CRISC Certified in Risk and Information Systems Control – Question674

A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?

A. Planned remediation actions
B. The network security policy
C. The WiFi access point configuration
D. Potential business impact

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question672

An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner’s BEST course of action?

A. Revert the implemented mitigation measures until approval is obtained.
B. Validate the adequacy of the implemented risk mitigation measures.
C. Report the observation to the chief risk officer (CRO).
D. Update the risk register with the implemented risk mitigation actions.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question671

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

A. Redundant compensating controls are in place.
B. Asset custodians are responsible for defining controls instead of asset owners.
C. A high number of approved exceptions exist with compensating controls.
D. Successive assessments have the same recurring vulnerabilities.

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question670

Which of the following will BEST mitigate the risk associated with IT and business misalignment?

A. Introducing an established framework for IT architecture
B. Establishing business key performance indicators (KPIs)
C. Involving the business process owner in IT strategy
D. Establishing key risk indicators (KRIs)

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question669

Which of the following is MOST critical to the design of relevant risk scenarios?

A. The scenarios are linked to probable organizational situations.
B. The scenarios are based on past incidents.
C. The scenarios are aligned with risk management capabilities.
D. The scenarios are mapped to incident management capabilities.

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question667

Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

A. A well-established risk management committee
B. A robust risk aggregation tool set
C. Well-documented and communicated escalation procedures
D. Clearly defined roles and responsibilities

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question665

Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

A. Percentage of unpatched IT assets
B. The number of IT assets procured during the previous month
C. The number of IT assets securely disposed during the past year
D. Percentage of IT assets without ownership

Correct Answer: C