CRISC Certified in Risk and Information Systems Control – Question544

A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

A. An increase in attempted distributed denial of service (DDoS) attacks
B. An increase in attempted website phishing attacks
C. A decrease in remediated web security vulnerabilities
D. A decrease in achievement of service level agreements (SLAs)

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question543

Which of the following is the BEST indication of an effective risk management program?

A. Risk action plans are approved by senior management
B. Mitigating controls are designed and implemented
C. Residual risk is within the organizational risk appetite
D. Risk is recorded and tracked in the risk register

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question541

To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

A. clearly define the project scope
B. perform background checks on the vendor
C. notify network administrators before testing
D. require the vendor to sign a nondisclosure agreement

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question537

For the first time, the procurement department has requested that IT grant remote access to third-party suppliers. Which of the following is the BEST course of action for IT in responding to the request?

A. Propose a solution after analyzing IT risk
B. Design and implement key authentication controls
C. Design and implement a secure remote access process
D. Adapt internal standards to fit the new business case

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question536

An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?

A. Audit findings
B. Expected losses
C. Cost-benefit analysis
D. Organizational threats

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question535

Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

A. Inherent risk might not be considered
B. Implementation costs might increase
C. Risk factors might not be relevant to the organization
D. Quantitative analysis might not be possible

Correct Answer: C