CRISC Certified in Risk and Information Systems Control – Question823

Controls should be defined during the design phase of system development because:

A. technical specifications are defined during this phase.
B. structured programming techniques require that controls be designed before coding begins.
C. it's more cost-effective to determine controls in the early design phase.
D. structured analysis techniques exclude identification of controls.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question821

Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

A. Performance information in the log is encrypted.
B. Control owners approve control changes.
C. Objectives are confirmed with the business owner.
D. End-user acceptance testing has been conducted.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question820

The PRIMARY purpose of IT control status reporting is to:

A. assist internal audit in evaluating and initiating remediation efforts.
B. ensure compliance with IT governance strategy.
C. facilitate the comparison of the current and desired states.
D. benchmark IT controls with industry standards.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question819

An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?

A. The reason some databases have not been encrypted.
B. A list of unencrypted databases which contain sensitive data.
C. The cost required to enforce encryption.
D. The number of users who can access sensitive data.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question818

A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner’s PRIMARY concern?

A. Security of the test environment.
B. Readability of test data.
C. Sensitivity of the data.
D. Availability of data to authorized staff.

Correct Answer: C