Question 1

How can metrics on training effectiveness and needs for additional training be gathered?

Options :

A : Questionnaires, testing, help desk activity, operational errors

B : Management interviews only

C : Audits only

D : Incident reporting only

Answer: A

Question 2

The status of IT-related risk should to be communicated to the relevant stakeholders and:

Options :

A : Express risk in a manner that is useful to support business decisions.

B : Never updated

C : Should focus on best-case and least-probable scenarios.

D : Be as concise as possible and as such exclude probabilities of gain and loss.

Answer: A

Question 3

What category of control is represented by employing a firewall to obstruct traffic on ports linked to malicious tools?

Options :

A : Detective

B : Preventive

C : Compensating

D : Corrective

Answer: B

Question 4

What determines the suitability of risk analysis approaches?

Options :

A : Culture, resources, skills, environment, and risk appetite

B : Potential consequences of a given risk scenario

C : Criticality and sensitivity of IT assets

D : Frequency and magnitude of a given risk scenario

Answer: A

Question 5

Which activity is commonly linked with analyzing Information and Technology (I&T) related risks?

Options :

A : Estimating the frequency and impact of I&T-related risk scenarios.

B : Identifying potential vulnerabilities within the I&T infrastructure and systems.

C : Documenting IT controls that mitigate similar risk types.

D : Cataloging I&T-related risk scenarios.

Answer: A