CRISC Certified in Risk and Information Systems Control – Question703

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

A. Utilize the change management process.
B. Validate functionality by running in a test environment.
C. Perform an in-depth code review with an expert.
D. Implement a service level agreement.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question701

A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?

A. Mask data before being transferred to the test environment.
B. Implement equivalent security in the test environment.
C. Enable data encryption in the test environment.
D. Prevent the use of production data for test purposes.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question699

A risk practitioner is organizing a training session to communicate risk assessment methodologies to ensure a consistent risk view within the organization. Which of the following is the MOST important topic to cover in this training?

A. Applying risk factors
B. Applying risk appetite
C. Understanding risk culture
D. Referencing risk event data

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question698

An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

A. Plans for mitigating the associated risk
B. Suggestions for improving risk awareness training
C. A recommendation for internal audit validation
D. The impact to the organization’s risk profile

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question697

Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

A. Avoiding risks that could materialize into substantial losses
B. Increasing organizational resources to mitigate risks
C. Defining expectations in the enterprise risk policy
D. Communicating external audit results

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question696

When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

A. Require the vendor to have liability insurance.
B. Perform a background check on the vendor.
C. Require the vendor to sign a nondisclosure agreement.
D. Clearly define the project scope.

Correct Answer: D