CRISC Certified in Risk and Information Systems Control – Question744

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?

A. Building correlations between logs collected from different sources
B. Ensuring the control is proportional to the risk
C. Implementing log analysis tools to automate controls
D. Ensuring availability of resources for log analysis

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question741

Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

A. It compares performance levels of IT assets to value delivered.
B. It provides input to business managers when preparing a business case for new IT projects.
C. It facilitates the alignment of strategic IT objectives to business objectives.
D. It helps assess the effects of IT decisions on risk exposure.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question740

Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

A. Determining processes for monitoring the effectiveness of the controls
B. Confirming to management the controls reduce the likelihood of the risk
C. Updating the risk register to include the risk mitigation plan
D. Ensuring that control design reduces risk to an acceptable level

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question738

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

A. All business critical systems are successfully tested.
B. Errors are discovered in the disaster recovery process.
C. All critical data is recovered within recovery time objectives (RTOs).
D. The organization gains assurance it can recover from a disaster.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question737

A trusted third party service provider has determined that the risk of a client’s systems being hacked is low. Which of the following would be the client’s BEST course of action?

A. Perform an independent audit of the third party.
B. Accept the risk based on the third party’s risk assessment.
C. Perform their own risk assessment.
D. Implement additional controls to address the risk.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question736

Which of the following is the MOST important key performance indicator (KPI) to establish in the service agreement (SLA) for an outsourced data center?

A. Number of key systems hosted
B. Percentage of system availability
C. Average response time to resolve system incidents
D. Percentage of systems included in recovery processes

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question735

Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management’s risk appetite?

A. Decrease the number of related risk scenarios.
B. Optimize the control environment.
C. Realign risk appetite to the current risk level.
D. Reduce the risk management budget.

Correct Answer: B