CRISC Certified in Risk and Information Systems Control – Question714

Which of the following is the MOST effective way to mitigate identified risk scenarios?

A. Document the risk tolerance of the organization.
B. Assign ownership of the risk response plan.
C. Provide awareness in early detection of risk.
D. Perform periodic audits on identified risk areas.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question712

An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

A. Classification of the data
B. Type of device
C. Remote management capabilities
D. Volume of data

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question711

Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

A. Percentage of issues related as a result of DRP testing
B. Number of users that participated in the DRP testing
C. Number of issues identified during DRP testing
D. Percentage of applications that met the RTO during DRP testing

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question710

Which of the following BEST indicates effective information security incident management?

A. Frequency of information security incident response plan testing
B. Percentage of high risk security incidents
C. Monthly trend of information security-related incidents
D. Average time to identify critical information security incidents

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question708

An IT license audit has revealed that there are several unlicensed copies of commercial applications installed on company laptops. The risk practitioner’s BEST course of action would be to:

A. immediately uninstall the unlicensed software from the laptops.
B. procure the requisite licenses for the software to minimize business impact.
C. report the issue to management so appropriate action can be taken.
D. centralize administration rights on laptops so that installations are controlled.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question707

A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

A. Senior management allocation of risk management resources
B. Senior management roles and responsibilities
C. The organization’s strategic risk management projects
D. The organization’s risk appetite and tolerance

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question706

Who is the MOST appropriate owner for newly identified IT risk?

A. The manager responsible for IT operations that will support the risk mitigation efforts
B. The individual with the most IT risk-related subject matter knowledge
C. The individual with authority to commit organizational resources to mitigate the risk
D. A project manager capable of prioritizing the risk remediation efforts

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question705

Which of the following is the MOST important requirement for monitoring key risk indicators (KRIs) using log analysis?

A. Collecting logs from the entire set of IT systems
B. Providing accurate logs in a timely manner
C. Implementing an automated log analysis tool
D. Obtaining logs in an easily readable format

Correct Answer: A