Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

A. Process owners
B. IT management
C. Senior management
D. Internal audit

Which of the following would be a risk practitioner’s BEST recommendation to help ensure cyber risk is assessed and reflected in the enterprise-level risk profile?

A. Conduct cyber risk awareness training tailored specifically for senior management
B. Implement a cyber risk program based on industry best practices
C. Manage cyber risk according to the organization’s risk management framework
D. Define cyber roles and responsibilities across the organization

Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

A. Audit reports from internal information systems audits
B. Directives from legal and regulatory authorities
C. Trend analysis of external risk factors
D. Automated logs collected from different systems

Which of the following is the BEST way to validate the results of a vulnerability assessment?

A. Perform a penetration test
B. Perform a root cause analysis
C. Conduct a threat analysis
D. Review security logs

Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

A. An increase in the number of identified system flaws
B. A reduction in the number of help desk calls
C. An increase in the number of incidents reported
D. A reduction in the number of user access resets

Establishing an organizational code of conduct is an example of which type of control?

A. Directive
B. Preventive
C. Detective
D. Compensating

Which of the following is MOST helpful in aligning IT risk with business objectives?

A. Performing a business impact analysis (BIA)
B. Integrating the results of top-down risk scenario analyses
C. Introducing an approved IT governance framework
D. Implementing a risk classification system

A contract associated with a cloud service provider MUST include:

A. a business recovery plan
B. ownership of responsibilities
C. provision for source code escrow
D. the provider’s financial statements

Which of the following statements BEST describes risk appetite?

A. Acceptable variation between risk thresholds and business objectives
B. The amount of risk an organization is willing to accept
C. The effective management of risk and internal control environments
D. The acceptable variation relative to the achievement of objectives

An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

A. Develop a compensating control
B. Identify risk responses
C. Allocate remediation resources
D. Perform a cost-benefit analysis