Which of the following is the BEST key performance indicator (KPI) to measure the ability to deliver uninterrupted IT services?

A. Mean time between failures
B. Unplanned downtime
C. Mean time to recover
D. Planned downtime

Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

A. Communicating components of risk and their acceptable levels
B. Performing a benchmark analysis and evaluating gaps
C. Participating in peer reviews and implementing best practices
D. Conducting risk assessments and implementing controls

Who should be responsible for implementing and maintaining security controls?

A. Data custodian
B. Internal auditor
C. Data owner
D. End user

Which of the following controls would BEST decrease exposure if a password is compromised?

A. Passwords have format restrictions
B. Passwords are masked
C. Password changes are mandated
D. Passwords are encrypted

Which of the following is the BEST way to validate whether controls have been implemented according to the risk mitigation action plan?

A. Implement key risk indicators (KRIs)
B. Test the control design
C. Test the control environment
D. Implement key performance indicators (KPIs)

Which of the following is MOST important to update when an organization’s risk appetite changes?

A. Key risk indicators (KRIs)
B. Risk taxonomy
C. Key performance indicators (KPIs)
D. Risk reporting methodology

Which of the following should be done FIRST when a new risk scenario has been identified?

A. Assess the risk awareness program
B. Assess the risk training program
C. Identify the risk owner
D. Estimate the residual risk

An organization has outsourced an application to a Software as a Service (SaaS) provider. The risk associated with the use of this service should be owned by the:

A. service provider’s IT manager
B. service provider’s risk manager
C. organization’s business process manager
D. organization’s vendor manager

The FIRST step for a startup company when developing a disaster recovery plan should be to identify:

A. current vulnerabilities
B. a suitable alternate site
C. recovery time objectives
D. critical business processes

Which of the following is the BEST method to maintain a common view of IT risk within an organization?

A. Establishing and communicating the IT risk profile
B. Performing and publishing an IT risk analysis
C. Collecting data for IT risk assessment
D. Utilizing a balanced scorecard