The correct answer is D because data anonymization best mitigates privacy risk while still enabling testing. It allows the organization to use realistic data sets for development or testing purposes without exposing identifiable personal information. This supports business needs while reducing the chance of privacy violations.
The other options are less effective for this specific purpose:
A. Data classification helps determine protection requirements, but it does not by itself make the data safe for testing.
B. Data sanitization can remove sensitive data, but anonymization is the more direct privacy-preserving method for retaining usable test data.
C. Data encryption protects data from unauthorized access, but it is reversible by design: anyone in the test environment who holds the key sees the original personal information, so the privacy exposure is only moved, not removed.
Exact Extracts supporting the answer:
“A privacy impact assessment can help enterprises weigh the benefits of their data processing activities against risk to determine the appropriate response.”
“The MAIN benefit of information classification is that it helps select security measures proportional to risk.”
“To determine the level of protection required for securing personally identifiable information a risk practitioner should PRIMARILY consider the sensitivity property of the information.”
“The MOST important principle of data protection that a risk practitioner should advocate for is that data should be accurate.”
These extracts support that personal information should be processed in a way that reduces privacy risk while preserving appropriate business use. For testing, data anonymization is the best answer.
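As an added example that is not part of the original question bank, the following Python script shows the distinction the explanation relies on: direct identifiers are dropped, the customer key is replaced with a keyed one-way token (so rows still join in the test database but cannot be mapped back without the key, which stays in production), and quasi-identifiers such as date of birth and postcode are generalized. The field names, sample records and helper names are constructed for illustration.

```python
"""Anonymize a customer extract before it is copied into a test environment.

Added example, not from the page: the field names, the sample records and the
helper names are constructed for illustration.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample data; no real people.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-12", "postcode": "SW1A 1AA", "balance": 1250.00},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.com",
     "dob": "1999-11-30", "postcode": "EH1 2NG", "balance": -40.25},
]

# Fields that identify a person on their own and are simply removed.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed one-way token: stable across rows (joins in test data still work)
    but not reversible without the key, which never leaves production."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob_iso: str, today: date) -> str:
    """Generalize an exact date of birth to a ten-year band."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize_record(rec: dict, key: bytes, today: date) -> dict:
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    out["customer_id"] = pseudonymize(rec["customer_id"], key)
    out["age_band"] = age_band(out.pop("dob"), today)
    out["postcode"] = rec["postcode"].split()[0]  # keep the outward code only
    return out


def anonymize_records(records, key: bytes, today=None):
    """today may be a date, an ISO string, or None (defaults to the current date)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    return [anonymize_record(r, key, today) for r in records]


def leaks_direct_identifiers(anonymized, originals) -> bool:
    """Check before release: no original identifier or raw key survives in the output."""
    sensitive_fields = DIRECT_IDENTIFIERS + ("customer_id", "dob")
    secrets = {str(r[f]) for r in originals for f in sensitive_fields}
    return any(str(v) in secrets for rec in anonymized for v in rec.values())


if __name__ == "__main__":
    out = anonymize_records(SAMPLE_RECORDS, b"test-only-key", today="2024-06-01")
    for rec in out:
        print(rec)
    print("leaks identifiers:", leaks_direct_identifiers(out, SAMPLE_RECORDS))
```

The HMAC step is pseudonymization rather than full anonymization: with the key, the tokens can still be reversed by lookup, so the key must not be deployed to the test environment, and the `leaks_direct_identifiers` check is the minimum release gate before the extract leaves production.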
===========
QUESTION NO: 101 [Risk Assessment]
Which of the following is the FIRST step in a risk assessment process?
A. Identifying risk owners
B. Documenting vulnerabilities
C. Assessing the likelihood of threats
D. Identifying assets
Answer: D
The correct answer is D because the first step in a risk assessment process is identifying assets. Before vulnerabilities can be documented, threats assessed, or owners assigned, the organization must first know what systems, data, applications, infrastructure, or business resources are in scope for the assessment.
The other options come later in the process:
A. Identifying risk owners follows once the assets, processes, and risks are understood.
B. Documenting vulnerabilities requires prior understanding of the assets being assessed.
C. Assessing the likelihood of threats also occurs after assets and scenarios have been identified.
Exact Extracts supporting the answer:
“The FIRST step in identifying and assessing IT risk is to gather information on the current and future environment.”
“The PRIMARY reason for determining the security boundary prior to conducting a risk assessment is to identify the scope of the risk assessment.”
“Understanding the system and its subsystems is the MOST effective method to conduct a risk assessment on an internal system in an enterprise.”
“Risk assessment is the risk management activity that initially identifies critical business functions and key business risk.”
These extracts support that risk assessment begins with understanding the environment and scope, which in this question is best represented by identifying assets.
===========
QUESTION NO: 102 [Risk Assessment]
A risk assessment has determined that an organization is highly susceptible to a vulnerability in its IT infrastructure. Which of the following is MOST important to communicate to the board?
A. Results of the most recent penetration test
B. Impact to the organization if the vulnerability is exploited
C. Results of a root cause analysis of the vulnerability
D. Open source intelligence reports on successful attacks
Answer: B
The correct answer is B because the board needs to understand the business impact to the organization if the vulnerability is exploited. The board’s focus is strategic oversight, organizational exposure, and the effect on mission, operations, and enterprise objectives rather than detailed technical findings.
The other options are less appropriate for the board:
A. Results of the most recent penetration test are useful technical evidence, but they are not the most important board-level message.
C. Results of a root cause analysis of the vulnerability are more useful for management and remediation teams.
D. Open source intelligence reports on successful attacks may provide context, but the key issue for the board is business impact.
Exact Extracts supporting the answer:
“IT risk is measured by its impact on business operations.”
“The primary reason risk professionals conduct risk assessments is to identify risk with the highest business impact.”
“The board of directors is accountable for overall enterprise strategy for risk governance.”
“Dashboards are MOST suitable for reporting IT-related business risk to senior management.”
These extracts support that board communication should focus on business impact. Therefore, the most important thing to communicate is the impact to the organization if the vulnerability is exploited.
===========
QUESTION NO: 103 [Governance]
Which of the following is MOST important for ensuring anonymous reporting of non-compliant activity?
A. Establishing an employee feedback channel
B. Establishing a dedicated compliance function
C. Implementing an incentive program
D. Implementing homomorphic encryption
Answer: A
The correct answer is A because the most important factor for ensuring anonymous reporting of non-compliant activity is a trusted employee feedback/reporting channel. Anonymous reporting depends on having a practical and secure method for individuals to raise concerns without exposing their identity.
The other options are less suitable:
B. Establishing a dedicated compliance function may support oversight, but does not by itself enable anonymous reporting.
C. Implementing an incentive program may encourage reporting, but it does not ensure anonymity.
D. Implementing homomorphic encryption is not the practical organizational control needed for anonymous misconduct reporting.
Exact Extracts supporting the answer:
“The greatest benefit of a risk-aware culture is that issues are escalated when suspicious activity is noticed.”
“The best proactive approach for practicing professional ethics within an enterprise is to provide ethics awareness training.”
“The most effective way to support adherence to an enterprise's code of ethics is by ensuring periodic training evaluation and attestation of employees.”
“Developing and practicing ethical behavior within an enterprise contributes the most to building the risk culture.”
These extracts support that issues should be escalated and reported. The most important mechanism for anonymous reporting is establishing an employee feedback channel.
===========
QUESTION NO: 104 [Risk Response and Mitigation]
Which of the following is MOST important to document when accepting risk?
A. Risk owner
B. Risk identification date
C. Risk mitigation date
D. Risk impact level
Answer: A
The correct answer is A because when accepting risk, the most important item to document is the risk owner. Risk acceptance must be tied to clear accountability. The organization must know who has the authority to accept the risk and who remains accountable for monitoring and managing it afterward.
The other options are important supporting details, but not the most important:
B. Risk identification date is useful for tracking, but not as critical as accountability.
C. Risk mitigation date may not apply if the risk is being accepted rather than mitigated.
D. Risk impact level is important to understand the risk, but acceptance must ultimately be assigned to an accountable owner.
Exact Extracts supporting the answer:
“Accountability for a risk treatment plan lies with the risk owner.”
“The PRIMARY objective of risk reporting is to provide the risk owner with information to initiate risk response.”
“For an organizational business unit the most accurate description of risk-related roles and responsibilities is that the management team owns the risk and is responsible for identifying assessing and mitigating risk and reporting to the appropriate support functions and the board of directors.”
“During the risk assessment process it is most important to establish a clear line of accountability to ensure that risk ownership is assigned to the appropriate level.”
These extracts directly support that risk acceptance must be tied to documented accountability. Therefore, the most important item to document is the risk owner.
===========
QUESTION NO: 105 [Risk and Control Monitoring and Reporting]
Which of the following is the MOST effective way for an organization to track emerging risk?
A. Conduct peer benchmarking
B. Adjust the risk taxonomy
C. Capture it in the risk register
D. Re-perform relevant risk assessments
Answer: C
The correct answer is C because the most effective way to track emerging risk is to capture it in the risk register. The risk register is the primary enterprise tool for documenting identified risks, their status, ownership, mitigation actions, and ongoing changes over time. Once an emerging risk is identified, placing it in the risk register ensures it can be monitored, communicated, prioritized, and acted upon.
The other options are less effective as the primary tracking mechanism:
A. Conduct peer benchmarking may provide context, but it does not serve as the formal internal tracking tool.
B. Adjust the risk taxonomy may help classification, but not active tracking of a specific emerging risk.
D. Re-perform relevant risk assessments may be necessary later, but the first and most effective way to track the risk is to record it formally.
Exact Extracts supporting the answer:
“The risk register is the best tool for identifying changes in an enterprise’s risk profile.”
“The MAIN reason an enterprise maintains a risk register is to act as a repository of identified risk for decision-making.”
“The BEST tool for documenting the status of risk mitigation and risk ownership at the enterprise level is the risk register.”
“An emerging risk should be added to the risk register by the risk practitioner when the activity that triggers the risk initiates.”
“An updated risk register ensures effective prioritization and treatment of risk.”
These extracts directly support that emerging risk should be formally documented and tracked through the risk register.