CRISC Certified in Risk and Information Systems Control – Question814

Which of the following would be a risk practitioner's GREATEST concern related to the monitoring of key risk indicators (KRIs)?

A. Logs are retained for a longer duration than the data retention policy requires.
B. Logs are encrypted during transmission from the system to analysis tools.
C. Logs are modified before analysis is conducted.
D. Logs are collected from a small number of systems.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question810

A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

A. Ask the business to make a budget request to remediate the problem.
B. Research the types of attacks the threat can present.
C. Determine the impact of the missing threat.
D. Build a business case to remediate the fix.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question809

Which of the following would MOST likely require a risk practitioner to update the risk register?

A. An alert being reported by the security operations center.
B. Development of a project schedule for implementing a risk response.
C. Engagement of a third party to conduct a vulnerability scan.
D. Completion of a project for implementing a new control.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question808

An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

A. risk owners have decision-making authority.
B. senior management has oversight of the process.
C. segregation of duties exists between risk and process owners.
D. process ownership aligns with IT system ownership.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question805

An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?

A. Engage the legal department.
B. Conduct a gap analysis.
C. Implement compensating controls.
D. Review the risk profile.

Correct Answer: B