
CRISC


Question Results

Score 0 of 1

Question:

An organization has experienced several incidents of extended network outages that have exceeded
tolerance. Which of the following should be the risk practitioner’s FIRST step to address this situation?

Response:

Recommend additional controls to address the risk

Recommend a root cause analysis of the incidents

Update the risk tolerance level to acceptable thresholds

Update the incident-related risk trend in the risk register

Score 0 of 1

Question:

In the project initiation phase of the System Development Life Cycle, the project is initiated by which of
the following roles?

Response:

CRO

CIO

Business management

Sponsor

Score 1 of 1

Question:

Security measures implemented to ensure that processes are performed to a certain standard, degree,
or depth are called __________.

Response:
Requirements

Risks

Controls

Objectives

Score 0 of 1

Question:

The __________ framework is not IT security–centric and was developed with organizational
governance in mind.

Response:

COBIT

ISACA IT Risk Management

CRISC

NIST 800-37, revision 1

Score 1 of 1

Question:

When determining which control deficiencies are most significant, which of the following would provide
the MOST useful information?

Response:

Benchmarking assessments

Exception handling policy

Vulnerability assessment results

Risk analysis results

Score 1 of 1

Question:

Which of the following statements is true for risk analysis?


Response:

Risk analysis should address the potential size and likelihood of loss.

Risk analysis should assume an equal degree of protection for all assets.

Risk analysis should give more weight to the likelihood than the size of loss.

Risk analysis should limit the scope to a benchmark of similar companies

Score 0 of 1

Question:

When reviewing management’s IT control self-assessments, a risk practitioner noted an ineffective
control that links to several low residual risk scenarios. What should be the NEXT course of action?

Response:

Assess management’s risk tolerance

Propose mitigating controls

Re-evaluate the risk scenarios associated with the control

Recommend management accept the low risk scenarios

Score 1 of 1

Question:

Which of the following is the process of numerically analyzing the effects of identified risks on the
enterprise's overall objectives?

Response:

Identifying Risks

Monitoring and Controlling Risks

Quantitative Risk Assessment

Qualitative Risk Assessment

Score 0 of 1

Question:
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention
(DLP) control that has been implemented to prevent the loss of credit card data?

Response:

Testing the DLP rule change control process

Reviewing logs for unauthorized data transfers

Configuring the DLP control to block credit card numbers

Testing the transmission of credit card numbers
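The "test the transmission" option above is the one a practitioner would actually execute: push known card numbers through the monitored channel and check that the control blocks them, while non-card numbers pass. The following is an added example, not code from the original page or from any DLP product: it models the classification the DLP rule under test is expected to make (a PAN-shaped digit run that also passes the Luhn mod-10 check), so the tester has an expected outcome per message to compare the real control's behaviour against. The sample transmissions and the 16-digit ticket number that deliberately fails Luhn are constructed for this example; the regex-plus-Luhn logic is this example's assumption about how the rule identifies a PAN.

```python
import re
from typing import Dict, List

# Constructed test transmissions (not from the original page): the payloads a
# DLP effectiveness test would push through the monitored channel.
SAMPLE_TRANSMISSIONS = [
    "Order 4417 confirmed, card 4111 1111 1111 1111 exp 09/27",  # valid PAN (Visa test number)
    "Invoice INV-2024-0001 total 1299.00 ref 5500000000000004",   # valid PAN (Mastercard test number)
    "Ticket 1234567812345678 escalated to tier 2",                # 16 digits but fails Luhn: not a PAN
    "Customer phone 555-0100, no payment data",                   # nothing to flag
]

# 13-19 digits, optionally separated by single spaces or hyphens, as card numbers are written.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check on a string of digits; real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the normalized (separator-free) PANs in text that pass the Luhn check."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def run_dlp_test(transmissions: List[str]) -> Dict[str, List[str]]:
    """Classify each test transmission the way the DLP rule under test should:
    block anything carrying a Luhn-valid PAN, pass everything else.
    Comparing this against what the real control actually blocked is the test."""
    result: Dict[str, List[str]] = {"blocked": [], "passed": []}
    for message in transmissions:
        result["blocked" if find_pans(message) else "passed"].append(message)
    return result


if __name__ == "__main__":
    outcome = run_dlp_test(SAMPLE_TRANSMISSIONS)
    for label, messages in outcome.items():
        print(label, len(messages))
```

The ticket number is the case worth keeping in the test set: a rule that matches on digit count alone will block it, so the harness also measures false positives, not just whether real PANs are caught.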

Score 1 of 1

Question:

What process would help you deal with risks that require an exemption to policy?

Response:

Exception management process

Risk acceptance process

Risk mitigation process

Risk management process

Score 0 of 1

Question:

You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and
application landscape is so complex that, within a few years, extending capacity will become difficult and
maintaining software will become very expensive.

To overcome this risk the response adopted is a re-architecture of the existing system and the purchase of a
new integrated system. In which of the following risk prioritization options would this case be
categorized?

Response:

Deferrals

Quick win
Contagious risk

Business case to be made

Score 1 of 1

Question:

Which negative risk response usually has a contractual agreement?

Response:

Mitigation

Transference

Sharing

Exploiting

Score 1 of 1

Question:

What is the IMMEDIATE step after defining a set of risk scenarios?

Response:

Risk mitigation

Risk management

Risk analysis

Risk monitoring

Score 0 of 1

Question:

Which of the following is a risk that occurs at an important business partner and affects a
large group of enterprises within an area or industry?

Response:

Operational risk
Reporting risk

Contagious risk

Systemic risk

Score 1 of 1

Question:

Which of the following is a performance measure that is used to evaluate the efficiency of an investment
or to compare the efficiency of a number of different investments?

Response:

Return On Investment

Redundant Array of Inexpensive Disks

Return On Security Investment

Total Cost of Ownership

Score 1 of 1

Question:

FISMA requires federal agencies to protect IT systems and data. How often should compliance be
audited by an external organization?

Response:

Never

Annually

Every three years

Quarterly

Score 0 of 1

Question:

Which of the following items is considered an objective of the three-dimensional model within the
framework described in COSO ERM?

Response:

Monitoring

Risk assessment

Financial reporting

Control environment

Score 1 of 1

Question:

Which of the following risk responses includes feedback and guidance from well-qualified risk officials
and those internal to the project?

Response:

Risk Acceptance

Expert judgment

Contingent response strategy

Risk transfer

Score 1 of 1

Question:

Which of the following controls is used to ensure that users have the rights and permissions they need to
perform their jobs, and no more?

Response:

System and Communications protection control

Identification and Authentication control

Access control

Audit and Accountability control

Score 0 of 1

Question:
You are the project manager of the GHT project. You have applied a control to prevent unauthorized
changes in your project. Which of the following controls would you have applied for this
purpose?

Response:

Personnel security control

Configuration management control

Physical and environment protection control

Access control

Score 1 of 1

Question:

Which of the following controls does NOT come under the technical class of controls?

Response:

System and Communications Protection control

Identification and Authentication control

Program management control

Access Control

Score 0 of 1

Question:

Which control framework might be specifically applied to industrial control systems?

Response:

ISA 62443-3-3:2013

ISO/IEC 15408

COBIT 5

Australian Signals Directorate’s “Strategies to Mitigate Targeted Cyber Intrusions”


Score 1 of 1

Question:

Which of the following is the greatest risk to reporting?

Response:

Integrity of data

Confidentiality of data

Availability of data

Reliability of data

Score 0 of 1

Question:

Which of the following controls detects a problem before it can occur?

Response:

Deterrent control

Preventative control

Detective control

Compensation control

Score 0 of 1

Question:

Which of the following regulations requires a formalized risk management program in order to protect
electronic patient health information?

Response:

PCI-DSS

HIPAA

GLBA
FISMA

Score 1 of 1

Question:

For which of the following risk management capability maturity levels is the statement given below
true?

"Real-time monitoring of risk events and control exceptions exists, as does automation of policy
management"

Response:

Level 5

Level 0

Level 2

Level 3

Score 0 of 1

Question:

Which of the following controls focuses on operational efficiency in a functional area and adherence to
management policies?

Response:

Internal accounting control

Administrative control

Detective control

Operational control

Score 1 of 1

Question:

Which of the following is NOT indirect information?

Response:

The lack of any significant differences between perpetual inventory levels and actual levels of goods.

Reports that show orders that were rejected for credit limitations.

Reports that provide information about any unusual deviations and individual product margins.

Information about the propriety of cutoff

Score 1 of 1

Question:

The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Response:

redundancy of technical infrastructure

strategic plan for business growth

availability of fault tolerant software

vulnerability scan results of critical systems

Score 1 of 1

Question:

You are the risk professional of your enterprise. You need to calculate the potential revenue loss if a certain
risk occurs.

Your enterprise has an electronic (e-commerce) web site that produces US $1 million of revenue each
day. If a denial of service (DoS) attack occurs that lasts half a day, how much loss does it create?

Response:

US $1 million loss

US $100,000 loss

US $500,000 loss

US $250,000 loss

Score 1 of 1

Question:
Which of the following are the security plans adopted by the organization?
Each correct answer represents a complete solution. Choose all that apply.

Response:

Disaster recovery plan

Project management plan

Business continuity plan

Backup plan

Score 0 of 1

Question:

Which of the following is a key component of strong internal control environment?

Response:

Automated tools

RMIS

Manual control

Segregation of duties

Score 0 of 1

Question:

Which of the following collects information about different actors and negative events that could exploit
the vulnerabilities in a system?

Response:

Threat assessment

Compliance assessment

Penetration test
Vulnerability assessment

Score 1 of 1

Question:

Which of the following will significantly affect the standard information security governance model?

Response:

Number of employees

Complexity of the organizational structure

Currency with changing legislative requirements

Cultural differences between physical locations

Score 0 of 1

Question:

For the first time, the procurement department has requested that IT grant remote access to third-party
suppliers. Which of the following is the BEST course of action for IT in responding to the request?

Response:

Design and implement a secure remote access process

Adapt internal standards to fit the new business case

Design and implement key authentication controls

Propose a solution after analyzing IT risk

Score 0 of 1

Question:

Which of the following is the BEST metric to demonstrate the effectiveness of an organization’s change
management process?

Response:

Increase in the frequency of changes

Average time to complete changes

Percent of unauthorized changes

Increase in the number of emergency changes

Score 1 of 1

Question:

Which of the following management and governance frameworks incorporates both the Risk IT
Framework and the Val IT framework?

Response:

NIST SP 800-53

ISO/IEC 27001

SANS Top 20 CSC

COBIT 5

Score 0 of 1

Question:

Which of the following scenarios best describes a control gap?

Response:

Permissions on a sensitive network share that allow all users to read the contents

Whitelisting only specific applications that are allowed on a workstation

A firewall that successfully blocks all traffic except for that specifically allowed

Encryption settings that encrypt both sensitive and nonsensitive data

Score 0 of 1

Question:

Which of the following provides the BEST measurement of an organization’s risk management maturity
level?
Response:

The results of a gap analysis

IT alignment to business objectives

Key risk indicators (KRIs)

Level of residual risk

Score 1 of 1

Question:

Which of the following establishes mandatory rules, specifications and metrics used to measure
compliance against quality, value, etc?

Response:

Framework

Standard

Practices

Legal requirements

Score 1 of 1

Question:

Which of the following should be the MOST important consideration when determining controls
necessary for a highly critical information system?

Response:

The level of acceptable risk to the organization

The number of vulnerabilities to the system

The number of threats to the system

The organization’s available budget

Score 0 of 1

Question:
All of the following are valid supporting factors in building a business case to justify implementing an IT
control, except which one?

Response:

Security goals

Profitability

Governance

Liability

Score 0 of 1

Question:

Which of the following is a vulnerability associated with the integrity aspect of data management?

Response:

Failure to assign correct permissions to sensitive tables in a database

Lack of encryption for sensitive data being transferred between two systems

Failure of a DBMS to perform transaction checking on data

Faulty backup processes that do not completely back up all sensitive data

Score 1 of 1

Question:

Which of the following frameworks might be used in business governance and IT enterprise
management?

Response:

NIST RMF

The Risk IT Framework

ISO 27001

COBIT
Score 1 of 1

Question:

Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one
of the following will NOT help Wendy to perform this project management activity?

Response:

Stakeholder register

Risk register

Project scope statement

Risk management plan

Score 0 of 1

Question:

The best way to test the operational effectiveness of a data backup procedure is to:

Response:

conduct an audit of files stored offsite

interview employees to compare actual with expected procedures

demonstrate a successful recovery from backup files

inspect a selection of audit trails and backup logs

Score 1 of 1

Question:

You are the project manager of the GHT project. You have identified a risk event on your current project
that could save $670,000 in project costs if it occurs.

Your organization is considering hiring a vendor to help establish proper project management
techniques in order to assure it realizes these savings.

Which of the following statements is TRUE for this risk event?

Response:
This is a risk event that should be shared to take full advantage of the potential savings.

This risk event should be mitigated to take advantage of the savings.

This risk event is an opportunity to the project and should be exploited.

This risk event should be accepted because the rewards outweigh the threat to the project.

Score 1 of 1

Question:

You are the project manager of the HWD project. It requires the installation of some electrical machines. You
and the project team decided to hire an electrician because the electrical work can be too dangerous to perform.

What type of risk response are you following?

Response:

Mitigation

Acceptance

Transference

Avoidance

Score 0 of 1

Question:

You are the project manager for the GHT project. You need to perform the Qualitative risk analysis process.
When you have completed this process, you will produce all of the following as part of the risk register
update output except which one?

Response:

Probability of achieving time and cost estimates

Priority list of risks

Watch list of low-priority risks

Risks grouped by categories

Score 0 of 1
Question:

How can ISSE processes assist the control design and implementation process?

Response:

By ensuring security is considered throughout the entire SDLC process

By minimizing threats to assets and threat actors

By ensuring that vulnerabilities are not exposed to threats

By eliminating risk for a particular asset as it is designed, developed, and implemented

Score 0 of 1
(skipped)

Question:

You are completing the qualitative risk analysis process with your project team and are relying on the
risk management plan to help you determine the budget, schedule for risk management, and risk
categories.

You discover that the risk categories have not been created. When should the risk categories have
been created?

Response:

Define scope process

Risk identification process

Plan risk management process

Create work breakdown structure process

Score 0 of 1
(skipped)

Question:

A business wants to look at expanding into a developing country where the risks are high along with the
rewards. The business needs to understand which of the following?
(Choose two.)

Response:
Risk response

Risk tolerance

Risk appetite

Risk strategy

Score 0 of 1
(skipped)

Question:

Which of the following is not a valid risk response option?

Response:

Risk avoidance

Risk acceptance

Risk prediction

Risk transference

Score 0 of 1
(skipped)

Question:

Which is the MOST important parameter while selecting appropriate risk response?

Response:

Cost of response

Capability to implement response

Importance of risk

Efficiency of response

Score 0 of 1
(skipped)

Question:
__________ are designed to exploit weaknesses on a system.

Response:

Threat assessments

Penetration tests

Vulnerability assessments

White-box tests

Score 0 of 1
(skipped)

Question:

When developing a business continuity plan (BCP), it is MOST important to:

Response:

develop a multi-channel communication plan

prioritize critical services to be restored

identify a geographically dispersed disaster recovery site

identify an alternative location to host operations

Score 0 of 1
(skipped)

Question:

Which of the following would be considered a direct internal threat to the IT operations management
business process?

Response:

Outside hacker

Unintended consequences from configuration changes

Market fluctuations

New regulations on data protection


Score 0 of 1
(skipped)

Question:

Which of the following is the MOST effective way to incorporate stakeholder concerns when developing
risk scenarios?

Response:

Evaluating risk impact

Creating quarterly risk reports

Establishing key performance indicators

Conducting internal audits

Score 0 of 1
(skipped)

Question:

Which of the following is the GREATEST advantage of implementing a risk management program?

Response:

Promoting a risk-aware culture

Improving security governance

Enabling risk-aware decisions

Reducing residual risk

Score 0 of 1
(skipped)

Question:

You are the project manager of your enterprise. While performing risk management, you are given a
task to identify where your enterprise stands in a certain practice and also to suggest priorities for
improvements.

Which of the following models would you use to accomplish this task?

Response:
Capability maturity model

Decision tree model

Fishbone model

Simulation tree model

Score 0 of 1
(skipped)

Question:

__________ are considered to be highly probable indicators designed to accurately predict important
levels of risk based on defined thresholds.

Response:

Key performance indicators

Key control indicators

Key risk indicators

Key monitoring indicators

Score 0 of 1
(skipped)

Question:

You are the project manager of the GHT project. You and your team have developed risk responses for those
risks with the highest threat to or best opportunity for the project objectives.

What are the immediate steps you should follow after the plan risk responses process?

Each correct answer represents a complete solution. Choose three.

Response:

Updating Project management plan and Project document

Applying controls

Updating Risk register

Prepare Risk-related contracts

Score 0 of 1
(skipped)

Question:

Which of the following are two elements that are critical in risk scenario development?
(Choose two.)

Response:

Asset identification and valuation

Likelihood calculation

Impact calculation

Threat assessment

Score 0 of 1
(skipped)

Question:

Which of the following control sets would AC-7 belong to?

Response:

NIST SP 800-53

COBIT

PCI-DSS

ISA 62443-2-1:2009

Score 0 of 1
(skipped)

Question:

Your business just went through a major storm that flooded your data center. Members of your
recovery team are attempting to salvage equipment, as well as locate critical data backups.

No one seems to know exactly what they’re supposed to do, and they don’t have the right equipment
available to them. Additionally, there is no coordinated effort within the team to perform specific tasks.
Which of the following vulnerabilities most likely led up to this scenario?

Response:

Failure to back up sensitive data

Failure to acquire an alternate processing site

Lack of a business impact analysis

Failure to test the disaster recovery plan

Score 0 of 1
(skipped)

Question:

Which of the following characteristics of risk controls answers the question about the control given below?

"Will it continue to function as expected over time and adapt as changes or new elements are
introduced to the environment?"

Response:

Reliability

Sustainability

Consistency

Distinct

Score 0 of 1
(skipped)

Question:

Which of the following vulnerability assessment software can check for weak passwords on the
network?

Response:

Password cracker

Antivirus software

Anti-spyware software
Wireshark

Score 0 of 1
(skipped)

Question:

Which of the following would be considered primary stakeholders with regard to risk scenario
development?

Response:

Production control managers

Accounting executives

Vendors

Asset managers

Score 0 of 1
(skipped)

Question:

You are the project manager of the GHT project. Your project team is in the process of identifying project
risks on your current project. The team has the option to use all of the following tools and techniques to
diagram some of these potential risks EXCEPT for which one?

Response:

Process flowchart

Ishikawa diagram

Influence diagram

Decision tree diagram

Score 0 of 1
(skipped)

Question:

What type of policy would an organization use to forbid its employees from using organizational email
for personal use?

Response:
Anti-harassment policy

Acceptable use policy

Intellectual property policy

Privacy policy

Score 0 of 1
(skipped)

Question:

What is the open source alternative for thorough and practical security testing?

Response:

NIST 800-64

NIST 800-115

ISACA COBIT

OSSTMM

Score 0 of 1
(skipped)

Question:

Which of the following is the MOST important benefit of key risk indicators (KRIs)?

Response:

Assisting in continually optimizing risk governance

Providing an early warning to take proactive actions

Enabling the documentation and analysis of trends

Ensuring compliance with regulatory requirements

Score 0 of 1
(skipped)

Question:
Which of the following is BEST described by the definition below?

"They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into
account during every risk analysis, when likelihood and impact are assessed."

Response:

Obscure risk

Risk factors

Risk analysis

Risk event

Score 0 of 1
(skipped)

Question:

The analysis of which of the following will BEST help validate whether suspicious network activity is
malicious?

Response:

Intrusion detection system (IDS) rules

Penetration test reports

Vulnerability assessment reports

Logs and system events
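The last option is the one that actually settles the question: an IDS rule or a scan report says what could be malicious, while the authentication and system logs show what happened. The following is an added example, not code from the original page: it parses constructed sshd-style log lines (the hosts, users and addresses are made up for this example, and the IDS alert on 203.0.113.7 is assumed) and classifies each source address by the pattern in the logs, so that a burst of failed logins followed by a success is separated from a user who mistyped once and from a brute-force attempt that never succeeded.

```python
import re
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sshd-style authentication events (not from the original page).
# Assume an IDS alert named 203.0.113.7; the logs are what confirms or refutes it.
AUTH_LOG = """\
2024-05-01T10:00:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:03 host sshd[812]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:04 host sshd[813]: Failed password for root from 203.0.113.7 port 51140 ssh2
2024-05-01T10:00:06 host sshd[814]: Failed password for root from 203.0.113.7 port 51150 ssh2
2024-05-01T10:00:09 host sshd[815]: Accepted password for root from 203.0.113.7 port 51160 ssh2
2024-05-01T10:03:00 host sshd[820]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T10:03:20 host sshd[821]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
2024-05-01T11:15:00 host sshd[900]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
2024-05-01T11:15:02 host sshd[901]: Failed password for invalid user guest from 192.0.2.9 port 33002 ssh2
2024-05-01T11:15:05 host sshd[902]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, source ip)


def parse_events(log: str) -> List[Event]:
    """Parse the lines we understand; anything else is skipped, not guessed at."""
    events = []
    for line in log.splitlines():
        m = EVENT.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]))
    return sorted(events)


def classify_source(events: List[Event], ip: str,
                    threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> str:
    """'malicious'  : a burst of >= threshold failures inside window, then a success
       'suspicious' : the burst alone (brute force attempted, not known to have worked)
       'benign'     : no burst, e.g. a user who mistyped once and then logged in"""
    mine = [e for e in events if e[3] == ip]
    failures = [e[0] for e in mine if e[1] == "Failed"]
    burst_end = None
    for i in range(len(failures) - threshold + 1):
        if failures[i + threshold - 1] - failures[i] <= window:
            burst_end = failures[i + threshold - 1]
            break
    if burst_end is None:
        return "benign"
    if any(e[1] == "Accepted" and e[0] >= burst_end for e in mine):
        return "malicious"
    return "suspicious"


if __name__ == "__main__":
    events = parse_events(AUTH_LOG)
    for ip in sorted({e[3] for e in events}):
        print(ip, classify_source(events, ip))
```

The threshold and window are tuning knobs, not facts about the attacker: set them from what normal failed-login rates look like in your own logs before relying on the "suspicious" verdict.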

Question Results
Score 1 of 1

Question:

Which of the following would be an IT business owner’s BEST course of action following
an unexpected increase in emergency changes?
Response:

Reconfiguring the IT infrastructure

Evaluating the impact to control objectives

Validating the adequacy of current processes

Conducting a root-cause analysis
Score 1 of 1

Question:

An organization that has been the subject of multiple social engineering attacks is
developing a risk awareness program. The PRIMARY goal of this program should be to:

Response:

communicate the consequences for violations

reduce the organization’s risk appetite

reduce the risk to an acceptable level

implement industry best practices
Score 0 of 1

Question:

You work as a project manager for Bluewell Inc. You have identified a project risk. You
have then implemented the risk action plan and it turned out to be ineffective. What type
of plan should you implement in such a case?

Response:

Risk mitigation
Risk response plan
Risk fallback plan
Risk avoidance
Score 0 of 1
(skipped)

Question:

Jim wants to conduct a scan using a tool that can be used during business hours with
minimum disturbance to operations. Which is the most likely to support his needs?

Response:
Active tools
Impact tools
Penetration tools
Passive tools
Score 1 of 1

Question:

When an organization’s disaster recovery plan has a reciprocal agreement, which of the
following risk treatment options is being applied?

Response:

Mitigation
Avoidance
Acceptance
Transfer
Score 1 of 1

Question:

Which of the following is the BEST way to confirm whether appropriate automated
controls are in place within a recently implemented system?

Response:

Interview process owners

Conduct user acceptance testing

Review the key performance indicators (KPIs)

Perform a post-implementation review
Score 0 of 1
(skipped)

Question:

You are implementing an organizational-wide risk management strategy, and you are
using the NIST Risk Management Framework (RMF). You have just completed step 1 of
the RMF, categorize information systems.

Which of the following steps should you complete next in the RMF sequence?

Response:
Authorize system
Assess security controls
Continuous monitoring
Select security controls
Score 1 of 1

Question:

Which of the following is a vulnerability associated with the integrity aspect of data
management?

Response:

Lack of encryption for sensitive data being transferred between two systems
Failure of a DBMS to perform transaction checking on data
Faulty backup processes that do not completely back up all sensitive data
Failure to assign correct permissions to sensitive tables in a database
Score 1 of 1

Question:

Which of the following is a vulnerability that affects the business processes that deal with
third-party providers?

Response:

Failure to conduct a business impact analysis

Lack of a well-written service level agreement

Failure to test new technologies as they are integrated into the existing infrastructure

Lack of common data formats between internal systems
Score 1 of 1

Question:

Which of the following matrices is used to specify risk thresholds?

Response:

Impact matrix
Risk indicator matrix
Probability matrix
Risk scenario matrix
Score 1 of 1

Question:

In which of the following risk management capability maturity levels does the enterprise
take major business decisions considering the probability of loss and the probability of
reward?

Each correct answer represents a complete solution. Choose two.

Response:

Level 5
Level 2
Level 4
Level 0
Score 0 of 1

Question:

Which of the following nodes of a decision tree analysis represents the starting point of the
decision tree?

Response:

Decision node

Event node

Root node

End node
Score 1 of 1

Question:

What is the value of exposure factor if the asset is lost completely?

Response:

Infinity
10
0
1
Score 1 of 1

Question:

FISMA requires federal agencies to protect IT systems and data. How often should
compliance be audited by an external organization?

Response:

Every three years

Quarterly

Annually

Never
Score 1 of 1

Question:

As a risk practitioner in a larger organization, you have been asked to review the
company’s SDLC model for potential risk areas.

The model includes the Requirements, Design, Development, Implementation, and Disposal
phases. Software and systems are moved from the development environment immediately
into the production environment and implemented.

Which SDLC phase would you recommend that the business add to reduce risk of
integration or functionality issues as the system is implemented?

Response:

Initiation
Maintenance
Sustainment
Test
Score 1 of 1

Question:

You are the project manager of the QPS project. You and your project team have
identified a pure risk. You, along with the key stakeholders, decided to remove the pure risk
from the project by changing the project plan altogether.

What is a pure risk?

Response:
It is a risk event that only has a negative side and not any positive result.
It is a risk event that cannot be avoided because of the order of the work.
It is a risk event that is created by the application of risk response.
It is a risk event that is generated due to errors or omission in the project work.
Score 1 of 1

Question:

You are the project manager of the GHT project. You have identified a risk event on your
project that could save $100,000 in project costs if it occurs. Which of the following
statements BEST describes this risk event?

Response:

This is a risk event that should be accepted because the rewards outweigh the threat
to the project.
This risk event is an opportunity to the project and should be exploited.
This risk event should be mitigated to take advantage of the savings.
This risk event should be avoided to take full advantage of the potential savings.
Score 1 of 1

Question:

Which of the following is the MOST important factor affecting risk management in an
organization?

Response:

Board of director’s expertise

Regulatory requirements

The risk manager’s expertise

The organization’s culture
Score 1 of 1

Question:

Which of the following is the BEST course of action to reduce risk impact?

Response:

Leverage existing technology

Implement corrective measures

Create an IT security policy

Implement detective controls
Score 1 of 1

Question:

You are the project manager of the GFT project. Your project involves the use of an electrical
motor. Its specification states that if its temperature increases to 500 degrees
Fahrenheit the machine will overheat and have to be shut down for 48 hours.

If the machine overheats even once it will delay the project's delivery date. To prevent this,
you decided while creating the response that if the temperature of the machine reaches 450 degrees,
the machine will be paused for at least an hour to let its temperature normalize.

What is this temperature of 450 degrees referred to as?

Response:

Risk trigger
Risk event
Risk response
Risk identification
Score 1 of 1

Question:

What process would help you deal with risks that require an exemption to policy?

Response:

Risk acceptance process

Risk mitigation process

Risk management process

Exception management process
Score 1 of 1

Question:

Which of the following should be the PRIMARY objective of promoting a risk-aware
culture within an organization?

Response:
Enabling risk-based decision making
Better understanding of the risk appetite
Increasing process control efficiencies
Improving audit results
Score 0 of 1

Question:

Improvements in the design and implementation of a control will MOST likely result in an
update to:

Response:

inherent risk

risk tolerance

residual risk

risk appetite
Score 1 of 1

Question:

You are the project manager of the GHT project. You are performing a cost and benefit analysis
of a control. You find that the cost of the specific control exceeds the benefit of
mitigating the given risk.

What is the BEST action to choose in this scenario?

Response:

The enterprise should adopt a corrective control.

The enterprise may apply the appropriate control anyway.

The enterprise should exploit the risk.

The enterprise may choose to accept the risk rather than incur the cost of mitigation.
Score 0 of 1

Question:

An enterprise has identified risk events in a project. While responding to these identified
risk events, which of the following stakeholders is MOST important for reviewing risk
response options to an IT risk?

Response:

Internal auditors
Business managers
Information security managers
Incident response team members
Score 0 of 1

Question:

Which of the following would be considered primary stakeholders with regard to risk
scenario development?

Response:

Asset managers
Accounting executives
Production control managers
Vendors
Score 0 of 1

Question:

Which of the following would require updates to an organization’s IT risk register?

Response:

Changes to the team responsible for maintaining the register
Discovery of an ineffectively designed key IT control
Management review of key risk indicators (KRIs)
Completion of the latest internal audit
Score 0 of 1
(skipped)

Question:

Jane, the Director of Sales, contacts you and demands that you add a new feature to the
software your project team is creating for the organization. In the meeting she tells you
how important the scope change would be.

You explain to her that the software is almost finished and adding a change now could
cause the deliverable to be late, cost additional funds, and would probably introduce new
risks to the project. Jane stands up and says to you, "I am the Director of Sales and this
change will happen in the project." And then she leaves the room.

What should you do with this verbal demand for a change in the project?

Response:

Include the change in the project scope immediately.
Direct your project team to include the change if they have time.
Do not implement the verbal change request.
Report Jane to your project sponsor and then include the change.
Score 0 of 1
(skipped)

Question:

You work as a project manager for BlueWell Inc. You are preparing for the risk
identification process.

You will need to involve several of the project's key stakeholders to help you identify and
communicate the identified risk events. You will also need several documents to help you
and the stakeholders identify the risk events.

Which one of the following is NOT a document that will help you identify and
communicate risks within the project?

Response:

Stakeholder registers
Activity duration estimates
Activity cost estimates
Risk register
Score 0 of 1
(skipped)

Question:

You work as a project manager for BlueWell Inc. You are preparing to plan risk responses
for your project with your team. How many risk response types are available for a negative
risk event in the project?

Response:

5
7
1
4
Score 0 of 1
(skipped)

Question:

Which of the following assets are the examples of intangible assets of an enterprise?
Each correct answer represents a complete solution. Choose two.

Response:

Customer trust
Information
People
Infrastructure
Score 0 of 1
(skipped)

Question:

Which of the following risk responses include feedback and guidance from well-qualified
risk officials and those internal to the project?

Response:

Contingent response strategy
Risk Acceptance
Expert judgment
Risk transfer
Score 0 of 1
(skipped)

Question:

The __________ framework is not IT security–centric and was developed with
organizational governance in mind.

Response:

ISACA IT Risk Management
COBIT
NIST 800-37, revision 1
CRISC
Score 0 of 1
(skipped)

Question:

The PRIMARY benefit of conducting continuous monitoring of access controls is the
ability to identify

Response:

possible noncompliant activities that lead to data disclosure
leading or lagging key risk indicators (KRIs)
inconsistencies between security policies and procedures
unknown threats to undermine existing access controls
Score 0 of 1
(skipped)

Question:

Which of the following would be MOST helpful to an information security management
team when allocating resources to mitigate exposures?

Response:

Internal audit findings
Relevant risk case studies
Risk assessment results
Penetration testing results
Score 0 of 1
(skipped)

Question:

You work as a Project Manager for www.company.com Inc. You have to measure the
probability, impact, and risk exposure. Then, you have to measure how the selected risk
response can affect the probability and impact of the selected risk event.

Which of the following tools will help you to accomplish the task?

Response:

Project network diagrams
Delphi technique
Decision tree analysis
Cause-and-effect diagrams
Score 0 of 1
(skipped)

Question:

Which of the following are concerns with the IT infrastructure in terms of how it affects
risk scenarios?
(Choose all that apply.)

Response:

Level of modernization
Level of performance
Internal and external interfaces and connections
Cost
Score 0 of 1
(skipped)

Question:

Which of the following parameters are considered for the selection of risk indicators?
Each correct answer represents a part of the solution. Choose three.

Response:

Size and complexity of the enterprise
Type of market in which the enterprise operates
Risk appetite and risk tolerance
Strategy focus of the enterprise
Score 0 of 1
(skipped)

Question:

One of the risk events you've identified is classified as force majeure. What risk response is
likely to be used?

Response:

Acceptance
Transference
Enhance
Mitigation
Score 0 of 1
(skipped)

Question:

A __________ is dedicated hardware or software that collects network traffic for the
purposes of examination, either to determine network issues or to capture plain-text
usernames, passwords, or other sensitive information being sent in the clear.

Response:

Port scanner
Protocol analyzer
Vulnerability scanner
Penetration tester
Score 0 of 1
(skipped)

Question:

What are the steps that are involved in articulating risks?
Each correct answer represents a complete solution. Choose three.

Response:

Identify business opportunities.
Identify the response.
Communicate risk analysis results and report risk management activities and the
state of compliance.
Interpret independent risk assessment findings.
Score 0 of 1
(skipped)

Question:

For a negative event or action to materialize and cause risk to an organization or system,
what other factor must be present?

Response:

Risk factor
Vulnerability
Threat agent
Threat
Score 0 of 1
(skipped)

Question:

A project team member has just identified a new project risk.

The risk event is determined to have significant impact but a low probability in the project.
Should the risk event happen it'll cause the project to be delayed by three weeks, which will
cause new risk in the project.

What should the project manager do with the risk event?

Response:

Add the identified risk to a quality control management chart.
Add the identified risk to the issues log.
Add the identified risk to the risk register.
Add the identified risk to the low-level risk watch-list.
Score 0 of 1
(skipped)

Question:

Mike is the project manager of the NNP Project for his organization. He is working with
his project team to plan the risk responses for the NNP Project. Mike would like the
project team to work together on establishing risk thresholds in the project.

What is the purpose of establishing a risk threshold?

Response:

It is a study of the organization's risk tolerance.
It is a warning sign that a risk event is going to happen.
It is a limit of the funds that can be assigned to risk events.
It helps to identify those risks for which specific responses are needed.
Score 0 of 1
(skipped)

Question:

Risk scenarios are all the elements of risk, except for __________ and __________.
(Choose two.)

Response:

Threat
Likelihood
Impact
Vulnerability
Score 0 of 1
(skipped)

Question:

A risk practitioner has observed that risk owners have approved a high number of
exceptions to the information security policy. Which of the following should be the risk
practitioner’s GREATEST concern?

Response:

Aggregate risk approaching the tolerance threshold
Vulnerabilities are not being mitigated
Security policies are not being reviewed periodically
Risk owners are focusing more on efficiency
Score 0 of 1
(skipped)

Question:

You are working as the project manager of the ABS project. The project is for establishing
a computer network on school premises.

During project execution, the school management asks you to make the campus Wi-Fi
enabled. You know that this may impact the project adversely. You have discussed the
change request with other stakeholders.

What will be your NEXT step?

Response:

Update project management plan.
Issue a change request.
Analyze the impact.
Update risk management plan.
Score 0 of 1
(skipped)

Question:

Which of the following is described by the definition given below?

"It is the expected guaranteed value of taking a risk."

Response:

Certainty equivalent value
Risk premium
Risk value guarantee
Certain value assurance
Score 0 of 1
(skipped)

Question:

Your project spans the entire organization. You would like to assess the risk of your
project, but you are worried that some of the managers involved in the project could affect
the outcome of any risk identification meeting.

Your concern is based on the fact that some employees would not want to publicly
identify risk events that could reflect poorly on their supervision. You would like a method
that would allow participants to identify risk events anonymously.

What risk identification method could you use?

Response:

Delphi technique
Root cause analysis
Isolated pilot groups
SWOT analysis
Score 0 of 1
(skipped)

Question:

Which of the following business requirements MOST relates to the need for resilient
business and information systems processes?

Response:

Confidentiality
Effectiveness
Integrity
Availability
Score 0 of 1
(skipped)

Question:

John is the project manager of the NHQ Project for his company. His project has 75
stakeholders, some of which are external to the organization. John needs to make certain
that he communicates about risk in the most appropriate method for the external
stakeholders.

Which project management plan will be the best guide for John to communicate to the
external stakeholders?

Response:

Risk Response Plan
Communications Management Plan
Project Management Plan
Risk Management Plan
Score 0 of 1
(skipped)

Question:

During qualitative risk analysis you want to define the risk urgency assessment. All of the
following are indicators of risk priority except for which one?

Response:

Warning signs
Symptoms
Risk rating
Cost of the project
Score 0 of 1
(skipped)

Question:

The Identify Risk process determines the risks that affect the project and documents their
characteristics. Why should the project team members be involved in the Identify Risk
process?

Response:

They are the individuals that will most likely cause and respond to the risk events.
They are the individuals that will have the best responses for identified risks events
within the project.
They are the individuals that are most affected by the risk events.
They are the individuals that will need a sense of ownership and responsibility for
the risk events.
Score 0 of 1
(skipped)

Question:

What are the functions of audit and accountability control?
Each correct answer represents a complete solution. Choose all that apply.

Response:

Provides details on how to protect the audit logs
Implement effective access control
Implement an effective audit program
Provides details on how to determine what to audit
Score 0 of 1
(skipped)

Question:

An organization has outsourced its lease payment process to a service provider who lacks
evidence of compliance with a necessary regulatory standard. Which risk treatment was
adopted by the organization?

Response:

Acceptance
Transfer
Mitigation
Avoidance
Score 0 of 1
(skipped)

Question:

A risk practitioner is summarizing the results of a high-profile risk assessment sponsored
by senior management. The BEST way to support risk-based decisions by senior
management would be to:

Response:

quantify key risk indicators (KRIs)
recommend risk tolerance thresholds
provide a quantified detailed analysis
map findings to objectives
Score 0 of 1
(skipped)

Question:

An organization has granted a vendor access to its data in order to analyze customer
behavior. Which of the following would be the MOST effective control to mitigate the risk
of customer data leakage?

Response:

Restrict access to customer data on a "need to know" basis
Enforce criminal background checks
Mask customer data fields
Require vendor to sign a confidentiality agreement
Score 0 of 1
(skipped)

Question:

Which of the following role carriers decide the Key Risk Indicators of the enterprise?
Each correct answer represents a part of the solution. Choose two.

Response:

Business leaders
Senior management
Human resource
Chief financial officer
Score 0 of 1
(skipped)

Question:

You are the project manager of the GHY Project for your company. You need to complete
a project management process that will be on the lookout for new risks, changing risks, and
risks that are now outdated.

Which project management process is responsible for these actions?

Response:

Risk planning
Risk monitoring and controlling
Risk identification
Risk analysis
Score 0 of 1
(skipped)

Question:

Which of the following serve as the authorization for a project to begin?

Response:

Approval of project management plan
Approval of a risk response document
Approval of risk management document
Approval of a project request document
Score 0 of 1
(skipped)

Question:

You work as the project manager for Company Inc. The project on which you are working
has several risks that will affect several stakeholder requirements.

Which project management plan will define who will be available to share information on
the project risks?

Response:

Resource Management Plan
Communications Management Plan
Risk Management Plan
Stakeholder management strategy
Score 0 of 1
(skipped)

Question:

Which of the following describes a set of mandatory procedures or processes used by an
organization?

Response:

Standard
Framework
Practice
Policy
Score 0 of 1
(skipped)

Question:

Which of the following operational risks ensures that the provision of a quality product is
not overshadowed by the production costs of that product?

Response:

Information security risks
Contract and product liability risks
Project activity risks
Profitability operational risks
Score 0 of 1
(skipped)

Question:

Who is ultimately responsible for risk ownership within an organization?

Response:

Risk assessor
Mid-level manager
Designated risk owner
Senior executives and board of directors
Score 0 of 1
(skipped)

Question:

Which of the following come under the phases of risk identification and evaluation?
Each correct answer represents a complete solution. Choose three.

Response:

Maintain a risk profile
Collecting data
Analyzing risk
Applying controls
Score 0 of 1
(skipped)

Question:

Suppose you are working at Company Inc. and you are using risk scenarios to estimate
the likelihood and impact of the significant risks to this organization.

Which of the following assessments are you performing?

Response:

IT security assessment
IT audit
Threat and vulnerability assessment
Risk assessment
Score 0 of 1
(skipped)

Question:

You are the project manager for BlueWell Inc. Your current project is a high priority and
high profile project within your organization.

You want to identify the project stakeholders that will have the most power in relation to
their interest on your project. This will help you plan for project risks, stakeholder
management, and ongoing communication with the key stakeholders in your project.

In this process of stakeholder analysis, what type of a grid or model should you create
based on these conditions?

Response:

Stakeholder power/interest grid
Stakeholder register
Influence/impact grid
Salience model
Score 0 of 1
(skipped)

Question:

Which of the following is MOST helpful to ensure effective security controls for a cloud
service provider?

Response:

Internal audit reports from the vendor
A control self-assessment
A third-party security assessment report
Service level agreement monitoring
Score 0 of 1
(skipped)

Question:

Which of the following data collection methods is the most subjective?

Response:

Documentation reviews
Interviews
System observations
System security testing
Score 0 of 1
(skipped)

Question:

What is the PRIMARY reason to categorize risk scenarios by business process?

Response:

To determine aggregated risk levels by risk owner
To identify situations that result in over-control
To enable management to implement cost-effective risk mitigation
To show business activity deficiencies that need to be improved
Score 0 of 1
(skipped)

Question:

You are the project manager of the GHT project. Your project utilizes a machine for the
production of goods. The machine's specification states that if its temperature rises above
450 degrees Fahrenheit, its windings may burn.

So, there is an alarm that sounds when the machine's temperature reaches 430 degrees
Fahrenheit, and the machine is then shut off for 1 hour.

What role does the alarm play here?

Response:

Of risk indicator
Of risk identification
Of risk trigger
Of risk response
Score 0 of 1
(skipped)

Question:

Which of the following statements most accurately reflects the effect of information
technology (IT) on risk to the business enterprise?
(Choose two.)

Response:

Information technology is a serious risk to the mission of the organization.
Information technology is used to protect the organization’s information.
Information technology is used to eliminate risk to the mission of the organization.
Information technology is used to generate the organization’s information.
Score 0 of 1
(skipped)

Question:

You are working in an enterprise. Assume that your enterprise periodically compares
finished goods inventory levels to the perpetual inventories in its ERP system.

What kind of information is provided by the lack of any significant differences
between perpetual levels and actual levels?

Response:

Direct information
Indirect information
Risk management plan
Risk audit information
Score 0 of 1
(skipped)

Question:

In a __________ test, those charged with defending the network are unaware of the testing
and are tested on their ability to react and defend as if a real-world attack were taking
place.

Response:

Double-blind
Gray-box
White-box
Penetration
Score 0 of 1
(skipped)

Question:

You are the project manager of a SGT project. You have been actively communicating and
working with the project stakeholders. One of the outputs of the "manage stakeholder
expectations" process can actually create new risk events for your project.

Which output of the manage stakeholder expectations process can create risks?

Response:

Project management plan updates
Organizational process asset updates
Change requests
Project document updates
Score 0 of 1
(skipped)

Question:

Henry is the project manager of the QBG Project for his company. This project has a
budget of $4,576,900 and is expected to last 18 months to complete. The CIO, a stakeholder
in the project, has introduced a scope change request for additional deliverables as part of
the project work.

What component of the change control system would review the proposed changes' impact
on the features and functions of the project's product?

Response:

Cost change control system
Configuration management system
Scope change control system
Integrated change control
Score 0 of 1
(skipped)

Question:

Mary is a project manager in her organization. On her current project she is working with
her project team and other key stakeholders to identify the risks within the project. She is
currently aiming to create a comprehensive list of project risks so she is using a facilitator
to help generate ideas about project risks.

What risk identification method is Mary likely using?

Response:

Delphi Techniques
Expert judgment
Brainstorming
Checklist analysis
Score 0 of 1
(skipped)

Question:

Which of the following approaches to risk scenario development begins with business
objectives and attempts to identify risk scenarios that could affect those objectives?

Response:

Bottom-up approach
Top-down approach
Cross-functional approach
Quantitative approach
Score 0 of 1
(skipped)

Question:

You are the risk official of your enterprise. You have just completed the risk analysis
process. You noticed that the risk level associated with your project is less than the risk
tolerance level of your enterprise.

Which of the following is the MOST likely action you should take?

Response:

Apply risk response
Update risk register
No action
Prioritize risk response options
Score 0 of 1
(skipped)

Question:

You are the project manager of GHT project. Your project team is in the process of
identifying project risks on your current project. The team has the option to use all of the
following tools and techniques to diagram some of these potential risks EXCEPT for which
one?

Response:

Process flowchart
Ishikawa diagram
Influence diagram
Decision tree diagram
Score 0 of 1
(skipped)

Question:

In which of the following risk management capability maturity levels are risk appetite and
tolerance applied only during episodic risk assessments?

Response:

Level 3
Level 2
Level 4
Level 1
Score 0 of 1
(skipped)

Question:

You are the project manager of a project for a client. The client has promised your company
a bonus if the project is completed early. After studying the project work, you elect to
crash the project in order to realize the early end date.

This is an example of what type of risk response?

Response:

Negative risk response, because crashing will add risks.
Positive risk response, as crashing is an example of enhancing.
Positive risk response, as crashing is an example of exploiting.
Negative risk response, because crashing will add costs.
Score 0 of 1
(skipped)

Question:

Which of the following represents lack of adequate controls?

Response:

Vulnerability
Threat
Asset
Impact
Score 0 of 1
(skipped)

Question:

Which of the following is the MOST important use of KRIs?

Response:

Providing a backward-looking view on risk events that have occurred
Providing an early warning signal
Providing an indication of the enterprise's risk appetite and tolerance
Enabling the documentation and analysis of trends
Score 0 of 1
(skipped)

Question:

There are five inputs to the quantitative risk analysis process. Which one of the following is
NOT an input to the quantitative risk analysis process?

Response:

Risk management plan
Enterprise environmental factors
Cost management plan
Risk register
Score 0 of 1
(skipped)

Question:

You are the project manager of the GHT project. You have planned the risk response process
and now you are about to implement various controls. What should you do before relying
on any of the controls?

Response:

Review performance data
Discover risk exposure
Conduct pilot testing
Articulate risk
Score 0 of 1
(skipped)

Question:

Which of the following is the MOST crucial part of the risk management process?

Response:

Risk communication
Auditing
Risk monitoring
Risk mitigation
Score 0 of 1
(skipped)

Question:

Compliance is a factor that influences risk scenarios as a direct result of organizational
__________.

Response:

Threats
Risk management strategy
Governance
Vulnerabilities
Score 0 of 1
(skipped)

Question:

A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST
important time to involve business stakeholders is when:

Response:

identifying risk mitigation controls
documenting the risk scenarios
validating the risk scenarios
updating the risk register
Score 0 of 1
(skipped)

Question:

Which of the following is the greatest risk to reporting?

Response:

Integrity of data
Availability of data
Confidentiality of data
Reliability of data
Score 0 of 1
(skipped)

Question:

Using which of the following can one produce a comprehensive result while performing
qualitative risk analysis?

Response:

Scenarios with threats and impacts
Cost-benefit analysis
Value of information assets
Vulnerability assessment
Score 0 of 1
(skipped)

Question:

Which of the following processes ensures that extracted data are ready for analysis?

Response:

Data analysis
Data validation
Data gathering
Data access
Score 0 of 1
(skipped)

Question:

Who should be responsible for implementing and maintaining security controls?

Response:

Data custodian
Internal auditor
Data owner
End user
Score 0 of 1
(skipped)

Question:

All of the following statements describe characteristics of controls except which one?

Response:

Controls are defined and implemented in terms of addressing a specific
vulnerability or deficiency in asset protection.
They are used to specify what measures should be taken to ensure security and
reduce risk.
Controls are designed to be effective in completely eliminating a particular risk.
Specific control sets may be required by legal governance.
Score 0 of 1
(skipped)

Question:

There are four inputs to the Monitoring and Controlling Project Risks process. Which one
of the following will NOT help you, the project manager, to prepare for risk monitoring
and controlling?

Response:

Risk register
Work Performance Information
Project management plan
Change requests
Score 0 of 1
(skipped)

Question:

Which of the following is the MOST effective inhibitor of relevant and efficient
communication?

Response:

A false sense of confidence at the top on the degree of actual exposure related to IT
and lack of a well-understood direction for risk management from the top down
The perception that the enterprise is trying to cover up known risk from
stakeholders
Existence of a blame culture
Misalignment between real risk appetite and translation into policies
Score 0 of 1
(skipped)

Question:

Which of the following is MOST important to update when an organization’s risk appetite
changes?

Response:

Key risk indicators (KRIs)
Risk taxonomy
Key performance indicators (KPIs)
Risk reporting methodology
Score 0 of 1
(skipped)

Question:

A __________ is a piece of software designed to scan a system to determine what services
the system is running and whether any unnecessary open ports, operating systems and
applications, or back doors can be exploited because of a lack of patching or other flaw.

Response:

Port scanner
Protocol analyzer
Vulnerability scanner
Penetration tester
Score 0 of 1
(skipped)

Question:

The KPI category of _____ deals with maintaining baselines of systems and applications.

Response:

Awareness and training
Audit and accountability
Access control
Configuration management
Score 0 of 1
(skipped)

Question:

The BEST way to determine the likelihood of a system availability risk scenario is by
assessing the:

Response:

availability of fault tolerant software
strategic plan for business growth
vulnerability scan results of critical systems
redundancy of technical infrastructure
Score 0 of 1
(skipped)

Question:

Which of the following IT controls is MOST useful in mitigating the risk associated with
inaccurate data?

Response:

Audit trails for updates and deletions
Encrypted storage of data
Links to source data
Check totals on data records and data fields
Score 0 of 1
(skipped)

Question:

Billy is the project manager of the HAR Project and is in month six of the project. The
project is scheduled to last for 18 months. Management asks Billy how often the project
team is participating in risk reassessment in this project.

What should Billy tell management if he's following the best practices for risk
management?

Response:

Project risk management has been concluded with the project planning.
Project risk management happens at every milestone.
Project risk management is scheduled for every month in the 18-month project.
At every status meeting, project risk management is an agenda item for the project
team.
Score 0 of 1
(skipped)

Question:

What are the PRIMARY requirements for developing risk scenarios?
Each correct answer represents a part of the solution. Choose two.

Response:

Potential threats and vulnerabilities that could lead to loss events
Determination of the value of an asset at risk
Determination of actors that have the potential to generate risk
Determination of threat type
Score 0 of 1
(skipped)

Question:

While developing obscure risk scenarios, what are the requirements of the enterprise?
Each correct answer represents a part of the solution. Choose two.

Response:

Have the capability to cure the risk events
Have the capability to recognize an observed event as something wrong
Have a sufficient number of analysts
Be in a position that it can observe anything going wrong
Score 0 of 1
(skipped)

Question:

All of the following are valid supporting factors in building a business case to justify
implementing an IT control, except which one?

Response:

Profitability
Security goals
Liability
Governance
Score 0 of 1
(skipped)

Question:

Which of the following vulnerabilities could affect the management of the IT infrastructure
within an organization?
(Choose all that apply.)

Response:

Failure to meet internal service level agreements
Failure of the business to succeed in a particular market segment
Lack of a service level agreement with a third-party provider
Lack of resources committed to explore new technologies
Score 0 of 1
(skipped)

Question:

Which of the following is the GREATEST concern associated with redundant data in an
organization’s inventory system?

Response:

Data inconsistency
Unnecessary data storage usage
Poor access control
Unnecessary costs of program changes
Score 0 of 1
(skipped)

Question:

Which of the following is NOT indirect information?

Response:

Information about the propriety of cutoff.
Reports that show orders that were rejected for credit limitations.
Reports that provide information about any unusual deviations and individual
product margins.
The lack of any significant differences between perpetual levels and actual levels
of goods.
Score 0 of 1
(skipped)

Question:

The BEST reason to classify IT assets during a risk assessment is to determine the:

Response:

appropriate level of protection
enterprise risk profile
priority in the risk register
business process owner
Score 0 of 1
(skipped)

Question:

__________ are elements that influence the development of risk scenarios, as well as their
likelihood and impact.

Response:

Risk agents
Risk indicators
Risk factors
Threat agents
Score 0 of 1
(skipped)

Question:

A business knowingly decides it wants to capitalize on an opportunity that contains a level
of risk deemed within its acceptable levels of risk. No controls are applied to lower the risk
further. In this case, the approach would be best defined as which of the following?

Response:

Risk tolerance
Risk mitigation
Risk acceptance
Risk avoidance
Score 0 of 1
(skipped)

Question:

Which of the following terms describes an entity that initiates a threat?

Response:

Threat agent
Vulnerability
Risk
Risk factor
Score 0 of 1
(skipped)

Question:

An organization is considering outsourcing user administration controls for a critical
system. The potential vendor has offered to perform quarterly self-audits of its controls
instead of having annual independent audits.

Which of the following should be of GREATEST concern to the risk practitioner?

Response:

The vendor will not achieve best practices
The vendor will not ensure against control failure
The controls may not be properly tested
Lack of a risk-based approach to access control
Score 0 of 1
(skipped)

Question:

What is phase 4 of the SDLC?

Response:

Sunset (disposition)
Implementation/assessment
Acquisition/development
Operations/maintenance
Score 0 of 1
(skipped)

Question:

Which of the following aspects of a monitoring tool ensures that the tool has the
ability to keep up with the growth of an enterprise?

Response:

Scalability
Customizability
Sustainability
Impact on performance
Score 0 of 1
(skipped)

Question:

Jenny is the project manager for the NBT projects. She is working with the project team
and several subject matter experts to perform the quantitative risk analysis process.
During this process, she and the project team uncover several risk events that were not
previously identified.

What should Jenny do with these risk events?

Response:

The events should be entered into qualitative risk analysis.
The events should be determined if they need to be accepted or responded to.
The events should be entered into the risk register.
The events should continue on with quantitative risk analysis.
Score 0 of 1
(skipped)

Question:

When considering control and risk ownership, which of the following is the main concern?

Response:

How much a control costs to maintain
Accountability
Organizational structuring
Ensuring that risk and control owners are separate to ensure that there is no conflict
of interest
Score 0 of 1
(skipped)

Question:

Which of the following is MOST important when developing key performance indicators
(KPIs)?

Response:

Alignment to management reports
Alignment to risk responses
Alerts when risk thresholds are reached
Identification of trends
Score 0 of 1
(skipped)

Question:

Which of the following is a technical control?

Response:

Creation of a demilitarized zone within the enterprise architecture
Implementation of a physical security policy
Mandating two people to open secure areas together
Requiring segregation of duties across sensitive duty areas
Score 0 of 1
(skipped)

Question:

All the following are domains of the Val IT framework except which one?

Response:

Value Governance
Security Management
Portfolio Management
Investment Management
Score 0 of 1
(skipped)

Question:

When developing IT risk scenarios, it is CRITICAL to involve:

Response:

process owners
IT managers
internal auditors
senior management
Score 0 of 1
(skipped)

Question:

Which of the following is true for single loss expectancy (SLE), annual rate of occurrence
(ARO), and annual loss expectancy (ALE)?

Response:

ALE= ARO/SLE
ARO= SLE/ALE
ARO= ALE*SLE
ALE= ARO*SLE
Score 0 of 1
(skipped)

Question:

Which of the following is true for risk management frameworks, standards and practices?
Each correct answer represents a part of the solution. Choose three.

Response:

They act as a guide to focus efforts of variant teams.
They result in an increase in the cost of training, operation and performance
improvement.
They provide a systematic view of "things to be considered" that could harm clients
or an enterprise.
They assist in achieving business objectives quickly and easily.
Score 0 of 1
(skipped)

Question:

When determining which control deficiencies are most significant, which of the following
would provide the MOST useful information?

Response:

Exception handling policy
Benchmarking assessments
Vulnerability assessment results
Risk analysis results
Score 0 of 1
(skipped)

Question:

Which of the following is an acceptable method for handling positive project risk?

Response:

Exploit
Avoid
Mitigate
Transfer
Score 0 of 1
(skipped)

Question:

You are the project manager of the GHY project for your company. This project has a
budget of $543,000 and is expected to last 18 months. In this project, you have identified
several risk events and created risk response plans.

In what project management process group will you implement risk response plans?

Response:

Monitoring and Controlling
In any process group where the risk event resides
Planning
Executing
Score 0 of 1
(skipped)

Question:

Qualitative risk assessment uses which of the following terms for evaluating risk level?
Each correct answer represents a part of the solution. Choose two.

Response:

Impact
Annual rate of occurrence
Probability
Single loss expectancy
Score 0 of 1
(skipped)

Question:

When it appears that a project risk is going to happen, what is this called?

Response:

Issue
Contingency response
Trigger
Threshold
Score 0 of 1
(skipped)

Question:

Which of the following elements of risk can controls be used to reduce?
(Choose two answers.)

Response:

Likelihood
Impact
Threat
Threat agent
Score 0 of 1
(skipped)

Question:

Which of the following role carriers is accountable for collecting data on risk and
articulating risk?

Response:

Enterprise risk committee
Business process owner
Chief information officer (CIO)
Chief risk officer (CRO)
Score 0 of 1
(skipped)

Question:

__________ often occur from an internal point looking across the organization to get the
best look at the vulnerabilities without the interference of the perimeter protections.

Response:

Threat assessments
Penetration tests
Vulnerability assessments
Black-box tests
Score 0 of 1
(skipped)

Question:

A risk practitioner is preparing a report to communicate changes in the risk and control
environment. The BEST way to engage stakeholder attention is to:

Response:

include a roadmap to achieve operational excellence
include a summary linking information to stakeholder needs
publish the report on-demand for stakeholders
include detailed deviations from industry benchmarks
Score 0 of 1
(skipped)

Question:

A natural disaster is BEST associated with which of the following types of risk?

Response:

Short-term
Long-term
Discontinuous
Large impact
Score 0 of 1
(skipped)

Question:

You are the project manager of the AFD project for your company. You are working with
the project team to reassess existing risk events and to identify risk events that have not
happened and whose relevancy to the project has passed.

What should you do with these events that have not happened and would not happen now
in the project?

Response:

Add the risk to the issues log
Close the outdated risks
Add the risks to the risk register
Add the risks to a low-priority watch-list
Score 0 of 1
(skipped)

Question:

Which of the following BEST measures the operational effectiveness of risk management
capabilities?

Response:

Capability maturity models (CMMs)
Metric thresholds
Key risk indicators (KRIs)
Key performance indicators (KPIs)
Score 0 of 1
(skipped)

Question:

Which of the following is the PRIMARY consideration when establishing an organization’s
risk management methodology?

Response:

Risk tolerance level
Benchmarking information
Resource requirements
Business context
Score 0 of 1
(skipped)

Question:

Which of the following events refer to a loss of integrity?
Each correct answer represents a complete solution. Choose three.

Response:

Someone sees the company's secret formula
Someone makes unauthorized changes to a Web site
An e-mail message is modified in transit
A virus infects a file
Score 0 of 1
(skipped)

Question:

Which of the following is the GREATEST advantage of implementing a risk management
program?

Response:

Promoting a risk-aware culture
Improving security governance
Enabling risk-aware decisions
Reducing residual risk
Score 0 of 1
(skipped)

Question:

__________ can contain valuable information about past and ongoing activities and, when
handled properly, can be timely.

Response:

Metrics
Accreditations
Indicators
Logs
Score 0 of 1
(skipped)

Question:

You and your project team have identified a few risk events in the project and recorded the
events in the risk register. Part of the recording of the events includes the identification of a
risk owner. Who is a risk owner?

Response:

A risk owner is the party that will monitor the risk events.
A risk owner is the party that will pay for the cost of the risk event if it becomes an
issue.
A risk owner is the party that has caused the risk event.
A risk owner is the party authorized to respond to the risk event.
Score 0 of 1
(skipped)

Question:

__________ help(s) you quantify the effectiveness of your implemented risk response over
its life.

Response:

Leaders
Reports
Automation
Metrics
Score 0 of 1
(skipped)

Question:

Which of the following is the BEST key performance indicator (KPI) to measure the
effectiveness of a vulnerability management process?

Response:

Percentage of vulnerabilities remediated within the agreed service level
Number of vulnerabilities identified during the period
Number of vulnerabilities re-opened during the period
Percentage of vulnerabilities escalated to senior management
Score 0 of 1
(skipped)

Question:

Who defines the organization’s mission, goals, and objectives?

Response:

Senior management
Government regulators
Risk managers
External corporate auditors
Score 0 of 1
(skipped)

Question:

A teaming agreement is an example of what type of risk response?

Response:

Acceptance
Mitigation
Transfer
Share