Question #1
Which of the following should be PRIMARILY considered while designing information systems controls?
A. The IT strategic plan
B. The existing IT environment
C. The organizational strategic plan
D. The present IT budget
Correct answer: C
Question #2
Which of the following can be interpreted from a single data point on a risk heat map?
A. Risk appetite
B. Risk magnitude
C. Risk response
D. Risk tolerance
Correct answer: B
Question #3
A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
A. An increase in attempted distributed denial of service (DDoS) attacks
B. An increase in attempted website phishing attacks
C. A decrease in remediated web security vulnerabilities
D. A decrease in achievement of service level agreements (SLAs)
Correct answer: A
Question #4
Which of the following would be the BEST recommendation if the level of risk in the IT risk profile has decreased and is now below management's risk appetite?
A. Decrease the number of related risk scenarios
B. Optimize the control environment
C. Realign risk appetite to the current risk level
D. Reduce the risk management budget
Correct answer: B
Question #5
An organization must implement changes as the result of new regulations. Which of the following should the risk practitioner do FIRST to prepare for these changes?
A. Engage the legal department
B. Conduct a gap analysis
C. Implement compensating controls
D. Review the risk profile
Correct answer: B
Question #6
You and your project team have identified a few risk events in the project and recorded the events in the risk register. Part of the recording of the events includes the identification of a risk owner. Who is a risk owner?
A. A risk owner is the party that will monitor the risk events
B. A risk owner is the party that will pay for the cost of the risk event if it becomes an issue
C. A risk owner is the party that has caused the risk event
D. A risk owner is the party authorized to respond to the risk event
Correct answer: D
Question #7
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:
A. Security policies
B. Process maps
C. Risk tolerance level
D. Risk appetite
Correct answer: A
Question #8
Which of the following role carriers will decide the Key Risk Indicator of the enterprise? Each correct answer represents a part of the solution. Choose two.
A. Business leaders
B. Senior management
C. Human resource
D. Chief financial officer
Correct answer: AB
Question #9
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
A. Interview the firewall administrator
B. Review the actual procedures
C. Review the device's log file for recent attacks
D. Review the parameter settings
Correct answer: D
Question #10
Which of the following is the greatest risk to reporting?
A. Integrity of data
B. Availability of data
C. Confidentiality of data
D. Reliability of data
Correct answer: D
Question #11
Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?
A. A control self-assessment
B. Benchmarking against peers
C. Transaction logging
D. Continuous monitoring
Correct answer: D
Question #12
Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis Courtney encourages the project team to begin grouping identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?
A. It helps the project team realize the areas of the project most laden with risks
B. It assists in developing effective risk responses
C. It saves time by collecting the related resources, such as project team members, to analyze the risk events
D. It can lead to the creation of risk categories unique to each project
Correct answer: B
Question #13
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
A. Identify key process owners
B. Validate control process execution
C. Determine if controls are effective
D. Conduct a baseline assessment
Correct answer: D
Question #14
You work as a project manager for Bluewell Inc. You have identified a project risk. You have then implemented the risk action plan and it turned out to be non-effective. What type of plan should you implement in such a case?
A. Risk mitigation
B. Risk fallback plan
C. Risk avoidance
D. Risk response plan
Correct answer: B
Question #15
Which of the following is MOST important when developing key performance indicators (KPIs)?
A. Alignment to management reports
B. Alignment to risk responses
C. Alerts when risk thresholds are reached
D. Identification of trends
Correct answer: D
Question #16
Who should be accountable for ensuring effective cybersecurity controls are established?
A. Security management function
B. Enterprise risk function
C. Risk owner
D. IT management
Correct answer: C
Question #17
An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?
A. Project Alpha
B. Project Bravo
C. Project Charlie
D. Project Delta
Correct answer: C
Question #18
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:
A. Comply with the organization's policy
B. Ensure that risk is mitigated by the control
C. Confirm control alignment with business objectives
D. Measure efficiency of the control process
Correct answer: D
Question #19
Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
A. Utilize the change management process
B. Validate functionality by running in a test environment
C. Perform an in-depth code review with an expert
D. Implement a service level agreement
Correct answer: C
Question #20
If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?
A. Redefine the business process to reduce the risk
B. Evaluate alternative controls
C. Develop a plan to upgrade technology
D. Define a process for monitoring risk
Correct answer: B
Question #21
An interruption in business productivity is considered as which of the following risks?
A. It is a risk event that only has a negative side and not any positive result
B. It is a risk event that is created by the application of risk response
C. It is a risk event that is generated due to errors or omission in the project work
D. It is a risk event that cannot be avoided because of the order of the work
Correct answer: B
Question #22
Which of the following are parts of SWOT Analysis? Each correct answer represents a complete solution. (Choose four.)
A. Report result
B. Prioritizing risks
C. Implement monitoring
D. Identifying controls
Correct answer: ACDE
Question #23
Which of the following controls would BEST decrease exposure if a password is compromised?
A. Passwords have format restrictions
B. Passwords are masked
C. Password changes are mandated
D. Passwords are encrypted
Correct answer: D
Question #24
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
A. Annually
B. Quarterly
C. Every three years
D. Never
Correct answer: A
Question #25
Which of the following is the FIRST step in managing the security risk associated with wearable technology in the workplace?
A. Develop risk awareness training
B. Monitor employee usage
C. Identify the potential risk
D. Assess the potential risk
Correct answer: A
Question #26
An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?
A. Implement additional controls
B. Conduct a risk assessment
C. Update the risk register
D. Update the security strategy
Correct answer: B
Question #27
Which of the following approaches will BEST help to ensure the effectiveness of risk awareness training?
A. Reviewing content with senior management
B. Using reputable third-party training programs
C. Piloting courses with focus groups
D. Creating modules for targeted audiences
Correct answer: D
Question #28
You are working in an enterprise. Your enterprise owns various risks. Which of the following is MOST likely to own the risk to an information system that supports a critical business process?
A. System users
B. Senior management
C. IT director
D. Risk management department
Correct answer: B
Question #29
Which of the following would be an IT business owner's BEST course of action following an unexpected increase in emergency changes?
A. Conducting a root-cause analysis
B. Validating the adequacy of current processes
C. Evaluating the impact to control objectives
D. Reconfiguring the IT infrastructure
Correct answer: A
Question #30
A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?
A. Senior management allocation of risk management resources
B. Senior management roles and responsibilities
C. The organization's strategic risk management projects
D. The organization's risk appetite and tolerance
Correct answer: B
Question #31
Which of the following is the BEST way to identify changes in the risk profile of an organization?
A. Monitor key risk indicators (KRIs)
B. Monitor key performance indicators (KPIs)
C. Conduct a gap analysis
D. Interview the risk owner
Correct answer: C
Question #32
Which of the following vulnerability assessment software can check for weak passwords on the network?
A. Password cracker
B. Antivirus software
C. Anti-spyware software
D. Wireshark
Correct answer: A
Question #33
Which of the following is an output of the risk assessment process?
A. Identification of risk
B. Identification of appropriate controls
C. Mitigated risk
D. Enterprise left with residual risk
Correct answer: B
Question #34
Which of the following are the principles of risk management? Each correct answer represents a complete solution. Choose three.
A. Reliability
B. Sustainability
C. Consistency
D. Distinct
Correct answer: ABD
Question #35
A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?
A. Record the risk as accepted in the risk register
B. Obtain the risk owner's approval
C. Inform senior management
D. Update the risk response plan
Correct answer: B
Question #36
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?
A. Activity duration estimates
B. Activity cost estimates
C. Risk management plan
D. Schedule management plan
Correct answer: A
Question #37
An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:
A. Organization's risk function
B. Service provider's audit function
C. Organization's IT management
D. Service provider's IT security function
Correct answer: A
السؤال #37
An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:
A. rganization’s risk function
B. ervice provider’s audit function
C. rganization’s IT management
D. ervice provider’s IT security function
عرض الإجابة
اجابة صحيحة: A
السؤال #38
You are the project manager for Bluewell Inc. You are studying the documentation of project plan. The documentation states that there are twenty-five stakeholders with the project. What will be the number of communication channel s for the project?
A. 0
B. 00
C. 0
D. 00
عرض الإجابة
اجابة صحيحة: D
السؤال #39
Controls should be defined during the design phase of system development because:
A. echnical specifications are defined during this phase
B. tructured programming techniques require that controls be designed before coding begins
C. ts more cost-effective to determine controls in the early design phase
D. tructured analysis techniques exclude identification of controls
عرض الإجابة
اجابة صحيحة: B
السؤال #40
During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
A. control mitigation plan is in place
B. esidual risk is accepted
C. ompensating controls are in place
D. isk management is effective
عرض الإجابة
اجابة صحيحة: A
السؤال #41
When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
A. pdating the IT risk registry
B. nsuring against the risk
C. utsourcing the related business process to a third party
D. mproving staff-training in the risk area
عرض الإجابة
اجابة صحيحة: B
السؤال #42
Which of the following is the PRIMARY purpose of periodically reviewing an organization’s risk profile?
A. esign and implement risk response action plans
B. lign business objectives with risk appetite
C. nable risk-based decision making
D. pdate risk responses in the risk register
عرض الإجابة
اجابة صحيحة: C
السؤال #43
During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?
A. arning signs
B. ymptoms
C. isk rating
D. ost of the project
عرض الإجابة
اجابة صحيحة: D
السؤال #44
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
A. hief risk officer (CRO)
B. usiness continuity manager (BCM)
C. uman resources manager (HRM)
D. hief information officer (CIO)
عرض الإجابة
اجابة صحيحة: D
السؤال #45
Which of the following is MOST useful when communicating risk to management?
A. isk policy
B. isk map
C. aturity model
D. udit report
عرض الإجابة
اجابة صحيحة: B
السؤال #46
The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?
A. rends in qualitative risk analysis
B. isk probability-impact matrix
C. isks grouped by categories
D. atchlist of low-priority risks
عرض الإجابة
اجابة صحيحة: B
السؤال #47
You work as a project manager for BlueWell Inc. Your project is using a new material to construct a large warehouse in your city. This new material is cheaper than traditional building materials, but it takes some time to learn how to use the material properly. You have communicated to the project stakeholders that you will be able to save costs by using the new material, but you will need a few extra weeks to complete training to use the materials. This risk response of learning how to use the new material
A. n quality of work
B. n ease of access
C. n profession
D. n independence
عرض الإجابة
اجابة صحيحة: C
السؤال #48
Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?
A. t compares performance levels of IT assets to value delivered
B. t provides input to business managers when preparing a business case for new IT projects
C. t facilitates the alignment of strategic IT objectives to business objectives
D. t helps assess the effects of IT decisions on risk exposure
عرض الإجابة
اجابة صحيحة: B
السؤال #49
Your project spans the entire organization. You would like to assess the risk of your project but worried about that some of the managers involved in the project could affect the outcome of any risk identification meeting. Your consideration is based on the fact that some employees would not want to publicly identify risk events that could declare their supervision as poor. You would like a method that would allow participants to anonymously identify risk events. What risk identification method could you us
A. elphi technique
B. oot cause analysis
C. solated pilot groups
D. WOT analysis
عرض الإجابة
اجابة صحيحة: A
Question #50
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation?
A. Implement training on coding best practices
B. Perform a code review
C. Perform a root cause analysis
D. Implement version control software
Correct answer: B
Question #51
You are elected as the project manager of the GHT project. You are in the project initialization phase and are busy defining requirements for your project. While defining requirements you are describing how users will interact with a system. Which of the following requirements are you defining here?
A. Organizational levels
B. Risk components
C. Strategic objectives
D. Risk objectives
Correct answer: C
Question #52
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?
A. Number of training sessions completed
B. Percentage of staff members who complete the training with a passing score
C. Percentage of attendees versus total staff
D. Percentage of staff members who attend the training with positive feedback
Correct answer: C
Question #53
What is the MAIN purpose of designing risk management programs?
A. To reduce the risk to a level that the enterprise is willing to accept
B. To reduce the risk to the point at which the benefit exceeds the expense
C. To reduce the risk to a level that is too small to be measurable
D. To reduce the risk to a rate of return that equals the current cost of capital
Correct answer: A
Question #54
A risk practitioner has populated the risk register with industry-based generic risk scenarios to be further assessed by risk owners. Which of the following is the GREATEST concern with this approach?
A. Risk scenarios in the generic list may not help in building risk awareness
B. Risk scenarios that are not relevant to the organization may be assessed
C. Developing complex risk scenarios using the generic list will be difficult
D. Relevant risk scenarios that do not appear in the generic list may not be assessed
Correct answer: B
Question #55
Natural disaster is BEST associated with which of the following types of risk?
A. Internal accounting control
B. Detective control
C. Administrative control
D. Operational control
Correct answer: C
Question #56
Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST:
A. Reallocate risk response resources
B. Review the key risk indicators
C. Conduct a risk analysis
D. Update the risk register
Correct answer: C
Question #57
You are the project manager of the NHH Project. You are working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?
A. Project plan
B. Resource management plan
C. Project management plan
D. Risk management plan
Correct answer: D
Question #58
Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?
A. Login attempts are reconciled to a list of terminated employees
B. A process to remove employee access during the exit interview is implemented
C. The human resources (HR) system automatically revokes system access
D. A list of terminated employees is generated for reconciliation against current IT access
Correct answer: D
Question #59
Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
A. Time between when IT risk scenarios are identified and the enterprise's response
B. Percentage of business users completing risk training
C. Percentage of high-risk scenarios for which risk action plans have been developed
D. Number of key risk indicators (KRIs) defined
Correct answer: C
Question #60
Which of the following approaches would BEST help to identify relevant risk scenarios?
A. Engage line management in risk assessment workshops
B. Escalate the situation to risk leadership
C. Engage internal audit for risk assessment workshops
D. Review system and process documentation
Correct answer: A
Question #61
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?
A. Activity duration estimates
B. Activity cost estimates
C. Risk management plan
D. Schedule management plan
Correct answer: A
Question #62
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
A. Outsource disaster recovery to an external provider
B. Select a provider to standardize the disaster recovery plans
C. Evaluate opportunities to combine disaster recovery plans
D. Centralize the risk response function at the enterprise level
Correct answer: C
Question #63
During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?
A. Complete a risk exception form
B. Report the gap to senior management
C. Consult with the business owner to update the BCP
D. Consult with the IT department to update the RTO
Correct answer: B
Question #64
An IT license audit has revealed that there are several unlicensed copies of commercial applications installed on company laptops. The risk practitioner's BEST course of action would be to:
A. Immediately uninstall the unlicensed software from the laptops
B. Procure the requisite licenses for the software to minimize business impact
C. Report the issue to management so appropriate action can be taken
D. Centralize administration rights on laptops so that installations are controlled
Correct answer: D
Question #65
A rule-based data loss prevention (DLP) tool has recently been implemented to reduce the risk of sensitive data leakage. Which of the following is MOST likely to change as a result of this implementation?
A. Risk velocity
B. Risk impact
C. Risk likelihood
D. Risk appetite
Correct answer: B
Question #66
Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?
A. Updating the risk profile with risk assessment results
B. Assigning quantitative values to qualitative metrics in the risk register
C. Engaging external risk professionals to periodically review the risk
D. Prioritizing global standards over local requirements in the risk profile
Correct answer: B
Question #67
Which of the following would require updates to an organization's IT risk register?
A. Discovery of an ineffectively designed key IT control
B. Management review of key risk indicators (KRIs)
C. Changes to the team responsible for maintaining the register
D. Completion of the latest internal audit
Correct answer: A
Question #68
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
A. ALE = ARO/SLE
B. ARO = SLE/ALE
C. ARO = ALE*SLE
D. ALE = ARO*SLE
Correct answer: D
Question #69
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
A. Accurate measurement of loss impact
B. Early detection of emerging threats
C. Identification of control gaps that may lead to noncompliance
D. Prioritization of risk action plans across departments
Correct answer: A
Question #70
Which of the following would be MOST helpful when estimating the likelihood of negative events?
A. Business impact analysis
B. Cost-benefit analysis
C. Risk response analysis
D. Threat analysis
Correct answer: D
Question #71
You are the project manager of the GHT project. You are performing a cost and benefit analysis of controls. You come across the result that the costs of specific controls exceed the benefits of mitigating a given risk. Which is the BEST action you would choose in this scenario?
A. The enterprise may apply the appropriate control anyway
B. The enterprise should adopt corrective control
C. The enterprise may choose to accept the risk rather than incur the cost of mitigation
D. The enterprise should exploit the risk
Correct answer: C
Question #72
Which of the following is the GREATEST benefit of analyzing logs collected from different systems?
A. Developing threats are detected earlier
B. Forensic investigations are facilitated
C. Security violations can be identified
D. A record of incidents is maintained
Correct answer: D
Question #73
Risks with low ratings of probability and impact are included for future monitoring in which of the following?
A. Risk alarm
B. Observation list
C. Watch-list
D. Risk register
Correct answer: C
Question #74
You are the project manager of the GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
A. This risk event should be mitigated to take advantage of the savings
B. This is a risk event that should be accepted because the rewards outweigh the threat to the project
C. This risk event should be avoided to take full advantage of the potential savings
D. This risk event is an opportunity to the project and should be exploited
Correct answer: D
Question #75
A risk assessment has identified that departments have installed their own WiFi access points on the enterprise network. Which of the following would be MOST important to include in a report to senior management?
A. Planned remediation actions
B. The network security policy
C. The WiFi access point configuration
D. Potential business impact
Correct answer: D
Question #76
You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholders to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve this goal of improving the project's performance through risk analysis with your project stakeholders?
A. Project risks are uncertain as to when they will happen
B. Risks can happen at any time in the project
C. Project risks are always in the future
D. Risk triggers are warning signs of when the risks will happen
Correct answer: D
Question #77
Which of the following is MOST effective against external threats to an organization's confidential information?
A. Single sign-on
B. Strong authentication
C. Data integrity checking
D. Intrusion detection system
Correct answer: D
Question #78
Who is the BEST authority to develop the priorities and identify what risks and impacts would occur if there were a loss of the organization's private information?
A. External regulatory agencies
B. Internal auditor
C. Business process owners
D. Security management
Correct answer: D
Question #79
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time
Correct answer: D
Question #80
The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?
A. Intrusion detection system (IDS) rules
B. Penetration test reports
C. Vulnerability assessment reports
D. Logs and system events
Correct answer: D
Question #81
Which of the following statements is NOT true regarding the risk management plan?
A. The risk management plan is an output of the Plan Risk Management process
B. The risk management plan is an input to all the remaining risk-planning processes
C. The risk management plan includes a description of the risk responses and triggers
D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets
Correct answer: C
Question #82
John is the project manager of the HGH Project for his company. He and his project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of response does John adopt here?
A. Contingent response strategy
B. Risk avoidance
C. Risk mitigation
D. Expert judgment
Correct answer: A
Question #83
After the implementation of Internet of Things (IoT) devices, new risk scenarios were identified. What is the PRIMARY reason to report this information to risk owners?
A. To reevaluate continued use of IoT devices
B. To recommend changes to the IoT policy
C. To confirm the impact to the risk profile
D. To add new controls to mitigate the risk
Correct answer: D
Question #84
When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
A. Transfer
B. Avoidance
C. Acceptance
D. Mitigation
Correct answer: D
Question #85
A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
A. Obtain management approval for policy exception
B. Continue the implementation with no changes
C. Develop an improved password software routine
D. Select another application with strong password controls
Correct answer: C
Question #86
You are the project manager of your project. You have to analyze various project risks. You have opted for quantitative analysis instead of qualitative risk analysis. What is the MOST significant drawback of using quantitative analysis over qualitative risk analysis?
A. Lower objectivity
B. Higher cost
C. Higher reliance on skilled personnel
D. Lower management buy-in
Correct answer: B
السؤال #87
Which of the following is the MOST important factor affecting risk management in an organization?
A. he risk manager’s expertise
B. egulatory requirements
C. oard of director’s expertise
D. he organization’s culture
عرض الإجابة
اجابة صحيحة: D
السؤال #88
A PRIMARY advantage of involving business management in evaluating and managing risk is that management:
A. an make better informed business decisions
B. etter understands the system architecture
C. an balance technical and business risk
D. s more objective than risk management
عرض الإجابة
اجابة صحيحة: A
Question #89
A risk practitioner’s PRIMARY focus when validating a risk response action plan should be that the risk response:
A. Advances business objectives
B. Quantifies risk impact
C. Reduces risk to an acceptable level
D. Aligns with business strategy
Correct answer: D
Question #90
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
A. Clearly define the project scope
B. Perform background checks on the vendor
C. Notify network administrators before testing
D. Require the vendor to sign a nondisclosure agreement
Correct answer: A
Question #91
Which of the following is a detective control?
A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures
Correct answer: D
Question #92
Which of the following is NOT a method of qualitative risk analysis?
A. Scorecards
B. Attribute analysis
C. Likelihood-impact matrix
D. Business process modeling (BPM) and simulation
Correct answer: D
Question #93
The risk associated with a high-risk vulnerability in an application is owned by the:
A. Security department
B. Vendor
C. Business unit
D. IT department
Correct answer: C
Question #94
Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
A. Unclear reporting relationships
B. Weak governance structures
C. Senior management scrutiny
D. Complex regulatory environment
Correct answer: A
Question #95
You are the project manager of the GHT project. Your project uses a machine for the production of goods. The machine's specification states that if its temperature rises above 450 degrees Fahrenheit, the windings may burn. So there is an alarm that sounds when the machine's temperature reaches 430 degrees Fahrenheit, and the machine is shut off for 1 hour. What role does the alarm play here?
A. Of risk indicator
B. Of risk identification
C. Of risk trigger
D. Of risk response
Correct answer: A
Question #96
What are the functions of audit and accountability control? Each correct answer represents a complete solution. (Choose three.)
A. Risk level increases above risk appetite
B. Risk level increases above risk tolerance
C. Risk level equals risk appetite
D. Risk level equals the risk tolerance
Correct answer: ACD
Question #97
An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
A. Resources may be inefficiently allocated
B. Management may be unable to accurately evaluate the risk profile
C. Multiple risk treatment efforts may be initiated to treat a given risk
D. The same risk factor may be identified in multiple areas
Correct answer: B
Question #98
Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
A. User management coordination does not exist
B. Audit recommendations may not be implemented
C. Users may have unauthorized access to originate, modify or delete data
D. Specific user accountability cannot be established
Correct answer: C
Question #99
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
A. Reviewing database access rights
B. Reviewing changes to edit checks
C. Comparing data to input records
D. Reviewing database activity logs
Correct answer: C
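The point behind answer C is that a database administrator can usually alter or disable the database's own activity logs, so the only evidence outside their control is the original input. The following is an added example (not part of the exam material) of that reconciliation: it compares a snapshot of production rows against the input records as received from the source system and reports rows that were modified, deleted, or inserted without a matching input record. Both record sets are constructed for illustration, and the field names are hypothetical.

```python
"""Reconcile database rows against independently retained input records.

Added example, not part of the original exam material. INPUT_RECORDS and
DB_ROWS are constructed data; the field names are hypothetical.
"""
import hashlib
import json

# Input records as received from the source system, keyed by primary key.
# Retained outside the DBA's control (e.g. the original batch file).
INPUT_RECORDS = {
    1001: {"account": "ACME-01", "amount": "1250.00", "status": "posted"},
    1002: {"account": "ACME-02", "amount": "300.00", "status": "posted"},
    1003: {"account": "ACME-03", "amount": "75.50", "status": "pending"},
}

# Snapshot of the same table read from the production database.
# 1002: amount changed after load; 1003: missing (deleted); 1004: no input record.
DB_ROWS = {
    1001: {"account": "ACME-01", "amount": "1250.00", "status": "posted"},
    1002: {"account": "ACME-02", "amount": "3000.00", "status": "posted"},
    1004: {"account": "ACME-09", "amount": "999.99", "status": "posted"},
}


def record_digest(record):
    """SHA-256 over a canonical JSON form, so field order cannot mask a match.

    Retaining only these digests of the input (rather than full copies) is
    enough to detect modification; full copies are needed to name the field.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(inputs, rows):
    """Return a sorted list of (key, finding, changed_fields) tuples.

    finding is one of "modified", "deleted" or "unexplained_insert";
    changed_fields is a sorted list for "modified" and None otherwise.
    """
    findings = []
    for key in sorted(set(inputs) | set(rows)):
        if key not in rows:
            findings.append((key, "deleted", None))
        elif key not in inputs:
            findings.append((key, "unexplained_insert", None))
        elif record_digest(inputs[key]) != record_digest(rows[key]):
            fields = set(inputs[key]) | set(rows[key])
            changed = sorted(f for f in fields
                             if inputs[key].get(f) != rows[key].get(f))
            findings.append((key, "modified", changed))
    return findings


if __name__ == "__main__":
    for key, finding, fields in reconcile(INPUT_RECORDS, DB_ROWS):
        print(f"{key}: {finding}" + (f" {fields}" if fields else ""))
```

Run it on a real table by replacing DB_ROWS with a read-only query result and INPUT_RECORDS with the retained source file; the comparison must run under an account the DBA does not administer, or the control collapses back to trusting the same person it is meant to detect.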
Question #100
Where are all risks and risk responses documented as the project progresses?
A. Risk management plan
B. Project management plan
C. Risk response plan
D. Risk register
Correct answer: D
Question #101
How can residual risk be determined?
A. By determining remaining vulnerabilities after countermeasures are in place
B. By transferring all risks
C. By threat analysis
D. By risk assessment
Correct answer: D
Question #102
You are the project manager of your enterprise. You have introduced an intrusion detection system as a control. You have identified a warning of a violation of your enterprise's security policies. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
Correct answer: A
Question #103
You are the risk official in Techmart Inc. You are asked to perform a risk assessment on the impact of losing network connectivity for 1 day. Which of the following factors would you include?
A. Aggregate compensation of all affected business users
B. Hourly billing rate charged by the carrier
C. Value that the enterprise gets from transferring data over the network
D. Financial losses incurred by affected business units
Correct answer: D
Question #104
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time
Correct answer: D
Question #105
Which of the following would be MOST useful when measuring the progress of a risk response action plan?
A. Resource expenditure against budget
B. An up-to-date risk register
C. Percentage of mitigated risk scenarios
D. Annual loss expectancy (ALE) changes
Correct answer: C
Question #106
The MAIN purpose of having a documented risk profile is to:
A. Enable well-informed decision making
B. Comply with external and internal requirements
C. Keep the risk register up-to-date
D. Prioritize investment projects
Correct answer: A
Question #107
When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?
A. Risk response planning
B. Risk identification
C. Risk monitoring and control
D. Risk management strategy planning
Correct answer: C
Question #108
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Risk Management Plan
C. Stakeholder management strategy
D. Communications Management Plan
Correct answer: D
Question #109
Which of the following changes would be reflected in an organization’s risk profile after the failure of a critical patch implementation?
A. Inherent risk is increased
B. Risk tolerance is decreased
C. Risk appetite is decreased
D. Residual risk is increased
Correct answer: D
Question #110
When evaluating enterprise IT risk management, it is MOST important to:
A. Create new control processes to reduce identified IT risk scenarios
B. Review alignment with the organization’s investment plan
C. Report identified IT risk scenarios to senior management
D. Confirm the organization’s risk appetite and tolerance
Correct answer: B
Question #111
You work as a Project Manager for Company Inc. You are assigning a risk response owner to take responsibility for each agreed-to and funded risk response. On which of the following processes are you working?
A. Quantitative Risk Analysis
B. Identify Risks
C. Plan Risk Responses
D. Qualitative Risk Analysis
Correct answer: C
Question #112
Which of the following serves as the authorization for a project to begin?
A. Approval of the project management plan
B. Approval of a risk response document
C. Approval of a risk management document
D. Approval of a project request document
Correct answer: D
Question #113
You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 that is subject to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, what will be the Annual Loss Expectancy (ALE) of the project?
A. $2,160,000
B. $95,000
C. $1,080,000
D. $90,000
Correct answer: C
Question #114
Which of the following would BEST help an enterprise prioritize risk scenarios?
A. Industry best practices
B. Degree of variances in the risk
C. Cost of risk mitigation
D. Placement on the risk map
Correct answer: D
Question #115
Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization’s data center?
A. Ownership of an audit finding has not been assigned
B. The data center is not fully redundant
C. Audit findings were not communicated to senior management
D. Key risk indicators (KRIs) for the data center do not include critical components
Correct answer: C
Question #116
IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:
A. Historical risk assessments
B. Key risk indicators (KRIs)
C. The cost associated with each control
D. Information from the risk register
Correct answer: A
Question #117
Mortality tables are based on what mathematical activity? Each correct answer represents a complete solution. Choose three.
A. Transference
B. Mitigation
C. Acceptance
D. Avoidance
Correct answer: ABD
Question #118
Jane is the project manager of the NHJ Project for her company. She has identified several positive risk events within her project and thinks these events can save the project time and money. Positive risk events such as these within the NHJ Project are referred to as?
A. Contingency risks
B. Benefits
C. Residual risk
D. Opportunities
Correct answer: D
Question #119
Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?
A. A quantitative presentation of risk assessment results
B. A qualitative presentation of risk assessment results
C. A comparison of risk assessment results to the desired state
D. An assessment of organizational maturity levels and readiness
Correct answer: A
Question #120
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A. Implement segregation of duties
B. Enforce an internal data access policy
C. Enforce the use of digital signatures
D. Apply single sign-on for access control
Correct answer: D
Question #121
Which of the following are external risk factors? Each correct answer represents a complete solution. Choose three.
A. Exploit
B. Avoid
C. Mitigate
D. Transfer
Correct answer: AD
Question #122
You are the project manager of the GHT project. You have initiated the project and conducted the feasibility study. What results would you get after conducting the feasibility study? Each correct answer represents a complete solution. (Choose two.)
A. Stakeholder identification
B. Vendor selection process
C. Quality baseline
D. Process improvement plan
Correct answer: AD
Question #123
You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are applying the IRGC model to facilitate the understanding and management of the rising overall risks that have impacts on the economy and society. One of your team members wants to know what the need to use the IRGC is. What will be your reply?
A. Technical requirement
B. Project requirement
C. Functional requirement
D. Business requirement
Correct answer: A
Question #124
What activity should be done for effective post-implementation reviews during the project?
A. Establish the business measurements up front
B. Allow a sufficient number of business cycles to be executed in the new system
C. Identify the information collected during each stage of the project
D. Identify the information to be reviewed
Correct answer: A
Question #125
Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks, so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?
A. Delphi technique
B. Expert judgment
C. Brainstorming
D. Checklist analysis
Correct answer: C
Question #126
You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?
A. Data gathering and representation techniques
B. Expert judgment
C. Quantitative risk analysis and modeling techniques
D. Organizational process assets
Correct answer: D
Question #127
Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?
A. Control owner
B. Risk owner
C. Data owner
D. System owner
Correct answer: D
Question #128
You are the Risk Official in Bluewell Inc. You have detected many vulnerabilities during the risk assessment process. What should you do next?
A. Prioritize vulnerabilities for remediation solely based on impact
B. Handle vulnerabilities as a risk, even though there is no threat
C. Analyze the effectiveness of controls on the basis of the vulnerabilities
D. Evaluate vulnerabilities for threat, impact, and cost of mitigation
Correct answer: D
Question #129
You are the project manager of the GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?
A. Avoid
B. Transfer
C. Acceptance
D. Mitigate
Correct answer: D
Question #130
Which of the following processes is described in the statement below? "It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
A. Risk governance
B. IRGC
C. Risk response planning
D. Risk communication
Correct answer: D
Question #131
Which of the following control audits is performed to assess the efficiency of productivity in the operations environment?
A. Project risk management has been concluded with the project planning
B. Project risk management happens at every milestone
C. Project risk management is scheduled for every month in the 18-month project
D. At every status meeting of the project team, project risk management is an agenda item
Correct answer: C
Question #132
Malicious code protection is which type of control?
A. Configuration management control
B. System and information integrity control
C. Media protection control
D. Personnel security control
Correct answer: B
Question #133
Which negative risk response usually has a contractual agreement?
A. Sharing
B. Transference
C. Mitigation
D. Exploiting
Correct answer: B
Question #134
Risk mitigation procedures should include:
A. Buying an insurance policy
B. Acceptance of exposures
C. Deployment of countermeasures
D. Enterprise architecture implementation
Correct answer: C
Question #135
You are the project manager of the GHT project. You identified a risk of noncompliance with regulations because a number of relatively simple procedures are missing. The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization categories should this case be placed?
A. Business case to be made
B. Quick win
C. Risk avoidance
D. Deferrals
Correct answer: B
Question #136
Which of the following will BEST support management reporting on risk?
A. A risk register
B. Key performance indicators
C. Control self-assessment
D. Risk policy requirements
Correct answer: B
Question #137
What are the requirements of monitoring risk? Each correct answer represents a part of the solution. Choose three.
A. Risk transfer
B. Risk acceptance
C. Risk avoidance
D. Risk mitigation
Correct answer: BCD
Question #138
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:
A. No action is required as there was no impact
B. A root cause analysis is required
C. Hardware needs to be upgraded
D. Controls are effective for ensuring continuity
Correct answer: D
Question #139
An organization has recently hired a large number of part-time employees. During the annual audit, it was discovered that many user IDs and passwords were documented in procedure manuals for use by the part-time employees. This situation would be considered:
A. A risk
B. An incident
C. A threat
D. A vulnerability
Correct answer: D
Question #140
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
A. Communicating components of risk and their acceptable levels
B. Performing a benchmark analysis and evaluating gaps
C. Participating in peer reviews and implementing best practices
D. Conducting risk assessments and implementing controls
Correct answer: D
Question #141
Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Identify Risks
D. Perform Qualitative Risk Analysis
Correct answer: B
Question #142
Which of the following come under the phases of risk identification and evaluation? Each correct answer represents a complete solution. Choose three.
A. End node
B. Root node
C. Event node
D. Decision node
Correct answer: ABC
Question #143
Suppose you are working in Company Inc. and you are using risk scenarios to estimate the likelihood and impact of the significant risks to this organization. Which of the following assessments are you doing?
A. IT security assessment
B. IT audit
C. Threat and vulnerability assessment
D. Risk assessment
Correct answer: C
Question #144
Which of the following is NOT indirect information?
A. Information about the propriety of cutoff
B. Reports that show orders that were rejected for credit limitations
C. Reports that provide information about any unusual deviations and individual product margins
D. The lack of any significant differences between perpetual levels and actual levels of goods
Correct answer: A
Question #145
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?
A. Bottom-up approach
B. Cause-and-effect diagram
C. Top-down approach
D. Delphi technique
Correct answer: D
Question #146
Which of the following controls is an example of a non-technical control?
A. Access control
B. Physical security
C. Intrusion detection system
D. Encryption
Correct answer: B
Question #147
A risk practitioner is developing a set of bottom-up IT risk scenarios. The MOST important time to involve business stakeholders is when:
A. Identifying risk mitigation controls
B. Documenting the risk scenarios
C. Validating the risk scenarios
D. Updating the risk register
Correct answer: C
Question #148
You are the project manager of the GHT project. A stakeholder of this project submitted a change request. What are your responsibilities as the project manager in order to approve this change request? Each correct answer represents a complete solution. Choose two.
A. Short-term
B. Long-term
C. Discontinuous
D. Large impact
Correct answer: AC
Question #149
Which among the following is the BEST reason for defining a risk response?
A. To eliminate risk from the enterprise
B. To ensure that the residual risk is within the limits of the risk appetite and tolerance
C. To provide an overview of the current status of risk
D. To mitigate risk
Correct answer: B
Question #150
You are the program manager for your organization and you are working with Alice, a project manager in your program. Alice calls you and insists that you add a change to the program scope. You agree to the change. What must Alice do to move forward with her change request?
A. Add the change to the program scope herself, as she is a project manager
B. Create a change request charter justifying the change request
C. Document the change request in a change request form
D. Add the change request to the scope and complete integrated change control
Correct answer: C
Question #151
What are the functions of the auditor while analyzing risk? Each correct answer represents a complete solution. Choose three.
A. Cost change control system
B. Configuration management system
C. Scope change control system
D. Integrated change control
Correct answer: ACD
Question #152
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has ratings for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give to it?
A. 120
B. 100
C. 15
D. 10
Correct answer: A
Question #153
When it appears that a project risk is going to happen, what is this term called?
A. Currency with changing legislative requirements
B. Number of employees
C. Complexity of the organizational structure
D. Cultural differences between physical locations
Correct answer: C
Question #154
While defining the risk management strategies, what are the major parts to be determined first? Each correct answer represents a part of the solution. Choose two.
A. Bias towards risk in new resources
B. Risk probability and impact matrices
C. Uncertainty in values such as duration of schedule activities
D. Risk identification
Correct answer: BC
Question #155
Which of the following is NOT true for effective risk communication?
A. Risk information must be known and understood by all stakeholders
B. Use of technical terms of risk
C. Any communication on risk must be relevant
D. For each risk, critical moments exist between its origination and its potential business consequence
Correct answer: B
Question #156
Which of the following is true for risk management frameworks, standards and practices? Each correct answer represents a part of the solution. Choose three.
A. Reporting risk
B. Operational risk
C. Legal risk
D. Strategic risk
Correct answer: ACD
Question #157
Which of the following focuses on operational efficiency in a functional area while adhering to management policies?
A. Key risk indicators
B. Capability maturity models
C. Key performance indicators
D. Metric thresholds
Correct answer: C
Question #158
Capability maturity models are models used by an enterprise to rate itself from the least mature level to the most mature level. Which of the following capability maturity levels indicates that the enterprise does not recognize the need to consider risk management or the business impact of IT risk?
A. Level 2
B. Level 0
C. Level 3
D. Level 1
Correct answer: B
Question #159
You are the project manager of your enterprise. While performing risk management, you are given the task of identifying where your enterprise stands in a certain practice and of suggesting priorities for improvement. Which of the following models would you use to accomplish this task?
A. Capability maturity model
B. Decision tree model
C. Fishbone model
D. Simulation tree model
Correct answer: A
Question #160
Which of the following is described by the definition given below? "It is the expected guaranteed value of taking a risk."
A. Certainty equivalent value
B. Risk premium
C. Risk value guarantee
D. Certain value assurance
Correct answer: A
Question #161
An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan. Which of the following is the risk practitioner’s BEST course of action?
A. Revert the implemented mitigation measures until approval is obtained
B. Validate the adequacy of the implemented risk mitigation measures
C. Report the observation to the chief risk officer (CRO)
D. Update the risk register with the implemented risk mitigation actions
Correct answer: B
Question #162
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
A. Aggregated risk may exceed the enterprise’s risk appetite and tolerance
B. Duplicate resources may be used to manage risk registers
C. Standardization of risk management practices may be difficult to enforce
D. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales
Correct answer: D
Question #163
Which of the following are the principles of access controls? Each correct answer represents a complete solution. Choose three.
A. Risk reports need to be timely
B. Complex metrics require fine-tuning
C. Threats and vulnerabilities change over time
D. They help to avoid risk
Correct answer: ABD
Question #164
According to Section 302 of the Sarbanes-Oxley Act of 2002, what does certification of reports imply? Each correct answer represents a complete solution. Choose three.
A. Risk management
B. Risk response integration
C. Risk response implementation
D. Risk response tracking
Correct answer: BCD
Question #165
Which of the following is MOST important to the effectiveness of key performance indicators (KPIs)?
A. Management approval
B. Automation
C. Annual review
D. Relevance
Correct answer: B
Question #166
Which one of the following is the only output of the qualitative risk analysis process?
A. Project management plan
B. Risk register updates
C. Organizational process assets
D. Enterprise environmental factors
Correct answer: B
Question #167
Which of the following BEST enables the identification of trends in risk levels?
A. Measurements for key risk indicators (KRIs) are repeatable
B. Qualitative definitions for key risk indicators (KRIs) are used
C. Quantitative measurements are used for key risk indicators (KRIs)
D. Correlation between risk levels and key risk indicators (KRIs) is positive
Correct answer: C
Question #168
Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and that adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the
A. Include the change in the project scope immediately
B. Direct your project team to include the change if they have time
C. Do not implement the verbal change request
D. Report Jane to your project sponsor and then include the change
Correct answer: C
Question #169
One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?
A. Acceptance
B. Transference
C. Enhance
D. Mitigation
Correct answer: A
Question #170
Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?
A. An increase in control vulnerabilities
B. An increase in inherent risk
C. A decrease in control layering effectiveness
D. An increase in the level of residual risk
Correct answer: B
Question #171
Which of the following matrices is used to specify risk thresholds?
A. Risk indicator matrix
B. Impact matrix
C. Risk scenario matrix
D. Probability matrix
Correct answer: A
Question #172
You are the project manager of the GHT project. You have identified a risk event on your current project that could save $670,000 in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to ensure it realizes these savings. Which of the following statements is TRUE for this risk event?
A. This risk event should be accepted because the rewards outweigh the threat to the project
B. This risk event should be mitigated to take advantage of the savings
C. This risk event is an opportunity to the project and should be exploited
D. This is a risk event that should be shared to take full advantage of the potential savings
Correct answer: D
Question #173
There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the quantitative risk analysis process?
A. Risk management plan
B. Enterprise environmental factors
C. Cost management plan
D. Risk register
Correct answer: B
Question #174
An unauthorized individual has socially engineered entry into an organization’s secured physical premises. Which of the following is the BEST way to prevent future occurrences?
A. Require security access badges
B. Employ security guards
C. Install security cameras
D. Conduct security awareness training
Correct answer: D
Question #175
Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?
A. Cost-benefit analysis
B. Business impact analysis
C. Total cost of ownership
D. Resource dependency analysis
Correct answer: A
Question #176
Which of the following is the PRIMARY reason to perform ongoing risk assessments?
A. The risk environment is subject to change
B. The information security budget must be justified
C. Emerging risk must be continuously reported to management
D. New system vulnerabilities emerge at frequent intervals
Correct answer: A
Question #177
Which of the following is the BEST method to maintain a common view of IT risk within an organization?
A. Establishing and communicating the IT risk profile
B. Performing and publishing an IT risk analysis
C. Collecting data for IT risk assessment
D. Utilizing a balanced scorecard
Correct answer: B
Question #178
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:
A. Provide a current reference to stakeholders for risk-based decisions
B. Minimize the number of risk scenarios for risk assessment
C. Aggregate risk scenarios identified across different business units
D. Build a threat profile of the organization for management review
Correct answer: A
Question #179
Which of the following is the BEST indication of an effective risk management program?
A. Risk action plans are approved by senior management
B. Mitigating controls are designed and implemented
C. Residual risk is within the organizational risk appetite
D. Risk is recorded and tracked in the risk register
Correct answer: B
Question #180
Which of the following should be included in a risk scenario to be used for risk analysis?
A. Residual risk
B. Risk tolerance
C. Risk appetite
D. Threat type
Correct answer: D
Question #181
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
A. Authentication
B. Identification
C. Data validation
D. Data integrity
Correct answer: A
Question #182
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?
A. Avoiding risks that could materialize into substantial losses
B. Increasing organizational resources to mitigate risks
C. Defining expectations in the enterprise risk policy
D. Communicating external audit results
Correct answer: C
Question #183
Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?
A. Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate)
B. Grouping the stakeholders based on their level of authority ("power") and their level of concern ("interest") regarding the project outcomes
C. Influence/impact grid, grouping the stakeholders based on their active involvement ("influence") in the project and their ability to affect changes to the project's planning or execution ("impact")
D. Grouping the stakeholders based on their level of authority ("power") and their active involvement ("influence") in the project
Correct answer: A
Question #184
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?
A. Identify what additional controls are needed
B. Update the business impact analysis (BIA)
C. Prioritize issues noted during the testing window
D. Communicate test results to management
Correct answer: B
Question #185
Which of the following is the BEST indication of the effectiveness of a business continuity program?
A. Business continuity tests are performed successfully and issues are addressed
B. Business continuity and disaster recovery plans are regularly updated
C. Business impact analyses are reviewed and updated in a timely manner
D. Business units are familiar with the business continuity plans and process
Correct answer: A
Question #186
A risk practitioner is preparing a report to communicate changes in the risk and control environment. The BEST way to engage stakeholder attention is to:
A. Include a roadmap to achieve operational excellence
B. Include a summary linking information to stakeholder needs
C. Publish the report on demand for stakeholders
D. Include detailed deviations from industry benchmarks
Correct answer: A
Question #187
When prioritizing risk response, management should FIRST:
A. Evaluate the organization's ability and expertise to implement the solution
B. Evaluate the risk response of similar organizations
C. Determine which risk factors have high remediation costs
D. Address high risk factors that have efficient and effective solutions
Correct answer: A
Question #188
You are working in an enterprise. Your project deals with important files that are stored on a computer. You have identified the risk of the failure of operations. To address this risk of failure, you have directed the system administrator to sign off on the daily backup. This scenario is an example of which of the following?
A. Operational
B. Financial
C. Information
D. Strategic
Correct answer: D
Question #189
Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?
A. Mitigation
B. Avoidance
C. Transference
D. Enhancing
Correct answer: A
Question #190
Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are located in a foreign country?
A. A security breach notification may be delayed due to the time difference
B. The enterprise may not be able to monitor compliance with its internal security and privacy guidelines
C. Laws and regulations of the country of origin may not be enforceable in the foreign country
D. Additional network intrusion detection sensors would need to be installed, resulting in additional cost
Correct answer: C
Question #191
You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you have just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
A. Quantitative risk analysis is the review of the risk events with the highest probability and the highest impact on the project objectives
B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact
C. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives
D. Quantitative risk analysis is the planning and quantification of risk responses based on the probability and impact of each risk event
Correct answer: C
Question #192
After a high-profile systems breach at an organization's key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments: Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?
A. External audit
B. Internal audit
C. Vendor performance scorecard
D. Regulatory examination
Correct answer: B
Question #193
You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate each event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low level of stakeholder tolerance in this
A. Mitigation-ready project management
B. Risk avoidance
C. Risk utility function
D. Risk-reward mentality
Correct answer: C
Question #194
Which of the following is the MOST important element of a successful risk awareness training program?
A. Mapping to a recognized standard
B. Providing metrics for measurement
C. Customizing content for the audience
D. Providing incentives to participants
Correct answer: B
Question #195
Which of the following statements are true for risk communication? Each correct answer represents a complete solution. Choose three.
A. It is an unknown event that can affect the project scope
B. It is an uncertain event or condition within the project execution
C. It is an uncertain event that can affect the project costs
D. It is an uncertain event that can affect at least one project objective
Correct answer: ACD
Question #196
Which of the following is MOST important for successful incident response?
A. The quantity of data logged by the attack control tools
B. The ability to trace the source of the attack
C. The timeliness of attack recognition
D. Blocking the attack route immediately
Correct answer: C
Question #197
Shawn is the project manager of the HWT project. In this project, Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response had bee
A. Avoiding
B. Accepting
C. Exploiting
D. Enhancing
Correct answer: C
Question #198
The BEST reason to classify IT assets during a risk assessment is to determine the:
A. Appropriate level of protection
B. Enterprise risk profile
C. Priority in the risk register
D. Business process owner
Correct answer: A
Question #199
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?
A. The risk practitioner
B. The risk owner
C. The control owner
D. The business process owner
Correct answer: A
Question #200
While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates that the:
A. Control is ineffective and should be strengthened
B. Risk is inefficiently controlled
C. Risk is efficiently controlled
D. Control is weak and should be removed
Correct answer: B
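Questions 189 and 200 both turn on the same cost-benefit arithmetic: the expected loss of a risk (impact times probability; for an annual period, the ALE of question 200) before and after a response, set against what the response costs. The following is an added example, not part of the original page, that carries Wendy's figures from question 189 through a small decision function and applies the question 200 rule that a control costing more than the loss it avoids is inefficient. The option names, the "accept" fallback and the second data set are constructed for the example.

```python
"""Cost-benefit check for candidate risk responses (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    impact: float        # single-loss magnitude in currency units
    probability: float   # likelihood over the period considered (0..1)

    def expected_loss(self) -> float:
        # Expected monetary value; over one year this is the ALE (SLE x ARO).
        return self.impact * self.probability


@dataclass(frozen=True)
class ResponseOption:
    name: str
    cost: float                  # cost of the response for the same period
    residual: RiskEstimate       # risk that remains once the response is applied


def net_benefit(before: RiskEstimate, option: ResponseOption) -> float:
    """Loss avoided by the option minus its cost (positive means worthwhile)."""
    avoided = before.expected_loss() - option.residual.expected_loss()
    return avoided - option.cost


def choose_response(before: RiskEstimate,
                    options: list[ResponseOption]) -> tuple[str, float]:
    """Return the option with the highest net benefit.

    Any option whose cost is at least the expected loss it avoids is rejected:
    that is the "inefficiently controlled" condition of question 200. When no
    option qualifies, accepting the risk as-is is returned with a benefit of 0.
    """
    best_name, best_value = "accept", 0.0
    for opt in options:
        value = net_benefit(before, opt)
        if value > best_value:
            best_name, best_value = opt.name, value
    return best_name, best_value


# Constructed from question 189: $75,000 at 60% can be reduced to $15,000 at 10%
# for a one-off $25,000. Expected loss drops from 45,000 to 1,500; net benefit 18,500.
WENDY_BEFORE = RiskEstimate(impact=75_000, probability=0.60)
WENDY_FIX = ResponseOption("mitigate", cost=25_000,
                           residual=RiskEstimate(15_000, 0.10))

# Constructed question-200 situation: ALE 10,000 but the control costs 12,000
# per year, so accepting the risk beats buying the control.
OVERPRICED_BEFORE = RiskEstimate(impact=40_000, probability=0.25)
OVERPRICED_CONTROL = ResponseOption("gold-plated control", cost=12_000,
                                    residual=RiskEstimate(0, 0))

if __name__ == "__main__":
    print(choose_response(WENDY_BEFORE, [WENDY_FIX]))
    print(choose_response(OVERPRICED_BEFORE, [OVERPRICED_CONTROL]))
```

The function ranks responses by net benefit rather than by cost alone, which is why a cheap control that avoids little can still lose to a dearer one, and why the question 200 control is never selected.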
Question #201
Which of the following are common mistakes while implementing KRIs? Each correct answer represents a complete solution. Choose three.
A. Operational
B. Financial
C. Administrative
D. Specialized
Correct answer: ACD
Question #202
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
A. Interview the firewall administrator
B. Review the actual procedures
C. Review the device's log file for recent attacks
D. Review the parameter settings
Correct answer: D
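The point of question 202 is that the configured parameters are the evidence, not what the administrator says or what the procedure document promises. The following added example, not from the original page and not tied to any vendor's syntax, shows what such a review looks like when automated: a rule set is parsed and each rule checked against a policy (management ports only from the admin subnet, no Telnet, no any-to-any allow, explicit default deny at the end). The rule format, the policy values and the sample rule set are all constructed for the example.

```python
"""Review a firewall rule set against a policy (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]                # None means any port


@dataclass(frozen=True)
class Policy:
    admin_net: ipaddress.IPv4Network   # only source allowed to reach management ports
    mgmt_ports: frozenset[int]
    forbidden_ports: frozenset[int]    # must never be allowed from anywhere


def parse_rules(text: str) -> list[Rule]:
    """Parse lines of the constructed form '10 allow 10.0.0.0/8 -> 192.0.2.0/24 443'."""
    rules = []
    for line in text.strip().splitlines():
        number, action, src, arrow, dst, port = line.split()
        if arrow != "->":
            raise ValueError(f"bad rule line: {line!r}")
        rules.append(Rule(int(number), action.lower(),
                          ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port)))
    return rules


def review(rules: list[Rule], policy: Policy) -> list[str]:
    """Return one finding per policy violation; an empty list means compliant."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY and r.port is None:
            findings.append(f"rule {r.number}: allows any->any on any port")
        if r.port in policy.forbidden_ports:
            findings.append(f"rule {r.number}: allows forbidden port {r.port}")
        if r.port in policy.mgmt_ports and not r.src.subnet_of(policy.admin_net):
            findings.append(f"rule {r.number}: management port {r.port} "
                            f"reachable from {r.src}")
    # Default action: the rule set must end with an explicit deny of everything.
    last = rules[-1] if rules else None
    if (last is None or last.action != "deny"
            or last.src != ANY or last.dst != ANY or last.port is not None):
        findings.append("rule set does not end with an explicit deny any->any")
    return findings


# Constructed policy and rule set for the example.
POLICY = Policy(admin_net=ipaddress.ip_network("10.0.50.0/24"),
                mgmt_ports=frozenset({22, 3389}),
                forbidden_ports=frozenset({23}))

SAMPLE_RULES = """
10 allow 10.0.50.0/24 -> 192.0.2.0/24 22
20 allow 0.0.0.0/0 -> 192.0.2.10/32 443
30 allow 0.0.0.0/0 -> 192.0.2.0/24 3389
40 allow 172.16.0.0/12 -> 192.0.2.0/24 23
50 deny 0.0.0.0/0 -> 0.0.0.0/0 any
"""

if __name__ == "__main__":
    for finding in review(parse_rules(SAMPLE_RULES), POLICY):
        print(finding)
```

Run against the sample, the review flags rule 30 (RDP open to the world) and rule 40 (Telnet allowed), while rules 10 and 20 pass and rule 50 satisfies the default-deny check. The same harness, fed the exported configuration of a real device, is the "review the parameter settings" answer made repeatable.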
Question #203
Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
A. Risk register
B. Cause and effect diagram
C. Risk indicator
D. Return on investment
Correct answer: C
Question #204
Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?
A. Threat analysis
B. Key risk indicators
C. Risk scenarios
D. Business impact analysis
Correct answer: A
Question #205
You are the project manager of the GHT project. You have planned the risk response process and are now about to implement various controls. What should you do before relying on any of the controls?
A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
B. Decisions involving risk lack credible information
C. Risk appetite and tolerance are applied only during episodic risk assessments
D. Risk management skills exist on an ad hoc basis, but are not actively developed
Correct answer: AC
Question #206
An organization has completed a project to implement encryption on all databases that host customer data. Which of the following elements of the risk register should be updated to reflect this change?
A. Risk tolerance
B. Inherent risk
C. Risk appetite
D. Risk likelihood
Correct answer: B
Question #207
Which of the following baselines identifies the specifications required by the resource that meet the approved requirements?
A. Functional baseline
B. Allocated baseline
C. Product baseline
D. Developmental baseline
Correct answer: B
Question #208
Which of the following BEST indicates the condition of a risk management program?
A. Number of controls
B. Amount of residual risk
C. Number of risk register entries
D. Level of financial support
Correct answer: B
Question #209
Which of the following is the MOST common concern associated with outsourcing to a service provider?
A. Combining incompatible duties
B. Unauthorized data usage
C. Denial of service attacks
D. Lack of technical expertise
Correct answer: B
Question #210
Which of the following come under the phases of risk management?
A. Initiate incident response
B. Update the risk register
C. Eliminate the risk completely
D. Communicate lessons learned from risk events
Correct answer: ABCD
Question #211
Who is accountable for risk treatment?
A. Risk owner
B. Risk mitigation manager
C. Enterprise risk management team
D. Business process owner
Correct answer: A
Question #212
Which of the following BEST illustrates the relationship of actual risk exposure to appetite?
A. Residual risk that exceeds appetite
B. Risk events in the risk profile
C. Percentage of high risk scenarios
D. Controls that exceed risk appetite
Correct answer: D
Question #213
Effective risk communication BEST benefits an organization by:
A. Improving the effectiveness of IT controls
B. Helping personnel make better informed decisions
C. Increasing participation in the risk assessment process
D. Assisting the development of a risk register
Correct answer: A
Question #214
Beth is a project team member on the JHG Project. Beth has added extra features to the project, and this has introduced new risks to the project work. The project manager of the JHG project elects to remove the features Beth has added. The process of removing the extra features to remove the risks is called what?
A. Detective control
B. Preventive control
C. Corrective control
D. Scope creep
Correct answer: B
Question #215
Assessing the probability and consequences of identified risks to the project objectives, assigning a risk score to each risk, and creating a list of prioritized risks describes which of the following processes?
A. Qualitative Risk Analysis
B. Plan Risk Management
C. Identify Risks
D. Quantitative Risk Analysis
Correct answer: A
Question #216
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has ratings for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give it?
A. 120
B. 00
C. 5
D. 0
Correct answer: A
Question #217
Which of the following should be the HIGHEST priority when developing a risk response?
A. The risk response is accounted for in the budget
B. The risk response aligns with the organization's risk appetite
C. The risk response is based on a cost-benefit analysis
D. The risk response addresses the risk with a holistic view
Correct answer: C
Question #218
A risk heat map is MOST commonly used as part of an IT risk analysis to facilitate risk:
A. Treatment
B. Identification
C. Communication
D. Assessment
Correct answer: D
Question #219
An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
A. Audit findings
B. Expected losses
C. Cost-benefit analysis
D. Organizational threats
Correct answer: D
Question #220
Which of the following is the BEST evidence that a user account has been properly authorized?
A. Notification from human resources that the account is active
B. Formal approval of the account by the user's manager
C. User privileges matching the request form
D. An email from the user accepting the account
Correct answer: C
Question #221
Which of the following is the BEST way to mitigate the risk associated with fraudulent use of an enterprise's brand on Internet sites?
A. Utilizing data loss prevention technology
B. Scanning the Internet to search for unauthorized usage
C. Monitoring the enterprise's use of the Internet
D. Developing training and awareness campaigns
Correct answer: B
Question #222
Which of the following would be considered a vulnerability?
A. Delayed removal of employee access
B. Corruption of files due to malware
C. Authorized administrative access to HR files
D. Server downtime due to a denial of service (DoS) attack
Correct answer: A
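Questions 220 and 222 describe the two halves of one access review: an account is properly authorized when what was provisioned matches what was approved (220), and access that outlives the employee is a vulnerability (222). The following added example, not from the original page, reconciles a list of live accounts against approved request forms and HR records and reports every account that fails either test. The record layouts, the grace period for disabling leavers and the sample data are constructed for the example.

```python
"""Reconcile live accounts against approvals and HR status (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    user: str
    privileges: frozenset[str]
    enabled: bool


@dataclass(frozen=True)
class ApprovedRequest:
    user: str
    privileges: frozenset[str]
    approved_by: str


@dataclass(frozen=True)
class HrRecord:
    user: str
    termination_date: Optional[date]   # None while still employed


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def reconcile(accounts: list[Account], requests: list[ApprovedRequest],
              hr: list[HrRecord], today: date, grace_days: int = 1) -> list[Finding]:
    """Report enabled accounts whose existence or privileges are not justified.

    Order of checks per account: leaver past the grace period (question 222),
    then missing approval, then privileges beyond the approved request
    (question 220). Disabled accounts are ignored.
    """
    req_by_user = {r.user: r for r in requests}
    hr_by_user = {h.user: h for h in hr}
    findings: list[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue
        h = hr_by_user.get(a.user)
        if h is None:
            findings.append(Finding(a.user, "no HR record",
                                    "enabled account with no matching employee"))
            continue
        if h.termination_date is not None and \
                today - h.termination_date > timedelta(days=grace_days):
            findings.append(Finding(a.user, "stale access",
                                    f"left on {h.termination_date.isoformat()}, still enabled"))
            continue
        r = req_by_user.get(a.user)
        if r is None:
            findings.append(Finding(a.user, "no approved request",
                                    "privileges: " + ", ".join(sorted(a.privileges))))
            continue
        extra = a.privileges - r.privileges
        if extra:
            findings.append(Finding(a.user, "privileges exceed approval",
                                    ", ".join(sorted(extra))))
    return findings


# Constructed sample data: one clean account and one of each failure.
TODAY = date(2024, 3, 15)
ACCOUNTS = [
    Account("alice", frozenset({"vpn", "hr_files"}), True),   # more than approved
    Account("bob", frozenset({"vpn"}), True),                 # left two weeks ago
    Account("carol", frozenset({"vpn"}), True),               # clean
    Account("dave", frozenset({"admin"}), True),              # never approved
    Account("erin", frozenset({"vpn"}), False),               # disabled leaver, fine
]
REQUESTS = [
    ApprovedRequest("alice", frozenset({"vpn"}), "mgr-1"),
    ApprovedRequest("bob", frozenset({"vpn", "mail"}), "mgr-2"),
    ApprovedRequest("carol", frozenset({"vpn"}), "mgr-2"),
]
HR = [
    HrRecord("alice", None),
    HrRecord("bob", date(2024, 3, 1)),
    HrRecord("carol", None),
    HrRecord("dave", None),
    HrRecord("erin", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for f in reconcile(ACCOUNTS, REQUESTS, HR, TODAY):
        print(f"{f.user}: {f.issue} ({f.detail})")
```

The leaver check runs first so that a terminated employee whose privileges happen to match an old approval is still reported; the grace period is the only tunable, and setting it generously (for example to 30 days) is exactly how "delayed removal" stops being visible, which is the vulnerability question 222 names.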
Question #223
You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?
A. Cost of response
B. Capability to implement response
C. Importance of risk
D. Efficiency of response
Correct answer: C
Question #224
You are the administrator of your enterprise. Which of the following controls BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
A. Monitoring and recording unsuccessful logon attempts
B. Forcing periodic password changes
C. Using a challenge-response system
D. Providing access on a need-to-know basis
Correct answer: D
Question #225
Risk management strategies are PRIMARILY adopted to:
A. Achieve compliance with legal requirements
B. Take necessary precautions for claims and losses
C. Avoid risk for business and IT assets
D. Achieve acceptable residual risk levels
Correct answer: B
Question #226
An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is MOST important for the risk practitioner to:
A. Perform a follow-up risk assessment to quantify the risk impact
B. Verify that applicable risk owners understand the risk
C. Implement compensating controls to address the deficiency
D. Recommend replacement of the deficient system
Correct answer: C
Question #227
You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the Plan Risk Management process? Each correct answer represents a complete solution. (Choose three.)
A. Quality management plan
B. Risk management plan
C. Risk register
D. Project charter
Correct answer: BCD
Question #228
When updating the risk register after a risk assessment, which of the following is MOST important to include?
A. Actor and threat type of the risk scenario
B. Historical losses due to past risk events
C. Cost to reduce the impact and likelihood
D. Likelihood and impact of the risk scenario
Correct answer: D
Question #229
What are the PRIMARY objectives of a control?
A. Detect, recover, and attack
B. Prevent, respond, and log
C. Prevent, control, and attack
D. Prevent, recover, and detect
Correct answer: D
Question #230
You are the project manager for your organization, installing new workstations, servers, and cabling throughout a new building that your company will be moving into. The vendor for the project informs you that the cost of the cabling has increased. This new cost will cause the cost of your project to increase by nearly eight percent. Which change control system should the costs be entered into for review?
A. Cost change control system
B. Contract change control system
C. Scope change control system
D. Only changes to the project scope should pass through a change control system
Correct answer: A
Question #231
Establishing an organizational code of conduct is an example of which type of control?
A. Directive
B. Preventive
C. Detective
D. Compensating
Correct answer: A
Question #232
Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management's action plan?
A. Survey device owners
B. Review awareness training assessment results
C. Re-scan the user environment
D. Require annual end user policy acceptance
Correct answer: C
Question #233
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
A. Building correlations between logs collected from different sources
B. Ensuring the control is proportional to the risk
C. Implementing log analysis tools to automate controls
D. Ensuring availability of resources for log analysis
Correct answer: D