CRISC Certified in Risk and Information Systems Control – Question784

An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?

A. Analyze data protection methods.
B. Understand data flows.
C. Include a right-to-audit clause.
D. Implement strong access controls.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question783

Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management’s action plan?

A. Survey device owners.
B. Review awareness training assessment results.
C. Re-scan the user environment.
D. Require annual end user policy acceptance.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question782

Which of the following activities should be performed FIRST when establishing IT risk management processes?

A. Conduct a high-level risk assessment based on the nature of business.
B. Collect data of past incidents and lessons learned.
C. Identify the risk appetite of the organization.
D. Assess the goals and culture of the organization.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question781

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

A. Obtain an objective view of process gaps and systemic errors.
B. Ensure the risk profile is defined and communicated.
C. Validate the threat management process.
D. Obtain objective assessment of the control environment.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question779

Which of the following is the BEST indication that an organization is following a mature risk management process?

A. Executive management receives periodic risk awareness training.
B. Attributes of each risk scenario have been documented within the risk register.
C. The risk register is frequently utilized for decision-making.
D. A dashboard has been developed for senior management to provide real-time risk values.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question776

An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

A. Implement database activity and capacity monitoring.
B. Consider providing additional system resource to this job.
C. Ensure the enterprise has a process to detect such situations.
D. Ensure the business is aware of the risk.

Correct Answer: C