CRISC Certified in Risk and Information Systems Control – Question484

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

A. a control mitigation plan is in place
B. residual risk is accepted
C. compensating controls are in place
D. risk management is effective

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question483

The compensating control that MOST effectively addresses the risk associated with piggybacking into a restricted area without a dead-man door is:

A. using two-factor authentication
B. using biometric door locks
C. requiring employees to wear ID badges
D. security awareness training

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question482

Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited. Which of the following would be the BEST response to this scenario?

A. Assess the vulnerability management process
B. Conduct a control self-assessment
C. Reassess the inherent risk of the target
D. Conduct a vulnerability assessment

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question481

An organization has experienced several incidents of extended network outages that have exceeded tolerance. Which of the following should be the risk practitioner’s FIRST step to address this situation?

A. Recommend a root cause analysis of the incidents
B. Update the risk tolerance level to acceptable thresholds
C. Recommend additional controls to address the risk
D. Update the incident-related risk trend in the risk register

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question479

An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

A. communicate the consequences for violations
B. implement industry best practices
C. reduce the organization’s risk appetite
D. reduce the risk to an acceptable level

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question478

When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

A. BCP is often tested using the walkthrough method
B. BCP testing is not in conjunction with the disaster recovery plan (DRP)
C. Each business location has separate, inconsistent BCPs
D. Recovery time objectives (RTOs) do not meet business requirements

Correct Answer: B