A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:

A. include a roadmap to achieve operational excellence
B. include a summary linking information to stakeholder needs
C. publish the report on-demand for stakeholders
D. include detailed deviations from industry benchmarks

Improvements in the design and implementation of a control will MOST likely result in an update to:

A. risk tolerance
B. risk appetite
C. inherent risk
D. residual risk

Which of the following would be MOST helpful when estimating the likelihood of negative events?

A. Business impact analysis
B. Cost-benefit analysis
C. Risk response analysis
D. Threat analysis

A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

A. Invoke the incident response plan
B. Modify the design of the control
C. Document the finding in the risk register
D. Re-evaluate key risk indicators

Which of the following is a detective control?

A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures

An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

A. Perform a risk assessment
B. Disable user access
C. Perform root cause analysis
D. Develop an access control policy

Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

A. Internal audit reports from the vendor
B. A control self-assessment
C. A third-party security assessment report
D. Service level agreement monitoring

A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?

A. Aggregate risk approaching the tolerance threshold
B. Vulnerabilities are not being mitigated
C. Security policies are not being reviewed periodically
D. Risk owners are focusing more on efficiency

After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

A. record risk scenarios in the risk register for analysis
B. validate the risk scenarios for business applicability
C. reduce the number of risk scenarios to a manageable set
D. perform a risk analysis on the risk scenarios

An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:

A. transfer
B. acceptance
C. mitigation
D. avoidance