CRISC Certified in Risk and Information Systems Control – Question634

Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

A. Number of incidents originating from BYOD devices
B. Budget allocated to the BYOD program security controls
C. Number of devices enrolled in the BYOD program
D. Number of users who have signed a BYOD acceptable use policy

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question633

Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

A. An increase in control vulnerabilities
B. An increase in inherent risk
C. A decrease in control layering effectiveness
D. An increase in the level of residual risk

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question632

After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

A. Notify the business at the next risk briefing
B. Obtain industry benchmarks related to the specific risk
C. Provide justification for the lower risk rating
D. Reopen the risk issue and complete a full assessment

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question630

While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?

A. Engaging a third party to validate operational controls
B. Using the same cloud vendor as a competitor
C. Using field-level encryption with a vendor supplied key
D. Ensuring the vendor does not know the encryption key

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question628

An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner’s GREATEST concern?

A. Email infrastructure does not have proper rollback plans
B. Sufficient resources are not assigned to IT development projects
C. The corporate email system does not identify and store phishing emails
D. Customer support help desk staff does not have adequate training

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question627

During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

A. Recommend the formation of an executive risk council to oversee IT risk
B. Provide an estimate of IT system downtime if IT risk materializes
C. Describe IT risk scenarios in terms of business risk
D. Educate business executives on IT risk concepts

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question626

Which of the following is the MOST important consideration when sharing risk management updates with executive management?

A. Using an aggregated view of organizational risk
B. Relying on key risk indicator (KRI) data
C. Ensuring relevance to organizational goals
D. Including trend analysis of risk metrics

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question625

A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner’s FIRST course of action?

A. Perform a root cause analysis
B. Conduct an immediate risk assessment
C. Invoke the established incident response plan
D. Inform internal audit

Correct Answer: D