After recent updates to the risk register, management has requested that the overall level of residual risk be reduced. Which of the following is the risk practitioner's BEST course of action?

A. Prioritize remediation plans.
B. Recommend the acceptance of low-level risk.
C. Develop new risk action plans with risk owners.
D. Implement additional controls.

Mapping open risk issues to an enterprise risk heat map BEST facilitates:

A. risk ownership.
B. risk identification.
C. risk response.
D. control monitoring.

A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

A. evaluate whether selected controls are still appropriate.
B. implement the planned controls and accept the remaining risk.
C. suspend the current action plan in order to reassess the risk.
D. revise the action plan to include additional mitigating controls.

Which of the following is an example of the second line in the three lines of defense model?

A. External auditors
B. Internal auditors
C. Risk management committee
D. Risk owners

Implementing which of the following will BEST help ensure that systems comply with an established baseline before deployment?

A. Continuous monitoring and alerting.
B. Access controls and active logging.
C. Configuration management.
D. Vulnerability scanning.

Which of the following should an organization perform to forecast the effects of a disaster?

A. Analyze capability maturity model gaps.
B. Define recovery time objectives (RTO).
C. Develop a business impact analysis (BIA).
D. Simulate a disaster recovery.

Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

A. Review vendors’ performance metrics on quality and delivery of processes.
B. Review vendors’ internal risk assessments covering key risk and controls.
C. Obtain independent control reports from high-risk vendors.
D. Obtain vendor references from third parties.

The purpose of requiring source code escrow in a contractual agreement is to:

A. ensure that the source code is available if the vendor ceases to exist.
B. ensure the source code is available when bugs occur.
C. review the source code for adequacy of controls.
D. ensure that the source code is valid and exists.

Which of the following is MOST important to include when identifying risk scenarios for inclusion in a risk review of a third-party service provider?

A. Open vendor issues.
B. Purchasing agreements.
C. Supplier questionnaires.
D. Process mapping.

Which of the following BEST illustrates the relationship of actual risk exposure to appetite?

A. Residual risk that exceeds appetite.
B. Risk events in the risk profile.
C. Percentage of high risk scenarios.
D. Controls that exceed risk appetite.