Chapter 2: IT Risk Assessment Flashcards

Question 1

Q

Which of the following BEST ensures effective prioritization and treatment of risk?

A.An updated risk register
B.A completed risk assessment report
C.Exception processes for low-impact risk
D.An updated risk map profile

Answer

A

A is the correct answer.

Justification
The risk register enables prioritization and treatment of risk as it gives a central view of all the enterprise’s risk.
Completing the risk assessment does not give visibility into all the enterprise’s risk.
The exception process does not give visibility into the all the enterprise’s risk.
A risk map is a graphic tool for ranking and displaying risk by defined ranges of frequency and magnitude; it does not necessarily give visibility into all the enterprise’s risk.

Question 2

Q

Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of:

A.potential threats to assets.
B.residual risk on individual assets.
C.accepted risk.
D.security incidents.

Answer

A

A is the correct answer.

Justification
Identifying potential threats to business assets will help isolate vulnerabilities and associated risk, all of which contribute to developing proper risk scenarios.
Identifying residual risk on individual assets does not help develop a proper risk scenario.
Accepted risk generally reflects a small subset of entries in the risk register. Accepted risk should be included in the risk register to ensure that events continue to be monitored in case an actual incident alters current acceptance of the risk.
Previous security incidents at the enterprise itself or at entities with a similar profile may inspire the inclusion of similar risk scenarios in the risk register. However, the best approach to create a meaningful risk register is to capture potential threats on tangible and intangible assets.

Question 3

Q

Which of the following statements BEST describes the value of a risk register?

A.It captures the risk inventory.
B.It drives the risk response plan.
C.It is a risk reporting tool.
D.It lists internal risk and external risk.

Answer

A

B is the correct answer.

Justification
A risk register provides detailed information on each identified risk including risk owner, details of the risk scenario, assumptions, affected stakeholders, causes/indicators, detailed scores (i.e., risk ratings) on the risk analysis, and detailed information on the risk response (e.g., action owner and risk response status, time frame for action, related projects, and risk tolerance level). These components can also be defined as the risk universe.
Risk registers serve as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization.
Risk register data are used to generate management reports, but a risk register is not in itself a risk reporting tool.
The risk register tracks all internal and external risk, the quality and quantity of the controls, and the likelihood and impact of the risk.

Question 4

Q

What is the BEST tool for documenting the status of risk mitigation and risk ownership at the enterprise level?

A.Risk action plans
B.Risk scenarios
C.Business impact analysis documents
D.Risk register

Answer

A

D is the correct answer.

Justification
Risk action plans define risk activities for a defined scope, not for an entire entity.
Risk scenarios help develop a thorough understanding of an enterprise’s risk profile; however, they are not suitable for capturing risk mitigation, contingency plans and ownership for an enterprise.
The business impact analysis documents show ownership and describe processes and assets that are critical to the business; they do not describe risk mitigation strategies or specifically lay out the technical details of the contingency plan.
A risk register is designed to document all risk identified for the enterprise. For each risk it records, at a minimum, the likelihood, potential impact, priority, status of mitigation and owner.

Question 5

Q

The preparation of a risk register begins in which risk management process?

A.Risk response planning
B.Risk monitoring and control
C.Risk management planning
D.Risk identification

Answer

A

D is the correct answer.

Justification
In the risk response planning process, appropriate responses are determined by consensus and included in the risk register.
Risk monitoring and control often require identification of new risk and reassessment of known risk. Outcomes of risk reassessments, risk audits and periodic risk reviews trigger updates to the risk register.
Risk management planning describes how risk management will be structured and performed.
The risk register details all identified risk, including description, category, cause, probability of occurring, impact on objectives, proposed responses, owners and current status. The primary outputs of risk identification are the initial entries into the risk register.

Question 6

Q

To help establish the annual strategic direction of the enterprise, management needs to understand the existing IT challenges and assessment of risk. Where will management find this information?

A.The risk profile
B.A business case
C.The risk action plan
D.The risk register

Answer

A

D is the correct answer.

Justification
A risk profile is the overall portfolio of (identified) risk to which the enterprise is exposed.
A business case rationalizes a given investment to inform the decision-making on whether to proceed with the investment. It also functions as an operational tool to manage the investment through its full economic life cycle.
The risk action plan documents the priority for implementation of individual risk actions and how they should be implemented.
The results from the risk assessment are contained in the risk register. The risk register documents key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact and disposition.

Question 7

Q

Where is the MOST useful place for enterprise management to store data related to a potential information breach?

A.Incident log
B.Problem management log
C.Risk register
D.Change management log

Answer

A

C is the correct answer.

Justification
The incident register captures incidents and not potential information-breach findings.
The problem register captures problems and not potential information-breach findings.
The risk register captures all information related to exposure, including action plans, residual risk rating and relevant stakeholders.
The change register captures changes and not potential information-breach findings.

Question 8

Q

If risk has been identified, but not yet mitigated, the enterprise would:

A.record and mitigate serious risk and disregard low-level risk.
B.obtain management commitment to mitigate all identified risk within a reasonable time frame.
C.document identified risk in the risk register and maintain the remediation status.
D.conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.

Answer

A

C is the correct answer.

Justification
All levels of risk identified should be documented in the risk register. It is important to be able to identify where low-level risk can be aggregated within the register.
Not all identified risk will necessarily be mitigated. The enterprise will conduct a cost-benefit analysis before determining the appropriate risk response.
All identified risk should be included in the risk register. The register should capture the proposed remediation plan, the risk owner, and the anticipated date of completion.
Annual risk assessments should consider previous risk assessments.

Question 9

Q

The risk register is PRIMARILY a document communicating risk to:

A.the public.
B.the employees.
C.regulatory bodies and compliance.
D.relevant stakeholders.

Answer

A

D is the correct answer.

Justification
As it contains security risk and weaknesses information, the risk register is not made public.
The risk register is not typically communicated to all employees since it may not contain information relevant to all employees in the job functions.
The risk register is not intended for use by regulatory bodies and compliance teams.
As it contains information regarding risk and weaknesses relevant to the enterprise, the risk register is shared only with relevant stakeholders.

Question 10

Q

Which of the following presents the GREATEST risk when updating the risk register? Updates are:

A.carried out jointly with other functions.
B.carried out following incidents.
C.carried out annually.
D.subject to approval by the chief information security officer.

Answer

A

C is the correct answer.

Justification
In some cases, the risk-related aspects may be managed by multiple functions and hence updated jointly.
While updating the risk register only following incidents presents a risk, it is not the greatest risk when compared to carrying out updates to risk only once a year.
Updating the risk register only annually means the risk register does not reflect the true status of IT risk in the enterprise.
Updating the risk register only with the approval of the chief information security officer is problematic, but it is not as great a risk compared to only annual updates.

Question 11

Q

The GREATEST benefit of using an IT risk register is that it is:

A.a list of potential events that have been identified to understand their impact.
B.a document used to track risk that has been identified, analyzed and prioritized.
C.a list of risk that can be shared with all stakeholders in an easy-to-read format.
D.the basis for choosing a commercial, off-the-shelf risk management tool.

Answer

A

B is the correct answer.

Justification
The IT risk register includes a list of potential events, along with the likelihood and impact of the potential risk, but that is not its greatest benefit.
The greatest benefit of a risk register is that it provides information about the likelihood, impact and prioritization of all identified IT risk.
The IT risk register is a standardized format that can be easily shared, but that is not its greatest benefit. The greatest benefit of an IT risk register is the prioritization of the analyzed risk.
The IT register can provide inputs into what commercial software solutions need to provide in terms of functionality, but that is not the greatest benefit of a risk register.

Question 12

Q

Risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners are all captured in which of the following items?

A.Risk register
B.Risk subject
C.Risk factors
D.Risk treatment plan

Answer

A

A is the correct answer.

Justification
A risk register includes risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners.
A risk subject refers to the risk owner and affected business unit but does not address projects.
Risk factors reference internal and external context, risk management and IT-related capabilities.
A risk treatment plan includes risk scenarios requiring mitigation, root cause analysis, risk response evaluation criteria, accountability and responsibility, proposed actions, required resources, performance measurements and constraints, cost-benefit analysis, reporting and monitoring requirements, and timing and scheduling.

Question 13

Q

The PRIMARY advantage of creating and maintaining a risk register is to:

A.ensure that an inventory of identified risk is maintained.
B.record all risk scenarios considered during the risk identification process.
C.collect similar data on all risk identified within the enterprise.
D.run reports based on various risk scenarios.

Answer

A

A is the correct answer.

Justification
Once assets and risk are identified, the risk register is used as an inventory of that risk. The risk register can accelerate risk decision-making and establish accountability for specific risk.
Recording all considered scenarios in the register and reassessing them annually are good practices; however, maintaining the inventory is the primary advantage.
Similar data elements can be collected in a spreadsheet or governance, risk and compliance tool in a single format, but ensuring the inventory is still the primary advantage.
Running reports is a benefit of the risk registry, but not its primary purpose.

Question 14

Q

An emerging risk should be added to the risk register by the risk practitioner when:

A.the impact of the risk can be quantified
B.the probability of occurrence is high.
C.a competitor has added the risk to its register.
D.the activity that triggers the risk initiates.

Answer

A

D is the correct answer.

Justification
While impact quantification is important, it is not the factor that decides when emerging risk will be added to the risk register.
A high impact need not be the only criterion deciding when risk gets added to the risk register.
An industry benchmark should not be used as a criterion to add risk to the register because risk relevant to one enterprise may not be relevant to another due to each enterprise’s unique operating environment.
Risk identification usually starts when planning an activity, and risk identified at planning needs to be added to the risk register to ensure effective risk management.

Question 15

Q

Which of the following BEST improves decision-making related to risk?

A.Maintaining a documented risk register of all possible risk
B.Risk awareness training in line with the risk culture
C.Maintaining updated security policies and procedures
D.Allocating accountability of risk to the department as a whole

Answer

A

A is the correct answer.

Justification
Maintaining a documented risk register improves decision-making related to risk response because a risk register captures the population of relevant risk scenarios and provides a basis for prioritization of risk responses.
Offering risk awareness training to stakeholders and customizing its content according to the enterprise’s risk culture will sensitize stakeholders and users to their risk responsibilities. Training helps enhance accountability to make decisions on acceptance of residual risk but is less useful with respect to emerging threats.
Maintaining policies and procedures will not necessarily improve decisions related to residual risk.
Allocating accountability to the department as a whole dilutes ownership because there will be no individual owner for risk.

Question 16

Q

71.4% complete
Question
Which of the following BEST describes the information needed for each risk in a risk register?

A.Risk scenario including date, description, impact, probability, risk score, mitigation action and owner
B.Risk scenario including date, description, risk score, cost to remediate, communication plan and owner
C.Risk scenario including date, description, impact, cost to remediate and owner
D.Various activities leading to risk management planning

Answer

A

A is the correct answer.

Justification
Information required for each risk in a risk register includes date, description, impact, probability, risk score, mitigation action and owner.
Some of these elements are necessary to facilitate informed decisions, but others are needed as well (impact, probability, mitigation action). A communication plan is not required for each risk in a risk register.
In addition to these elements, probability, risk score and mitigation action are needed for each risk in a risk register to make informed decisions.
A risk register results from risk management planning, not the other way around.

Question 17

Q

Which of the following is the BEST way to ensure that an accurate risk register is maintained over time?

A.Monitor key risk indicators and record the findings in the risk register.
B.Publish the risk register centrally with workflow features that periodically poll risk assessors.
C.Distribute the risk register to business process owners for review and updating.
D.Use audit personnel to perform regular audits and to maintain the risk register.

Answer

A

B is the correct answer.

Justification
Monitoring key risk indicators will only provide insights to known and identified risk and will not account for risk that has yet to be identified.
Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow features will ensure accuracy of content. A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register.
Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased in their review and may not have the appropriate skills or tools to effectively evaluate risk.
Audit personnel may not have the appropriate business knowledge or training in risk assessment to appropriately identify risk. Regular audits of business processes can also be a hindrance to business activities and most likely will not be allowed by business leadership.

Question 18

Q

The risk register for a project should be PRIMARILY maintained until:

A.the project plan is approved.
B.management accepts the risk.
C.the project is closed.
D.the business case is approved.

Answer

A

C is the correct answer.

Justification
Risk continues to be relevant even after the project plan is approved, so it is important to continue maintaining the risk register.
Even after management accepts the risk, risk continues to remain relevant and should be in the risk register. Mere acceptance of the risk does not mean the risk is gone or will not occur.
Project risk will be relevant until the project is closed; therefore, the risk register should be maintained until that time.
Project management begins once the business case is approved. The project risk register should be maintained through the life cycle of the project.

Question 19

Q

Risk may be removed from the risk register when the risk:

A.has been eliminated.
B.is transferred to the vendor.
C.threshold is exceeded.
D.is no longer relevant.

Answer

A

D is the correct answer.

Justification
Risk cannot be eliminated. Therefore if the risk is relevant, it will remain in the risk register.
Although risk is transferred to vendor, the enterprise is still accountable for the risk and it will remain in the risk register.
If the risk threshold is exceeded, it means the risk continues to be relevant and remains in the risk register.
If a risk is relevant, it will be listed in the risk register. Once the risk is no longer relevant, it may be removed.

Question 20

Q

The PRIMARY advantage of creating and updating a risk register is to:

A.ensure that an inventory of identified risk is maintained.
B.record all risk scenarios considered during the risk identification process.
C.collect similar data on all risk identified within the enterprise.
D.run reports based on various risk scenarios.

Answer

A

A is the correct answer.

Justification
Once assets and risk are identified, the risk register is used as an inventory of that risk. The risk register can accelerate risk decision-making and establish accountability for specific risk.
Recording all considered scenarios in the register and reassessing them annually are good practices; however, maintaining the inventory is the primary advantage.
Similar data elements can be collected in a spreadsheet or governance, risk and compliance (GRC) tool in a single format, but ensuring the inventory is still the primary advantage.
Running reports is a benefit of the risk registry but not its primary purpose.

Question 21

Q

The MAIN reason an enterprise maintains a risk register is that it:

A.acts as a repository of identified risk for decision-making.
B.helps in benchmarking against the risk impacting industry peers.
C.improves the risk culture by communicating risk to all employees.
D.establishes the risk indicators that an enterprise can focus upon.

Answer

A

A is the correct answer.

Justification
The risk register has the identified risk and is a repository that helps in decision-making.
The risk registers from industry peers are never published, so benchmarking is not possible.
Risk culture can be improved through awareness, but the risk register itself is not a means of communicating risk awareness.
The risk register may include information that the risk owner could use to establish risk indicators, but that is not its main purpose.

Question 22

Q

Which is the FIRST step in identifying IT risk scenarios?

A.Estimate IT risk.
B.Estimate remediation costs.
C.Identify risk factors.
D.Identify the enterprise’s risk appetite.

Answer

A

C is the correct answer.

Justification
IT risk scenarios are determined prior to estimating IT risk.
IT risk scenarios are determined prior to estimating remediation costs.
Identifying risk factors involves data collection necessary in creating risk scenarios. It is the first step in identifying such scenarios.
Identifying the enterprise’s risk appetite is a separate process from developing IT risk scenarios.

Question 23

Q

Which of the following MOST affects a risk scenario?

A.A threat type
B.An event
C.An asset
D.An actor

Answer

A

D is the correct answer.

Justification
There is no scenario without an actor.
There is no scenario without an actor.
There is no scenario without an actor.
Someone needs to exploit the vulnerability.

Question 24

Q

Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the enterprise?

A.An IT audit
B.A security gap analysis
C.A threat and vulnerability assessment
D.An IT security assessment

Answer

A

C is the correct answer.

Justification
An IT audit typically uses technical evaluation tools or assessment methodologies to enumerate risk.
A security gap analysis typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios.
A threat and vulnerability assessment typically evaluates all elements of a business process for threats and vulnerabilities and identifies the likelihood of occurrence and the business impact if the threats were realized.
An IT security assessment typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios.

Question 25

Q

Risk scenarios should be created PRIMARILY based on which of the following?

A.Input from senior management
B.Previous security incidents
C.Threats that the enterprise faces
D.Results of the risk analysis

Answer

A

C is the correct answer.

Justification
Input from senior management is not as critical as enterprise threats in developing risk scenarios.
Previous incidents are not as critical as enterprise threats in developing risk scenarios.
When creating risk scenarios, the most important factor to consider is the likelihood of threats or threat actions occurring due to the risk.
Risk scenarios should be an input to the risk analysis, not vice versa.

Question 26

Q

The organizational structure, policies, standards, technology, architecture and controls criteria are PRIMARILY used to:

A.develop risk reporting.
B.analyze risk scenarios.
C.perform risk analysis.
D.determine risk appetite.

Answer

A

B is the correct answer.

Justification
A risk report contains the result of the risk analysis and evaluation based on the criteria.
The organizational structure, policies, standards, technology, architecture and controls are the criteria used when analyzing risk scenarios.
Risk analysis is based on the risk scenarios that have already considered organizational criteria.
The determination of risk appetite has an influence on how management develops risk scenarios and evaluates risk criteria.

Question 27

Q

Which of the following BEST estimates the likelihood of significant events affecting an enterprise?

A.Threat analysis
B.Cost-benefit analysis
C.Scenario analysis
D.Countermeasure analysis

Answer

A

C is the correct answer.

Justification
Threat analysis does not provide sufficient information to estimate likelihood. While there may be a threat, many other factors, including existing controls, must be considered to determine the likelihood of a threat.
Cost-benefit analysis is used in selecting controls and does not help estimate the likelihood of significant events.
Scenario analysis, along with vulnerability analysis, best determines whether a particular risk is relevant to the enterprise, and helps estimate the likelihood that significant events will affect the enterprise.
Countermeasure analysis is used to assess controls that address specific attacks, sometimes while an attack is occurring. Countermeasure analysis does not help estimate the likelihood of significant events.

Question 28

Q

An enterprise assessed risk by identifying the potential methods of attack, vulnerabilities, motivations and skill of the attacker, and possible damage. What approach to risk scenario development was used?

A.Vulnerability-based
B.Asset/impact
C.Business impact analysis
D.Threat-based

Answer

A

D is the correct answer.

Justification
A vulnerability-based approach to risk assessment identifies the enterprise’s known vulnerabilities and attempts to determine the threats that could exploit them.
The asset/impact approach to risk assessment identifies critical and sensitive assets and the ways they could be damaged.
The business impact analysis approach to risk assessment determines the impact of the risk on target assets over time.
A threat-based approach to risk assessment identifies potential methods of attack, vulnerabilities that could be exploited, intent and skill of the attacker, and potential damage.

Question 29

Q

When developing risk scenarios for an enterprise, which of the following is the BEST approach?

A.The top-down approach to consider overall business impact
B.The top-down approach because it has the support of senior management
C.The bottom-up approach to understand the impact of system outages more accurately
D.The top-down and the bottom-up approach because they have different perspectives

Answer

A

D is the correct answer.

Justification
Business impact is important, and IT risk must be measured relative to associated business practices. However, an exclusive assessment from business objectives will lack detail grounded in daily processes.
Management buy-in is essential, but risk scenarios should also consider the impact of individual system outages.
A bottom-up approach is too narrow; risk cannot be separated from business objectives.
Top-down and bottom-up risk scenario development integrates both perspectives. In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios affecting business objectives. The bottom-up approach builds on generic risk scenarios to create more concrete and customized scenarios, applied to the individual enterprise’s situation. A combined approach affords the best of both.

Question 30

Q

Which of the following approaches results in risk scenarios applicable to an enterprise’s identified risk?

A.A bottom-up approach based on generic scenarios
B.A bottom-up approach emphasizing threat events
C.A top-down approach based on magnitude of loss
D.A top-down approach driven by business objectives

Answer

A

D is the correct answer.

Justification
Generic risk scenarios help ensure that no risk is overlooked; they encourage the enterprise to avoid blind spots outside its normal frame of reference. However, the bottom-up approach is not tailored to specific identified risk. Most enterprises will combine the bottom-up and top-down approaches to ensure business relevance.
Threat events represent only one component of a risk scenario.
Magnitude of loss does not entail probability. If risk scenarios are developed primarily on the basis of potential impact, they may become highly theoretical and appear unrealistic to business owners.
A top-down approach ensures that an enterprise’s unique perspectives and business objectives are prioritized in risk scenarios.

Question 31

Q

Which of the following BEST addresses the potential for bias in developing risk scenarios?

A.Using representative and significant historical data
B.Securing participation of a large team of functional experts
C.Establishing a clearly defined escalation process
D.Integrating quantitative risk analysis techniques

Answer

A

A is the correct answer.

Justification
Using representative and significantly broad historical data helps to avoid bias that may otherwise characterize the selection of data by individual functional experts.
Securing participation of a large team of functional experts can help reduce subjectivity to some extent. However, it will not preclude bias because each expert may provide data based on individual experience and knowledge.
Establishing a clearly defined escalation process will provide opportunities to challenge risk values but in itself will not address potential bias.
Integrating quantitative risk analysis techniques will not reduce bias unless factual internal and external data are available in the first place.

Question 32

Q

When developing IT-related risk scenarios with a top-down approach, it is MOST important to identify the:

A.information system environment.
B.business objectives.
C.hypothetical risk scenarios.
D.internal and external risk scenarios.

Answer

A

B is the correct answer.

Justification
Top-down risk scenario development identifies the enterprise’s business objectives and builds risk scenarios based on risk that may jeopardize those objectives. The information system environment would be a risk factor.
Typically, top-down risk scenario development is performed by identifying business objectives and recognizing risk scenarios with the greatest potential to jeopardize business objectives.
The identification of generic risk scenarios is usually related to a bottom-up risk identification method.
It is important to identify both external and internal risk scenarios.

Question 33

Q

Risk scenarios enable the risk assessment process because they:

A.cover a wide range of potential risk.
B.minimize the need for quantitative risk analysis techniques.
C.segregate IT risk from business risk for easier risk analysis.
D.help estimate the frequency and impact of risk.

Answer

A

D is the correct answer.

Justification
When used correctly, risk scenarios can address a wide range of risk, but this is not always the result. However, risk scenarios always help to address the frequency and impact of risk—two key elements in the risk assessment process.
Risk scenarios do not necessarily minimize the need for quantitative risk analysis.
Risk scenarios can be applied to both IT risk and business risk and there is no question of segregating the risk.
While risk scenarios may address a wide range of risk, risk scenarios help to estimate the frequency and impact of risk—two key elements of the risk assessment process. These elements aid subsequent steps in risk management by making risk relevant to business process owners.

Question 34

Q

Which of the following is MOST effective in assessing business risk?

A.A use case analysis
B.A business case analysis
C.Risk scenarios
D.A risk plan

Answer

A

C is the correct answer.

Justification
A use case analysis identifies business requirements for a system or process.
Business cases are generally part of a project charter and help define the project’s purpose.
Risk scenarios are the most effective technique in assessing business risk. Scenarios help determine the likelihood and impact of an identified risk.
A risk plan is the output of the risk assessment.

Question 35

Q

Which of the following factors should be assessed after the likelihood of a loss event has been determined?

A.Risk tolerance
B.Magnitude of impact
C.Residual risk
D.Compensating controls

Answer

A

B is the correct answer.

Justification
Risk tolerance reflects acceptable deviation from acceptable risk. Risk tolerance requires quantification of risk, which in turn requires determining the magnitude of impact.
Once likelihood has been determined, the next step is to determine magnitude of impact.
Residual risk is the risk that remains after management implements a risk response. It cannot be calculated until controls are selected.
Compensating controls are internal controls that reduce the risk of an existing or potential control weakness that can result in errors and omissions. They would not be assessed directly in conjunction with assessing the likelihood of a loss event.

Question 36

Q

Which of the following statements is a risk scenario?

A.The password for the configuration of the tape backup system is set to the vendor default.
B.A program that processes records does not include data input validation.
C.Dedicated capacity for processing on an enterprise system exceeds projected maximum usage, resulting in wasted infrastructure resources.
D.Attackers develop a new piece of malware based on a known, but patched, vulnerability.

Answer

A

C is the correct answer.

Justification
If the password to configure a tape backup system is set to its vendor default, the password reflects the state of a technology control. Its state is not an event that could result in a loss.
A program that processes records without data input validation presents a vulnerability. It is not an event that could result in a loss.
Dedicated processing capacity that exceeds projected maximum usage and therefore results in wasted infrastructure resources constitutes potential loss.
If attackers develop a new piece of malware based on a known, but patched, vulnerability, their actions constitute a threat, but not a valid risk, because the vulnerability has already been patched.

Question 37

Q

Which of the following risk management activities initially identifies critical business functions and key business risk?

A.Risk monitoring
B.Risk analysis
C.Risk assessment
D.Risk evaluation

Answer

A

C is the correct answer.

Justification
Risk monitoring provides timely information on the actual status of risk in the enterprise.
Risk analysis estimates the frequency and magnitude of IT risk scenarios.
Risk assessment identifies and evaluates risk and its potential effects. It includes recognizing and assessing critical functions and processes necessary for an enterprise to continue operating, defines the controls in place to reduce exposure, and evaluates the cost of such controls.
Risk evaluation compares estimated risk against given risk criteria to determine the significance of the risk.

Question 38

Q

The MOST important of the following external factors that should be considered in risk assessment is:

A.the discovery of new vulnerabilities.
B.the number of viruses and other malware being developed.
C.international crime statistics and political unrest.
D.the connectivity of many unsecured devices on the Internet.

Answer

A

D is the correct answer.

Justification
Discovery of new vulnerabilities is relevant only if they affect the assets in use by an enterprise.
The number of new malware types being developed is something worth watching, but it is not a factor that the risk professional can use directly to calculate risk for a risk assessment report.
International crime statistics and political unrest may raise concerns, but compared to unsecured devices they are not an immediate threat.
The proliferation of unsecured devices (i.e., the Internet of Things) creates a serious external threat that must be considered.

Question 39

Q

Which risk assessment technique would the practitioner use to analyze system exposure to personnel?

A.Hazard and operability studies
B.Markov analysis
C.Human reliability analysis
D.Scenario analysis

Answer

A

C is the correct answer.

Justification
The hazard and operability studies analysis technique does not focus exclusively on human error.
The Markov analysis technique does not exclusively focus on human error.
Human reliability analysis exclusively focuses on the effects of human error in enterprise systems.
The scenario analysis technique does not exclusively focus on human error.

Question 40

Q

Once a risk assessment has been completed, the documented test results should be:

A.destroyed.
B.retained.
C.summarized.
D.published.

Answer

A

B is the correct answer.

Justification
Test results should be stored in a secure manner for future reference and comparison and not destroyed.
Test results should be retained in order to ensure that future tests can be compared with past results and ensure reporting consistency.
Test results are summarized as part of the risk assessment process.
Assessment results are not usually published due to vulnerability disclosure.

Question 41

Q

Risk assessment techniques should be used by a risk practitioner to:

A.maximize the return on investment.
B.provide documentation for auditors and regulators.
C.justify the selection of risk mitigation strategies.
D.quantify the risk that would otherwise be subjective.

Answer

A

C is the correct answer.

Justification
Maximizing the return on investment may be a key objective of implementing risk responses, but it is not part of the risk assessment process.
A risk assessment does not focus on auditors or regulators as primary recipients of the risk assessment documentation. However, risk assessment results may provide input into the audit process.
A risk practitioner should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible.
Risk assessment is generally high-level, whereas risk analysis can be either quantitative or qualitative, based on the needs of the enterprise.

Question 42

Q

The PRIMARY reason to have the risk management process reviewed by an independent risk management professional is to:

A.validate cost-effective solutions for mitigating risk.
B.validate control weaknesses detected by the internal team.
C.assess the validity of the end-to-end process.
D.assess whether the risk profile and risk factors are properly defined.

Answer

A

C is the correct answer.

Justification
Cost-effective solutions can be provided by the internal teams.
The internal team can find weaknesses. It is not necessary to involve an external risk professional to validate the weaknesses detected by the internal team.
The independent risk professional will be unbiased to review the risk management process end to end. The independent reviewer will not have any involvement in any stage of the risk management process and will be unaffected by all internal factors.
The risk profile and risk factors are properly defined when the risk assessment process is performed correctly. An independent assessment may result in further improvements.

Question 43

Q

At the end of which phase of risk management would information about newly discovered risk be communicated to decision makers and relevant stakeholders?

A.Risk identification
B.Risk response and mitigation
C.Risk assessment
D.Risk and control monitoring and reporting

Answer

A

C is the correct answer.

Justification
The risk identification phase determines what could happen to cause a potential loss and to gain insight into how, where and why the loss might happen. Until the risk has been analyzed, the likelihood and impact are unknown. Risk analysis occurs after risk identification and prior to risk communication.
In the risk response and mitigation phase, controls to reduce, retain, avoid or transfer risk should be selected, and a risk treatment plan should be defined. The risk analysis must be communicated to the risk owners for them to select the proper risk response.
During the risk assessment phase, identified risk is being analyzed and evaluated for likelihood and impact. Risk-based decision-making is enabled through communication of the results of the risk assessment.
In the risk and control monitoring and reporting phase, risk should be monitored and reviewed to identify any changes in the context of the enterprise at an early stage and to maintain an overview of the complete risk picture.

Question 44

Q

IT risk is measured by its:

A.level of damage to IT systems.
B.impact on business operations.
C.cost of countermeasures.
D.annual loss expectancy.

Answer

A

B is the correct answer.

Justification
Measurement by IT damage alone is not comprehensive; business risk must also be considered.
IT risk includes information and communication technology risk but is primarily measured by its impact on the business. IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
The cost and benefit of countermeasures is concerned with risk response, not with risk assessment.
Annual loss expectancy is a quantitative measure and must be used in conjunction with qualitative measures, such as loss of reputation.

Question 45

Q

The PRIMARY benefit of using a maturity model to assess the enterprise’s data management process is that it:

A.can be used for benchmarking.
B.helps identify gaps.
C.provides goals and objectives.
D.enforces continuous improvement.

Answer

A

B is the correct answer.

Justification
While maturity models can be used for benchmarking, the benchmarking is not a primary benefit.
Maturity models can be used to help identify gaps between the current and the desired state to help enterprises determine necessary remediation efforts.
While maturity models help determine goals and objectives, their primary value is to identify current and desired states. Understanding gaps between the two states can help define remedial action.
Continuous improvement may not always be an objective of an enterprise, particularly when the current maturity level meets its needs.

Question 46

Q

The PRIMARY result of a risk assessment process is:

A.a defined business plan.
B.input for risk-aware decisions.
C.data classification.
D.minimized residual risk.

Answer

A

B is the correct answer.

Justification
Risk assessment deliverables are not the primary input into the business plan as a business plan defines how a business goal will be achieved.
Risk assessment identifies and prioritizes risk and relates the aggregated risk to the enterprise’s risk appetite and risk tolerance levels to enable risk-aware decision-making.
Establishing data classification can be one outcome of a risk assessment but it is not the primary result of risk assessment.
Risk assessment itself does not minimize any risk. Residual risk is an outcome after controls are implemented. It is an outcome of risk assessment and risk treatment.

Question 47

Q

Which data analysis method will be MOST effective in a comprehensive review of both hardware and human failures to identify the source of an incident?

A.Cause and effect analysis
B.Fault tree analysis
C.Sensitivity analysis
D.Bayesian analysis

Answer

A

B is the correct answer.

Justification
Cause and effect analysis identifies why processes and controls do not operate as intended.
Fault tree analysis can identify potential causes of failures before the failures occur, not afterward. It combines assessment of potential hardware and human failures to identify the source of an incident.
Sensitivity analysis (also known as what-if or simulation analysis) can predict the outcome of a decision under a given set of assumptions but not the root cause of an event or incident.
Bayesian analysis is a technique of risk analysis, not a method of data analysis. It revises the assessment of probability for a given hypothesis as more evidence or information becomes available.

Question 48

Q

What is a PRIMARY advantage of performing a risk assessment on a consistent basis?

A.It lowers the costs of assessing risk.
B.It provides evidence of threats.
C.It indicates trends in the risk profile.
D.It eliminates the need for periodic audits.

Answer

A

C is the correct answer.

Justification
There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not a primary benefit.
A risk assessment provides evidence of risk; however, it is not intended to provide evidence of threats.
Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place.
The performance of risk assessment on a consistent basis does not preclude the requirement to perform periodic independent audits.

Question 49

Q

A risk practitioner has become aware of a potential merger with another enterprise. What action should the risk practitioner take?

A.Evaluate how the changes in business operations and culture could affect the risk assessment.
B.Monitor the situation to see if any new risk emerges due to the proposed changes.
C.Continue to monitor and enforce the current risk program because it is already tailored appropriately for the enterprise.
D.Implement changes to the risk program to prepare for the transition.

Answer

A

A is the correct answer.

Justification
Changes to the business may impact risk calculations, and the risk practitioner should be proactive and be prepared to deal with any changes as they happen.
The risk practitioner should continue to evaluate the risk levels, but should also evaluate how new risk may emerge as a result of changes to the business.
Risk assessment is a continuous process and should be revisited whenever a significant change is pending.
Because this is a potential change, the risk practitioner should prepare for, but not immediately make, changes to the risk program.

Question 50

Q

Which of the following is MOST important during the quantitative risk analysis process?

A.Statistical analysis
B.Decision trees
C.Expected monetary value
D.Net present value

Answer

A

C is the correct answer.

Justification
Statistical analysis may be used because it helps risk managers make better decisions under conditions of uncertainty. However, it is not the most important.
Decision trees help determine the optimal course of action in complex situations with uncertain outcomes.
Expected monetary value reflects the weighted average of probable outcomes. It represents the expected average payoff if you make a given decision, using the same payoffs and probabilities, an infinite number of times.
Net present value is calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment.

Question 51

Q

Which of the following activities is MOST important when evaluating and assessing the risk to an enterprise or business process?

A.Identification of controls that are currently in place to mitigate identified risk
B.Threat intelligence, including likelihood of identified threats
C.Historical risk assessment data
D.Control testing results

Answer

A

B is the correct answer.

Justification
Identification of controls that are currently in place is an important part of the risk assessment process but is not as important as threat intelligence.
One of the key requirements of effective risk assessment is its association and alignment with current intelligence that includes data on the likelihood of identified threats. The probability of risk being realized is one of the primary determinations of risk prioritization.
Historical risk assessment data are useful in understanding previously identified risk but are not essential to the risk assessment process.
Control testing results are a component of risk assessment that helps support conclusions. Threat intelligence will often drive the testing of specific controls based on the identification of risk scenarios during the evaluation and assessment activity. These data are valuable to the risk assessment process but are not as valuable as accurate threat intelligence.

Question 52

Q

Which of the following is the PRIMARY reason for conducting periodic risk assessments?

A.Changes to the asset inventory
B.Changes to the threat and vulnerability profile
C.Changes in asset classification levels
D.Changes in the risk appetite

Answer

A

B is the correct answer.

Justification
Changes in the asset inventory occur as assets move in and out of commission; they generally are not a trigger for a periodic risk assessment unless there are significant changes due to a system migration, data center build or other nonoperational event.
Changes in threats and vulnerabilities, including new occurrences of either, are the primary reasons to conduct periodic risk assessments.
Changes in asset classification levels are fairly rare and generally are not a trigger for periodic risk assessments. However, a low-value asset that is excluded from assessment may be reclassified as a regulatory-related or critical asset because it is supporting a high-value process; the reclassification would trigger a risk assessment and future periodic assessments for the asset.
Changes in risk appetite do not trigger a new risk assessment; however, they will affect how the business responds to risk.

Question 53

Q

Which of the following is the BEST reason to perform a risk assessment?

A.To satisfy regulatory requirements
B.To budget appropriately for needed controls
C.To analyze the effect on the business
D.To help determine the current state of risk

Answer

A

D is the correct answer.

Justification
Performing a risk assessment may satisfy regulatory requirements but that is not the reason to perform a risk assessment.
Budgeting may improve, but that is not the reason to perform a risk assessment.
Analyzing the effect on the business is part of the process, and understanding the current state of risk will better inform how those effects impact the business and what responses would be appropriate to take, if any.
The risk assessment is used to identify and evaluate the impact of failure on critical business processes (and IT components supporting them) and to determine time frames, priorities, resources and interdependencies. It is part of the process to help determine the current state of risk and helps determine risk countermeasures in alignment with business objectives.

Question 54

Q

The PRIMARY reason an external risk assessment team reviews documentation as the first step in the risk assessment is to gain a thorough understanding of:

A.the technologies used.
B.gaps in the documentation.
C.the enterprise’s business processes.
D.the risk assessment plan.

Answer

A

C is the correct answer.

Justification
Technology can be reviewed during the risk assessment.
Gaps in documentation can be surfaced during the risk assessment.
In order to evaluate risk, the external assessment team should thoroughly understand the enterprise’s business processes before the assessment, because risk is always formulated within the context of business objectives.
The risk assessment plan should be created by the external auditors.

Question 55

Q

Which of the following capability dimensions is MOST important when using a maturity model for assessing the risk management process?

A.Effectiveness
B.Efficiency
C.Profitability
D.Performance

Answer

A

D is the correct answer.

Justification
Effectiveness is a subset of the performance capability criterion.
Efficiency is a subset of the performance capability criterion.
Profitability is generally not considered when using a capability maturity model for assessing the risk management process.
Performance is achieved when the implemented process fulfills its purpose; thus, performance is the most important capability dimension when using a capability maturity model to assess the risk management process.

Question 56

Q

Risk assessments should be repeated at regular intervals because:

A.omissions in earlier assessments can be addressed.
B.periodic assessments allow various methodologies.
C.business threats are constantly changing.
D.they help raise risk awareness among staff.

Answer

A

C is the correct answer.

Justification
Omissions not found in earlier assessments do not necessarily justify regular reassessments.
Unless the environment changes, risk assessments should be performed using the same methodologies.
As business objectives and methods change, the nature and relevance of threats also change.
There are better ways of raising security awareness than by performing a risk assessment, such as risk awareness training.

Question 57

Q

While prioritizing the risk for treatment, the IT risk practitioner should PRIMARILY consider the:

A.risk impact
B.risk appetite
C.risk exposure
D.risk rating

Answer

A

D is the correct answer.

Justification
The risk impact is only one component of the risk assessment and prioritization process. A high-impact event may have a low likelihood, thus resulting in a low risk rating.
The risk appetite is only one component of the risk assessment and prioritization process. Risk should be quantified to determine if it falls within the enterprise’s risk appetite; therefore, the risk rating is needed.
The risk exposure is only one component of the risk assessment and prioritization process. It may or may not be quantifiable at the time of prioritization.
The risk rating quantifies the risk by providing a ranking (for example, high, medium, low) that can be used to prioritize treatment.

Question 58

Q

Which of the following BEST assists a risk practitioner in measuring the existing level of development of risk management processes against the desired state?

A.A capability maturity model
B.Risk management audit reports
C.A balanced scorecard
D.Enterprise security architecture

Answer

A

A is the correct answer.

Justification
The capability maturity model grades processes on a scale of 0 to 5, based on their maturity, and is commonly used by entities to measure their existing state and then to determine the desired one.
Risk management audit reports offer a limited view of the current state of risk management.
A balanced scorecard enables management to measure the implementation of strategy and assists in its translation into action.
Enterprise security architecture explains the security architecture of an entity in terms of business strategy, objectives, relationships, risk, constraints and enablers; it also provides a business-driven and business-focused view of security architecture.

Question 59

Q

Which type of risk assessment method involves conducting interviews and using anonymous questionnaires answered by subject matter experts (Delphi method)?

A.Quantitative
B.Probabilistic
C.Deterministic
D.Qualitative

Answer

A

D is the correct answer.

Justification
Quantitative risk assessments use a mathematical calculation based on security metrics on the asset (system or application).
Probabilistic risk assessments use a mathematical model to construct the qualitative risk assessment approach while using the quantitative risk assessment techniques and principles.
Deterministic methods use point estimates that are often (but not necessarily always) worst-case estimates.
Qualitative risk assessment methods include interviewing and using anonymous questionnaires (the Delphi method).

Question 60

Q

The chief information security officer wants to provide a view of risk assessment results to the board that highlights links between possible causes, controls and consequences. Which risk assessment technique will produce the desired view?

A.Bow tie analysis
B.Markov analysis
C.Scenario analysis
D.Sneak circuit analysis

Answer

A

A is the correct answer.

Justification
Bow tie analysis conveys risk assessment results through a diagram displaying links between possible causes, controls and consequences.
Markov analysis does not use diagrams to communicate results. Its focus is analysis of systems that exist in multiple states.
Scenario analysis examines possible future scenarios and does not communicate risk assessment results through a diagram.
Sneak circuit analysis identifies design errors or sneak conditions and does not communicate assessment results through a diagram.

Question 61

Q

Which of the following is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision-making?

A.An internal audit review
B.A peer review
C.A compliance review
D.A risk policy review

Answer

A

B is the correct answer.

Justification
An internal audit review is not best suited for the review of IT risk analysis results. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an enterprise’s operations. It helps an enterprise accomplish its objectives through a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
It is effective, efficient and good practice to perform a peer review of IT risk analysis results before sending them to management.
A compliance review is not best suited for the review of IT risk analysis results. Compliance reviews measure conformance with a specific, measurable standard.
A review of the risk policy may change the content and methodology of the risk analysis eventually, but this is not a way of reviewing IT risk analysis results before sending them to management.

Question 62

Q

Assessing information systems risk is BEST achieved by:

A.using the enterprise’s past actual loss experience to determine current exposure.
B.reviewing published loss statistics from comparable enterprises.
C.evaluating threats associated with existing information systems assets.
D.reviewing information systems control weaknesses identified in audit reports.

Answer

A

C is the correct answer.

Justification
Past actual loss experience is potentially useful input to the risk assessment process, but it does not address realistic risk scenarios that have not occurred in the past.
Published loss statistics from comparable enterprises are a potentially useful input to the risk assessment process but do not address enterprise-specific risk scenarios or those that have not occurred in the past.
To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
Control weaknesses and other vulnerabilities are an important input to the risk assessment process, but by themselves are not useful.

Question 63

Q

During an internal risk assessment in a global enterprise, a risk manager notes that local management has proactively mitigated some of the high-level risk related to the global purchasing process. This means that:

A.the local management is now responsible for the risk.
B.the risk owner is the corporate chief risk officer.
C.the risk owner is the local purchasing manager.
D.corporate management remains responsible for the risk.

Answer

A

D is the correct answer.

Justification
While the local management has mitigated the risk, corporate management remains responsible for the risk.
The corporate chief risk officer is responsible for the corporate risk management program, yet does not own the risk related to the global purchasing process.
The risk owner is the global purchasing manager.
Corporate management remains responsible for the risk, even when the risk response is executed at a lower organizational level.

Question 64

Q

The MOST effective method to conduct a risk assessment on an internal system in an enterprise is to start by understanding the:

A.performance metrics and indicators.
B.policies and standards.
C.recent audit findings and recommendations.
D.system and its subsystems.

Answer

A

D is the correct answer.

Justification
The person performing the risk assessment should already understand the performance metrics and indicators.
The person performing the risk assessment should already understand the policies and standards of the enterprise.
Recent audit findings and recommendations could be useful but are not as important as understanding the system.
To conduct a proper risk assessment, the risk practitioner must understand the system and subsystems, and how they work. This knowledge provides the basis for understanding how policies and standards are applied within the system and subsystems, and for understanding process-specific risk, existing interdependencies and performance indicators.

Answer 65

A

C is the correct answer.

Justification
The dollar amount of the fine is the same for both enterprises, but it is proportionally much larger for Enterprise A.
The utility of money is not linear, so this statement is incorrect.
The utility of money is directly correlated to the proportion of the money in relation to the capital of the entity affected by the event.
The impact to the organizations is tangible and should be measured in terms of the probability of lost utility in the event of a fine.

Answer 66

A

A is the correct answer.

Justification
The decision to implement a control is based on whether the cost of implementing and maintaining the control will exceed the cost savings associated with the risk the control is meant to address. Cost-benefit analysis compares these factors and delivers a result (based on assumptions) that management can use to make a decision.
The payback period is a calculation of the time that must elapse before an investment pays for itself in savings. Many controls do not contribute direct savings absent a disruptive event whose impact they reduce. As a result, the payback period is not typically decisive in evaluating the implementation of controls.
Root cause analysis is a process of diagnosis to establish the origins of events; it can be used to learn from consequences, typically resulting from errors and problems. The information is then used to determine what sort of control would effectively remediate a vulnerability. After the control is selected, cost-benefit analysis is used to decide whether it should be implemented.
Net present value (NPV) is a financial technique used to value future dollars in current terms, expressing the principle that money is more valuable today than it will be tomorrow because of potential investment or inflation. Calculations such as NPV may factor into how an enterprise values the cost of a control, but the decision whether to implement that control is informed by a cost-benefit analysis. However, it may be the case that cost and benefit are calculated by the enterprise.

Answer 67

A

A is the correct answer.

Justification
Factors that affect likelihood include the skill and motivation of the attacker; knowledge of vulnerabilities; use of popular hardware or software; value of the asset (which varies directly with motivation); and environmental factors such as politics, activists, and disgruntled employees or dissatisfied customers.
Monitoring systems may detect an attack but will not usually affect the likelihood of an attack. An exception occurs when the attacker becomes aware of being monitored, realizes the likelihood of being caught is high, and accordingly becomes less likely to launch an attack.
The ability to respond is important but is only relevant once an attack has been conducted. It will not affect likelihood.
Controls may deter, prevent, detect or aid recovery from an attack, but they will not necessarily affect the likelihood of someone trying to attack.

Answer 68

A

A is the correct answer.

Justification
The probability and impact of a specific event are required components of a risk calculation.
The impact of the event is addressed but not the probability.
The probability of the event is addressed but not the impact.
The impact of the event is addressed but not the probability.

Answer 69

A

C is the correct answer.

Justification
The addition and removal of assets from the asset inventory is an ongoing process and will not generally trigger a risk assessment.
Asset classification requirements do not trigger comprehensive periodic risk assessment.
Changes in the business environment, including new threats, vulnerabilities, or changes to information asset deployment, will trigger comprehensive periodic risk assessment. Based on periodic risk assessment, policies may be modified. However, risk assessment is not necessarily performed because policy changes are made.
Information security policies may change when a risk assessment indicates deficiencies at the level of security policies; however, changes to security policies do not trigger risk assessments.

Answer 70

A

D is the correct answer.

Justification
The impact of a threat can be determined based on the type of threat that occurs.
The value of an asset should be easy to ascertain.
Annual loss expectancy will not be difficult to calculate if you know the correct frequency of threat occurrence.
It can be challenging to obtain an accurate figure representing the frequency of threat occurrence.

Answer 71

A

B is the correct answer.

Justification
Market conditions influence business objectives and may affect available resources, but these impacts tend to be distributed broadly and do not have any special applicability to risk assessment.
Attributes and relationships for configuration items are subject to frequent change, and risk assessments must have accurate and up-to-date configuration item data in order to target correct information assets.
Lack of staff education represents an increase in general enterprise vulnerability and does not have any special applicability to risk assessment.
The growing capabilities of attackers represent an increase in the general threat environment and do not have any special applicability to risk assessment.

Answer 72

A

C is the correct answer.

Justification
Management will make decisions based on the risk assessment provided. If management makes decisions based only on financial values, then a quantitative risk analysis is appropriate. If the decision will be based on non-numerical values regarding conceptual elements, then a qualitative analysis is appropriate.
The amount of time available may be a factor in deciding between a quantitative and qualitative analysis, but it is not the primary factor.
The availability of data is the primary factor in deciding between a quantitative and qualitative risk analysis. The requirement of data sets for both methods is altogether different. Quantitative analysis provides benefit relative to the adequacy and availability of data.
The cost involved with a risk assessment may be a factor in deciding between a quantitative and qualitative analysis, but it is not the primary factor.

Answer 73

A

B is the correct answer.

Justification
Aligning IT risk management with enterprise risk management is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment.
Risk analysis estimates the likelihood and magnitude of IT risk scenarios. Risk analysis helps ensure that areas with the greatest risk likelihood and impact are prioritized above those with lower likelihood and impact. Prioritization of IT risk helps maximize return on investment in risk responses.
Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It considers regulatory risk as one of many types of risk. It is not specifically designed to satisfy legal and regulatory compliance requirements.
Risk analysis occurs after risk identification and evaluation. Risk identification uncovers threats and vulnerabilities; risk evaluation assesses levels of risk and creates valid risk scenarios. Risk analysis quantifies risk along vectors of likelihood and impact to help prioritize risk responses.

Answer 74

A

A is the correct answer.

Justification
The quantification of risk is based on the probability (likelihood) of a threat exploiting a vulnerability resulting in a damaging consequence (impact) to an asset.
A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. The impact is the effect of the threat on the asset. Threat and impact are not sufficient to quantify risk.
A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. Exposure reflects potential loss due to the occurrence of an adverse event. Threat and exposure are not sufficient to quantify risk.
Sensitivity is a measure of the impact that improper disclosure of information may have on an enterprise. Exposure reflects potential loss due to the occurrence of an adverse event but is not used to quantify risk.

Answer 75

A

B is the correct answer.

Justification
The Delphi method is a forecasting method based on expert opinions that are gathered over several iterations of anonymous surveys.
A quantitative approach to risk evaluations would be the best approach because it is formula-based and puts a monetary amount on the potential loss resulting from a risk scenario, which is of most interest to senior management.
Qualitative analysis does not quantify the risk and loss in numbers and therefore is not the best option.
Financial risk modeling determines aggregate risk in a financial portfolio. It is generally not used to provide the financial impact of individual risk scenarios.

Answer 76

A

C is the correct answer.

Justification
An audit report provides recommendation and remediation areas.
Penetration test results help identify vulnerabilities.
Risk analysis results provide a basis for prioritizing risk responses and allocating resources.
Vulnerability test results provide an enterprise with a list of known vulnerabilities for the systems that have been assessed. They do not take “control-in-depth” considerations into account and are not a meaningful tool for determining the allocation of risk response resources.

Answer 77

A

B is the correct answer.

Justification
A vulnerability assessment itself provides a one-sided view unless it is linked to specific risk scenarios that help determine likelihood and impact.
Using a list of possible scenarios with threats and impacts will better frame the range of risk and facilitate a more informed discussion and decision.
The value of information assets is an important starting point when performing a qualitative risk analysis. However, value without consideration of realistic threats and determination of likelihood and impact is not sufficient for a risk analysis.
Estimated productivity losses may be necessary to project magnitude of impact but are insufficient for a risk analysis.

Answer 78

A

A is the correct answer.

Justification
When an existing enterprise decides to rebrand itself, it is taking a risk that the new branding will not be accepted by customers. Therefore, when considering developing a new logo, enterprises should conduct surveys and focus groups to gain customer opinion rather than relying on historical or industry data. Qualitative analysis is ideally suited to this case.
Approximating the magnitude of impact in financial terms is the purpose of quantitative risk analysis.
Reliance on external data is a technique associated with quantitative risk analysis.
Established lines of manufacturing are able to draw on considerable quantities of data and are ideally suited to statistical process control, a technique associated with quantitative risk analysis.

Answer 79

A

A is the correct answer.

Justification
Risk is constantly changing. Evaluating risk annually or when there is a significant change offers the best alternative; this approach considers reasonable frequency of review and allows flexibility to address significant intervening change.
Evaluating risk once a year is insufficient if important changes take place.
Evaluating risk every three to six months for critical processes may not be necessary; because there is a cost associated with evaluation activities, annually or whenever significant change takes place is the right strategy to adopt.
Evaluating risk only after significant changes occur may fail to consider less significant changes that collectively affect overall risk.

Answer 80

A

A is the correct answer.

Justification
With the Delphi technique, polling or information gathering is done either anonymously or privately between the interviewer and interviewee.
Participants generally do not identify risk anonymously within isolated pilot groups.
With a SWOT (strengths, weaknesses, opportunities and threats) analysis, participants generally do not identify risk anonymously.
With a root cause analysis, participants generally do not identify risk anonymously.

Answer 81

A

A is the correct answer.

Justification
Risk evaluation should consider the potential size and likelihood of a loss.
Although inherent and control risk should be considered in the analysis, the impact of the risk (potential likelihood and impact of loss) should be the primary driver.
Risk evaluation can include comparisons with a group of companies of similar size.
Risk evaluation should not assume an equal degree of protection for all assets because assets may have different risk factors.

Answer 82

A

C is the correct answer.

Justification
Risk aggregation is the process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise and assessing more specifically for exploit opportunities, whereas a series or combination of types of low-level risk left unaddressed can provide an attacker with a means to exploit one or more enterprise resources.
An exploit using several individual attacks in sequence to launch an attack is not an example of risk aggregation but of a chained exploit.
Individual or singular, discrete, low-level incidents may have minimal impact, and considered independently, the risk may remain relatively low. However, significant overall risk can accrue if several instances are aggregated to defeat risk controls. For example, one machine cannot flood a network, but many machines working together can. Likewise, illicit access to an individual record in a database is not generally considered a high risk; however, if multiple records are accessed and manipulated, an attacker may gather or compromise sufficient information to classify the incident at a higher level.
Many attacks start at a low level and then increase their capability as they move through the system. Such attacks are often facilitated through accounts with excessive levels of access. This is not an example of risk aggregation.

Answer 83

A

D is the correct answer.

Justification
A qualitative risk assessment process uses scenarios and ranking of risk levels in calculating the level of risk.
A failure modes and effects analysis determines the extended impact of an adverse event on other systems or operational areas.
A fault tree analysis risk assessment determines threats by considering all sources that threaten a business process.
A quantitative risk assessment uses likelihood and impact to calculate the monetary value of risk.

Answer 84

A

A is the correct answer.

Justification
Quantitative risk analysis derives the probability and impact of risk scenarios from statistical methods and data.
A risk scenario analysis generally includes several risk analysis methods, including quantitative, semi-quantitative and qualitative.
A qualitative risk analysis would use non-quantitative measures to estimate the likelihood and impact of adverse events. These might include low, medium and high for likelihood; and low, medium, high and catastrophic for the impact.
Probabilistic risk assessments are mostly applied to risk associated with complex engineered technology (e.g., nuclear plants, airplanes). They rely on a systematic and comprehensive methodology and consider both quantitative and qualitative risk analysis.

Answer 85

A

B is the correct answer.

Justification
Determining the resource requirements to resume normal operations is part of business continuity planning.
A business impact analysis (BIA) is primarily intended to evaluate the impact of disruption over time to an enterprise’s ability to operate. It determines the urgency of each business activity. Key deliverables include recovery time objectives and recovery point objectives.
Likelihood and impact are calculated during risk analysis.
High-level business requirements are defined during the early phases of a system development life cycle, not as part of a BIA.

Answer 86

A

B is the correct answer.

Justification
Project prioritization is a core focus of program management and seeks to optimize resource utilization. It is not the main outcome of a business impact analysis.
A business impact analysis measures the total impact of tangible and intangible assets on business processes. Therefore, the sum of the value and opportunity lost plus the investment and time required to recover indicates the criticality of business processes.
A root cause analysis investigates and diagnoses the origins of events. It typically assesses consequences of errors and problems and is not an outcome of a BIA.
Third-party vendor risk should be documented during the BIA process, but it is not a main outcome.

Answer 87

A

C is the correct answer.

Justification
Risk assessment provides information on the likelihood of occurrence of security incidents. It assists in the selection of countermeasures but not in the prioritization of actions.
A vulnerability assessment provides information regarding the security weaknesses of the system and supports the risk identification process.
The business impact analysis is the most critical process for deciding which part of the information system/business process should be given priority in case of a security incident that may lead to business disruption.
Business process mapping does not help in decision-making, but it does help in implementing a decision.

Answer 88

A

B is the correct answer.

Justification
A business impact analysis (BIA) should be updated periodically because existing environments, systems, risk and applications change, and new systems are added.
A BIA raises enterprise-wide awareness of risk to business recovery and continuity.
A BIA should use both qualitative and quantitative estimates; however, the analysis can be completed and estimates determined with or without minimum historical data.
Although a BIA is a part of the documentation used during a risk analysis, it cannot eliminate the need to perform a risk analysis.

Answer 89

A

D is the correct answer.

Justification
Regression analysis is used to test changes to program modules.
Risk analysis is the process by which frequency and impact of risk scenarios are estimated; it is a component of a business impact analysis (BIA).
Gap analysis addresses differences between a current state and an ideal future state.
Recovery time objectives (RTOs) are a primary deliverable of a BIA. RTOs relate to the financial impact of system downtime.

Answer 90

A

B is the correct answer.

Justification
Security information and event management solutions will primarily account for technical risk and typically do not evaluate the impact that business process objectives have on operational components.
A business impact analysis should include the examination of risk, incidents and interdependencies to identify consequences for business objectives.
Enterprise risk management steering committees are useful for reviewing analyses that have been completed, but not for conducting analysis.
Interviews with business leaders will assist in identifying risk tolerance and key business objectives and activities, but will not yield risk or incident analysis.

Answer 91

A

D is the correct answer.

Justification
The maintenance of the risk register is part of the ongoing risk assessment process.
Management chooses the right risk response strategy based on risk analysis. A risk assessment itself is not sufficient to make educated risk response decisions.
Assurance on risk management is not the main reason risk assessment is performed by the risk professional.
All decisions should be taken in the context of business impact. For each action to be taken, consideration ultimately must be given to its positive or negative impact on the business.

Answer 92

A

A is the correct answer.

Justification
The value of the server should be based on its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs and the value it brings to the enterprise.
The annual loss expectancy for all risk related to the server does not represent the server’s value.
The software can be restored from backup media.
The original cost may be significantly different from the current cost and, therefore, not as relevant.

Answer 93

A

C is the correct answer.

Justification
The identification of threats, risk and vulnerabilities is the objective of risk identification and analysis.
The development of procedures for initial response and stabilization during an emergency is a key output of preparedness and response planning.
Identification of time-sensitive critical business functions and interdependencies is a deliverable of the business impact analysis (BIA); the BIA includes metrics like recovery-time objectives and recovery-point objectives.
Communication procedures are beneficial to every business process, including crisis management; however, they are not the main deliverable of the BIA and relate more closely to business continuity and disaster recovery planning.

Answer 94

A

C is the correct answer.

Justification
The risk is not solely dependent on the IT-related costs of the failed equipment. The impact on the business can be much higher than the cost of replacement of failed equipment.
Gathering cost estimates is a quantitative method of risk assessment; it may not reflect the total impact of the event if only the finance department’s costs are taken into consideration.
An event in one department may affect many areas of the enterprise, and the impact on all areas should be included in the risk calculation. Using quantitative and qualitative methods will provide the information required to assess the effects of the failure.
The regulatory and contractual requirements must be included in the risk calculation, but they are not the only relevant factors.

Answer 95

A

C is the correct answer.

Justification
Although tying control risk to business units may improve accountability, it is not as desirable as minimizing residual risk to acceptable levels.
The fact that overall risk is quantified does not necessarily indicate the existence of a successful risk management practice.
A successful risk management practice minimizes the residual risk to the enterprise to acceptable levels.
It is virtually impossible to eliminate inherent risk.

Answer 96

A

D is the correct answer.

Justification
Risk transfer is the process of assigning risk to another enterprise, usually through the purchase of an insurance policy or through outsourcing the service. In both a physical and legal sense, risk transfer does not relieve an enterprise of a risk, but it can leverage the skills of another party to help manage the risk and thus reduce the financial consequence of adverse events.
Control risk is the risk that a material error would not be prevented or detected on a timely basis by the system of internal controls.
Inherent risk reflects a level of risk or exposure apart from actions that management has taken or might take (e.g., implementing controls). Inherent risk cannot be minimized.
Residual risk is the risk that remains after all controls have been applied; therefore, acceptable risk is achieved when residual risk is aligned with the enterprise risk appetite.

Answer 97

A

A is the correct answer.

Justification
Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, enterprise management may decide to accept risk. The target risk level for a control is, therefore, subject to management discretion.
Failure to comply with regulatory requirements has consequences, but those consequences are considered in the context of enterprise risk. In some cases, the cost of failure to comply may be lower than the cost of compliance; in this case, management may decide to accept the risk.
The acceptable level of residual risk is determined by management and is not dependent on the results of the risk assessment.
The results of an internal audit determine the actual level of residual risk within a specific audit scope, but whether this level is acceptable is fundamentally a management decision.

Answer 98

A

C is the correct answer.

Justification
Control risk refers to the risk that a misstatement, defect or error could occur but may not be detected and corrected or prevented by the enterprise’s internal control mechanism.
Detection risk reflects the probability that the audit procedures may fail to detect a material error or fraud.
Inherent risk refers to risk in the nature of the business or transaction. Without implementing any countermeasures, the management accepts the inherent risk.
Residual risk is remaining risk after management has implemented a risk response. In this case, the management decided not to implement any countermeasures to reduce the risk.

Answer 99

A

A is the correct answer.

Justification
The business owner and security manager should be notified and the risk should be documented on the operational or security risk register to enable appropriate risk treatment.
Enabling encryption without further assessment and input from the business owner is inappropriate because the vulnerability may indicate further issues with security that need to be resolved.
Alerting all staff without discussing the risk with the business owner and having a plan to rectify the issue could be damaging.
The database administrator is not the owner of the corporate address book application and, therefore, does not have authority to accept business risk.

Answer 100

A

B is the correct answer.

Justification
Control risk may be high, but it would follow from failure to identify, evaluate or test internal controls, not from the number of users or business areas affected.
Inherent risk normally grows as the number of users and business areas that may be affected increases. Inherent risk reflects risk or exposure without accounting for mitigating action by management. It is often higher whenever multiple parties may have conflicting responsibilities for a business process.
Compliance risk reflects the penalty applied to current and future earnings for nonconformance to laws and regulations; number of users and affected business areas will not necessarily increase compliance risk.
Residual risk is risk that persists after management implements a risk response. It is not based on the number of users or business areas affected.

Answer 101

A

A is the correct answer.

Justification
Residual risk arises where there is a risk response or control in place, but the potential for loss is still probable. There is a risk of data loss, but management tolerance for risk is such that it is willing to accept that loss.
The control could reduce risk to an even lower level; however, it would be at a higher cost that may not be deemed reasonable.
The effectiveness of the control needs to be matched against the control objective. As long as the control objective to perform weekly backups is carried out by management, implementation of the control is still effective, even if it may not be adequate.
The resulting risk associated with performing weekly backups is not inherent risk but residual risk. Inherent risk is risk that exists in the absence of any controls.

Answer 102

A

A is the correct answer.

Justification
The classic definition of residual risk is any risk that remains after implementing a risk response, which is typically a control.
Residual risk is the risk that remains after implementation of controls; it is not mitigated.
Residual risk is identified after, not prior to, implementation of controls.
Residual risk can be rated at any level; it’s not limited to high risk.

Answer 103

A

A is the correct answer.

Justification
The primary reason to verify the completion of the risk mitigation response is to confirm that residual risk is within acceptable thresholds or to plan for further action if it is not.
Verifying if vulnerabilities are no longer exploitable is not the primary reason to verify completion of a risk mitigation response as new exploits continuously emerge.
Accuracy of the risk register is not the primary reason for monitoring residual risk.
Risk reporting is not the primary reason to verify residual risk and its impact to the enterprise.

Answer 104

A

A is the correct answer.

Justification
Ensuring that all residual risk is maintained at a level acceptable to the business is the objective of a risk management program.
Implementing controls for every threat is not the objective of the risk management program. The program considers known threats and determines the risk response to those threats as determined by the enterprise’s risk appetite and acceptance levels.
A risk management program is not intended to remove every identified risk.
Inherent risk—the risk level of an activity, business process or entity without taking into account the actions that management has taken or may take—is always greater than zero.

Answer 105

A

B is the correct answer.

Justification
Wiping hard disks after each job is not appropriate without a prior risk assessment. The data may be useful for forensic investigation; furthermore, the consumption of processing resources may affect printer performance.
Risk assessment is most appropriate because it yields risk mitigation techniques that are appropriate for enterprise risk context and appetite.
Focusing solely on risk and ignoring opportunity are inappropriate. A risk associated with nonvolatile storage is not a sufficient reason for changing vendors. Default archiving of copies to the internal disk may be a general industry trend with printers; furthermore, it may bring business benefits in addition to the risk, which should be evaluated.
Notifying staff is not a sufficient control and does not mitigate risk associated with printers serviced by an external party.

Answer 106

A

B is the correct answer.

Justification
Destruction of obsolete computer equipment is an example of an operational activity. Obsolete equipment does not necessarily represent a vulnerability and risk.
Theft of a smartphone is an example of a risk that should be addressed by an appropriate response.
Sanitization of a flash drive is an example of an operational activity and does not necessarily represent a vulnerability and risk.
Deletion of a file is an example of an operational activity; the need to delete a file does not necessarily represent a vulnerability and risk.

Answer 107

A

A is the correct answer.

Justification
Risk identification is the process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise’s operational environment.
Ensuring that risk factors and root causes are addressed is the objective of the risk response process, not of risk identification.
Ensuring that risk factors and root causes are addressed is the objective of the risk response process, not of risk identification.
Qualitative risk impact values derive from the risk assessment process.

Answer 108

A

D is the correct answer.

Justification
Every business decision is driven by cost and benefit considerations. A risk practitioner’s contribution to the process is most likely a risk assessment, identifying both the risk and opportunities related to the proposed solution.
A recommendation to revise the current policy should not be triggered by a single request without conducting a risk assessment.
While a risk practitioner may conduct a risk assessment to enable a risk-aware business decision, it is management that will make the final decision.
A risk assessment should be conducted to clarify the risk whenever the enterprise’s policies cannot be followed. The solution should be implemented only if the related risk is formally accepted by the enterprise.

Answer 109

A

D is the correct answer.

Justification
A new chief information officer may undertake a new enterprise risk assessment, but it would not necessarily be required because the CIO could review the last risk assessment if there were no changes to the environment.
Senior management adjusting risk appetite will significantly affect risk responses but does not require a risk assessment.
Risk changing on a frequent basis will be captured during the annual risk assessment.
Introduction of new systems adds to overall risk of business objectives. The level of new or added risk should be determined via an ad hoc risk assessment.

Answer 110

A

A is the correct answer.

Justification
A complete threat analysis would be performed on a yearly basis; it could be broken down into monthly or quarterly increments, if desired.
Malware could be detected at any time in a filtering system and not do any harm. Even if malware did infect the enterprise, that would not trigger a complete threat analysis.
Changes in regulations would mandate an analysis of the effect on information and information systems, but not a complete threat analysis.
Following a security incident, the risk professional will want to perform a threat analysis of the affected areas, but not necessarily a complete threat analysis.

Answer 111

A

D is the correct answer.

Justification
Although an assessment can never be perfect and invariably contains some errors, this is not the most important reason for periodic reassessment.
Optimizing control cost is an insufficient reason.
Demonstrating the value of the risk management function to senior management is an insufficient reason.
Risk is constantly changing, so a previously conducted risk assessment may not include measured risk introduced since the last assessment.

Answer 112

A

D is the correct answer.

Justification
Only critical members of the IT management team should be notified of the threat.
Information should be given on a need-to-know basis; all employees do not need to know of a potential threat to the company.
Contacting law enforcement is premature, although law enforcement may need to be contacted in the future with management approval.
All senior managers need to be aware of the threat, so they can be prepared if an incident takes place.

Answer 113

A

C is the correct answer.

Justification
A vulnerability is a weakness in the design, implementation, operation or internal control of a process that can expose the system to adverse threats from threat events.
A vulnerability event reflects a material increase in vulnerability as a result of changes in control conditions or changes in threat capability/force.
A threat is any event in which an asset is exposed to a threat condition or action that has the potential to directly result in harm.
Environmental risk factors can be internal and external. Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change. External environmental factors are, to a large extent, outside the control of the enterprise.

Answer 114

A

C is the correct answer.

Justification
A risk practitioner must understand the risk appetite of senior management and the associated risk tolerance level. However, risk tolerance primarily informs risk response and does not facilitate risk identification and assessment.
Identification of relevant threats and vulnerabilities is important but must be supplemented by consideration of pending changes to the enterprise’s environment; anticipated changes may widen or narrow the scope of relevance.
The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise’s environment (scope, technology, incidents, modifications, etc.).
While the review of past incident reports may be an input for the identification and assessment of IT risk, focusing on these factors is not adequate.

Answer 115

A

A is the correct answer.

Justification
A penetration test simulates the actions of real attackers to test security defenses and detect vulnerabilities.
Intrusion prevention systems are designed to detect attacks and prevent the target hosts from being affected. They do not scan for vulnerabilities.
Antivirus systems block malware. They do not detect vulnerabilities.
Spam filtering systems block spam email. They do not detect vulnerabilities.

Answer 116

A

A is the correct answer.

Justification
The likelihood of a similar incident occurring at the risk practitioner’s enterprise should be assessed first, based on available information.
Discontinuing vulnerable technology is not necessarily required; furthermore, the technology is likely to be needed to support the enterprise.
Reporting to senior management that the enterprise is not affected is premature until the risk practitioner assesses the likelihood of a similar incident.
Pending further research, the risk practitioner cannot be certain that no similar security breaches have taken place.

Answer 117

A

A is the correct answer.

Justification
Controls are deployed to achieve control objectives based on risk assessments and business requirements. The gap between desired control objectives and actual control design and operational effectiveness identifies control deficiencies in information systems.
Without knowing the gap between desired state and current state, one cannot identify control deficiencies relative to a desired state. The current IT risk profile does not expose this gap.
The IT controls framework is a generic document with no information on the desired future state of IS controls or the current state of the enterprise; therefore, it will not help identify IS control deficiencies.
Countermeasure analysis helps only in identifying deficiencies in countermeasures and not in the full set of primary controls.

Answer 118

A

C is the correct answer.

Justification
Impact measures the financial loss posed by a threat.
A risk indicator is a metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds its defined risk appetite.
The lack of adequate controls represents a vulnerability, exposing sensitive processes and/or data to the possibility of malicious damage, attack, or unauthorized access by hackers. Vulnerabilities can result in loss of sensitive information, financial loss, legal penalties, etc.
A threat is a potential cause or actor behind an adverse incident.

Answer 119

A

D is the correct answer.

Justification
The current risk profile may be adjusted as the result of the activities performed during the risk and control analysis.
Risk response options are reviewed during the risk monitoring phase of risk management.
Determination of the current control environment occurs during risk assessment and is a subset of assessing gaps between current and desired states.
Assessing gaps between current and desired states is the function of the risk and control analysis.

Answer 120

A

B is the correct answer.

Justification
Key risk indicators are highly relevant and possess a high probability of predicting or indicating important risk. They are not used after a loss event occurs.
Cause-and-effect analysis is a predictive or diagnostic analytical tool used to explore the root causes or factors that contribute to positive or negative effects or outcomes. It can also be used to identify potential risk. A typical form is the fishbone diagram.
Business process modeling is not used for root cause analysis.
Business impact analysis is a process to determine the impact of losing the support of any resource and is not used for root cause analysis.

Answer 121

A

A is the correct answer.

Justification
Lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack, or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc.
Impact is the measure of financial loss incurred by a threat or incident.
Assets have tangible or intangible value worth protecting and include people, systems, infrastructure, finances and reputation.
A threat is a potential cause of a security incident.

Answer 122

A

B is the correct answer.

Justification
This scenario describes a weakness in the insurance premium payment process, which is considered a vulnerability, based on a management decision.
A lapsed insurance premium describes a vulnerability. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that could expose the enterprise to a threat condition or actor.
A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. In this case, the flood is the threat.
Negligence is a legal term describing a civil wrong causing injury or harm to another person or to property as the result of doing something or failing to provide a proper or reasonable level of care. Negligence is not specifically related to risk management.

Answer 123

A

C is the correct answer.

Justification
Cost-benefit analysis evaluates whether it will cost more to implement and maintain a control than the control will save the enterprise by avoiding losses associated with the risk it is meant to address. It delivers a result (based on assumptions) that management can use to make a decision regarding a particular control, but knowing which control should be analyzed on a cost-benefit basis requires root cause analysis.
Gap analysis compares a current state to a desired future state and identifies what would need to change to attain it. Gap analysis can be useful in determining a proposed control that can address the root cause only after the root cause has been identified.
Root cause analysis is used to determine the actual cause of the event, which is typically different from what initially appears to be responsible. Identifying a root cause allows an enterprise to address the cause rather than a symptom, which increases the odds that the mitigation will be effective at reducing the likelihood or impact of similar events in the future.
Impact analysis prioritizes loss events based on consequences. It is not directly beneficial in devising a mitigation strategy for a particular risk.

Answer 124

A

C is the correct answer.

Justification
Native database audit logs are a good detective control but do not provide information about the application server performance.
Documentation of performance objectives is important but does not provide information about the application server performance.
With continuous monitoring it is possible to track key performance metrics and also possible to address critical issues with minimum impact.
Documentation of associated security modules may be helpful but does not provide information about the application server performance.

Answer 125

A

A is the correct answer.

Justification
When validation checks are missing in data input fields, attackers are able to exploit other weaknesses in the system. For example, they can submit part of a structured query language (SQL) statement (SQL injection attack) to retrieve application data illegally, deface or even disable the web application. Input validation checks are effective countermeasures.
Noncomplex passwords may make accounts vulnerable to brute force attacks, but those attacks can be countered in other ways besides complexity (e.g., lockout thresholds).
If application transaction log management is weak, confidential information could inadvertently be written to the application transaction log. Sufficient care should therefore be given to log management. However, it is uncommon for attackers to use the log server to steal database information.
It is quite common that the application and database share a single access ID. If the supporting domain architecture is sufficiently secure, the overall risk is low.

Brainscape's Knowledge GenomeTM

Chapter 2: IT Risk Assessment Flashcards

Brainscape's Knowledge Genome^TM