CRISC Certified in Risk and Information Systems Control – Question584

Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST:

A. reallocate risk response resources
B. review the key risk indicators
C. conduct a risk analysis
D. update the risk register

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question583

A risk practitioner has observed that there is an increasing trend of users sending sensitive information by email without using encryption. Which of the following would be the MOST effective approach to mitigate the risk associated with data loss?

A. Implement a tool to create and distribute violation reports
B. Block unencrypted outgoing emails which contain sensitive data
C. Implement a progressive disciplinary process for email violations
D. Raise awareness of encryption requirements for sensitive data

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question582

During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner’s BEST course of action?

A. Communicate the decision to the risk owner for approval
B. Identify an owner for the new control
C. Modify the action plan in the risk register
D. Seek approval from the previous action plan manager

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question581

A review of an organization’s controls has determined its data loss prevention (DLP) system is currently failing to detect outgoing emails containing credit card data. Which of the following would be MOST impacted?

A. Risk appetite
B. Residual risk
C. Key risk indicators (KRIs)
D. Inherent risk

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question579

Which of the following would be MOST helpful to understand the impact of a new technology system on an organization’s current risk profile?

A. Conduct a gap analysis
B. Review existing risk mitigation controls
C. Perform a risk assessment
D. Hire consultants specializing in the new technology

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question576

Which of the following BEST enables the identification of trends in risk levels?

A. Measurements for key risk indicators (KRIs) are repeatable
B. Qualitative definitions for key risk indicators (KRIs) are used
C. Quantitative measurements are used for key risk indicators (KRIs)
D. Correlation between risk levels and key risk indicators (KRIs) is positive

Correct Answer: C