CRISC Certified in Risk and Information Systems Control – Question424

Before implementing instant messaging within an organization using a public solution, which of the following should be in place to mitigate data leakage risk?

A. An access control list
B. An acceptable usage policy
C. An intrusion detection system (IDS)
D. A data extraction tool

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question422

Which of the following approaches would BEST help to identify relevant risk scenarios?

A. Engage line management in risk assessment workshops
B. Escalate the situation to risk leadership
C. Engage internal audit for risk assessment workshops
D. Review system and process documentation

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question421

All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:

A. outsource disaster recovery to an external provider
B. select a provider to standardize the disaster recovery plans
C. evaluate opportunities to combine disaster recovery plans
D. centralize the risk response function at the enterprise level

Correct Answer: C

CRISC Certified in Risk and Information Systems Control – Question419

A change management process has recently been updated with new testing procedures. The NEXT course of action is to:

A. communicate to those who test and promote changes
B. assess the maturity of the change management process
C. conduct a cost-benefit analysis to justify the cost of the control
D. monitor processes to ensure recent updates are being followed

Correct Answer: A

CRISC Certified in Risk and Information Systems Control – Question418

After a high-profile systems breach at an organization’s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:

Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor’s control environment?

A. External audit
B. Internal audit
C. Vendor performance scorecard
D. Regulatory examination

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question417

Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

A. Improved senior management communication
B. Enhanced awareness of risk management
C. Optimized risk treatment decisions
D. Improved collaboration among risk professionals

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question416

What should be PRIMARILY responsible for establishing an organization’s IT risk culture?

A. Risk management
B. IT management
C. Business process owner
D. Executive management