When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

• A.Exception handling policy
• B.Risk analysis results
• C.Benchmarking assessments
• D.Vulnerability assessment results

Comment: *

Name: *

Email: *

Verification: *

An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

• A.Business process owner
• B.Chief risk officer
• C.IT controls manager
• D.Chief information security officer

Comment: *

Name: *

Email: *

Verification: *

Which of the following is true for risk evaluation?

• A.Risk evaluation is done only when there is significant change.
• B.Risk evaluation is done once a year for every business processes.
• C.Risk evaluation is done annually or when there is significant change.
• D.Risk evaluation is done every four to six months for critical business processes.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

• A.accountable for the affected processes.
• B.members of senior management.
• C.independent from the business operations.
• D.authorized to select risk mitigation options.

Comment: *

Name: *

Email: *

Verification: *

An organization has raised the risk appetite for technology risk. The MOST likely result would be:

• A.increased inherent risk
• B.lower risk management cost
• C.decreased residual risk
• D.higher risk management cost

Comment: *

Name: *

Email: *

Verification: *