CRISC Certified in Risk and Information Systems Control – Question433

When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:

A. key risk indicators (KRIs) with risk appetite of the business
B. the control key performance indicators (KPIs) with audit findings
C. control performance with risk tolerance of business owners
D. information risk assessments with enterprise risk assessments

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question432

Which of the following should be the MOST important consideration when determining controls necessary for a highly critical information system?

A. The number of vulnerabilities to the system
B. The level of acceptable risk to the organization
C. The organization’s available budget
D. The number of threats to the system

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question431

A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?

A. Identify what additional controls are needed
B. Update the business impact analysis (BIA)
C. Prioritize issues noted during the testing window
D. Communicate test results to management

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question429

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

A. quantify key risk indicators (KRIs)
B. recommend risk tolerance thresholds
C. provide a quantified detailed analysis
D. map findings to objectives

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question428

To help ensure the success of a major IT project, it is MOST important to:

A. obtain approval from business process owners
B. obtain the appropriate stakeholders’ commitment
C. update the risk register on a regular basis
D. align it with the organization’s strategic plan

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question427

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

A. historical risk assessments
B. key risk indicators (KRIs)
C. the cost associated with each control
D. information from the risk register

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question426

Which of the following would require updates to an organization’s IT risk register?

A. Discovery of an ineffectively designed key IT control
B. Management review of key risk indicators (KRIs)
C. Changes to the team responsible for maintaining the register
D. Completion of the latest internal audit

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question425

Which of the following would be an IT business owner’s BEST course of action following an unexpected increase in emergency changes?

A. Conducting a root-cause analysis
B. Validating the adequacy of current processes
C. Evaluating the impact to control objectives
D. Reconfiguring the IT infrastructure

Correct Answer: A