IT-RISK-FUNDAMENTALS Exam Details

  • Exam Code: IT-RISK-FUNDAMENTALS
  • Exam Name: IT Risk Fundamentals Certificate
  • Certification: ISACA Certifications
  • Vendor: ISACA
  • Total Questions: 118 Q&As
  • Last Updated: May 26, 2026

ISACA IT-RISK-FUNDAMENTALS Online Questions & Answers

  • Question 91:

    Which of the following is the PRIMARY outcome of a risk scoping activity?

    A. Identification of major risk factors to be benchmarked against industry competitors
    B. Identification of potential high-impact risk areas throughout the enterprise
    C. Identification of risk scenarios related to emerging technologies

  • Question 92:

    Which of the following is MOST important when defining an organization's risk scope?

    A. Understanding the impacts of the risk environment to the organization
    B. Developing a top-down approach to risk management
    C. Developing requirements for risk reporting to executive management

  • Question 93:

    Of the following, who is BEST suited to be responsible for continuous monitoring of risk?

    A. Chief risk officer (CRO)
    B. Risk analysts
    C. Risk owners

  • Question 94:

    Which of the following is the PRIMARY objective of vulnerability assessments?

    A. To determine the best course of action based on the threat and potential impact
    B. To improve the knowledge of deficient control conditions within IT systems
    C. To reduce the amount of effort to identify and catalog new vulnerabilities

  • Question 95:

    Which of the following is the MOST likely reason that a list of control deficiencies identified in a recent security assessment would be excluded from an IT risk register?

    A. The deficiencies have no business relevance.
    B. The deficiencies are actual misconfigurations.
    C. The deficiencies have already been resolved.

  • Question 96:

    If the residual risk associated with a particular control is within the enterprise risk appetite, the residual risk should be:

    A. accepted and updated in the risk register.
    B. mitigated through additional controls.
    C. transferred and managed by a third party.

  • Question 97:

    When evaluating the current state of controls, which of the following will provide the MOST comprehensive analysis of enterprise processes, incidents, logs, and the threat environment?

    A. Enterprise architecture (EA) assessment
    B. IT operations and management evaluation
    C. Third-party assurance review

  • Question 98:

    An enterprise is currently experiencing an unacceptable 8% processing error rate and desires to manage risk by establishing a policy that error rates cannot exceed 5%. In addition, management wants to be alerted when error rates meet or exceed 4%. The enterprise should set a key performance indicator (KPI) metric at which of the following levels?

    A. 5%
    B. 4%
    C. 8%

  • Question 99:

    Which of the following is the BEST indication of a good risk culture?

    A. The enterprise learns from negative outcomes and treats the root cause.
    B. The enterprise enables discussions of risk and facts within the risk management functions.
    C. The enterprise places a strong emphasis on the positive and negative elements of risk.

  • Question 100:

    Which of the following MUST be consistent with the defined criteria when establishing the risk management context as it relates to calculation of risk?

    A. Risk appetite and tolerance levels
    B. Formulas and methods for combining impact and likelihood
    C. Key risk indicators (KRIs) and key performance indicators (KPIs)

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them of job applicants. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only ISACA exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your IT-RISK-FUNDAMENTALS exam preparation and ISACA certification application, do not hesitate to visit Vcedump.com to find your solutions.