Risks to an organization's image are referred to as what kind of risk?
A. Operational
B. Financial
C. Information
D. Strategic
A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:
A. update the risk rating.
B. reevaluate inherent risk.
C. develop new risk scenarios.
D. implement additional controls.
Which of the following will BEST help an organization select a recovery strategy for critical systems?
A. Review the business impact analysis.
B. Create a business continuity plan.
C. Analyze previous disaster recovery reports.
D. Conduct a root cause analysis.
Which of the following is MOST important information to review when developing plans for using emerging technologies?
A. Existing IT environment
B. IT strategic plan
C. Risk register
D. Organizational strategic plan
Which of the following BEST indicates that an organization has implemented IT performance requirements?
A. Service level agreements (SLA)
B. Vendor references
C. Benchmarking data
D. Accountability matrix
Calculation of the recovery time objective (RTO) is necessary to determine the:
A. time required to restore files.
B. point of synchronization
C. priority of restoration.
D. annual loss expectancy (ALE).
Whose risk tolerance matters MOST when making a risk decision?
A. Customers who would be affected by a breach
B. Auditors, regulators and standards organizations
C. The business process owner of the exposed assets D. The information security manager
A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the GREATEST concern with this approach?
A. Risk scenarios in the generic list may not help in building risk awareness
B. Risk scenarios that are not relevant to the organization may be assessed
C. Developing complex risk scenarios using the generic list will be difficult
D. Relevant risk scenarios that do not appear in the generic list may not be assessed
A risk practitioner has been asked to evaluate a new cloud-based service to enhance an organization's access management capabilities. When is the BEST time for the risk practitioner to provide opinions on control strength?
A. After the initial design
B. After a few weeks in use
C. Before production rollout
D. Before end-user testing
A risk assessment has revealed that the probability of a successful cybersecurity attack is increasing. The potential loss could exceed the organization's risk appetite. Which of the following would be the MOST effective course of action?
A. Purchase cybersecurity insurance
B. Re-evaluate the organization's risk appetite
C. Outsource the cybersecurity function
D. Review cybersecurity incident response procedures