Which of the following issues regarding an organization's IT incident response plan would be the GREATEST concern?
A. The incident response capability is outsourced.
B. Teams are not operational until an incident occurs.
C. Not all employees have attended incident response training.
D. Roles and responsibilities are not clearly defined.

Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective?
A. A security breach occurs.
B. Internal audit identifies recurring exceptions.
C. Changes are put into production without management approval.
D. A sample is used to validate the action plan.

To effectively support business decisions, an IT risk register MUST:
A. reflect the results of risk assessments.
B. effectively support a business maturity model.
C. be available to operational risk groups.
D. be reviewed by the IT steering committee.

Which of the following would BEST help identify the owner for each risk scenario in a risk register?
A. Allocating responsibility for risk factors equally to asset owners.
B. Determining resource dependency of assets.
C. Mapping identified risk factors to specific business processes.
D. Determining which departments contribute most to risk.

A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?
A. Risk impact
B. Risk trend
C. Risk appetite
D. Risk likelihood

A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:
A. map.
B. process.
C. profile.
D. strategy.

The PRIMARY objective for selecting risk response options is to:
A. minimize residual risk.
B. reduce risk factors.
C. reduce risk to an acceptable level.
D. identify compensating controls.

Which of the following should be included in a risk scenario to be used for risk analysis?
A. Residual risk
B. Risk tolerance
C. Risk appetite
D. Threat type

In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?
A. The asset profile
B. Business objectives
C. The control catalog
D. Key risk indicators (KRIs)
Correct Answer: D