Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
Which of the following would BEST mitigate the ongoing risk associated with operating system (OS) vulnerabilities?
Which of the following is the MOST important outcome of a business impact analysis (BIA)?
Of the following, who is responsible for approval when a change in an application system is ready for release to production?
An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
Which of the following would BEST facilitate the implementation of data classification requirements?
When reviewing the business continuity plan (BCP) of an online sales order system, a risk practitioner notices that the recovery time objective (RTO) has a shorter lime than what is defined in the disaster recovery plan (DRP). Which of the following is the BEST way for the risk practitioner to address this concern?
Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''
Which of the following is the MOST important objective from a cost perspective for considering aggregated risk responses in an organization?
Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?
Which of the following is the MOST important consideration for effectively maintaining a risk register?
As pan of business continuity planning, which of the following is MOST important to include m a business impact analysis (BlA)?
A risk practitioner recently discovered that personal information from the production environment is required for testing purposes in non-production environments. Which of the following is the BEST recommendation to address this situation?
A control process has been implemented in response to a new regulatory requirement, but has significantly reduced productivity. Which of the following is the BEST way to resolve this concern?
Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?
A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?
An organization has operations in a location that regularly experiences severe weather events. Which of the following would BEST help to mitigate the risk to operations?
An organization is analyzing the risk of shadow IT usage. Which of the following is the MOST important input into the assessment?
Which of the following is the MAIN benefit to an organization using key risk indicators (KRIs)?
Which of the following would be a risk practitioner's BEST course of action when a project team has accepted a risk outside the established risk appetite?
The MAIN reason for prioritizing IT risk responses is to enable an organization to:
Which of the following is the GREATEST concern when establishing key risk indicators (KRIs)?
Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
Which of the following is the MOST useful information for a risk practitioner when planning response activities after risk identification?
A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?
Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?
A multinational company needs to implement a new centralized security system. The risk practitioner has identified a conflict between the organization's data-handling policy and local privacy regulations. Which of the following would be the BEST recommendation?
Who should be accountable for authorizing information system access to internal users?
Which of the following BEST enables detection of ethical violations committed by employees?
Which of the following BEST reduces the likelihood of fraudulent activity that occurs through use of a digital wallet?
When confirming whether implemented controls are operating effectively, which of the following is MOST important to review?
Which of the following is the GREATEST impact of implementing a risk mitigation strategy?
Which of the following should be the PRIMARY focus of a disaster recovery management (DRM) framework and related processes?
Which of the following should be the PRIMARY consideration when assessing the risk of using Internet of Things (loT) devices to collect and process personally identifiable information (PII)?
In the three lines of defense model, a PRIMARY objective of the second line is to:
Which of the following is the PRIMARY benefit of integrating risk and security requirements in an organization's enterprise architecture (EA)?
Which of the following events is MOST likely to trigger the need to conduct a risk assessment?
Which of the following is MOST useful when performing a quantitative risk assessment?
Within the three lines of defense model, the responsibility for managing risk and controls resides with:
Which of the following BEST enables the timely detection of changes in the security control environment?
Which of the following would present the GREATEST challenge for a risk practitioner during a merger of two organizations?
WhichT5f the following is the MOST effective way to promote organization-wide awareness of data security in response to an increase in regulatory penalties for data leakage?
A risk practitioner identifies an increasing trend of employees copying company information unrelated to their job functions to USB drives. Which of the following elements of the risk register should be updated to reflect this observation?