- (Exam Topic 3)
An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

1. A. a lack of mitigating actions for identified risk
2. B. decreased threat levels
3. C. ineffective service delivery
4. D. ineffective IT governance

Correct Answer: D

- (Exam Topic 2)
Which of the following is the BEST way to ensure ongoing control effectiveness?

1. A. Establishing policies and procedures
2. B. Periodically reviewing control design
3. C. Measuring trends in control performance
4. D. Obtaining management control attestations

Correct Answer: C

- (Exam Topic 2)
An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

1. A. identifying risk scenarios.
2. B. determining the risk strategy.
3. C. calculating impact and likelihood.
4. D. completing the controls catalog.

Correct Answer: A

- (Exam Topic 2)
Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

1. A. Unencrypted data
2. B. Lack of redundant circuits
3. C. Low bandwidth connections
4. D. Data integrity

Correct Answer: A

- (Exam Topic 3)
A department allows multiple users to perform maintenance on a system using a single set of credentials. A risk practitioner determined this practice to be high-risk. Which of the following is the MOST effective way to mitigate this risk?

1. A. Single sign-on
2. B. Audit trail review
3. C. Multi-factor authentication
4. D. Data encryption at rest

Correct Answer: B