CRISC Certified in Risk and Information Systems Control – Question454

An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?

A. Implement additional controls
B. Conduct a risk assessment
C. Update the risk register
D. Update the security strategy

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question453

The MAIN purpose of conducting a control self-assessment (CSA) is to:

A. reduce the dependency on external audits
B. gain a better understanding of the risk in the organization
C. gain a better understanding of the control effectiveness in the organization
D. adjust the controls prior to an external audit

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question451

The PRIMARY advantage of implementing an IT risk management framework is the:

A. alignment of business goals with IT objectives
B. improvement of controls within the organization and minimized losses
C. compliance with relevant legal and regulatory requirements
D. establishment of a reliable basis for risk-aware decision making

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question450

An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. This situation would be considered:

A. a risk
B. an incident
C. a threat
D. a vulnerability

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question449

An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?

A. Restrict access to customer data on a “need to know” basis
B. Enforce criminal background checks
C. Mask customer data fields
D. Require vendor to sign a confidentiality agreement

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question448

The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

A. comply with the organization’s policy
B. ensure that risk is mitigated by the control
C. confirm control alignment with business objectives
D. measure efficiency of the control process

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question447

When preparing a risk status report for periodic review by senior management, it is MOST important to ensure the report includes:

A. recommendations by an independent risk assessor
B. a summary of incidents that have impacted the organization
C. a detailed view of individual risk exposures
D. risk exposure in business terms

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question446

An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

A. A brute force attack has been detected
B. An external vulnerability scan has been detected
C. An increase in support requests has been observed
D. Authentication logs have been disabled

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question445

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

A. Accurate measurement of loss impact
B. Early detection of emerging threats
C. Identification of controls gaps that may lead to noncompliance
D. Prioritization of risk action plans across departments

Correct Answer: A