CRISC Certified in Risk and Information Systems Control – Question793

Which of the following is MOST important to include in regulatory and risk updates when a new legal requirement affects the organization?

A. Recommended key risk indicator (KRI) thresholds.
B. Cost of changes to critical business processes.
C. Risk associated with noncompliance.
D. Time frame to remediate noncompliance risk.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question792

What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

A. Aggregated risk may exceed the enterprise’s risk appetite and tolerance.
B. Duplicate resources may be used to manage risk registers.
C. Standardization of risk management practices may be difficult to enforce.
D. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question789

Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

A. Cost of the information control system.
B. Cost versus benefit of additional mitigating controls.
C. Annualized loss expectancy (ALE) for the system.
D. Frequency of business impact.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question787

Which of the following should be a risk practitioner's NEXT step upon learning the organization is not in compliance with a specific legal regulation?

A. Assess the likelihood and magnitude of the associated risk.
B. Identify mitigation activities and compensating controls.
C. Notify senior compliance executives of the associated risk.
D. Determine the penalties for lack of compliance.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question786

Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

A. Time between when IT risk scenarios are identified and the enterprise’s response.
B. Percentage of business users completing risk training.
C. Percentage of high-risk scenarios for which risk action plans have been developed.
D. Number of key risk indicators (KRIs) defined.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question785

The FIRST task when developing a business continuity plan should be to:

A. identify critical business functions and resources.
B. determine data backup and recovery availability at an alternate site.
C. define roles and responsibilities for implementation.
D. identify recovery time objectives (RTOs) for critical business applications.

Correct Answer: A