The correct answer is B because the primary reason for conducting background checks on individuals who will have elevated access to production systems is to reduce internal threats. Personnel with privileged access can significantly affect confidentiality, integrity, and availability. Background screening is a preventive governance and personnel security control intended to lower the likelihood of insider misuse, fraud, abuse of privilege, or other harmful actions.
The other options are less appropriate:
A. To eliminate risk associated with personnel is incorrect because risk cannot be fully eliminated.
C. To ensure new hires have the required skills is handled more directly through recruitment, vetting, and qualification review, not primarily through background checks.
D. To reduce exposure to vulnerabilities is too indirect; vulnerabilities are weaknesses in systems or controls, while this question is about personnel risk.
Exact Extracts supporting the answer:
“The MOST effective measure against insider threats to confidential information is role-based access control.”
“The PRIMARY reason that an enterprise would establish segregation of duties controls is to prevent errors or fraudulent activity on high-risk transactions.”
“The control that focuses directly on preventing the risk of collusion is mandatory job rotation.”
“The MOST concern to the risk practitioner regarding applications running in production is backdoors.”
These extracts support that elevated access roles create significant internal threat exposure and require preventive controls focused on reducing insider risk. Therefore, the primary reason for background checks is to reduce internal threats.
===========
QUESTION NO: 91 [Risk Assessment]
Which of the following would be MOST helpful to review when prioritizing the implementation of multiple IT-related initiatives?
A. Risk awareness program objectives
B. Risk assessment results
C. Risk profile
D. Risk policy
Answer: C
The correct answer is C because the risk profile provides the most useful enterprise-level view when prioritizing multiple IT-related initiatives. It reflects the aggregated level of risk facing the organization, helps identify which exposures are most significant, and supports comparison across initiatives based on business impact, likelihood, and current exposure.
The other options are less useful for prioritization at this level:
A. Risk awareness program objectives relate to culture and communication, not implementation prioritization.
B. Risk assessment results are important, but the risk profile is more useful when consolidating and prioritizing across multiple initiatives.
D. Risk policy sets direction and expectations, but it does not provide the comparative view needed for prioritization.
Exact Extracts supporting the answer:
“The most important aspect to consider in relation to a risk profile is the aggregated risk to the enterprise.”
“The main purpose of risk monitoring is to provide timely information on the actual status of the enterprise with regard to risk with the risk profile offering an overall risk status.”
“When reporting the status of the IT control environment to management the most important component is the risk profile of the enterprise.”
“The PRIMARY result of a risk assessment process is input for risk-aware decisions.”
These extracts show that the risk profile is the best consolidated basis for prioritizing multiple IT-related initiatives.
===========
QUESTION NO: 92 [Risk and Control Monitoring and Reporting]
Which of the following attributes of data provided to an automated log analysis tool is MOST important for effective risk monitoring?
A. Confidentiality
B. Scalability
C. Retention
D. Relevancy
Answer: D
The correct answer is D because the most important attribute of data fed into an automated log analysis tool is relevancy. For effective risk monitoring, the tool must receive data that is meaningful, useful, and directly related to the risks, events, controls, and activities being monitored. Irrelevant data reduces signal quality, obscures important indicators, and weakens timely detection.
The other options are less important for monitoring effectiveness itself:
A. Confidentiality is important for protecting the data, but it does not by itself make the monitoring effective.
B. Scalability is a system capability, not a core attribute of the data itself.
C. Retention is important for historical review and forensics, but not the most important factor for effective real-time or ongoing monitoring.
Exact Extracts supporting the answer:
“If the correct information was not received by the necessary recipients in time to allow proper action this can be categorized as relevance risk.”
“The most important consideration when implementing key risk indicators is linking the metric to a specific risk.”
“The MOST essential criterion for the effectiveness of operational metrics is relevance to the recipient.”
“The main purpose of continuous monitoring is detecting changes to the enterprise’s risk environment.”
These extracts directly support that relevant information is essential for useful monitoring and effective action. Therefore, relevancy is the most important attribute.
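As an added illustration (not part of the original question bank), the following Python snippet shows what "relevant data" means in practice for an automated log analysis tool: each monitored risk is linked to a pattern that identifies the events relevant to it, everything else is treated as noise, and a key risk indicator (KRI) is computed only from the relevant events. The log lines, risk IDs, patterns and thresholds are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample log feed in a syslog-like format (assumption, not real data).
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z host1 sshd[101]: Failed password for root from 203.0.113.5 port 5222 ssh2
2024-05-01T08:00:02Z host1 sshd[101]: Failed password for root from 203.0.113.5 port 5223 ssh2
2024-05-01T08:00:03Z host1 sshd[101]: Failed password for root from 203.0.113.5 port 5224 ssh2
2024-05-01T08:00:04Z host1 sshd[102]: Accepted password for root from 203.0.113.5 port 5225 ssh2
2024-05-01T08:00:05Z host2 cron[300]: (alice) CMD (/usr/bin/backup.sh)
2024-05-01T08:00:06Z host2 kernel: eth0: link up
2024-05-01T08:00:07Z host2 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/apt update
2024-05-01T08:00:08Z host3 app[55]: DEBUG cache hit ratio 0.97
2024-05-01T08:00:09Z host3 app[55]: INFO healthcheck ok
2024-05-01T08:00:10Z host1 sudo: bob : user NOT in sudoers ; COMMAND=/bin/bash
"""

# Each monitored risk (hypothetical IDs) is linked to the events that are relevant to it.
RISK_PATTERNS = {
    "R1-brute-force-privileged": re.compile(r"sshd\[\d+\]: Failed password for root"),
    "R2-privileged-login":       re.compile(r"sshd\[\d+\]: Accepted password for root"),
    "R3-unauthorized-sudo":      re.compile(r"sudo: \S+ : user NOT in sudoers"),
}

# KRI thresholds per risk: event count at which the indicator is considered breached (assumed).
THRESHOLDS = {
    "R1-brute-force-privileged": 3,
    "R2-privileged-login": 2,
    "R3-unauthorized-sudo": 1,
}


def classify(line):
    """Return the risk IDs a log line is relevant to; an empty list means noise."""
    return [risk for risk, pat in RISK_PATTERNS.items() if pat.search(line)]


def monitor(log_text):
    """Count relevant events per risk and measure how much of the feed was noise."""
    counts = Counter()
    total = relevant = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        risks = classify(line)
        if risks:
            relevant += 1
            counts.update(risks)
    return {"total": total, "relevant": relevant, "per_risk": dict(counts)}


def kri_status(result, thresholds=THRESHOLDS):
    """Map each monitored risk to 'breached' or 'ok' based on its linked event count."""
    return {
        risk: ("breached" if result["per_risk"].get(risk, 0) >= limit else "ok")
        for risk, limit in thresholds.items()
    }


if __name__ == "__main__":
    res = monitor(SAMPLE_LOGS)
    print(f"{res['relevant']} of {res['total']} lines were relevant to a monitored risk")
    for risk, status in kri_status(res).items():
        print(f"{risk}: {res['per_risk'].get(risk, 0)} events -> {status}")
```

The point of the split between `classify` and `monitor` is that the feed can carry any volume of kernel, cron or application chatter without affecting the indicators; only lines tied to a defined risk change a KRI, which is exactly the linkage the extracts describe.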
===========
QUESTION NO: 93 [Risk Assessment]
In the context of a business impact analysis (BIA) which of the following activities would be MOST complex and time-consuming for a risk practitioner in a large global organization?
A. Calculating recovery time objectives (RTOs)
B. Analyzing the financial impact of a disruption
C. Analyzing the interdependences between business departments
D. Identifying critical IT business processes and procedures
Answer: C
The correct answer is C because in a large global organization, the most complex and time-consuming BIA activity is analyzing the interdependencies between business departments. Large enterprises have numerous cross-functional, regional, operational, legal, and technical dependencies. Understanding how disruption in one area affects another is often the most difficult and resource-intensive part of a business impact analysis.
The other options are important, but generally less complex in a large global environment:
A. Calculating recovery time objectives (RTOs) is important, but it is usually derived after understanding process criticality and dependencies.
B. Analyzing the financial impact of a disruption can be difficult, but interdependency mapping is often broader and more complicated.
D. Identifying critical IT business processes and procedures is foundational, but in a global organization the network of dependencies is typically the harder task.
Exact Extracts supporting the answer:
“The objective of a business impact analysis is best described as the identification of time-sensitive critical business functions and interdependencies.”
“The most useful process in developing a series of recovery time objectives is business impact analysis.”
“A business impact analysis is primarily used to evaluate the impact of disruption on an enterprise’s ability to operate over time.”
“The main outcome of a business impact analysis (BIA) is the criticality of business processes.”
These extracts show that identifying interdependencies is central to BIA. In a large global organization, that makes it the most complex and time-consuming activity.
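As an added example (not from the original question bank), the Python snippet below shows why interdependency analysis is the hard part of a BIA: once departments are modelled as a dependency graph, a disruption in one department propagates to every department that depends on it, and a provider's own RTO has to be tightened to the shortest RTO of anything downstream of it. The department names, RTO values and dependencies are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed BIA inputs (assumption): each department's own RTO in hours and
# the departments it depends on to operate.
OWN_RTO = {"Sales": 24, "Billing": 12, "Payments": 4, "IT-Core": 8, "HR": 72, "Legal": 48}
DEPENDS_ON = {
    "Sales":    ["Billing", "IT-Core"],
    "Billing":  ["Payments", "IT-Core"],
    "Payments": ["IT-Core"],
    "HR":       ["IT-Core"],
    "Legal":    ["HR"],
    "IT-Core":  [],
}


def build_dependents(depends_on):
    """Invert the dependency map: provider -> departments that need it."""
    dependents = defaultdict(list)
    for dept, providers in depends_on.items():
        for provider in providers:
            dependents[provider].append(dept)
    return dependents


def downstream_impact(dept, depends_on=DEPENDS_ON):
    """All departments transitively disrupted if `dept` becomes unavailable."""
    dependents = build_dependents(depends_on)
    seen, queue = set(), deque([dept])
    while queue:
        current = queue.popleft()
        for d in dependents.get(current, []):
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen


def effective_rto(own_rto=OWN_RTO, depends_on=DEPENDS_ON):
    """A provider cannot recover later than anything that depends on it:
    effective RTO = min(own RTO, effective RTO of every dependent).
    Circular dependencies are reported instead of silently looping."""
    dependents = build_dependents(depends_on)
    memo = {}

    def rto(dept, stack=()):
        if dept in memo:
            return memo[dept]
        if dept in stack:
            raise ValueError(f"circular dependency involving {dept}")
        value = own_rto[dept]
        for d in dependents.get(dept, []):
            value = min(value, rto(d, stack + (dept,)))
        memo[dept] = value
        return value

    return {dept: rto(dept) for dept in own_rto}


def rto_conflicts(own_rto=OWN_RTO, depends_on=DEPENDS_ON):
    """Departments whose stated RTO is inconsistent with their dependents' needs."""
    effective = effective_rto(own_rto, depends_on)
    return {d: (own_rto[d], effective[d]) for d in own_rto if effective[d] < own_rto[d]}


if __name__ == "__main__":
    print("Disrupting IT-Core affects:", sorted(downstream_impact("IT-Core")))
    for dept, (stated, needed) in rto_conflicts().items():
        print(f"{dept}: stated RTO {stated}h, but dependents require {needed}h")
```

Even on this six-node graph the analysis surfaces two findings that are not visible from any single department's own answers: IT-Core's stated 8-hour RTO is too long because Payments needs it back within 4 hours, and HR's 72-hour RTO is tightened to 48 hours by Legal. In a global organization with hundreds of such edges, collecting and validating them is what makes this step the most time-consuming.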
===========
QUESTION NO: 94 [Risk and Control Monitoring and Reporting]
Which of the following criteria is MOST important to include in an agreement with a penetration testing vendor?
A. Details of testing methods to be used
B. Expectations of code escrow safeguards
C. Scope of the systems to be assessed
D. Steps to remediate identified vulnerabilities
Answer: C
The correct answer is C because the most important criterion to include in an agreement with a penetration testing vendor is the scope of the systems to be assessed. Clear scope is essential to define what is authorized, what assets may be tested, what environments are in scope, and what boundaries apply. Without a clearly defined scope, testing could miss key assets or unintentionally affect systems that were not authorized for assessment.
The other options are less important as the primary agreement requirement:
A. Details of testing methods to be used are useful, but they come after scope is clearly established.
B. Expectations of code escrow safeguards are unrelated to most penetration testing agreements.
D. Steps to remediate identified vulnerabilities may follow from the test results, but they are not the most important initial contractual criterion.
Exact Extracts supporting the answer:
“Prior to conducting a penetration test the most important step is obtaining senior management approval of exercise parameters.”
“Before beginning a black box penetration test it's crucial to have a clearly stated definition of scope in place.”
“To best preserve service availability during a penetration test it's essential to schedule testing of critical systems during maintenance windows.”
“For an Internet-facing application penetration testing is the most effective control assessment type.”
These extracts directly support that clear scope is the most important criterion in an agreement with a penetration testing vendor.
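As an added example (not part of the original question bank), the Python snippet below shows how a tester turns the agreed scope into an enforceable check before any tool is pointed at a target: every target is accepted only if it falls inside an authorized range and outside every explicit exclusion, and testing of the listed systems is allowed only inside the agreed maintenance window. The ranges, exclusions and window are constructed for this example and stand in for the values a real agreement would contain.

```python
import ipaddress
from datetime import datetime, time

# Constructed scope from a hypothetical agreement: authorized ranges/hosts,
# explicit exclusions that override them, and the maintenance window (UTC).
SCOPE = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10", "2001:db8::/64"],
    "excluded": ["203.0.113.1", "203.0.113.250/31"],
    "window": {"start": time(1, 0), "end": time(5, 0)},
}


def parse_networks(entries):
    """Accept single addresses or CIDR blocks; strict=False keeps host bits."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_in_scope(target, scope=SCOPE):
    """True only if target lies inside an authorized range and in no exclusion.
    Raises ValueError for anything that is not an IP literal."""
    addr = ipaddress.ip_address(target)
    allowed = any(addr in net for net in parse_networks(scope["in_scope"]))
    excluded = any(addr in net for net in parse_networks(scope["excluded"]))
    return allowed and not excluded


def filter_targets(targets, scope=SCOPE):
    """Split a target list into authorized and refused, so that nothing outside
    the agreement is ever handed to a scanner. Hostnames are refused here:
    they must be resolved first and the resulting addresses re-checked."""
    authorized, refused = [], []
    for target in targets:
        try:
            ok = is_in_scope(target, scope)
        except ValueError:
            ok = False
        (authorized if ok else refused).append(target)
    return authorized, refused


def within_window(now, scope=SCOPE):
    """Check the current UTC time against the agreed window; handles a window
    that wraps past midnight (e.g. 22:00 to 04:00)."""
    start, end = scope["window"]["start"], scope["window"]["end"]
    current = now.time()
    if start <= end:
        return start <= current < end
    return current >= start or current < end


def authorize_run(targets, now, scope=SCOPE):
    """Gate a test run: returns the targets that may be tested right now, or an
    empty list with a reason if the window or the scope refuses the request."""
    if not within_window(now, scope):
        return [], "outside agreed maintenance window"
    authorized, refused = filter_targets(targets, scope)
    if refused:
        return authorized, f"refused out-of-scope targets: {refused}"
    return authorized, "ok"


if __name__ == "__main__":
    requested = ["203.0.113.5", "203.0.113.1", "203.0.113.251",
                 "198.51.100.10", "198.51.100.11", "2001:db8::1", "app.example"]
    allowed, reason = authorize_run(requested, datetime(2024, 5, 1, 3, 0))
    print("Allowed:", allowed)
    print("Reason:", reason)
```

The exclusions are checked after the inclusions on purpose: an agreement usually carves specific hosts (a production database, a partner-facing gateway) out of a broader authorized range, and the carve-out must win. Keeping the gate in code also gives the vendor and the client the same artifact to sign off on, rather than a scope that lives only in a PDF.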