You are the project manager of the PFO project. You are working with your project team members and two subject matter experts to assess the identified risk events in the project. Which of the following approaches is the best to assess the risk events in the project?
A. Interviews or meetings
B. Determination of the true cost of the risk event
C. Probability and Impact Matrix
D. Root cause analysis
When testing the security of an IT system, it is MOST important to ensure that:
A. tests are conducted after business hours.
B. operators are unaware of the test.
C. external experts execute the test.
D. agreement is obtained from stakeholders.
When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?
A. An analysis of the security logs that illustrate the sequence of events
B. An analysis of the impact of similar attacks in other organizations
C. A business case for implementing stronger logical access controls
D. A justification of corrective action taken
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?
A. Implement segregation of duties.
B. Enforce an internal data access policy.
C. Enforce the use of digital signatures.
D. Apply single sign-on for access control.
The PRIMARY basis for selecting a security control is:
A. to achieve the desired level of maturity.
B. the materiality of the risk.
C. the ability to mitigate risk.
D. the cost of the control.
Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?
A. A change in the risk management policy
B. A major security incident
C. A change in the regulatory environment
D. An increase in intrusion attempts
A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?
A. The user requirements were not documented.
B. Payroll files were not under the control of a librarian.
C. The programmer had access to the production programs.
D. The programmer did not involve the user in testing.
Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization's data center?
A. Ownership of an audit finding has not been assigned
B. The data center is not fully redundant
C. Audit findings were not communicated to senior management
D. Key risk indicators (KRIs) for the data center do not include critical components