CRISC Certified in Risk and Information Systems Control – Question444

An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?

A. Number of training sessions completed
B. Percentage of staff members who complete the training with a passing score
C. Percentage of attendees versus total staff
D. Percentage of staff members who attend the training with positive feedback

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question443

Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?

A. Reviewing logs for unauthorized data transfers
B. Configuring the DLP control to block credit card numbers
C. Testing the transmission of credit card numbers
D. Testing the DLP rule change control process

CRISC Certified in Risk and Information Systems Control – Question442

As part of an overall IT risk management plan, an IT risk register BEST helps management:

A. stay current with existing control status
B. align IT processes with business objectives
C. understand the organizational risk profile
D. communicate the enterprise risk management policy

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question439

Which of the following provides an organization with the MOST insight with regard to operational readiness associated with risk?

A. Capability maturity assessment results
B. Minutes of the enterprise risk committee meetings
C. Benchmarking against industry standards
D. Self-assessment of capabilities

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question437

Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

A. Ability to predict trends
B. Ongoing availability of data
C. Availability of automated reporting systems
D. Ability to aggregate data

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question436

The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner’s BEST recommendation?

A. Implement training on coding best practices
B. Perform a code review
C. Perform a root cause analysis
D. Implement version control software

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question435

A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

A. can make better informed business decisions
B. better understands the system architecture
C. can balance technical and business risk
D. is more objective than risk management

Correct Answer: A