Which of the following is MOST helpful in developing key risk indicator thresholds?

A. Loss expectancy information
B. IT service level agreements
C. Control performance results
D. Remediation activity progress

Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s change management process?

A. Average time to complete changes
B. Increase in the number of emergency changes
C. Percent of unauthorized changes
D. Increase in the frequency of changes

Which of the following is the PRIMARY consideration when establishing an organization’s risk management methodology?

A. Risk tolerance level
B. Benchmarking information
C. Resource requirements
D. Business context

The PRIMARY reason, a risk practitioner would be interested in an internal audit report is to:

A. maintain a risk register based on noncompliances
B. plan awareness programs for business managers
C. assist in the development of a risk profile
D. evaluate maturity of the risk management process

Effective risk communication BEST benefits an organization by:

A. improving the effectiveness of IT controls
B. helping personnel make better informed decisions
C. increasing participation in the risk assessment process
D. assisting the development of a risk register

Which of the following is MOST important for successful incident response?

A. The quantity of data logged by the attack control tools
B. The ability to trace the source of the attack
C. The timeliness of attack recognition
D. Blocking the attack route immediately

The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify.

A. possible noncompliant activities that lead to data disclosure
B. leading or lagging key risk indicators (KRIs)
C. inconsistencies between security policies and procedures
D. unknown threats to undermine existing access controls

Which of the following is the BEST way to identify changes in the risk profile of an organization?

A. Monitor key risk indicators (KRIs)
B. Monitor key performance indicators (KPIs)
C. Conduct a gap analysis
D. Interview the risk owner

If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?

A. Redefine the business process to reduce the risk
B. Evaluate alternative controls
C. Develop a plan to upgrade technology
D. Define a process for monitoring risk

Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

A. Unclear reporting relationships
B. Weak governance structures
C. Senior management scrutiny
D. Complex regulatory environment