Which of the following is MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?

• A.Communication with business process stakeholders
• B.Compliance-oriented business impact analysis
• C.Compliance-oriented gap analysis
• D.Mapping of compliance requirements to policies and procedures
• E.Explanation:
  A compliance-oriented BIA will identify all the compliance requirements to which the enterprise has
  to align and their impacts on business objectives and activities. It is a discovery process meant to
  uncover the inner workings of any process. Hence it will also evaluate the potential impact of legal,
  regulatory, and contractual requirements on business objectives.
• F.is incorrect. Mapping of compliance requirements to policies and procedures will
  identify only the way the compliance is achieved but not the business impact.
• G.is incorrect. Communication with business process stakeholders is done so as to
  identify the business objectives, but it does not help in identifying impacts.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

• A.Time required for backup restoration testing
• B.Percentage of failed restore tests
• C.Change in size of data backed up
• D.Successful completion of backup operations

Comment: *

Name: *

Email: *

Verification: *

You are the project manager of HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following response have you implemented?

• A.Acceptance
• B.Mitigation
• C.Avoidance
• D.Contingent response
• E.Explanation:
  Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike the mitigation planning in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
• F.is incorrect. Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. The main control types are:
  Managerial(e.g.,policies)
  Technical (e.g., tools such as firewalls and intrusion detection systems)
  Operational (e.g., procedures, separation of duties)
  Preparedness activities
• G.is incorrect. Risk acceptance means that no action is taken relative to a particular risk;
  loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider
  who can accept the risk. Risk should be accepted only by senior management in relationship with
  senior management and the board. There are two alternatives to the acceptance strategy, passive
  and active.
  Passive acceptance means that enterprise has made no plan to avoid or mitigate the risk but
  willing to accept the consequences of the risk.
  Active acceptance is the second strategy and might include developing contingency plans and
  reserves to deal with risks.

Comment: *

Name: *

Email: *

Verification: *

An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is most important for the risk practitioner to:

• A.perform a follow-up risk assessment to quantify the risk impact
• B.verify that applicable risk owners understand the risk
• C.implement compensating controls to address the deficiency
• D.recommend replacement of the deficient system

Comment: *

Name: *

Email: *

Verification: *

Which of the following should be the risk practitioner's FIRST course of action when an organization plans to adopt a cloud computing strategy?

• A.Perform a controls assessment.
• B.Request a budget for implementation
• C.Create a cloud computing policy.
• D.Conduct a threat analysis.

Comment: *

Name: *

Email: *

Verification: *