CRISC Certified in Risk and Information Systems Control – Question 404

Which of the following data would be used when performing a business impact analysis (BIA)?

A. Cost of regulatory compliance
B. Expected costs for recovering the business
C. Cost-benefit analysis of running the current business
D. Projected impact of current business on future business

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question 401

An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?

A. The vendor will not achieve best practices
B. The vendor will not ensure against control failure
C. The controls may not be properly tested
D. Lack of a risk-based approach to access control

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question 400

An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?

A. Resources may be inefficiently allocated
B. Management may be unable to accurately evaluate the risk profile
C. Multiple risk treatment efforts may be initiated to treat a given risk
D. The same risk factor may be identified in multiple areas

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question 399

When updating the risk register after a risk assessment, which of the following is MOST important to include?

A. Actor and threat type of the risk scenario
B. Historical losses due to past risk events
C. Cost to reduce the impact and likelihood
D. Likelihood and impact of the risk scenario

Correct Answer: D

CRISC Certified in Risk and Information Systems Control – Question 397

Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

A. Availability of in-house resources
B. Completeness of system documentation
C. Variances between planned and actual cost
D. Results of end user acceptance testing

Correct Answer: B

CRISC Certified in Risk and Information Systems Control – Question 396

The PRIMARY benefit associated with key risk indicators (KRIs) is that they:

A. identify trends in the organization’s vulnerabilities
B. provide ongoing monitoring of emerging risk
C. help an organization identify emerging threats
D. benchmark the organization’s risk profile

CRISC Certified in Risk and Information Systems Control – Question 395

Which of the following is MOST important when developing key performance indicators (KPIs)?

A. Alignment to management reports
B. Alignment to risk responses
C. Alerts when risk thresholds are reached
D. Identification of trends

Correct Answer: D

Explanation: Monitor and analyze key performance indicators (KPIs) to identify changes or trends related to the control environment and determine the efficiency and effectiveness of controls.

Reference: https://m.isaca.org/Certification/Additional-Resources/Documents/CR…