CRISC Certified in Risk and Information Systems Control – Question523

Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

A. Corporate incident escalation protocols are established
B. The organization-wide control budget is expanded
C. Exposure is integrated into the organization’s risk profile
D. Risk appetite cascades to business unit management

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question521

Which of the following approaches to bring your own device (BYOD) service delivery provides the BEST protection from data loss?

A. Penetration testing and session timeouts
B. Implement remote monitoring
C. Enforce strong passwords and data encryption
D. Enable data wipe capabilities

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question520

During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?

A. Escalate the issue to senior management
B. Discuss risk mitigation options with the risk owner
C. Certify the control after documenting the concern
D. Implement compensating controls to reduce residual risk

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question519

The BEST way to test the operational effectiveness of a data backup procedure is to:

A. inspect a selection of audit trails and backup logs
B. conduct an audit of files stored offsite
C. demonstrate a successful recovery from backup files
D. interview employees to compare actual with expected procedures

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question518

Which of the following is the BEST method to identify unnecessary controls?

A. Evaluating existing controls against audit requirements
B. Reviewing system functionalities associated with business processes
C. Monitoring existing key risk indicators (KRIs)
D. Evaluating the impact of removing existing controls

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question517

The BEST method to align an organization’s business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:

A. outsource the maintenance of the BCP and DRP to a third party
B. include BCP and DRP responsibilities as part of the new employee training
C. execute periodic walk-throughs of the BCP and DRP
D. update the business impact analysis (BIA) for significant business changes

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question515

An organization’s internal auditors have identified a new IT control deficiency in the organization’s identity and access management (IAM) system. It is MOST important for the risk practitioner to:

A. perform a follow-up risk assessment to quantify the risk impact
B. verify that applicable risk owners understand the risk
C. implement compensating controls to address the deficiency
D. recommend replacement of the deficient system

Correct Answer: C