A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:

A. identifying risk mitigation controls
B. documenting the risk scenarios
C. validating the risk scenarios
D. updating the risk register

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

A. Implement segregation of duties
B. Enforce an internal data access policy
C. Enforce the use of digital signatures
D. Apply single sign-on for access control

Which of the following would BEST help to ensure that suspicious network activity is identified?

A. Analyzing server logs
B. Coordinating events with appropriate agencies
C. Analyzing intrusion detection system (IDS) logs
D. Using a third-party monitoring provider

The BEST reason to classify IT assets during a risk assessment is to determine the:

A. appropriate level of protection
B. enterprise risk profile
C. priority in the risk register
D. business process owner

When an organization’s disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?

A. Transfer
B. Avoidance
C. Acceptance
D. Mitigation

The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

A. availability of fault tolerant software
B. strategic plan for business growth
C. vulnerability scan results of critical systems
D. redundancy of technical infrastructure

When reviewing management’s IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

A. Propose mitigating controls
B. Assess management’s risk tolerance
C. Recommend management accept the low risk scenarios
D. Re-evaluate the risk scenarios associated with the control

Which of the following provides the BEST measurement of an organization’s risk management maturity level?

A. IT alignment to business objectives
B. Level of residual risk
C. Key risk indicators (KRIs)
D. The results of a gap analysis

Which of the following is the MOST important factor affecting risk management in an organization?

A. The risk manager’s expertise
B. Regulatory requirements
C. Board of director’s expertise
D. The organization’s culture

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

A. A decrease in the number of key controls
B. Changes in control design
C. An increase in residual risk
D. Changes in control ownership