information security manager

B.  

Organization's risk function

C.  

Service provider's IT management

D.  

Service provider's information security manager

A.  

ensuring controls are operating efficiently and facilitating productivity.

B.  

enabling senior leadership to better understand the level of risk the organization is facing.

C.  

monitoring changes in the likelihood of adverse events due to ineffective controls.

D.  

providing information on the degree to which controls are meeting intended objectives.

A.  

Regulatory compliance

B.  

Risk ownership

C.  

Best practices

D.  

Desired risk level

A.  

A post-implementation review has been conducted by key personnel.

B.  

A qualified independent party assessed the new controls as effective.

C.  

Senior management has signed off on the design of the controls.

D.  

Robots have operated without human interference on a daily basis.

A.  

Consistent forms to document risk acceptance rationales

B.  

Acceptable scenarios to override risk appetite or tolerance thresholds

C.  

Individuals or roles authorized to approve risk acceptance

D.  

Communication protocols when a risk is accepted

A.  

Meet with the business leaders to ensure the classification of their transferred data is in place

B.  

Ensure the language in the contract explicitly states who is accountable for each step of the data transfer process

C.  

Collect requirements for the environment to ensure the infrastructure as a service (IaaS) is configured appropriately.

D.  

Work closely with the information security officer to ensure the company has the proper security controls in place.

A.  

Updating multi-factor authentication

B.  

Monitoring key access control performance indicators

C.  

Analyzing access control logs for suspicious activity

D.  

Revising the service level agreement (SLA)

A.  

risk response.

B.  

control monitoring.

C.  

risk identification.

D.  

risk ownership.

A.  

Threat to IT

B.  

Number of control failures

C.  

Impact on business

D.  

Risk ownership

A.  

Industry best practice review

B.  

Risk assessment

C.  

Cost-benefit analysis

D.  

Control-effectiveness evaluation

A.  

Residual risk is within risk tolerance.

B.  

Risk with low impact is accepted.

C.  

Risk ownership is identified and assigned.

D.  

Compliance breaches are addressed in a timely manner.

A.  

Operating controls for risk mitigation

B.  

Testing the effectiveness and efficiency of internal controls

C.  

Providing assurance on risk management processes

D.  

Recommending risk treatment options

A.  

A centralized computer security response team

B.  

Regular performance reviews and management check-ins

C.  

Code of ethics training for all employees

D.  

Communication of employee activity monitoring

A.  

To support regulatory requirements

B.  

To prevent the risk scenario in the current environment

C.  

To monitor for potential changes to the risk scenario

D.  

To track historical risk assessment results

A.  

Repeatable

B.  

Automated

C.  

Quantitative

D.  

Qualitative

A.  

Standards-based policies

B.  

Audit readiness

C.  

Efficient operations

D.  

Regulatory compliance

A.  

Cost and benefit

B.  

Security and availability

C.  

Maintainability and reliability

D.  

Performance and productivity

A.  

Reassessing control effectiveness of the process

B.  

Conducting a post-implementation review to determine lessons learned

C.  

Reporting key performance indicators (KPIs) for core processes

D.  

Establishing escalation procedures for anomaly events

A.  

Update the KRI threshold.

B.  

Recommend additional controls.

C.  

Review incident handling procedures.

D.  

Perform a root cause analysis.

A.  

Data classification policy

B.  

Emerging technology trends

C.  

The IT strategic plan

D.  

The risk register

A.  

Cause-and-effect diagram

B.  

Delphi technique

C.  

Bottom-up approach

D.  

Top-down approach

A.  

The organization may not have a sufficient number of skilled resources.

B.  

Application and data migration cost for backups may exceed budget.

C.  

Data may not be recoverable due to system failures.

D.  

The database system may not be scalable in the future.

A.  

Risk and control ownership

B.  

Senior management participation

C.  

Business unit support

D.  

Risk nomenclature and taxonomy

A.  

Using an aggregated view of organizational risk

B.  

Ensuring relevance to organizational goals

C.  

Relying on key risk indicator (KRI) data Including

D.  

Trend analysis of risk metrics

A.  

who owns the business process.

B.  

the amount of residual risk.

C.  

who is responsible for risk mitigation.

D.  

the total cost of risk treatment.

A.  

Percentage of projects with key risk accepted by the project steering committee

B.  

Reduction in risk policy noncompliance findings

C.  

Percentage of projects with developed controls on scope creep

D.  

Reduction in audits involving external risk consultants

A.  

Financial risk is given a higher priority.

B.  

Risk with strategic impact is included.

C.  

Security strategy is given a higher priority.

D.  

Risk identified by industry benchmarking is included.

A.  

Monitoring of service costs

B.  

Provision of internal audit reports

C.  

Notification of sub-contracting arrangements

D.  

Confidentiality of customer data

A.  

Existing IT environment

B.  

IT strategic plan

C.  

Risk register

D.  

Organizational strategic plan

A.  

Key risk indicators (KRIs)

B.  

Risk reporting methodology

C.  

Key performance indicators (KPIs)

D.  

Risk taxonomy

A.  

business purpose documentation and software license counts

B.  

an access control matrix and approval from the user's manager

C.  

documentation indicating the intended users of the application

D.  

security logs to determine the cause of invalid login attempts

A.  

Maintain and review the classified data inventor.

B.  

Implement mandatory encryption on data

C.  

Conduct an awareness program for data owners and users.

D.  

Define and implement a data classification policy

A.  

Business impact analysis (BIA) results

B.  

Risk scenario ownership

C.  

Risk thresholds

D.  

Possible causes of materialized risk

A.  

Whether the affected technology is used within the organization

B.  

Whether the affected technology is Internet-facing

C.  

What mitigating controls are currently in place

D.  

How pervasive the vulnerability is within the organization

A.  

Lack of a mature records management program

B.  

Lack of a dedicated asset management team

C.  

Decentralized asset lists

D.  

Incomplete asset inventory

A.  

Redesign the heat map.

B.  

Review the risk tolerance.

C.  

Perform a business impact analysis (BIA)

D.  

Update the risk register.

A.  

Percentage of IT systems recovered within the mean time to restore (MTTR) during the disaster recovery test

B.  

Percentage of issues arising from the disaster recovery test resolved on time

C.  

Percentage of IT systems included in the disaster recovery test scope

D.  

Percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test

A.  

Risk action plans are approved by senior management.

B.  

Residual risk is within the organizational risk appetite

C.  

Mitigating controls are designed and implemented.

D.  

Risk is recorded and tracked in the risk register

A.  

The controls may not be properly tested

B.  

The vendor will not ensure against control failure

C.  

The vendor will not achieve best practices

D.  

Lack of a risk-based approach to access control

A.  

Obtain objective assessment of the control environment.

B.  

Ensure the risk profile is defined and communicated.

C.  

Validate the threat management process.

D.  

Obtain an objective view of process gaps and systemic errors.

A.  

An internal audit

B.  

A heat map

C.  

A business impact analysis (BIA)

D.  

A vulnerability report

A.  

impacts are recorded in qualitative terms.

B.  

executive management does not perform periodic reviews.

C.  

IT risk is not linked with IT assets.

D.  

significant changes in risk factors are excluded.

A.  

To deliver projects on time and on budget

B.  

To assess inherent risk

C.  

To include project risk in the enterprise-wide IT risk profit.

D.  

To assess risk throughout the project

A.  

determine data backup and recovery availability at an alternate site.

B.  

identify critical business functions and resources.

C.  

define roles and responsibilities for implementation.

D.  

identify recovery time objectives (RTOs) for critical business applications.

A.  

Maintaining a documented risk register

B.  

Establishing a risk awareness program

C.  

Rewarding employees for reporting security incidents

D.  

Allocating resources for risk remediation

A.  

Data controllers

B.  

Data processors

C.  

Data custodians

D.  

Data owners

A.  

business owner

B.  

IT department

C.  

Risk manager

D.  

Third-party provider

A.  

The program has not decreased threat counts.

B.  

The program has not considered business impact.

C.  

The program has been significantly revised

D.  

The program uses non-customized training modules.

A.  

Reviewing the organization's policies and procedures

B.  

Interviewing groups of key stakeholders

C.  

Circulating questionnaires to key internal stakeholders

D.  

Accepting IT personnel s view of business issues

A.  

Perform a business case analysis

B.  

Implement compensating controls.

C.  

Conduct a control sell-assessment (CSA)

D.  

Build a provision for risk

A.  

Risk likelihood

B.  

Inherent risk

C.  

Risk appetite

D.  

Risk tolerance

A.  

Conduct risk classification for associated IT controls.

B.  

Determine whether risk responses still effectively address risk.

C.  

Perform vulnerability and threat assessments.

D.  

Analyze and update IT control assessments.

A.  

Evaluate the organization's existing data protection controls.

B.  

Reassess the risk appetite and tolerance levels of the business.

C.  

Evaluate the sensitivity of data that the business needs to handle.

D.  

Review the organization’s data retention policy and regulatory requirements.

A.  

Al requires entirely new risk management processes.

B.  

Al potentially introduces new types of risk.

C.  

Al will result in changes to business processes.

D.  

Third-party Al solutions increase regulatory obligations.

A.  

Business benefits of shadow IT

B.  

Application-related expresses

C.  

Classification of the data

D.  

Volume of data

A.  

An IT owner is assigned for each risk scenario.

B.  

The register is updated frequently.

C.  

The register is shared with executive management.

D.  

Compensating controls are identified.

A.  

An increase in the number of high-risk audit findings

B.  

An increase in the number of security incidents

C.  

An increase in the percentage of turnover in IT personnel

D.  

An increase in the number of infrastructure changes

A.  

design of appropriate controls.

B.  

industry benchmarking of controls.

C.  

prioritization of response efforts.

D.  

classification of information assets.

A.  

Some critical business applications are not included in the plan

B.  

Several recovery activities will be outsourced

C.  

The plan is not based on an internationally recognized framework

D.  

The chief information security officer (CISO) has not approved the plan

A.  

Review risk governance

B.  

Asset identification

C.  

Identify risk factors

D.  

Inherent risk identification

A.  

Develop a risk treatment plan.

B.  

Validate organizational risk appetite.

C.  

Review results of prior risk assessments.

D.  

Include the current and desired states in the risk register.

A.  

Information security officer

B.  

Information security manager

C.  

Information custodian

D.  

Information owner

A.  

Risk owner

B.  

Business manager

C.  

Data owner

D.  

Risk manager

A.  

Audit findings

B.  

Risk appetite

C.  

Key risk indicators

D.  

Industry best practices

A.  

Management has not determined a final implementation date.

B.  

Management has not completed an early mitigation milestone.

C.  

Management has not secured resources for mitigation activities.

D.  

Management has not begun the implementation.

A.  

Enterprise risk management team

B.  

Risk mitigation manager

C.  

Business process owner

D.  

Risk owner

A.  

Improved senior management communication

B.  

Optimized risk treatment decisions

C.  

Enhanced awareness of risk management

D.  

Improved collaboration among risk professionals

A.  

inadequate resource allocation

B.  

Data disruption

C.  

Unauthorized access

D.  

Inadequate retention schedules

A.  

A comparison of the costs of notice and consent control options

B.  

Examples of regulatory fines incurred by industry peers for noncompliance

C.  

A report of critical controls showing the importance of notice and consent

D.  

A cost-benefit analysis of the control versus probable legal action

A.  

Key risk indicators (KRls)

B.  

Inherent risk

C.  

Residual risk

D.  

Risk appetite

A.  

Technical details

B.  

Target completion date

C.  

Treatment plan ownership

D.  

Treatment plan justification

A.  

Bottom-up identification of emerging risks

B.  

Categorization of risk scenarios against a standard taxonomy

C.  

Prioritization of risk scenarios based on severity

D.  

Review of external loss data

A.  

Promotion of a risk-aware culture

B.  

Compilation of a comprehensive risk register

C.  

Alignment of business activities

D.  

Facilitation of risk-aware decision making

A.  

Variances in recovery times

B.  

Ownership assignment for controls

C.  

New potentially disruptive scenarios

D.  

Contractual changes with customers

A.  

The service provider

B.  

Vendor risk manager

C.  

Legal counsel

D.  

Business process owner

A.  

priority in the risk register.

B.  

business process owner.

C.  

enterprise risk profile.

D.  

appropriate level of protection.

A.  

Balanced scorecard

B.  

Risk appetite

C.  

Risk map

D.  

Risk events

A.  

Data duplication processes

B.  

Data archival processes

C.  

Data anonymization processes

D.  

Data protection processes

A.  

Requirements for regulatory obligations.

B.  

Cost of control implementation.

C.  

Effectiveness of risk treatment.

D.  

Number of risk response options.

A.  

Results of current and past risk assessments

B.  

Organizational strategy and objectives

C.  

Lessons learned from materialized risk scenarios

D.  

Internal and external audit findings

A.  

Building an organizational risk profile after updating the risk register

B.  

Ensuring risk owners participate in a periodic control testing process

C.  

Designing a process for risk owners to periodically review identified risk

D.  

Implementing a process for ongoing monitoring of control effectiveness

A.  

External audit findings

B.  

Feedback from focus groups

C.  

Self-assessment reports

D.  

Changes in senior management

A.  

Data protection officer

B.  

Chief information officer (CIO)

C.  

Information asset custodian

D.  

Information asset owner

A.  

Regulatory requirements

B.  

Organizational objectives

C.  

Annual loss expectancy (ALE)

D.  

Risk management costs

A.  

have a better understanding of specific business needs

B.  

can balance the overall technical and business concerns

C.  

can see the overall impact to the business

D.  

are more objective than information security management.

A.  

buying an insurance policy.

B.  

acceptance of exposures

C.  

deployment of counter measures.

D.  

enterprise architecture implementation.

A.  

It facilitates the use of a framework for risk management.

B.  

It establishes a means for senior management to formally approve risk practices.

C.  

It encourages risk-based decision making for stakeholders.

D.  

It provides a basis for benchmarking against industry standards.

A.  

Logs are retained for longer than required.

B.  

Logs are reviewed annually.

C.  

Logs are stored in a multi-tenant cloud environment.

D.  

Logs are modified before analysis is conducted.

A.  

Information security managers

B.  

Internal auditors

C.  

Business process owners

D.  

Operational risk managers

A.  

The team that performed the risk assessment

B.  

An assigned risk manager to provide oversight

C.  

Action plans to address risk scenarios requiring treatment

D.  

The methodology used to perform the risk assessment

A.  

time required to restore files.

B.  

point of synchronization

C.  

priority of restoration.

D.  

annual loss expectancy (ALE).

A.  

Risk management

B.  

Business units

C.  

External audit

D.  

Internal audit

A.  

Risk maturity

B.  

Risk policy

C.  

Risk appetite

D.  

Risk culture

A.  

Confirming the adequacy of recovery plans.

B.  

Improving compliance with control standards.

C.  

Providing early detection of control degradation.

D.  

Reducing the number of incidents.

A.  

Accountable

B.  

Informed

C.  

Responsible

D.  

Consulted

A.  

The risk register has been updated.

B.  

The risk tolerance has been recalibrated.

C.  

The risk has been mitigated to the intended level.

D.  

The risk owner has reviewed the outcomes.

A.  

Testing is completed in phases, with user testing scheduled as the final phase.

B.  

Segregation of duties controls are overridden during user testing phases.

C.  

Data anonymization is used during all cycles of end-user testing.

D.  

Testing is completed by IT support users without input from end users.

A.  

Accepted risk scenarios with detailed plans for monitoring

B.  

Risk scenarios that have been shared with vendors and third parties

C.  

Accepted risk scenarios with impact exceeding the risk tolerance

D.  

Risk scenarios that have been identified, assessed, and responded to by the risk owners

A.  

An established process for project change management

B.  

Retention of test data and results for review purposes

C.  

Business managements review of functional requirements

D.  

Segregation between development, test, and production

A.  

Adopting qualitative enterprise risk assessment methods

B.  

Linking IT risk scenarios to technology objectives

C.  

linking IT risk scenarios to enterprise strategy

D.  

Adopting quantitative enterprise risk assessment methods

A.  

Conduct penetration testing.

B.  

Interview IT operations personnel.

C.  

Conduct vulnerability scans.

D.  

Review change control board documentation.

A.  

Balanced scorecard

B.  

Risk management framework

C.  

Capability maturity model

D.  

Risk scenario analysis

A.  

Analyzing the residual risk components

B.  

Performing risk prioritization

C.  

Validating the risk appetite level

D.  

Conducting a risk assessment

A.  

Mean time to recover (MTTR)

B.  

IT system criticality classification

C.  

Incident management service level agreement (SLA)

D.  

Recovery time objective (RTO)

A.  

A record of incidents is maintained.

B.  

Forensic investigations are facilitated.

C.  

Security violations can be identified.

D.  

Developing threats are detected earlier.

A.  

Utilization of a cross-functional team

B.  

Participation by IT subject matter experts

C.  

Integration of contingency planning

D.  

Validation by senior management

A.  

The system documentation is not available.

B.  

Enterprise risk management (ERM) has not approved the decision.

C.  

The board of directors has not approved the decision.

D.  

The business process owner is not an active participant.

A.  

Percentage of vulnerabilities remediated within the agreed service level

B.  

Number of vulnerabilities identified during the period

C.  

Number of vulnerabilities re-opened during the period

D.  

Percentage of vulnerabilities escalated to senior management

A.  

An updated risk register

B.  

Risk assessment results

C.  

Technical control validation

D.  

Control testing results

A.  

that results in a full root cause analysis.

B.  

used for verification within the SLA.

C.  

that are verified as actual incidents.

D.  

resolved within the SLA.

A.  

Incident reports

B.  

Cost-benefit analysis

C.  

Risk tolerance

D.  

Control objectives

A.  

KRIs assist in the preparation of the organization's risk profile.

B.  

KRIs signal that a change in the control environment has occurred.

C.  

KRIs provide a basis to set the risk appetite for an organization

D.  

KRIs provide an early warning that a risk threshold is about to be reached.

A.  

Al may result in less reliance on human intervention.

B.  

Malicious activity may inadvertently be classified as normal during baselining.

C.  

Risk assessments of heuristic security systems are more difficult.

D.  

Predefined patterns of malicious activity may quickly become outdated.

A.  

Evaluate past policy review reports.

B.  

Conduct regular independent reviews.

C.  

Perform penetration testing.

D.  

Test staff on their compliance responsibilities.

A.  

HR training director

B.  

Business process owner

C.  

HR recruitment manager

D.  

Chief information officer (CIO)

A.  

Perform quantitative risk analysis of historical data.

B.  

Adopt an industry-recognized risk framework.

C.  

Use qualitative risk assessment methodologies.

D.  

Conduct brainstorming sessions with key stakeholders.

A.  

An increase in the number of risk threshold exceptions

B.  

An increase in the number of change events pending management review

C.  

A decrease in the number of key performance indicators (KPIs)

D.  

A decrease in the number of critical assets covered by risk thresholds

A.  

Review historical application down me and frequency

B.  

Assess the potential impact and cost of mitigation

C.  

identify other legacy systems within the organization

D.  

Explore the feasibility of replacing the legacy system

A.  

reduce the likelihood of future events

B.  

restore availability

C.  

reduce the impact of future events

D.  

address the root cause

A.  

Classification of the data

B.  

Type of device

C.  

Remote management capabilities

D.  

Volume of data

A.  

Conducting a business impact analysis (BIA)

B.  

Identifying the recovery response team