CRISC Certified in Risk and Information Systems Control – Question854

Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

A. authorized to select risk mitigation options.
B. independent from the business operations.
C. accountable for the affected processes.
D. members of senior management.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question853

Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

A. Facilitating risk-aware decision making by stakeholders.
B. Demonstrating management commitment to mitigate risk.
C. Closing audit findings on a timely basis.
D. Ensuring compliance to industry standards.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question850

Which of the following is the BEST key performance indicator (KPI) for determining how well an IT policy is aligned to business requirements?

A. Total cost of policy breaches.
B. Total cost to support the policy.
C. Number of exceptions to the policy.
D. Number of inquiries regarding the policy.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question849

An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

A. accepted.
B. transferred.
C. avoided.
D. mitigated.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question848

An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

A. Chief risk officer
B. IT controls manager
C. Chief information security officer
D. Business process owner

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question846

Which of the following is MOST important for an organization that wants to reduce IT operational risk?

A. Decentralizing IT infrastructure.
B. Increasing the frequency of data backups.
C. Increasing senior management’s understanding of IT operations.
D. Minimizing complexity of IT infrastructure.

Correct Answer: C