CRISC Certified in Risk and Information Systems Control – Question644

IT management has asked for a consolidated view into the organization’s risk profile to enable project prioritization and resource allocation. Which of the following materials would be MOST helpful?

A. List of key risk indicators
B. Internal audit reports
C. IT risk register
D. List of approved projects

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question643

An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

A. The organization’s vendor management office
B. The organization’s management
C. The control operators at the third party
D. The third party’s management

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question642

After identifying new risk events during a project, the project manager’s NEXT step should be to:

A. continue with a quantitative risk analysis
B. determine if the scenarios need to be accepted or responded to
C. continue with a qualitative risk analysis
D. record the scenarios into the risk register

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question641

Which of the following would BEST help to ensure that identified risk is efficiently managed?

A. Reviewing the maturity of the control environment
B. Maintaining a key risk indicator for each asset in the risk register
C. Regularly monitoring the project plan
D. Periodically reviewing controls per the risk treatment plan

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question640

An application owner has specified that the acceptable downtime in the event of an incident is much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

A. Invoke the disaster recovery plan during an incident
B. Reduce the recovery time by strengthening the response team
C. Prepare a cost-benefit analysis of alternatives available
D. Implement redundant infrastructure for the application

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question639

An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

A. Service level agreement
B. Right to audit the provider
C. Customer service reviews
D. Scope of services provided

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question637

The annualized loss expectancy (ALE) method of risk analysis:

A. uses qualitative risk rankings such as low, medium, and high
B. can be used to determine the indirect business impact
C. helps in calculating the expected cost of controls
D. can be used in a cost-benefit analysis

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question635

The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

A. ensure business unit risk is uniformly distributed
B. build a risk profile for management review
C. quantify the organization’s risk appetite
D. implement uniform controls for common risk scenarios

Correct Answer: B