CRISC Practice Exam 2
Take your exam preparation to the next level with fully simulated online practice tests designed to replicate the real exam experience. These exams feature realistic questions, timed conditions, and detailed explanations to help you assess your knowledge, identify weak areas, and build confidence before test day.
1. A healthcare organization is preparing risk scenarios to assess the potential effects of a data breach involving patient medical records. The team needs to develop a detailed risk scenario that includes the potential legal and regulatory consequences of such an incident. Which of the following actions would be most critical to include in the development of this risk scenario?
The Correct Answer is A. (A) Evaluating legal obligations under data privacy laws, such as HIPAA or GDPR, is essential when developing a risk scenario that involves a data breach. Understanding the regulatory consequences will allow the organization to accurately assess potential fines, legal actions, and reputational damage. (B) A full audit of the IT infrastructure is important for understanding technical vulnerabilities but does not address legal risks directly. (C) An employee training program is a preventative measure, but the scenario development phase focuses on potential risks and impacts. (D) Encryption protocols are a mitigation technique and should be considered after the risk scenario is fully understood. Therefore, understanding legal obligations is critical in this context.
2. An e-commerce company is expanding its customer database and collecting more detailed personal information to support its marketing efforts. As the risk manager, how should you address data security concerns during the "collection" phase of the data life cycle?
The Correct Answer is B. The most critical action during the collection phase is obtaining explicit consent from customers and adhering to data minimization principles (B), which ensure that only necessary data is collected, in compliance with privacy regulations such as GDPR. Backups (A) and encryption (C) are important for protecting data, but they do not address the requirement for lawful and minimal data collection. Implementing DLP (D) helps prevent data loss but does not mitigate the risks associated with collecting excessive data or collecting data without consent.
3. A risk management consultant has been asked to assess the financial stability of a client organization. During the assessment, the consultant discovers that the company has been engaging in questionable accounting practices to hide financial losses. The Chief Financial Officer (CFO) requests that the consultant ignore these practices and focus only on the future potential of the company. How should the consultant handle this situation in accordance with professional ethics?
The Correct Answer is B. In accordance with professional ethics, the consultant should report the questionable accounting practices to the audit committee (B) and refuse to continue unless the issue is addressed. Risk management professionals have a responsibility to ensure transparency and integrity in their work. Ignoring or concealing unethical behavior (A, C, D) would violate ethical standards and could lead to significant financial and legal consequences for the company and the consultant. By taking appropriate action, the consultant upholds professional integrity and ensures that all risks, including those stemming from unethical practices, are properly addressed.
4. A technology firm has set a strategic goal to become a market leader in artificial intelligence (AI) within the next five years. The Chief Risk Officer (CRO) is responsible for ensuring that the organization’s risk management efforts align with this ambitious goal. How should the CRO approach the risk management process to support the company’s strategic objectives?
The Correct Answer is B. The CRO should focus on identifying and assessing a broad range of risks (B) that could impact the company’s ability to achieve its AI leadership goal. This includes technological risks, regulatory hurdles, market competition, and other factors that could hinder AI development. Focusing solely on financial risks (A) would overlook critical areas, while prioritizing operational risks (C) could neglect the strategic risks involved in the AI initiative. Delaying AI development (D) could allow competitors to gain an advantage, and risk assessments should evolve alongside the project rather than act as a blocker.
5. A project team has identified that there is a risk of a critical software component not being delivered on time by a third-party vendor, which could delay the entire project. As the project risk manager, which approach should you prioritize to address this risk while maintaining project timelines?
The Correct Answer is A. In this scenario, establishing a contingency plan and allocating buffer time (A) is the most effective approach to address the risk of the software component being delayed. This ensures that if the vendor fails to deliver on time, the impact on the overall project timeline is minimized. While increasing the frequency of vendor meetings (B) can help monitor progress, it doesn’t fully mitigate the risk of late delivery. Shifting resources (C) may help in the short term but doesn’t address the risk of overall project delay. Procuring an alternative vendor (D) could introduce further delays and risks, such as compatibility issues or renegotiation of contracts, making it a less effective approach in this context.
6. A global retail company is treating the risk of data breaches by encrypting customer credit card information stored in its systems. As part of the risk treatment plan, the company must select the appropriate encryption standard to protect this sensitive data. Which factor is most important when choosing the encryption standard?
The Correct Answer is B. The most important factor when choosing an encryption standard is its compliance with industry regulations such as PCI-DSS (B). Compliance ensures that the company meets legal requirements for protecting payment card information. Compatibility with existing systems (A) and real-time performance (D) are important but secondary to regulatory compliance. The cost (C) should be considered, but choosing a standard that does not comply with PCI-DSS would expose the company to fines and security vulnerabilities.
7. A global insurance company is developing a new client data management system and is in the process of conducting a risk assessment. The team has already identified several risks, including data breaches, compliance violations, and system downtime. What is the next logical step in the risk assessment process?
The Correct Answer is C. (A) Drafting data protection policies is important, but it typically follows after the risk assessment is complete. (B) Implementing encryption technologies is a mitigation strategy that should be applied after the risks are fully assessed and prioritized. (C) Prioritizing risks is the next logical step because it allows the team to focus on the most critical risks by analyzing both their likelihood and potential impact. This ensures that resources are directed towards mitigating the highest risks. (D) Engaging external auditors is useful for compliance but does not help with risk prioritization at this stage. Therefore, prioritizing risks is the correct next step.
8. A financial services firm identifies a risk related to unauthorized access to customer data in its cloud environment. After assessing the risk, the firm realizes that the potential financial impact of a data breach is high. However, implementing additional encryption controls would significantly increase operating costs. What is the most appropriate risk treatment option the firm should consider?
The Correct Answer is B. Transferring the risk (B) by purchasing cyber insurance is appropriate when the financial impact of the risk is high and mitigating the risk would incur significant costs. Insurance provides coverage in case of a breach without having to bear the full cost of mitigation. Avoiding the risk by migrating data back to on-premise servers (A) would eliminate the risk but at a high operational and logistical cost, which might not be justified. Mitigating the risk by implementing additional encryption (C) could be overly costly for the organization. Accepting the risk (D) without taking any action could leave the firm exposed to substantial financial and reputational damage.
9. A healthcare organization conducts a vulnerability analysis on its electronic health record (EHR) system and discovers that sensitive patient data is not being encrypted at rest. This control deficiency could result in severe regulatory fines if breached. What is the best course of action to mitigate this risk?
The Correct Answer is B. (A) Encrypting data in transit protects data while it’s being transmitted but does not address the control deficiency of data not being encrypted at rest. (B) The control deficiency in this scenario is the lack of encryption for data at rest. Implementing full-disk encryption ensures that patient data is protected even if the storage media is compromised, reducing the risk of unauthorized access. (C) A backup policy protects against data loss but does not directly address the encryption deficiency. (D) Penetration testing may reveal other issues but does not mitigate the immediate risk of unencrypted data. Therefore, full-disk encryption is the best solution to mitigate this specific risk.
10. A multinational pharmaceutical company is preparing for an internal audit of its IT systems. The Chief Risk Officer (CRO) asks the team to refer to the enterprise's risk register before the audit. How will the risk register help the company during this process?
The Correct Answer is A. (A) The risk register offers a detailed log of all identified risks, including their status, likelihood, impact, and mitigation efforts, which is crucial during an audit. Auditors can use this information to evaluate how effectively risks are managed and whether appropriate actions have been taken. (B) While regulatory compliance may be part of risk management, the primary function of a risk register is not specific to regulations but to overall risk management. (C) Documenting IT policies and procedures is important but not the role of the risk register. (D) Financial performance data is not tracked in the risk register; it focuses on risk identification and mitigation. Therefore, the risk register’s value lies in providing a complete view of risk management efforts.
11. A retail company is in the design phase of developing a new customer management system. The risk manager is asked to ensure that security requirements are properly integrated into the system from the outset. Which of the following tasks should be prioritized during the design phase to mitigate security risks?
The Correct Answer is A. In the design phase of the system development life cycle (SDLC), conducting a threat modeling exercise (A) is critical to identify potential vulnerabilities before development begins. This proactive approach helps to anticipate how the system might be attacked and allows the development team to design security controls to address those risks. Implementing encryption (B) is typically done during later stages such as development or testing. User manuals and documentation (C) are part of the deployment or maintenance phase. Performing vulnerability scans (D) is important but is more relevant during the testing phase, not the design phase.
12. A multinational corporation is preparing to migrate its data processing functions to a third-party cloud provider. What is the primary risk during the processing phase of the data life cycle, and how should this risk be addressed?
The Correct Answer is A. During the processing phase, the primary risk is ensuring that the third-party provider processes data in compliance with regulatory requirements (A). This includes adherence to data processing agreements (DPAs) and regulations like GDPR, which impose strict rules on how data can be handled. Firewall protection (B) is essential for network security but does not address the risk of non-compliant processing. Encrypting data (C) before processing is important for security but may not be feasible for all types of processing operations. Monitoring compliance through audits (D) is useful, but adherence to agreements and regulations must be established first.
13. A multinational corporation is developing a new cloud-based customer relationship management (CRM) platform. During the threat modeling process, the security team needs to compile a threat profile focusing on potential external threats such as cyberattacks targeting customer data. Which threat modeling technique would be the most appropriate to map attack strategies and help the team identify potential entry points?
The Correct Answer is A. (A) Attack Trees are effective for visually mapping potential attack strategies, decomposing threats into various stages and identifying how an attacker might compromise the system. This makes it ideal for compiling a threat profile that focuses on external cyberattacks targeting sensitive data. (B) Data Flow Diagrams (DFD) are useful for understanding data flow but are less focused on attack strategies. (C) STRIDE is a framework for classifying threats, but it doesn’t provide the same strategic breakdown of attack paths as Attack Trees. (D) PASTA is excellent for simulating and prioritizing risks but is more complex and not as focused on simple entry point identification as Attack Trees. Therefore, Attack Trees are the most suitable in this case.
14. A global insurance company is migrating its customer management system to a cloud-based platform. During the risk assessment, the CIO expresses concerns about potential IT security risks, such as data breaches and service downtime, but the CFO argues that the financial benefits of migration outweigh these risks. As a CRISC-certified professional, what is the most important factor to consider when explaining the relationship between IT risk and enterprise risk in this scenario?
The Correct Answer is A. The most important factor is the alignment of IT risk management with the company's strategic objectives (A). This ensures that IT risks such as security breaches are considered in the broader context of enterprise risk, aligning technical risks with financial and reputational risks. While the likelihood of a breach (B) is important, it must be evaluated within the strategic framework. The financial savings (C) and IT team’s capability (D) are operational concerns that should be factored into decision-making but do not directly address the integration of IT risk into the enterprise’s risk management strategy.
15. A multinational retail company is considering implementing blockchain technology to streamline its supply chain operations and improve transparency. As the risk manager, you are tasked with evaluating potential threats and vulnerabilities associated with this emerging technology. Which of the following represents the most significant threat to the security of a blockchain-based system in this scenario?
The Correct Answer is B. In a blockchain-based system, a 51% attack (B) is the most significant threat, as it occurs when a single entity gains control of more than half of the network’s mining power, allowing them to manipulate the ledger and compromise the integrity of the blockchain. This type of attack could lead to fraudulent transactions or double spending. Increased regulatory scrutiny (A) and lack of interoperability (C) are challenges but do not pose immediate security threats. Delays in transaction processing (D) are performance-related issues, not security vulnerabilities.
16. A healthcare organization identifies a data privacy risk associated with patient records being accessed by unauthorized personnel. The impact of this risk is high, but the likelihood of occurrence is assessed as low due to existing controls. The organization’s risk appetite allows for some degree of data privacy risk but does not tolerate any major breach of sensitive patient information. Given this, the risk team needs to decide on an appropriate risk treatment option. Which approach would best align with the organization’s risk appetite?
The Correct Answer is C. In this scenario, the organization's risk appetite does not tolerate any breach of sensitive patient data, even though the likelihood is low. Therefore, simply accepting the risk (B) would not align with this risk appetite. While transferring the risk via insurance (A) could provide financial compensation, it does not address the fundamental issue of preventing unauthorized access to patient records. Avoiding the risk (D) by discontinuing electronic record storage would likely disrupt business operations and is not a feasible option. Mitigating the risk (C) by further enhancing access controls aligns best with the organization's low tolerance for data breaches, as it directly reduces the risk of unauthorized access.
17. A financial institution is implementing a new risk management policy that requires clear definition of roles and responsibilities for risk reporting. The Chief Financial Officer (CFO) is concerned about financial risks, while the Chief Information Officer (CIO) is focused on data security risks. The board requires a consolidated view of all risks across the enterprise. Who is responsible for coordinating and ensuring that all risk reports are aligned and presented to the board?
The Correct Answer is C. The Chief Risk Officer (CRO) (C) is responsible for coordinating and consolidating all risk reports from various departments, such as financial risks from the CFO and data security risks from the CIO. The CRO ensures that all risks are aligned and presented to the board as part of the enterprise-wide risk management strategy. The CFO (A) and CIO (B) are responsible for managing their respective areas of risk but are not responsible for overall risk consolidation. The Audit Committee (D) provides oversight but does not handle the operational coordination of risk reporting.
18. A healthcare organization is conducting a risk assessment to ensure compliance with data privacy regulations such as HIPAA. The organization collects and stores large amounts of sensitive patient data, including health records and personal identifiers. Which data protection principle should be prioritized in this assessment to minimize the risk of unauthorized access to patient data?
The Correct Answer is A. The most critical data protection principle in this scenario is the principle of least privilege (A). This ensures that employees and systems have access to only the data they need to perform their jobs, minimizing the risk of unauthorized access to sensitive patient information. While regular backups (B) and encryption (D) are important data protection practices, they do not directly limit who can access the data. General security training (C) is useful, but it is less impactful than enforcing strict access control measures based on necessity.
19. A multinational retail company is implementing a new risk management framework and wants to ensure that the organizational culture supports the initiative. The Chief Risk Officer (CRO) notices that employees often bypass formal risk processes to meet tight deadlines, which could undermine the company’s risk management efforts. What should the CRO focus on to ensure that the organizational culture aligns with the new risk management framework?
The Correct Answer is B. The CRO should conduct a company-wide training program (B) to raise awareness about the importance of following formal risk processes. This approach fosters a risk-aware culture and helps employees understand the value of adhering to risk management procedures. Strict penalties (A) without addressing the underlying cultural issue would likely create resistance. Centralizing all risk decisions (C) would reduce engagement and ownership of risk management at lower levels, while increasing the number of auditors (D) focuses on enforcement rather than changing behaviors. Building a strong risk-aware culture is critical to aligning the organization with its risk management objectives.
20. An insurance company is performing a business process review on its claims processing system. The review identifies bottlenecks caused by the need for manual approval at multiple stages, leading to delays in claim resolutions. As part of the improvement plan, the Chief Risk Officer (CRO) is considering how to streamline these processes while maintaining compliance with regulatory requirements. What should be the CRO’s primary focus to improve enterprise effectiveness?
The Correct Answer is B. Implementing an automated workflow (B) that incorporates necessary compliance checks would streamline the claims process while ensuring that regulatory requirements are met. This approach allows the company to maintain compliance without the delays caused by manual approvals. Eliminating all manual approvals (A) might result in non-compliance, while delegating approval authority (C) could increase risks if not carefully managed. Simply increasing staff (D) might reduce workload temporarily but would not address the underlying inefficiencies in the process. Automation ensures both efficiency and regulatory adherence.
21. A healthcare provider is implementing a new cloud-based patient management system. As part of the risk assessment, you identify potential legal and compliance risks related to patient data privacy. The provider’s legal team is aware of these risks but argues that the cloud provider’s reputation for security is sufficient mitigation. How should you respond to the legal team’s assessment?
The Correct Answer is D. Relying solely on the cloud provider’s reputation (A) is insufficient to mitigate compliance risks: the healthcare provider remains accountable for patient data it places in the cloud (where HIPAA applies, the cloud provider is a business associate and a business associate agreement is required in addition to any technical controls). Instead, additional security measures (D), such as encryption with keys the organization itself controls, must be implemented to protect sensitive patient data. An independent audit (B) may help assess the provider’s security, but without further action, it does not reduce the risk. Limiting the data stored (C) can minimize exposure but may hinder operational efficiency. Implementing encryption and protection mechanisms ensures that patient data remains protected even if the cloud provider’s own controls fail, addressing both legal and compliance concerns.
22. An international organization has implemented data loss prevention (DLP) solutions to prevent the leakage of sensitive information. However, during an evaluation of the control’s effectiveness, it is found that the DLP solution has a high false positive rate, leading to frequent business disruptions. What is the best course of action for the organization to improve the effectiveness of its DLP controls?
The Correct Answer is B. The best approach is to perform a tuning exercise (B) to reduce false positives and optimize the DLP solution. Tuning (for example, tightening detection patterns with validation checks and contextual rules, and adjusting thresholds) allows the organization to balance security and business operations by cutting unnecessary alerts while still protecting sensitive data; the tuned rules should be measured against a sample of past alerts and known-sensitive documents to confirm that false positives fall without false negatives rising. Disabling the DLP solution (A) would eliminate a critical control and expose the organization to data breaches. Accepting the disruptions (C) would negatively impact business efficiency. Replacing the DLP solution (D) may not be necessary if the current system can be effectively tuned, and it could introduce new issues without proper evaluation.
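As an added illustration of what a tuning exercise looks like in practice (example code written for this page, not part of the exam material or any vendor's product), the following Python compares an untuned card-number rule with a tuned one. The untuned rule flags any run of 13 to 19 digits; the tuned rule keeps the same pattern but requires the digits to pass the Luhn checksum and to fit a simplified issuer table. The issuer table and the sample messages are constructed for the example; a real rule would use the card brands' full IIN ranges and usually add context keywords as well:

```python
from __future__ import annotations

import re

# Candidate PAN-like runs: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded inside a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer identification table (an assumption for this example; a
# production rule would carry the full IIN ranges published by the brands).
IIN_RULES = [
    (lambda pan: pan.startswith("4"), {13, 16, 19}),                                  # Visa
    (lambda pan: 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720, {16}),   # Mastercard
    (lambda pan: pan[:2] in ("34", "37"), {15}),                                      # American Express
]

# Constructed sample messages (test card numbers and made-up identifiers, not
# real data). The flag says whether the message really contains a card number.
SAMPLES = [
    ("Customer card 4111 1111 1111 1111 declined at checkout", True),
    ("Refund to 5500-0000-0000-0004 approved", True),
    ("Amex 378282246310005 on file for recurring billing", True),
    ("Order ORD-4000123456789012 shipped via courier", False),        # Visa-like prefix, fails Luhn
    ("Loyalty account 1234567890123452 credited 20 points", False),  # passes Luhn, no known issuer
    ("Event ts=1700000000000000 processed", False),                  # epoch timestamp in microseconds
    ("Call +1 415 555 0123 4567 for status", False),                 # phone number digits
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_pan(candidate: str) -> bool:
    """True only if the digits pass Luhn and fit a known issuer prefix/length."""
    digits = re.sub(r"[ -]", "", candidate)
    if not luhn_ok(digits):
        return False
    return any(matches(digits) and len(digits) in lengths for matches, lengths in IIN_RULES)


def naive_rule(text: str) -> list[str]:
    """Untuned rule: every 13-19 digit run is reported as a card number."""
    return [m.group(0) for m in CANDIDATE.finditer(text)]


def tuned_rule(text: str) -> list[str]:
    """Tuned rule: same pattern, but candidates must survive the validation checks."""
    return [m.group(0) for m in CANDIDATE.finditer(text) if plausible_pan(m.group(0))]


def evaluate(rule, samples) -> tuple[int, int, int]:
    """Return (true positives, false positives, false negatives) for a rule."""
    tp = fp = fn = 0
    for text, contains_pan in samples:
        hit = bool(rule(text))
        if hit and contains_pan:
            tp += 1
        elif hit:
            fp += 1
        elif contains_pan:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    print("naive:", evaluate(naive_rule, SAMPLES))
    print("tuned:", evaluate(tuned_rule, SAMPLES))
```

Over the constructed samples the naive rule produces three true positives and four false positives, while the tuned rule keeps all three true positives and drops every false positive. The same harness, fed a labelled sample of real historical alerts, is how a tuning exercise demonstrates that false positives have fallen without the rule starting to miss genuine card numbers.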
23. A multinational company is conducting a risk assessment and is tasked with collecting data on security incidents across all its regional offices. The goal is to aggregate this data to identify trends in cybersecurity threats. What is the most effective method for ensuring that the data collected from various offices is consistent and comparable?
The Correct Answer is A. Implementing a standardized reporting template (A) ensures that data from different offices is consistent and comparable, which is crucial for accurately aggregating and analyzing cybersecurity threats across the organization. Allowing offices to report in their own format (B) would lead to inconsistent data, making it difficult to compare. Collecting data only from regions with major incidents (C) would skew the results and provide an incomplete picture. External benchmarks (D) are useful for comparison but do not help in aggregating internal incident data consistently across regions.
24. A global financial institution experienced a major data center failure due to an unexpected natural disaster, impacting critical financial services. The disaster recovery plan (DRP) was activated, but significant downtime occurred before full services were restored. As the risk manager, what should be your primary focus when reviewing the disaster recovery plan to ensure better response in the future?
The Correct Answer is B. The most critical focus in this scenario is ensuring that the recovery time objectives (RTOs) (B) are aligned with the organization’s business continuity requirements. The RTOs should reflect the maximum acceptable downtime for critical services. Additionally, implementing faster failover mechanisms, such as automated disaster recovery solutions, helps reduce downtime. While increasing drills (A) and investing in cloud-based services (D) may help, they don’t directly address aligning the DRP with business needs. Redesigning the data center (C) might be impractical and costly without addressing the recovery strategy.
25. A multinational company included the deployment of endpoint security software across all its devices as part of a risk treatment plan to mitigate malware risks. Six months after implementation, the risk manager is tasked with validating whether this risk response has been fully executed. What is the most reliable way to validate the deployment?
The Correct Answer is B. The most reliable method to validate the deployment of endpoint security software is to review system logs (B), which provide direct evidence that the software is installed and reporting across devices. The logs only show devices that check in, so they should be reconciled against the asset inventory: a device that never appears in the console’s logs is a coverage gap, and one whose last check-in is weeks old or whose protection is reported as disabled is not protected either. Interviews with the IT team (A) or employee surveys (C) would not provide sufficient verification. Accepting the deployment report from the vendor (D) without independent verification could leave gaps in ensuring that all devices are protected.
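As an added example (not from the exam material or any endpoint product), the following Python reconciles constructed agent heartbeat log lines against a constructed asset inventory, which is the check a risk manager would actually run to validate the deployment. The log format, hostnames, the "healthy" status value and the 24-hour freshness threshold are assumptions for the example; a real console exports its own schema:

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (in practice the CMDB export, which is the
# authority on which devices must be protected).
INVENTORY = ["LAPTOP-0142", "LAPTOP-0143", "LAPTOP-0144", "SRV-DB-01", "SRV-WEB-01"]

# Constructed heartbeat lines in the format this example assumes the endpoint
# security console exports.
HEARTBEATS = """\
2024-06-03T08:15:22Z host=LAPTOP-0142 version=7.4.1 status=healthy
2024-06-03T08:16:07Z host=SRV-DB-01 version=7.4.1 status=healthy
2024-05-01T10:02:44Z host=LAPTOP-0143 version=7.2.0 status=healthy
2024-06-03T08:17:51Z host=SRV-WEB-01 version=7.4.1 status=protection_disabled
2024-06-03T08:18:03Z host=LAPTOP-9999 version=7.4.1 status=healthy
""".splitlines()

# Point in time at which the validation is run (fixed so the example is repeatable).
NOW = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) version=(?P<ver>\S+) status=(?P<status>\S+)$")


def parse_heartbeats(lines: list[str]) -> dict[str, dict]:
    """Keep only the most recent heartbeat per host."""
    latest: dict[str, dict] = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # an unparseable line must not be counted as a protected device
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = m["host"]
        if host not in latest or ts > latest[host]["ts"]:
            latest[host] = {"ts": ts, "version": m["ver"], "status": m["status"]}
    return latest


def coverage_report(inventory: list[str], lines: list[str], now: datetime,
                    max_age: timedelta = timedelta(hours=24)) -> dict:
    """Classify every inventoried device from the logs and flag hosts the inventory lacks."""
    latest = parse_heartbeats(lines)
    report: dict = {"protected": [], "stale": [], "unhealthy": [], "missing": []}
    for host in inventory:
        hb = latest.get(host)
        if hb is None:
            report["missing"].append(host)          # never reported: agent absent or never enrolled
        elif now - hb["ts"] > max_age:
            report["stale"].append(host)            # agent stopped reporting
        elif hb["status"] != "healthy":
            report["unhealthy"].append(host)        # installed but not protecting
        else:
            report["protected"].append(host)
    # Hosts that report but are not in the inventory point at an inventory gap.
    report["unknown"] = sorted(set(latest) - set(inventory))
    report["coverage_pct"] = round(100 * len(report["protected"]) / len(inventory), 1)
    return report


if __name__ == "__main__":
    for key, value in coverage_report(INVENTORY, HEARTBEATS, NOW).items():
        print(f"{key}: {value}")
```

Five hosts report in, the same number as the inventory holds, so a raw count of heartbeats would suggest full coverage. Reconciled against the inventory, only two devices are protected (40 percent): one agent stopped reporting a month ago, one reports protection disabled, one device never reported at all, and one reporting host is not in the inventory, which is a separate finding about asset management.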
26. A healthcare provider must meet the security standards outlined in the Health Insurance Portability and Accountability Act (HIPAA). As the risk manager, you are responsible for ensuring that the organization adopts a suitable framework to secure electronic protected health information (ePHI). Which security framework would you recommend for managing the risks associated with HIPAA compliance?
The Correct Answer is A. NIST SP 800-66 (A) provides specific guidance on implementing the HIPAA Security Rule and is the most appropriate framework for ensuring compliance with HIPAA’s requirements for protecting electronic protected health information (ePHI). It helps organizations map NIST’s security controls to HIPAA’s requirements. ISO/IEC 27005 (B) is focused on risk management, but not specific to healthcare. COBIT (C) and ITIL (D) are governance and service management frameworks, respectively, and do not directly address HIPAA compliance.
27. A global logistics company assesses the inherent risk of losing sensitive customer data in transit between its distribution centers due to weak data encryption. After deploying stronger encryption protocols and implementing real-time monitoring, the residual risk is reduced to a low level. A recent internal review, however, shows that the encryption protocol has not been updated in over a year, resulting in an increased current risk due to emerging threats. How should the company respond to this situation?
The Correct Answer is C. (A) The inherent risk remains the same and does not need to be reassessed in this case. (B) Accepting an increased current risk without taking action exposes the company to potential data breaches. (C) The company should update its encryption protocols to reflect the latest security standards and continuously monitor for new vulnerabilities to ensure that the current risk does not exceed the calculated residual risk. (D) While physical security controls are important, they do not address the core issue of outdated encryption. Therefore, updating encryption is the most effective response.
28. A retail company collects risk data from its payment systems, including transaction logs, fraud detection results, and user access reports. The company needs to aggregate this data to identify patterns of risk that may indicate potential fraud. However, the data is vast and comes from various sources in different formats. How should the risk manager approach the aggregation of this risk data to ensure an accurate analysis?
The Correct Answer is B. The risk manager should use automated tools (B) to consolidate and standardize the data, given the large volume and varying formats. This approach ensures that the data is accurate and can be analyzed efficiently. Filtering by transaction type (A) could overlook risks in other transactions. Manually aggregating the data (C) would be time-consuming and prone to human error. Conducting analysis on a sample (D) might miss significant risk patterns, especially in a large and diverse data set. Automated tools ensure the data is accurately prepared for a comprehensive analysis.
29. A large retail company uses several KPIs to assess the performance of its business continuity plan (BCP). One KPI tracks the percentage of critical systems that are fully operational within 30 minutes after a disaster. The company recently fell short of its target during a disaster recovery exercise. What should the company prioritize to improve this KPI?
The Correct Answer is C. Reviewing and optimizing the disaster recovery processes and recovery time objectives (RTOs) (C) is the best way to improve the KPI for system recovery. This ensures that the processes align with the company’s ability to restore operations within the desired time frame. Simply increasing investment in backup systems (A) may help but does not address potential inefficiencies in the recovery process. Shortening the time frame for exercises (B) could add pressure but may not lead to better results. Conducting more frequent exercises (D) is useful but should follow a review of the processes to ensure they are effective.
30. A healthcare organization is monitoring its risk profile by using a mix of KRIs and KPIs. One critical KRI measures the number of unauthorized access attempts to its patient data systems. Recently, the number of attempts has surged. Which control metric would provide the best insight into whether existing security controls are effective?
The Correct Answer is A. The percentage of access attempts successfully blocked (A) provides direct insight into the effectiveness of the organization’s security controls. It shows how well existing controls are working to prevent unauthorized access. The total number of users with access (B) does not directly indicate the effectiveness of security controls but relates to access management. The average time to detect attempts (C) is useful but does not indicate whether the attempts were stopped. The number of reported breaches (D) shows the consequences of control failures but does not assess control effectiveness before breaches occur.
31. A financial institution has implemented several risk controls to prevent unauthorized transactions in its online banking platform. The Chief Risk Officer (CRO) wants to ensure that these controls are effectively monitored on an ongoing basis. What is the most appropriate method for monitoring the effectiveness of these controls?
The Correct Answer is B. Continuous monitoring of transaction logs (B) with automated alerts is the most effective way to detect unauthorized transactions in real-time and promptly respond to potential risks. This method provides proactive and ongoing visibility into the effectiveness of the controls. Quarterly audits (A) are periodic and may miss issues that occur between audits. Reviewing customer feedback (C) is reactive and may not catch technical control failures. Annual external audits (D) offer an external perspective but are too infrequent for ongoing monitoring and immediate response.
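The aggregation problem in question 28 and the continuous monitoring in question 31 share the same first step: records from different sources have to be normalised into one schema before any rule can be run across them. The following Python, an added example that is not part of the exam material or of any banking product, does both. It merges a constructed CSV export and a constructed JSON-lines feed into one record type and then runs three automated checks in timestamp order: a per-transaction limit, a device never seen before on a digital channel, and transaction velocity. The field names, the limits and the known-device baseline are assumptions for the example:

```python
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# Constructed sample feeds (not real data). The legacy core-banking export is
# CSV; the online-banking API emits JSON lines with different field names.
CSV_FEED = """\
txn_id,account,amount,currency,timestamp,channel,device
T1001,ACC-77,250.00,EUR,2024-06-03T08:01:10Z,branch,-
T1002,ACC-77,12000.00,EUR,2024-06-03T08:05:42Z,web,dev-a1
"""

JSONL_FEED = """\
{"id": "T1003", "acct": "ACC-77", "amt": "75.50", "ccy": "EUR", "ts": "2024-06-03T08:06:03Z", "chan": "mobile", "dev": "dev-zz"}
{"id": "T1004", "acct": "ACC-12", "amt": "40.00", "ccy": "EUR", "ts": "2024-06-03T08:06:30Z", "chan": "mobile", "dev": "dev-b7"}
{"id": "T1005", "acct": "ACC-77", "amt": "60.00", "ccy": "EUR", "ts": "2024-06-03T08:06:50Z", "chan": "mobile", "dev": "dev-zz"}
{"id": "T1006", "acct": "ACC-77", "amt": "90.00", "ccy": "EUR", "ts": "2024-06-03T08:09:00Z", "chan": "mobile", "dev": "dev-zz"}
"""

# Devices previously registered per account (assumed to come from the
# platform's device-enrolment data; constructed here).
KNOWN_DEVICES = {"ACC-77": {"dev-a1"}, "ACC-12": {"dev-b7"}}

PER_TXN_LIMIT = Decimal("10000")        # assumed policy limit per transaction
VELOCITY_WINDOW = timedelta(seconds=120)
VELOCITY_THRESHOLD = 3                  # transactions per account within the window


@dataclass(frozen=True)
class Txn:
    """Common schema every source is normalised into."""
    txn_id: str
    account: str
    amount: Decimal
    timestamp: datetime
    channel: str
    device: str


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise_csv(text: str) -> list[Txn]:
    return [Txn(r["txn_id"], r["account"], Decimal(r["amount"]), _ts(r["timestamp"]),
                r["channel"], r["device"]) for r in csv.DictReader(io.StringIO(text))]


def normalise_jsonl(text: str) -> list[Txn]:
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        out.append(Txn(r["id"], r["acct"], Decimal(r["amt"]), _ts(r["ts"]), r["chan"], r["dev"]))
    return out


def detect(txns: list[Txn]) -> list[tuple[str, str]]:
    """Run the control checks over the merged feed in time order; return (txn_id, rule) alerts."""
    alerts: list[tuple[str, str]] = []
    recent: dict[str, list[datetime]] = {}          # per-account timestamps inside the window
    flagged_devices: set[tuple[str, str]] = set()   # alert once per (account, device) pair
    for t in sorted(txns, key=lambda x: x.timestamp):
        if t.amount > PER_TXN_LIMIT:
            alerts.append((t.txn_id, "limit_exceeded"))
        if t.channel in ("web", "mobile") and t.device not in KNOWN_DEVICES.get(t.account, set()):
            if (t.account, t.device) not in flagged_devices:
                flagged_devices.add((t.account, t.device))
                alerts.append((t.txn_id, "new_device"))
        window = [ts for ts in recent.get(t.account, []) if t.timestamp - ts <= VELOCITY_WINDOW]
        window.append(t.timestamp)
        recent[t.account] = window
        if len(window) >= VELOCITY_THRESHOLD:
            alerts.append((t.txn_id, "velocity"))
    return alerts


def run() -> list[tuple[str, str]]:
    return detect(normalise_csv(CSV_FEED) + normalise_jsonl(JSONL_FEED))


if __name__ == "__main__":
    for txn_id, rule in run():
        print(f"ALERT {rule}: {txn_id}")
```

run() returns three alerts: T1002 for exceeding the limit, T1003 for a device never seen on that account, and T1005 because it is the third transaction on the account within two minutes. Each rule's hit count is a candidate control metric; in production the alerts would be pushed to an analyst queue or SIEM rather than returned as a list, and the known-device baseline would be read from the platform rather than a constant.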
32. An investment firm has a high risk appetite for speculative investments but maintains a strict risk tolerance for liquidity risks. After a market downturn, the firm faced liquidity challenges that threatened its ability to meet short-term obligations. What should the firm do to better align its risk tolerance with its overall risk appetite for speculative investments?
The Correct Answer is B. The firm should maintain a strict liquidity risk tolerance (B) while introducing more stringent controls to manage speculative investments. This allows the firm to pursue high-risk, high-reward investments while ensuring that liquidity risks are effectively managed. Increasing the liquidity risk tolerance (A) would expose the firm to excessive liquidity risks. Lowering the risk appetite for speculative investments (C) would limit growth opportunities unnecessarily. Eliminating liquidity risk tolerance limits (D) would lead to uncontrolled risks and could jeopardize the firm’s ability to meet its obligations.
33. A healthcare organization is preparing for a major system upgrade that could potentially disrupt critical patient care services. The risk manager is responsible for ensuring that the organization’s business continuity plan (BCP) is ready to handle any potential disruptions. What is the most critical element to review before initiating the system upgrade?
The Correct Answer is C. The most critical element to review before the system upgrade is the effectiveness of the failover plan (C). For healthcare organizations, ensuring uninterrupted access to patient care systems is essential for safety and compliance. The failover plan should be tested to guarantee that critical services can seamlessly transition to backup systems if necessary. While backup power (A), IT staff capabilities (B), and vendor support (D) are important, the failover plan directly impacts business continuity during the upgrade.
34. A large manufacturing company uses automated control systems in its production lines. The Business Impact Analysis (BIA) reveals that a system outage would result in significant financial losses due to production delays and contractual penalties. Which of the following should be the next step after identifying the criticality of the automated control systems through the BIA?
The Correct Answer is B. (A) Penetration testing focuses on security vulnerabilities but does not address recovery time after an outage. (B) The next logical step after the BIA is to determine the Recovery Time Objective (RTO) for the automated control systems. This defines how quickly the system must be restored to avoid financial losses and penalties. (C) While employee training may be helpful, it does not directly address the need to restore the automated systems. (D) Asset inventories are important but are typically part of broader IT management practices, not directly related to the next step in BIA. Therefore, determining the RTO is crucial for planning system recovery.
35. An organization is transitioning to a hybrid work model, where employees can work both on-premise and remotely. What factor poses the greatest risk to the enterprise's security posture in this scenario?
The Correct Answer is C. The greatest risk in a hybrid work model is the increased vulnerability to cyberattacks (C), especially when employees access corporate networks from unsecured locations, such as home networks or public Wi-Fi. This can expose the organization to threats like phishing, man-in-the-middle attacks, or malware. Lack of collaboration (A) and managing time and attendance (B) are management issues, while higher operational costs (D) are budgetary concerns, neither of which impact security as directly as the increased exposure to cyber threats.
36. A large e-commerce company is assessing potential risks related to its new mobile payment platform. During the risk assessment process, the team uses the STRIDE threat modeling methodology and identifies potential Tampering and Information Disclosure risks. What is the next step the company should take to manage these identified threats?
The Correct Answer is A. (A) After identifying threats using STRIDE (such as Tampering and Information Disclosure), the next logical step is to develop mitigation controls that directly address these risks: integrity checks and input validation for tampering, and encryption in transit and at rest for information disclosure, each reducing the likelihood or impact of the threat. (B) Re-running the process with a different methodology could be redundant without first applying mitigation strategies. (C) Escalating without action delays risk mitigation, which is not best practice. (D) While cost-benefit analysis may come later, immediate mitigation is needed for high-risk issues. Therefore, developing appropriate controls is the best next step.
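As an added example of the controls named above (written for this page, not taken from the exam material or any payment platform), the following Python shows the tampering and information disclosure mitigations for a mobile payment request. The client sends a canonical JSON body with an HMAC-SHA256 tag; the server verifies the tag over the exact bytes it received before parsing anything, then validates every field; and the PAN is masked before the request is written to a log. Confidentiality of the message in transit is assumed to be provided by TLS and is not shown. The key, field names, currency list and limits are placeholders for the example:

```python
from __future__ import annotations

import hashlib
import hmac
import json
import re
from decimal import Decimal, InvalidOperation

# Assumption for this example: a per-device key provisioned at enrolment and
# held server-side. This value is a placeholder, not a real secret.
DEVICE_KEY = b"example-device-key-0001"

ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so client and server compute the MAC over identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes) -> tuple[bytes, str]:
    """Client side: return the body to send and its HMAC-SHA256 tag (tampering control)."""
    body = canonical(payload)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def validate(payload: dict) -> list[str]:
    """Server-side input validation; returns the list of problems (empty means accepted)."""
    problems = []
    for field in ("merchant_id", "amount", "currency", "pan", "nonce"):
        if not isinstance(payload.get(field), str):
            problems.append(f"{field}: missing or not a string")
    if problems:
        return problems
    try:
        amount = Decimal(payload["amount"])
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            problems.append("amount: must be positive with at most two decimals")
    except InvalidOperation:
        problems.append("amount: not a decimal number")
    if payload["currency"] not in ALLOWED_CURRENCIES:
        problems.append("currency: not allowed")
    if not re.fullmatch(r"\d{13,19}", payload["pan"]):
        problems.append("pan: must be 13-19 digits")
    if not re.fullmatch(r"[A-Za-z0-9-]{16,64}", payload["nonce"]):
        problems.append("nonce: malformed")
    return problems


def verify_request(body: bytes, tag: str, key: bytes) -> tuple[bool, list[str]]:
    """Server side: check integrity over the raw bytes first, then validate the decoded fields."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        return False, ["integrity: MAC mismatch, request rejected"]
    try:
        payload = json.loads(body)
    except ValueError:
        return False, ["body: not valid JSON"]
    if not isinstance(payload, dict):
        return False, ["body: not a JSON object"]
    problems = validate(payload)
    return not problems, problems


def redact_for_log(payload: dict) -> dict:
    """Information disclosure control: mask the PAN before the request reaches logs or traces."""
    safe = dict(payload)
    pan = safe.get("pan", "")
    safe["pan"] = "*" * max(len(pan) - 4, 0) + pan[-4:]
    return safe


if __name__ == "__main__":
    request = {"merchant_id": "M-100", "amount": "42.50", "currency": "EUR",
               "pan": "4111111111111111", "nonce": "a1b2c3d4e5f60718"}
    body, tag = sign(request, DEVICE_KEY)
    print("genuine:", verify_request(body, tag, DEVICE_KEY))
    print("tampered:", verify_request(body.replace(b'"amount":"42.50"', b'"amount":"0.50"'), tag, DEVICE_KEY))
    print("logged as:", redact_for_log(request))
```

Checking the MAC before parsing means a request whose amount was altered in transit is rejected without any work being done on untrusted data. Validation still runs afterwards because a correctly signed request from a buggy or compromised client can carry a negative amount or an unsupported currency, and the signature says nothing about that. The nonce is there so a captured request cannot simply be replayed; a server would additionally have to remember nonces it has already accepted.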
37. As a risk manager, you are reviewing your organization's enterprise architecture to ensure that it can support the integration of cloud services. The chosen framework must be adaptable to hybrid environments, where both on-premises and cloud services are utilized, and it should provide mechanisms for managing risk across these environments. Which of the following frameworks is most appropriate for this scenario?
The Correct Answer is A. TOGAF (A) is the most appropriate framework for this scenario because it is highly adaptable to hybrid environments, supporting both on-premises and cloud-based architectures. It includes risk management as part of its iterative development cycle and provides tools for managing change and integration, making it well-suited for environments involving cloud services. The Zachman Framework (B) is a classification tool and lacks practical guidance for implementing hybrid environments. FEAF (C) is geared more toward federal organizations. SABSA (D) focuses primarily on security architecture, and while useful for cloud security, it does not offer the broader enterprise architecture support that TOGAF provides.
38. An online retail company collects personal data from customers to provide tailored product recommendations. After a data breach, the company must report the incident to regulatory authorities under GDPR. What is the primary factor that determines whether the company must notify affected customers as well?
The Correct Answer is C. Under GDPR, the company must notify affected customers if the data breach is likely to result in a high risk to their rights and freedoms (C) (Article 34). Notifying the supervisory authority (Article 33) has a lower threshold and is required unless the breach is unlikely to result in any risk. High risk includes outcomes such as identity theft or fraud. The number of customers affected (A) or the duration of exposure (B) feed into that risk assessment but are not the deciding criterion on their own. If the breached data was encrypted (D) so that it is unintelligible to whoever obtained it, Article 34(3) allows the company to skip customer notification, but only because encryption lowers the risk, and only if the keys were not also compromised; encryption is an input to the risk test, not a separate criterion.
39. A software company develops a product that must operate under various environmental conditions, resulting in significant variability in its performance depending on factors like temperature and humidity. To ensure the product functions reliably, the company must apply risk responses that account for these variable conditions. Which approach is the most appropriate to address this variability?
The Correct Answer is C. Accepting the variability (A) could result in poor product performance and customer dissatisfaction. Avoiding variability (B) by restricting use to controlled environments would limit the product’s market potential. Offering extended warranties (D) would address customer dissatisfaction but does not prevent performance issues from occurring. The best approach is to mitigate the variability (C) by enhancing testing to simulate a wide range of environmental conditions, ensuring that the product can reliably perform across different scenarios.
40. A large financial institution is reviewing its risk management framework based on the "three lines of defense" model. The Chief Risk Officer (CRO) wants to ensure that the risk practitioners in the first line of defense understand their responsibilities in managing operational risks. What is the primary role of risk practitioners in the first line of defense?
The Correct Answer is B. In the first line of defense, risk practitioners are responsible for managing and mitigating risks within their operational areas (B). They implement risk management activities at the front line, ensuring that daily operations comply with established risk policies. Conducting independent audits (A) and providing assurance (D) are roles typically associated with the second and third lines of defense. Developing risk policies (C) is more aligned with the second line of defense, where risk management functions design and monitor the framework. The first line focuses on managing and controlling risks where they originate.
41. A financial services firm is considering the adoption of artificial intelligence (AI) to improve its fraud detection capabilities. What is the most critical threat that the risk manager should address when evaluating the use of AI in this context?
The Correct Answer is B. The most critical threat when implementing AI for fraud detection is the risk of adversarial inputs (B). Adversaries can manipulate AI algorithms by providing specially crafted inputs designed to mislead the AI, causing it to make incorrect decisions or bypass fraud detection. While high implementation costs (A) and integration challenges (C) are valid concerns, they are not direct threats to security. The need for specialized skills (D) is a human resource challenge, but it does not compromise the security of the AI system.
42. A multinational corporation is preparing for an external audit of its IT controls to ensure compliance with regulatory standards. The audit team requests detailed evidence of the effectiveness of these controls over the past year. What type of control assessment should the organization expect the audit team to perform?
The Correct Answer is C. A third-party audit (C) is the most appropriate type of control assessment for ensuring compliance with regulatory standards. It involves an independent external auditor evaluating the effectiveness of the organization’s IT controls over a specific period. Continuous monitoring (A) involves real-time or frequent assessments, but it is typically performed internally rather than by an external auditor. A self-assessment (B) is conducted by the organization itself and lacks the independence required for regulatory compliance. An internal review (D) is conducted by the organization’s internal audit or compliance team but does not provide the same level of independent assurance as a third-party audit.
43. A global retailer relies on a logistics provider to manage its supply chain across multiple countries. Recently, geopolitical tensions in one of the countries have increased, raising concerns about supply disruptions. The retailer’s risk assessment team is tasked with addressing this external risk to maintain business continuity. What is the most appropriate risk response?
The Correct Answer is C. Accepting the risk (A) would expose the company to potential supply chain disruptions, which is not advisable. Avoiding the risk (B) by ceasing operations in the affected country could lead to lost revenue and market share. While transferring the risk (D) through insurance could help cover financial losses, it does not prevent the supply chain disruption from occurring. The best approach is to mitigate the risk (C) by diversifying logistics providers across different regions, reducing dependency on a single provider and ensuring that supply chain continuity is maintained despite geopolitical tensions.
44. A tech startup has a fast-paced, high-risk culture where decisions are made quickly to capitalize on market opportunities. However, risk management practices are often neglected, leading to operational and financial issues. The Chief Risk Officer (CRO) must align the company’s risk management approach with its culture of rapid growth. What should the CRO do to address this cultural challenge?
The Correct Answer is B. The CRO should focus on integrating risk management processes into the startup’s decision-making workflows (B) without slowing down operations. This approach respects the company’s need for speed while ensuring that risks are considered. Enforcing strict compliance (A) or delaying initiatives (D) would conflict with the startup’s culture and could harm its competitive advantage. Outsourcing risk decisions (C) would create a disconnect between the core business and risk management, leading to misalignment. By embedding risk management into the existing fast-paced environment, the CRO can ensure that risks are managed without impeding growth.
45. A financial institution has recently adopted a cloud-based infrastructure to manage its sensitive client data. As the risk manager, you are tasked with identifying potential risks related to data privacy, compliance, and access control. What IT component should be of the greatest concern for mitigating these risks?
The Correct Answer is A. In this scenario, Identity and Access Management (IAM) (A) is the most critical component, as it directly governs who has access to sensitive client data. Given the cloud environment, IAM ensures proper authentication, authorization, and monitoring of user actions, addressing risks related to unauthorized access, data breaches, and compliance with regulations like GDPR or PCI DSS. While network firewalls (B) protect the perimeter, they do not provide the granular access control needed within a cloud infrastructure. Backup and disaster recovery systems (C) are essential for data availability but do not address data privacy or access control. Endpoint security (D) is relevant for protecting devices, but it doesn’t mitigate cloud-specific risks associated with data privacy and compliance.
46. A global manufacturing company has identified a risk of unauthorized access to its production control systems. The IT department suggests implementing firewalls and access control lists (ACLs) as preventive controls. However, the risk manager is concerned about the potential impact of insider threats. What additional control should be implemented to address this risk?
The Correct Answer is A. Implementing multifactor authentication (MFA) (A) is the best additional control to address the risk of insider threats. MFA provides a higher level of access security by requiring more than one form of authentication, which would make it more difficult for an insider to exploit access to production systems. Monitoring network traffic using IDS (B) is a detective control, which is helpful but does not prevent unauthorized access by insiders. Penetration testing (C) identifies external vulnerabilities but does not directly address insider threats. Backup and recovery (D) is focused on data recovery, not on preventing unauthorized access.
47. A key project risk identified during the planning phase is that critical team members might leave the project due to organizational restructuring, potentially disrupting progress. Which strategy should you use to mitigate this risk within the project management process?
The Correct Answer is C. Developing a knowledge transfer and succession plan (C) is the best strategy to mitigate the risk of critical team members leaving. This ensures that if a key team member departs, their knowledge and responsibilities can be smoothly transitioned to another team member, reducing the impact on the project. Increasing salaries (A) might help retain staff but doesn’t guarantee that the risk will be eliminated. Assigning multiple members to critical tasks (B) could introduce inefficiencies, and reallocating resources (D) without proper planning could disrupt other areas of the project without addressing the root risk.
48. A telecommunications company is implementing an enterprise risk management (ERM) framework to improve decision-making at the executive level. The Chief Executive Officer (CEO) wants to ensure that the ERM framework provides value by aligning risk management with the company’s strategic objectives. How should the company’s ERM framework achieve this alignment?
The Correct Answer is B. Establishing clear risk appetite and tolerance levels (B) tied to strategic goals ensures that the ERM framework supports informed decision-making that aligns with the company’s overall objectives. ERM involves setting risk parameters that guide the organization in balancing risk and reward. Focusing solely on operational risks (A) or financial risks (C) would not provide the comprehensive view required for effective strategic alignment. Creating a separate risk team (D) may lead to siloed risk management, which conflicts with the integrated approach promoted by ERM. Aligning risk appetite with strategy is a key concept in enterprise risk management.
49. A healthcare organization has implemented encryption to protect patient data in its electronic health records (EHR) system. To validate the effectiveness of the encryption control, the risk manager must ensure that data is being encrypted properly. Which method should the risk manager prioritize?
The Correct Answer is B. The most effective method to validate encryption is a technical review (B) that verifies encryption is applied both during data transmission and at rest. This ensures that data is protected at all times. Interviews with IT personnel (A) provide valuable context but do not confirm whether encryption is properly implemented. Monitoring logs (C) can detect errors but may not show whether encryption is fully enforced. Testing backup data (D) is useful but focuses only on one aspect of data protection. A full technical review covers all relevant encryption points.
50. During the maintenance phase of an enterprise software system, several security patches have been released by the vendor. However, applying these patches may result in downtime, which is a concern for business operations. As the risk manager, how should you approach this issue to balance security and availability?
The Correct Answer is B. The best approach is to coordinate with the IT operations team to apply the patches during low-traffic periods (B) while ensuring a rollback plan is available in case issues arise. This balances the need for security with minimal disruption to business operations. Postponing patches (A) increases the risk of vulnerabilities being exploited, while applying patches immediately (C) may disrupt operations unnecessarily. Performing a risk assessment (D) is important but does not eliminate the need to apply critical security patches.
51. An international telecom company conducts a business impact analysis (BIA) to evaluate the effect of a prolonged outage on its data centers. The BIA shows that a 24-hour outage could result in substantial customer loss and regulatory fines. Concurrently, a risk assessment identifies a high likelihood of power failures due to inadequate backup systems. What action should the company take to ensure these findings are effectively integrated into its risk management strategy?
The Correct Answer is B. (A) Data encryption is unrelated to addressing power failure risks. (B) The BIA has identified that a prolonged data center outage has severe business impacts, such as customer loss and regulatory fines. Given that the risk assessment highlights a high likelihood of power failures, the company should prioritize investments in backup power systems to prevent these critical outages. (C) Employee training is important but not the most effective immediate action to mitigate power failure risk. (D) Outsourcing could be considered, but the priority should be to address the power failures directly. Therefore, investing in backup power systems is the most appropriate action.
52. A large manufacturing firm is integrating Internet of Things (IoT) devices into its production lines to increase efficiency. The firm’s risk management team is tasked with managing the risks associated with these IoT devices, especially concerning operational continuity and cybersecurity. Which action should the team prioritize to manage these risks effectively?
The Correct Answer is A. The most effective way to manage the risks associated with IoT devices is to implement network segmentation (A) to isolate the devices from critical systems. This reduces the risk of cyberattacks spreading from vulnerable IoT devices to the entire network. Monitoring industry trends (B) may provide useful insights but does not directly mitigate risks. Employee training (C) is important for operational continuity but does not address the cybersecurity risks posed by IoT devices. Accepting the risk (D) without taking proactive measures would expose the firm to potential security breaches and operational disruptions.
53. A multinational retailer is using continuous monitoring to oversee the performance of its IT security controls. As part of this process, the risk management team identifies a pattern of increasing failed security patches across multiple geographic regions. What should be the first action the team takes in the control monitoring process?
The Correct Answer is A. The first action the team should take is to investigate the reasons for the failed security patches (A) to understand whether the issue is technical, procedural, or related to specific regions. Escalating to senior management (B) is premature without understanding the problem’s root cause. Adjusting monitoring thresholds (C) would mask the issue rather than address it. Implementing manual patching (D) could be a temporary fix but should follow the investigation into why the patches are failing, as automating this process is more efficient in the long term.
54. A retail organization is designing controls to manage the risk of unauthorized access to its customer database. The IT security manager, who owns the access control system, proposes implementing single sign-on (SSO) as the primary control. The risk manager, however, is concerned that SSO alone may not be sufficient for sensitive data access. How should the risk manager collaborate with the IT security manager to ensure the control is both effective and aligned with business requirements?
The Correct Answer is B. The risk manager should collaborate with the IT security manager to recommend adding MFA (B), as it provides an additional layer of security beyond SSO, especially for sensitive data. SSO alone may simplify access management but is not sufficient to mitigate risks related to unauthorized access. Accepting SSO without strengthening it (A) could leave the organization vulnerable. Rejecting SSO entirely in favor of MFA alone (C) may reduce operational efficiency and user experience. Transferring the risk (D) is not appropriate here since both SSO and MFA can be implemented effectively internally. Combining MFA with SSO enhances security while maintaining ease of access.
55. An IT services company is preparing for an external audit and must assess its cybersecurity risks in compliance with the NIST Cybersecurity Framework. The Chief Information Officer (CIO) is concerned about identifying the company’s current cybersecurity posture and determining the necessary actions to mitigate risks. According to the NIST framework, which step should the company prioritize to ensure a comprehensive cybersecurity risk assessment?
The Correct Answer is B. The NIST Cybersecurity Framework emphasizes assessing the organization’s current cybersecurity posture and defining a target profile (B) to understand where improvements are needed. This approach ensures that risks are identified and that mitigation strategies are aligned with the organization’s desired security level. Focusing solely on threats (A) without considering existing controls would lead to an incomplete risk assessment. Conducting only a vulnerability assessment (C) is not sufficient to understand the overall risk posture. Implementing controls before the risk assessment (D) would prevent a thorough understanding of the current risks.
56. A multinational healthcare company is conducting a review of its overall risk profile. The Chief Information Security Officer (CISO) identifies significant risks related to protecting patient data and complying with privacy regulations, while the Chief Operating Officer (COO) is focused on operational risks such as supply chain disruptions. What type of risk profile should the company prioritize to ensure a balanced approach to managing both information security and operational risks?
The Correct Answer is B. The company should prioritize an enterprise risk profile (B), as this will ensure that all types of risks—including information security and operational risks—are captured across the organization. This comprehensive view allows the company to manage risks holistically and align them with its strategic goals. A qualitative risk profile (A) would help understand the nature of risks but may lack the depth needed to integrate various risk types. An operational risk profile (C) would focus too narrowly on business operations, missing broader risks like data protection. A financial risk profile (D) would not adequately address non-financial risks such as data security and compliance.
57. A global logistics company needs to maintain operational continuity in the event of a network outage. As the risk manager, you are responsible for ensuring that the organization’s communication and data transfer processes can continue without interruption. What step should you prioritize to achieve this?
The Correct Answer is B. Establishing a redundant network architecture with failover capabilities (B) is the best approach to ensuring continuous communication and data transfer during a network outage. This allows the system to automatically switch to a backup connection if the primary network fails, minimizing downtime. Real-time monitoring (A) helps detect problems but does not prevent outages. Increasing bandwidth (C) improves performance but does not protect against outages. Developing a manual process (D) is a reactive measure that could lead to delays and errors, rather than ensuring smooth operational continuity.
58. A healthcare organization is deploying a new patient record management system. The risk identification team has identified potential risks such as system downtime, regulatory fines due to data breaches, and loss of critical patient data. What is the next best step the team should take to ensure these risks are properly addressed during the risk identification process?
The Correct Answer is B. (A) Escalating the risks without further classification and analysis is premature. (B) Classifying the risks into categories such as financial, operational, and compliance allows the team to better understand the nature and potential impact of each risk, which will help in developing appropriate mitigation strategies. This classification helps in prioritizing risks and ensuring that nothing is missed. (C) Focusing solely on financially impactful risks ignores other critical aspects like regulatory compliance and operational integrity, which could have serious consequences. (D) Developing a mitigation plan before completing the identification process is premature, as there could still be unassessed risks.
59. A global financial institution is implementing a new cybersecurity policy to mitigate increasing threats. The Chief Information Security Officer (CISO) emphasizes that adherence to the new policy is critical for preventing data breaches. However, several departments are concerned that the policy’s strict security controls may slow down their operations. As a CRISC-certified professional, how should the enterprise ensure that the policy provides the necessary security direction without disrupting business processes?
The Correct Answer is B. Involving department heads to tailor the policy (B) ensures that security controls are integrated into business processes without causing unnecessary disruptions. This approach helps balance operational efficiency with security. Enforcing the policy without modification (A) could lead to resistance and reduced productivity, while allowing departments to adopt only parts of the policy (C) would undermine its effectiveness. Reducing the policy’s scope (D) could leave critical areas vulnerable. By customizing the policy with input from various departments, the organization ensures both operational continuity and adherence to security standards.
60. A multinational corporation is undergoing an internal audit to ensure compliance with data privacy regulations, such as GDPR. During the audit, the Chief Risk Officer (CRO) discovers that certain departments have been bypassing privacy controls to expedite project timelines. What is the CRO's most ethical course of action, considering the legal and regulatory requirements?
The Correct Answer is A. The CRO’s most ethical course of action is to report the bypassed controls to senior management and implement corrective actions immediately (A). This ensures transparency, addresses regulatory non-compliance, and upholds professional ethics in risk management. Allowing the departments to continue bypassing controls (B) or asking the audit team to ignore the violations (C) would compromise the company's legal standing and violate professional ethics. Delaying the report (D) risks further violations and does not align with the responsibility of a risk manager to act promptly and mitigate risks.
61. Your organization is adopting a hybrid cloud architecture as part of its enterprise architecture transformation. As the risk manager, you must assess the security risks associated with this change. Which aspect of the hybrid cloud architecture should be the primary focus to ensure data security?
The Correct Answer is C. Ensuring consistent identity and access management (IAM) (C) across both on-premises and cloud environments is crucial to maintaining security in a hybrid cloud architecture. Without consistent IAM, the organization risks unauthorized access or weak access controls, which could lead to data breaches. While selecting a provider with a good SLA (A) and encrypting data (B) are important, they do not address access control directly. Backups (D) are essential for data recovery but do not mitigate the risk of unauthorized access.
62. A healthcare organization is implementing a control framework to ensure compliance with regulatory requirements like HIPAA (Health Insurance Portability and Accountability Act) while also managing operational risks. Which control framework is best suited to address both compliance and risk management in this healthcare environment?
The Correct Answer is A. ISO 27001 (A) is an international standard for information security management systems (ISMS) that helps organizations manage security risks, protect sensitive data, and comply with regulations such as HIPAA. It is particularly suited to environments where information security is critical, such as healthcare. PCI DSS (B) is specific to payment card security and does not address broader operational risks. ITIL (C) focuses on IT service management, not compliance and security. TOGAF (D) is an enterprise architecture framework and is not designed to directly address information security or regulatory compliance. ISO 27001 provides the comprehensive framework needed to handle both compliance and risk in healthcare.
63. A financial institution is preparing a control status report that will be shared with external auditors. The report includes control performance metrics such as response times for security incidents, system downtime, and access violations. Which element is most important to include to ensure the auditors can validate the status of controls?
The Correct Answer is B. The most important element for external auditors is detailed logs and supporting evidence (B), as these provide verifiable proof of control performance. Auditors need objective data to validate whether controls are functioning as intended. Historical data (A) is useful for understanding trends but is not sufficient without supporting evidence. A narrative (C) may help explain the context but is not a replacement for the evidence itself. Recommendations for improvements (D) are forward-looking and helpful but are not critical for validating the current status of controls.
64. An organization has identified a risk of data breaches caused by unauthorized access to its internal network. The risk assessment has categorized this as a high-likelihood, high-impact risk. The IT team proposes installing a network intrusion detection system (NIDS) to monitor incoming and outgoing traffic. How should this control be categorized in relation to the type of risk response required?
The Correct Answer is C. A network intrusion detection system (NIDS) is a detective control (C) because it monitors network traffic to identify potential security incidents or breaches but does not prevent the incidents from occurring. Preventive controls (A), such as firewalls, are designed to stop unauthorized access before it happens. Corrective controls (B) are implemented after an event to mitigate its impact, such as patch management. Compensating controls (D) are alternative mechanisms when primary controls are not feasible, and they do not apply here. The NIDS helps detect breaches in real time, allowing the organization to respond appropriately.
65. A financial institution is conducting a quantitative risk analysis to estimate the potential financial impact of a data breach. The team identifies a scenario where a breach could result in the loss of sensitive customer data, with a potential financial impact of $5 million. The likelihood of such a breach occurring within a year is estimated to be 10%. Based on this information, what is the Annualized Loss Expectancy (ALE) for this scenario?
The Correct Answer is B. (A) $50,000 is a miscalculation of the ALE. (B) ALE is calculated using the formula: Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO). Here, the SLE is $5 million, and the ARO is 0.10 (10%). So, ALE = $5,000,000 × 0.10 = $500,000. (C) $5,000 is a miscalculation of the ALE. (D) $5 million represents the SLE, not the ALE. Therefore, the correct ALE for this scenario is $500,000, which represents the expected annual financial loss due to the data breach.
66. A government agency is developing a risk scenario related to the potential compromise of its public-facing web portal, which provides citizens with access to important services. The scenario involves a ransomware attack that encrypts the web portal’s data, rendering the services inaccessible. What key aspect should the agency prioritize to understand the full scope of the risk scenario?
The Correct Answer is A. (A) To fully develop the scenario, the agency must assess the impact of the web portal’s downtime on citizens and critical services. Understanding how service interruptions affect the public and the agency’s operations is critical to evaluating the risk. (B) The cost of a decryptor tool is part of a mitigation strategy and should not be the focus during scenario development. (C) Cybersecurity insurance is important but is part of financial risk management, not scenario development. (D) Identifying the attacker may be useful, but it does not help develop the scenario’s full scope. Therefore, the agency should prioritize assessing the downtime and its impact.
67. A global manufacturing company is updating its business continuity policy to align with industry standards and mitigate risks from potential supply chain disruptions. The Chief Risk Officer (CRO) wants to ensure that the policy is not only compliant with standards but also integrated into the company’s daily business processes. How should the CRO proceed to make the policy effective?
The Correct Answer is B. The CRO should integrate business continuity planning into each department’s processes and conduct regular drills (B) to test the policy’s effectiveness. This ensures that the policy is not just a compliance exercise but is part of the company’s daily operations. Developing the policy without input from other departments (A) may lead to gaps in implementation, and focusing solely on compliance (C) could result in a policy that does not fully address the company’s specific risks. Simply distributing the policy (D) without active engagement and testing would likely lead to poor adoption and ineffective response in a crisis.
68. A large technology firm has implemented the Three Lines of Defense model to manage risk across the enterprise. Recently, the internal audit team (third line of defense) identified gaps in the second line’s oversight of emerging technological risks, including artificial intelligence (AI) applications. How should the second line of defense respond to address these gaps and ensure proper risk management?
The Correct Answer is B. The second line of defense should collaborate with the first line (B) to integrate AI risk management into daily operations, ensuring that emerging risks are proactively addressed. Focusing only on existing risks (A) would leave the company exposed to AI-related vulnerabilities. Reassigning responsibility to internal audit (C) is inappropriate because the third line is responsible for assurance, not management. Delaying action (D) would increase exposure to potential risks as AI technologies evolve. Proactive collaboration is key to managing emerging risks within the three lines of defense model.
69. An international bank has identified a risk of non-compliance with anti-money laundering (AML) regulations. The risk owner is the head of compliance, while the control owner is the IT department responsible for managing transaction monitoring systems. During a routine check, the bank discovers that several high-risk transactions were not flagged. What is the responsibility of the head of compliance in this scenario?
The Correct Answer is B. The head of compliance, as the risk owner, must conduct a risk review (B) and request that the IT department address the control gap to ensure that the transaction monitoring system is functioning properly. The risk owner is responsible for ensuring that the risk is managed, while the control owner (IT department) is responsible for implementing the technical solution. Adjusting system settings (A) is the control owner's responsibility, not the risk owner's. Accepting the risk (C) is not appropriate when controls are failing. Reporting the issue without taking further action (D) is insufficient, as the risk owner must ensure the issue is addressed.
70. A telecommunications company is experiencing delays in deploying critical updates due to inefficient change management processes, leading to security vulnerabilities. As the risk manager, what is the most effective action you can take to streamline these processes and reduce security risks?
The Correct Answer is B. Implementing a streamlined change management workflow with automated approvals for low-risk changes (B) reduces delays while ensuring that important updates are not held up unnecessarily. This helps mitigate security risks by ensuring timely patching and system improvements. Requiring executive approval for all changes (A) would slow the process further. Hiring a third-party vendor (C) may add costs and complexity without addressing internal inefficiencies. Reducing the frequency of updates (D) could exacerbate security risks by delaying patches.
71. A large healthcare organization needs to ensure that its patient data and systems remain operational during a crisis, such as a natural disaster. Which of the following would best maintain enterprise resiliency and ensure that patient services continue uninterrupted?
The Correct Answer is A. Deploying a fully redundant, geographically dispersed IT infrastructure (A) is the most effective way to ensure enterprise resiliency for a healthcare organization. This ensures that if one data center or region is affected by a disaster, another can take over immediately, maintaining uninterrupted access to critical systems and patient data. While creating an incident response team (B) and increasing backup frequency (C) are important, they do not guarantee continuous operation during a disaster. Establishing a hotline (D) is reactive and does not directly address the need for system continuity.
72. An international bank has identified a significant increase in failed login attempts to its core banking system. The IT risk team needs to report this increase to senior management. Which reporting technique would most effectively convey the risk to executives who are not familiar with technical details?
The Correct Answer is B. A high-level dashboard (B) is the most effective way to communicate the risk to senior management because it presents trends and risk impact in a visual format that is easy to understand. Executives are more interested in the business implications of risk, not the technical details. A detailed report with technical metrics (A) or raw data (C, D) would be overwhelming and may not clearly convey the urgency or business impact of the issue.
73. A multinational company is conducting an IT risk assessment for a new project that involves developing a customer-facing mobile application. During the assessment, the risk team identifies potential exposure to reputational damage due to social media backlash if the application has poor security controls, leading to customer dissatisfaction. Which type of risk does this scenario best describe?
The Correct Answer is A. (A) Reputational Risk is the correct answer, as the backlash on social media due to poor security controls directly impacts the company's public image. (B) Financial Risk refers to potential losses in revenue or financial resources, which could be a consequence, but not the primary risk identified in this case. (C) Legal Risk refers to risks related to lawsuits or regulatory penalties, which are not specifically mentioned in this scenario. (D) Strategic Risk refers to risks impacting long-term business objectives, which could relate to reputational damage, but this scenario focuses primarily on the company's reputation. Hence, the risk of social media backlash falls under Reputational Risk.
74. A large financial services company is implementing the ISO/IEC 27001 information security framework to protect its sensitive data and meet regulatory requirements. As the risk manager, your primary task is to ensure the effective application of this framework. What is the most critical step in the initial phase of implementing ISO/IEC 27001?
The Correct Answer is B. The most critical step in the initial phase of implementing ISO/IEC 27001 is performing a detailed risk assessment (B). This process identifies and prioritizes key security risks to the organization, which then informs the development of security controls and policies. Without a clear understanding of risks, the information security management system (ISMS) cannot effectively mitigate potential threats. Developing an incident response plan (A) and training employees (C) are essential, but they come later in the process. Security audits on third-party vendors (D) are also important but should be based on the identified risks.
75. A financial services firm is evaluating risks associated with third-party service providers, such as cloud hosting and payment processing vendors. The risk management team decides to use the FAIR (Factor Analysis of Information Risk) methodology to analyze these risks. How does the FAIR methodology assist in understanding these risks?
The Correct Answer is C. (A) Categorizing risks using expert judgment is a qualitative method, not related to FAIR. (B) Ensuring compliance is not the primary function of FAIR; it focuses on quantifying risk. (C) FAIR is a quantitative risk analysis methodology that helps organizations understand and measure risk in financial terms using statistical models. It focuses on analyzing the probable frequency and probable magnitude of loss events, making it ideal for understanding third-party risks. (D) Developing a risk register is part of risk management, but FAIR specifically focuses on quantification. Therefore, quantifying financial impact is the key feature of the FAIR methodology.