Chapter 3: IT Risk Response and Mitigation

Question 1

The risk response decision is based on

Answer 1

the information provided in the earlier steps of risk identification and assessment

Question 2

The risk response must ensure that

Answer 2

business operations are protected but not unduly impaired or impacted by controls that are put in place to address risk

Question 3

What are the four commonly accepted risk response options?

Answer 3

risk acceptance
risk mitigation
risk avoidance
risk transfer

Question 4

In risk acceptance, who is responsible for the risk in case it occurs?

Answer 4

Management

Question 5

What is risk acceptance?

Answer 5

It is the amount of risk that senior management has determined is within acceptable or permissible bounds

Question 6

What is risk ignorance?

Answer 6

It is the failure to identify or acknowledge risk or it is a decision to blindly accept risk without knowing what the risk level really is

Question 7

When is risk tolerance used?

Answer 7

in an exceptional circumstance where the level of risk may exceed the risk acceptance boundary set by senior management but the decision is made to accept the risk anyway

Question 8

What is self insurance?

Answer 8

Deciding to absorb the potential costs of an incident

Question 9

What is risk mitigation?

Answer 9

Acton is taken to reduce the frequency and/or impact of risk

Question 10

What is risk avoidance?

Answer 10

Exiting the activities or conditions that give rise to the risk

Question 11

When does risk avoidance apply?

Answer 11

there is no other cost-effective response that can succeed in reducing the frequency and impact below the defined thresholds for risk appetite
the risk cannot be shared or transferred
the exposure level is deemed unacceptable by management

Question 12

What is risk transfer?

Answer 12

the decision to reduce loss through sharing the risk of loss with another organization

Question 13

What factors should be considered in selecting a risk response?

Answer 13

priority of the risk
recommended control from the risk assessment report
other response alternatives
cost of the various response options
requirements for compliance with regulations or legislation
alignment of the response option with the strategy of the organization
possibility of integrating the response with other organizational initiatives
compatibility with other controls in place
time, resources, and budget available

Question 14

This analysis is used to justify the expense associated with the implementation of controls

Answer 14

cost benefit analysis

Question 15

What are the factors that must be included in the calculating the total cost of the control:

Answer 15

Cost of acquisition
Cost of maintenance
Cost to remove / replace the control