Which of the following is the BEST way to determine software license compliance?

A. Conduct periodic compliance reviews.
B. List non-compliant systems in the risk register.
C. Monitor user software download activity.
D. Review whistleblower reports of noncompliance.

When establishing an enterprise IT risk management program, it is MOST important to:

A. review alignment with the organization’s strategy.
B. understand the organization’s information security policy.
C. validate the organization’s data classification scheme.
D. report identified IT risk scenarios to senior management.

Which of the following BEST indicates the effectiveness of anti-malware software?

A. Number of staff hours lost due to malware attacks.
B. Number of patches made to anti-malware software.
C. Number of successful attacks by malicious software.
D. Number of downtime hours in business critical servers.

Which of the following BEST indicates the efficiency of a process for granting access privileges?

A. Average time to grant access privileges.
B. Number of changes in access granted to users.
C. Average number of access privilege exceptions.
D. Number and type of locked obsolete accounts.

Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

A. Time required for backup restoration testing.
B. Change in size of data backed up.
C. Successful completion of backup operations.
D. Percentage of failed restore tests.

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

A. Organizational reporting process.
B. Incident reporting procedures.
C. Regularly scheduled audits.
D. Incident management policy.

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

A. Inspect external audit documentation.
B. Review management’s detailed action plans.
C. Observe the control enhancements in operation.
D. Interview control owners.

To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

A. The risk governance approach of the second and third lines of defense may differ.
B. The independence of the internal third line of defense may be compromised.
C. The new structure is not aligned to the organization’s internal control framework.
D. Cost reductions may negatively impact the productivity of other departments.

Which of the following conditions presents the GREATEST risk to an application?

A. Application development is outsourced.
B. Developers have access to production environment.
C. Source code is escrowed.
D. Application controls are manual.

Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

A. Evaluating the residual risk level.
B. Identifying key risk indicators.
C. Evaluating the return on investment.
D. Performing a cost-benefit analysis.