CRISC Certified in Risk and Information Systems Control – Question664

Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

A. Establishing e-discovery and data loss prevention (DLP)
B. Sending notifications when near storage quota
C. Implementing record retention tools and techniques
D. Implementing a bring your own device (BYOD) policy

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question662

Which of the following should be the HIGHEST priority when developing a risk response?

A. The risk response is accounted for in the budget.
B. The risk response aligns with the organization’s risk appetite.
C. The risk response is based on a cost-benefit analysis.
D. The risk response addresses the risk with a holistic view.

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question661

A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management’s response?

A. The underlying data source for the KRI is using inaccurate data and needs to be corrected.
B. The KRI threshold needs to be revised to better align with the organization’s risk appetite.
C. Senior management does not understand the KRI and should undergo risk training.
D. The KRI is not providing useful information and should be removed from the KRI inventory.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question660

A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner’s BEST course of action when a compensating control needs to be applied?

A. Record the risk as accepted in the risk register.
B. Obtain the risk owner’s approval.
C. Inform senior management.
D. Update the risk response plan.

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question655

A risk practitioner has identified that the organization’s secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

A. Business continuity director
B. Business application owner
C. Disaster recovery manager
D. Data center manager

Correct Answer: B