Chapter 3: Risk Response and Reporting Flashcards
What is the MOST important control that should be in place to safeguard against the misuse of the corporate social media account?
A. Social media account monitoring
B. Two-factor authentication
C. Awareness training
D. Strong passwords
B is the correct answer.
Justification
Social media account monitoring is a detective control that identifies violations after the fact, as opposed to a proactive measure, such as two-factor authentication.
Use of two-factor authentication will proactively protect the account from unauthorized access.
Awareness training may be effective with legitimate users; however, two-factor authentication is a preventive control as opposed to a deterrent control.
Using strong passwords will help prevent unauthorized access; however, two-factor authentication provides a proactive control in case the password is compromised.
What is the FIRST step for a risk practitioner when an enterprise has decided to outsource all IT services and support to a third party?
A. Validate that the internal systems of the service provider are secure.
B. Enforce the regulations and standards associated with outsourcing data management for restrictions on transborder data flow.
C. Ensure that security requirements are addressed in all contracts and agreements.
D. Build a business case to perform an on-site audit of the third-party vendor.
C is the correct answer.
Justification
A risk practitioner will rarely have access to validate the security of a third party, and must seek other assurances from an external audit or other standards.
A risk practitioner can advise on risk associated with outsourcing and regulations but cannot enforce such rules.
A contract only covers the topics listed in the contract. If security is not explicitly included in the contract terms, the enterprise may not be properly protected.
Even though IT management has been outsourced, the enterprise that outsourced the service function remains responsible for protecting its data.
Which of the following is the MOST effective means of ensuring that third-party providers comply with the enterprise’s information security policy?
A. Security awareness training
B. Penetration testing
C. Service level monitoring
D. Periodic auditing
D is the correct answer.
Justification
Training can increase user awareness of the information security policy but is not more effective than auditing.
Penetration testing can identify security vulnerability but cannot ensure information compliance.
Service level monitoring can only pinpoint operational issues in the enterprise’s operational environment.
A regular audit exercise can spot any gaps in information security compliance.
A critical business function has been outsourced to an external supplier. Management has assigned a project team to oversee the transition and successful handoff to the new supplier and has requested regular status reports of project progress and challenges. The risk practitioner would be responsible for which of the following tasks?
A. Design and implement action plans to address risk associated with the project.
B. Select controls to reduce risk associated with the project.
C. Review and maintain the supplier’s risk register and risk profile.
D. Consult with and support the project team to implement action plans.
D is the correct answer.
Justification
Risk practitioners do not design and implement action plans to address risk. Rather, they provide guidance to risk owners on the selection of controls to reduce risk to an acceptable level.
Risk practitioners do not select the controls but provide guidance to risk owners on their selection.
This is a task for the external supplier, not the client.
The risk practitioner’s role is to consult with or assist risk owners in the development of risk action plans that include key elements (e.g., risk response/mitigation, cost, target date).
Which of the following choices is the MOST important part of any outsourcing contract?
A. The right to audit the outsourcing provider
B. Provisions to assess the compliance of the provider
C. Procedures for dealing with incident notification
D. Requirements to encrypt hosted data
B is the correct answer.
Justification
The service provider may not allow the outsourcing company the ability to conduct an audit directly, but may provide proof of compliance conducted by an independent auditor.
If a contract contains no provision to monitor and hold a supplier accountable for security, then the outsourcing enterprise cannot ensure compliance or proper handling of its data.
The outsourcing contract usually will not contain details on the procedures to follow when dealing with incidents.
Encryption may not be required for all data; it may be required only for sensitive data.
An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting and support. What is the MOST important question the risk professional will ask in relation to the outsourcing arrangements?
A. Are policies and procedures in place to handle security exceptions?
B. Is the outsourcing supplier meeting the terms of the service level agreements?
C. Is the security program of the outsourcing provider based on an international standard?
D. Are specific security controls mandated in the outsourcing contract/agreement?
D is the correct answer.
Justification
There should be policies and procedures to handle incidents or exceptional circumstances; however, this is not the most important consideration.
Whether the provider meets the service level agreements (SLAs) is of concern to the outsourcing enterprise and the auditors; however, this is not the most important consideration.
The contract should stipulate the required levels of security and risk management. Basing the security program on a recognized international standard may be an excellent foundation for the security program but is not the most important consideration.
Without enumerating security requirements directly in the outsourcing contract, the outsourcing company has no assurance that the provider will comply with specific security requirements.
Which of the following is the MOST important consideration for an enterprise structuring a contract with a third party? The inclusion of a:
A. right-to-audit clause.
B. confidentiality clause.
C. limitation of liability.
D. service level agreement.
B is the correct answer.
Justification
A right-to-audit clause is important, but alternatives exist. For example, the enterprise could review third-party audit reports.
The contract should have a confidentiality clause because the third-party vendor must have proper controls over the enterprise’s data, and inclusion in the contract provides contractual protections.
Limitation of liability is not necessary. It typically limits the third party’s liability.
A service level agreement is necessary, but confidentiality is a more important consideration.
Which of the following threats associated with third-party management is BEST addressed through the establishment of a service level agreement?
A. Service interruption at the client home office
B. Undetected degradations in service performance
C. Financial losses resulting from service interruption
D. Bankruptcy of the third-party organization
C is the correct answer.
Justification
Third-party service level agreements (SLAs) do not guarantee against system failure at the client home office.
The third party’s reporting related to SLAs may not be comprehensive enough to notify parties when there is a degradation in service.
An SLA addresses immediate and measurable financial losses due to service levels not being met.
Many SLAs will provide monetary payments should levels not be maintained, but such guarantees are based on the solvency of the enterprise making them. In cases of bankruptcy, a customer entity that has an SLA claim will be only one of many creditors competing for access to the provider’s assets.
What should an enterprise use to assess the security controls of a third party hosting its server infrastructure?
A. Enterprise security requirements
B. Internal audit recommendations
C. Applicable laws and regulations
D. Security good practices
A is the correct answer.
Justification
The enterprise should develop its own security requirements considering many factors such as audit recommendations and good practices. Third-party security controls should be evaluated in the context of the enterprise’s security requirements, which may inform the terms of any agreement with a third party regarding hosting.
Internal audit recommendations help management improve the security control environment but do not constitute specific requirements.
Compliance with applicable laws and regulations reflects a subset of the enterprise’s own security requirements.
Security good practices should be considered in developing the enterprise’s own security requirements.
Which of the following is the BEST way to ensure that contract programmers comply with organizational security policies?
A. Have the contractors acknowledge the security policies in writing.
B. Perform periodic security reviews of the contractors.
C. Explicitly refer to contractors in the security standards.
D. Create penalties for noncompliance in the contracting agreement.
B is the correct answer.
Justification
Written acknowledgments of security policies do not help detect the failure of contract programmers to comply.
Periodic reviews are the most effective way of obtaining compliance because they provide insight into which contractors are following organizational policies and which are not.
Referring to the contract programmers within security standards does not help detect the failure of contract programmers to comply with organizational security policies. It may establish responsibility for control implementation and maintenance, but control ownership and accountability remain within the enterprise itself.
Penalties do not help detect failure of contract programmers to comply with organizational security policies and can only be enforced once they are detected either by an audit or an incident.
Which of the following MOST effectively ensures that service provider controls are within the guidelines set forth in the enterprise’s information security policy?
A. Service level monitoring
B. Penetration testing
C. Security awareness training
D. Periodic auditing
D is the correct answer.
Justification
Service level monitoring helps pinpoint the service provider’s operational issues but is not designed to ensure compliance.
Penetration testing helps identify system vulnerabilities but is not designed to ensure compliance.
Security awareness training is a preventive measure to increase user awareness of the information security policy but is not designed to ensure compliance.
Periodic audits help ensure compliance with the enterprise’s information security policy.
Which of the following outcomes of outsourcing noncore processes is of GREATEST concern to the management of an enterprise?
A. Total cost of ownership exceeds projections.
B. Internal information systems experience is lost.
C. Employees of the vendor are disloyal to the client enterprise.
D. Processing of sensitive data is subcontracted by the vendor.
D is the correct answer.
Justification
Total cost of ownership (TCO) exceeding projections is significant but not uncommon. Because TCO is based on modeling, some variation can be expected.
Loss of internal information systems experience can be problematic when core processes or subprocesses are outsourced. However, for noncore processes, the loss of such experience would not be a concern.
Lack of vendor loyalty to the client enterprise is generally managed via service level agreements.
The greatest risk in third-party relationships is the fact that the enterprise is ceding direct control of its IS processes. Subcontracting will increase this risk; therefore, the subcontracting process must be reviewed because sensitive data are involved.
Which of the following is an effective monitoring process to ensure a third party is performing in accordance with contract requirements?
A. Review independent audit reports
B. Review the third party’s service level agreements
C. Review the number of third-party security-related incidents
D. Ongoing third-party oversight
D is the correct answer.
Justification
Reviewing audit reports is only one aspect of the process. Third-party management encompasses more than audit reports.
The service level agreement is one of many ways to measure contractual compliance.
Reviewing the number of incidents is only one aspect of the ongoing monitoring process.
Third-party management should be an ongoing process that monitors for compliance with agreements, adequate insurance coverage, business continuity tests, results of independent audits, and policy reviews.
Which of the following poses the GREATEST risk to an enterprise that recently engaged the services of a cloud provider?
A. The cloud provider’s primary facility is in the same vicinity as the subscriber.
B. The service level agreement is ambiguous.
C. References from other customers were not obtained.
D. Auditing the vendor requires dependence on a third-party audit firm.
B is the correct answer.
Justification
There is no direct impact if the subscriber and the cloud provider reside in the same geographic region, provided the latter has a continuity plan that is unlikely to be affected by the same local event.
If the service level agreement is ambiguous, it will be difficult to determine whether the provider complies.
References are important, but they cannot provide reasonable assurance that the vendor will deliver.
Inability to audit a third-party provider is less than desirable; however, it is allowed in reporting under Statement on Standards for Attestation Engagements No. 18 (SSAE 18).
Which of the following practices BEST mitigates the risk associated with outsourcing a business function?
A. Performing audits to verify compliance with contract requirements
B. Requiring all vendor staff to complete annual awareness training sessions
C. Retaining copies of all sensitive data on internal systems
D. Reviewing the financial records of the vendor to verify financial soundness
A is the correct answer.
Justification
When an outsourcing relationship is established, the risk of noncompliance with the agreement must be met through review, monitoring and enforcement of the contract terms. Therefore, conducting regular audits to verify that the vendor is compliant with contract requirements is an important practice to mitigate the outsourcing risk.
Requiring the vendor’s staff to complete annual awareness training sessions would not provide the same level of mitigation as the verification of adherence to contract requirements.
Keeping copies of all sensitive data is an unnecessary expenditure and may result in errors or inconsistencies with data stored at the vendor site. In addition, duplicating sensitive data makes the enterprise liable for protecting data in two or more locations and increases the possibility of inappropriate access or data leakage.
Although it is common practice to review financial solvency before selecting a vendor to ensure that the vendor can function without the threat of liquidation for the foreseeable future, reviewing solvency is not the best practice to address risk related to outsourcing an IT or business function.
A risk treatment plan should PRIMARILY specify the:
A. responsibility for implementing the chosen risk treatment.
B. approach to integrate risk treatment into day-to-day operations.
C. risk acceptance decisions made by the risk owners.
D. best approach to implement all the identified risk treatment options.
A is the correct answer.
Justification
A risk treatment plan will provide the details needed to implement the risk treatment options and the selected controls, including the responsibility for implementing the chosen risk treatment.
Integrating risk treatment into day-to-day operations is not a part of the risk treatment plan, but a part of the risk strategy.
If the risk is already accepted by risk owners, a risk treatment plan is not required.
It may not be necessary or feasible to implement all identified risk treatment options.
An enterprise has just completed an information systems audit and numerous findings have been generated. This list of findings is BEST addressed by:
A. a risk treatment plan.
B. a business impact analysis.
C. an incident management plan.
D. revisions to information security procedures.
A is the correct answer.
Justification
A risk treatment plan is the proper tool to address the identified risk. This will put forward a schedule and strategy for addressing the audit findings.
A business impact analysis is a process to determine the impact of losing the support of any resource.
An incident management plan is used to prepare for, detect, respond to, and mitigate the effects of incidents.
Revisions to information security procedures would likely address only a portion of the audit findings.
Risk treatment plans are necessary to describe how the:
A. identified risk is further analyzed.
B. chosen treatment options will be implemented.
C. accepted risk is treated.
D. risk indicators will monitor the risk.
B is the correct answer.
Justification
Risk treatment plans describe the plan of action for the chosen treatment and would not further analyze identified risk.
A risk treatment plan includes the plan of action for the chosen treatment, how it will be implemented, who will implement it, key dates and resource requirements.
Once the risk is accepted, a risk treatment plan is not needed.
Risk indicators are used to identify emerging risk and are not part of a risk treatment plan.
The risk treatment plan PRIMARILY provides treatment for:
A. high-risk areas reported to senior management.
B. identified risk that exceeds risk tolerance.
C. every risk identified on the risk register.
D. risk that has already materialized.
B is the correct answer.
Justification
The risk treatment plan addresses all risk that exceeds risk tolerance, not just high-risk items.
Risk treatment plans would cover all the risk identified in the risk register that exceeds the enterprise risk tolerance level and, therefore, needs to be further treated.
Not every identified risk requires a risk treatment plan.
Risk treatment plans treat all risk, not just materialized risk.
In the event that available resources for risk treatment are not sufficient, the risk treatment plan should:
A. define the priorities across all treatments to assist in resource allocation.
B. recommend postponing the treatment until resources are available.
C. recommend reassessing the risk treatment options.
D. suggest increasing the priority of the treatment to ensure resource availability.
A is the correct answer.
Justification
When the available resources for treating the risk are not sufficient, the risk treatment plan should include prioritization of the risk so resources can be properly allocated.
Postponing the risk treatment activities until resources are available may not be the most appropriate option as the prioritization should drive resource allocation.
Prioritization of risk treatment options has already been determined through a defined process. Without assigning any priorities to the risk, the reassessment of options would not be the most appropriate recommendation.
Suggesting a higher priority to the treatment would not consider the priorities of other efforts in the risk treatment plan.
Which of the following would BEST help finalize the risk treatment plan?
A. Vulnerability analysis
B. Impact analysis
C. Cost-benefit analysis
D. SWOT analysis
C is the correct answer.
Justification
A vulnerability analysis provides insight into which risk to treat but is not useful when evaluating risk treatment options.
Impact analysis is a part of the risk assessment but on its own would not help finalize a risk treatment plan.
A cost-benefit analysis helps determine if the benefit of a control outweighs the cost of implementing the control.
A SWOT (strengths, weaknesses, opportunities and threats) analysis can be helpful, but the results must be translated in terms of risk, including costs and benefits, to be useful.
A risk response report includes recommendations for:
A. acceptance.
B. assessment.
C. evaluation.
D. quantification.
A is the correct answer.
Justification
Acceptance of a risk is an alternative to be considered in the risk response process.
The risk assessment process is completed prior to determining appropriate risk responses.
Risk evaluation is part of the risk assessment process that is completed prior to determining appropriate risk responses.
Risk quantification is achieved during risk analysis; it is an input into the risk response process and occurs prior to determining appropriate risk responses.
The GREATEST benefit of implementing a risk treatment plan is:
A. to reduce the impact and likelihood of risk occurrence.
B. to identify the unmitigated risk that can be transferred.
C. to exploit the risk to test organizational preparedness.
D. to enhance the overall risk appetite of the enterprise.
A is the correct answer.
Justification
Implementing the risk treatment plan reduces the negative impact and likelihood of a risk occurrence.
Transferring is not the only response option for unmitigated risk.
Exploiting the risk is not the aim of the risk treatment plan and can create more risk.
Risk appetite is established to identify the level of acceptable risk in an enterprise. Implementing a risk treatment plan will not influence the risk appetite.
While monitoring the risk treatment plans for different risk, senior management is MOST concerned if a high percentage of:
A. incidents are not in the scope of the risk treatment plan.
B. risk issues are within the risk appetite of the enterprise.
C. risk treatment plans have been developed for all identified risk.
D. risk treatment action plans have been approved.
A is the correct answer.
Justification
Unexpected incidents identify risk that were not formally part of the current risk treatment plan. This is a chief concern because it indicates the incompleteness of the risk register and risk management process.
Risk issues that fall within the risk appetite of an enterprise would not necessarily be a major concern for management. They are already in scope of the current risk treatment plan.
The development of risk treatment plans is important; however, management should have concern over realized risk (in scope) that was not previously part of a risk treatment plan.
Approved risk treatment plans are not a concern because the actions are taking place to implement or adopt responses to risk.
Which of the following is the MOST important information to include in a risk treatment plan that already has an appropriate resolution and a date for completion?
A. responsible personnel.
B. mitigating factors.
C. likelihood of occurrence.
D. cost of completion.
A is the correct answer.
Justification
Risk response activities must be assigned to a responsible person or group; if this assignment is not included, it will be unclear who will implement the countermeasure.
Mitigating factors can be included but are not as important as responsible personnel.
Compensating controls can be included but are not as important as responsible personnel.
Cost for completion is an optional field and is not necessary.
Which of the following is the MOST desirable strategy when developing risk mitigation options associated with the unavailability of IT services due to a natural disaster?
A. Assume the worst-case incident scenarios.
B. Target low-cost locations for alternate sites.
C. Develop awareness focused on natural disasters.
D. Enact multiple tiers of authority delegation.
A is the correct answer.
Justification
To be prepared for a natural disaster, it is appropriate to assume the worst-case scenario; otherwise, the resulting impact may exceed the enterprise’s ability to recover.
Setting up a low-cost location for an alternate site may not always be a good strategy against natural disasters. Adequate investment should be made based on an impact analysis and the enterprise’s acceptable level of risk.
An awareness training program is a key factor for business continuity. However, its effectiveness may be limited.
Delegation of authority will work somewhat in case of emergency. However, it may be a situational decision in the event of natural disaster.
Which of the following leads to the BEST optimal return on security investment?
A. Deploying maximum security protection across all the information assets
B. Focusing on the most important information assets and then determining their protection
C. Deploying minimum protection across all the information assets
D. Investing only after a major security incident is reported to justify investment
B is the correct answer.
Justification
Deploying maximum controls across all information assets will overprotect some less critical information assets; therefore, investment will not be optimized.
To optimize return on security investment, the primary focus should be identifying the important information assets and protecting them appropriately to optimize investment (i.e., important information assets get more protection than less important or critical assets).
Deploying minimum protection across all the information assets will compromise the security of the more critical information assets; therefore, investment will not be optimized.
Investing only after a major security event is a reactive approach that may severely compromise business operations—in some cases, to the extent that the business does not survive.
When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
A. Insuring against the risk
B. Updating the IT risk registry
C. Improving staff training in the risk area
D. Outsourcing the related process to a third party
A is the correct answer.
Justification
An insurance policy can compensate the enterprise monetarily for the impact of the risk by transferring the risk to the insurance company.
Updating the risk registry (with lower values for impact and probability) will not change the risk; it will only change management’s perception of it.
Staff capacity to detect or mitigate the risk may potentially reduce the financial impact, but insurance allows for the risk to be completely mitigated.
Outsourcing the process containing the risk does not necessarily remove or change the risk.
Which of the following risk response options is MOST likely to increase the liability of the enterprise?
A. Risk acceptance
B. Risk reduction
C. Risk transfer
D. Risk avoidance
A is the correct answer.
Justification
An enterprise may choose to accept risk without knowing the correct level of risk that is being accepted; this may result in accusations of negligence.
Risk reduction indicates an attempt to reduce the risk level. It may not be as effective as intended, but is not likely to increase the level of risk.
Risk transfer allocates a portion of risk to another party (e.g., insurance).
Risk avoidance will terminate a process that is considered to have an unacceptable level of risk that cannot be mitigated economically.
Which of the following would BEST help an enterprise select an appropriate risk response?
A. An analysis of change in the risk environment
B. An analysis of risk that can be transferred were it not eliminated
C. An analysis of the likelihood and impact of various risk scenarios
D. An analysis of control costs and benefits
D is the correct answer.
Justification
The degree of change in the risk environment will not provide sufficient information on actual controls and benefits to make the decision.
Risk can never be eliminated, and an analysis of what risk can be transferred will be inadequate for a complete risk response.
Likelihood and impact help establish the amount or level of risk but are inadequate for selecting an appropriate risk response.
An analysis of costs and benefits for controls helps an enterprise understand if it can mitigate the risk to an acceptable level.
Which of the following is BEST addressed by transferring risk?
A. An antiquated fire suppression system in the computer room
B. The threat of disgruntled employee sabotage
C. The threat of disgruntled employee theft
D. A building located in a 100-year flood plain
D is the correct answer.
Justification
Although an enterprise may hold insurance policies for physical assets such as computer equipment, the most appropriate risk remediation strategy is to update the fire suppression system.
This risk is not readily transferable. Full risk response planning should be performed for all risk that could happen at any time during routine business activities.
This risk is not readily transferable. Removable media policies and procedures should proactively be in place to mitigate the risk of lost or stolen media.
Purchasing an insurance policy transfers the risk of a flood. Risk transfer is the process of assigning risk to another entity, usually through the purchase of an insurance policy or through outsourcing the service.
Which of the following is the BEST reason for an enterprise to decide not to reduce an identified risk?
A. There is no regulatory requirement to reduce the risk.
B. There are mitigating controls in place.
C. The cost of mitigation exceeds the risk.
D. The budget for risk mitigation is limited.
C is the correct answer.
Justification
Regulatory requirements are not the only risk factors affecting an enterprise’s decision to reduce risk; other factors may include reputational damage, financial repercussions and other costs.
The residual risk after existing mitigating controls may still be above acceptable levels. In this case, further risk reduction would be needed.
Enterprises will accept the risk when the cost of mitigation exceeds the risk.
Enterprises may choose to reduce a risk even when the budget is exceeded, such as when the cost of reducing the risk is lower than the risk.
When proposing the implementation of a specific risk treatment, a risk practitioner PRIMARILY uses a:
A. technical evaluation report.
B. business case.
C. vulnerability assessment report.
D. budgetary requirements.
B is the correct answer.
Justification
A technical evaluation report supplements the business case.
A manager should base any proposed risk response on a risk assessment in the context of business objectives and requirements (e.g., launching a new product, implementing changes in routine processes, compliance with regulations). The manager must document costs of controls and compare them against benefits of the risk response. The manager should understand business case development in order to illustrate the costs and benefits of risk response.
A vulnerability assessment report supplements the business case.
Budgetary requirements represent one input into the business case.
Previously accepted risk should be:
A. reassessed periodically because the risk can be escalated to an unacceptable level due to revised conditions.
B. removed from the risk log once it is accepted.
C. accepted permanently because management has already spent resources (time and labor) to conclude that the risk level is acceptable.
D. avoided next time because risk avoidance provides the best protection to the enterprise.
A is the correct answer.
Justification
Accepted risk should be reviewed regularly to ensure that the initial risk acceptance rationale is still valid within the current business context.
Even risk that has been accepted should be monitored for changing conditions that could alter the original decision.
The rationale for the initial risk acceptance may no longer be valid due to changes, and therefore, the risk cannot be accepted permanently.
Risk is an inherent part of business, and it is impractical and costly to eliminate all risk.
The cost of mitigating a risk should not exceed the:
A.expected benefit to be derived.
B.annual loss expectancy.
C.value of the physical asset.
D.cost to exploit the weakness.
A is the correct answer.
Justification
The cost of mitigating a risk should never exceed the value that is expected to result from its implementation. It is illogical to spend US$1,000 to protect against a risk that would create a loss of less than US$100 in a worst-case scenario.
Remoteness of likelihood may cause the ALE to be quite low. However, it may be worthwhile to spend an amount in excess of the ALE to protect against a loss that, if it occurred, would be significantly higher.
It may be worthwhile to spend more than the value of a physical asset when that asset contains something of even higher value. The value of a backup tape is not so much the cost of the tape as what is stored on that tape.
The cost to exploit a weakness may be very low compared to its impact. For example, a freely available exploit from the Internet can be used to execute a denial-of-service attack on an e-commerce site. The amount that an enterprise spends on risk mitigation must be directly related to the likelihood and impact of a specific risk and how the control mitigates that risk.
After the completion of a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The BEST risk response is that the risk be:
A.treated.
B.terminated.
C.accepted.
D.transferred.
C is the correct answer.
Justification
Treating the risk in the described scenario incurs a cost that is greater than the benefit to be derived; this is not the best option.
Risk termination is not a risk management term; while risk can be avoided, it can generally not be terminated.
When the cost of control is more than the cost of the potential impact, the risk should be accepted.
Transferring risk is of limited benefit if the cost of the risk response is more than the cost of the potential impact and likelihood of the risk itself.
It is MOST important for risk mitigation to:
A.eliminate threats and vulnerabilities.
B.reduce the likelihood of risk occurrence.
C.reduce risk within acceptable cost.
D.reduce inherent risk to zero.
C is the correct answer.
Justification
Threats are often outside the reach of the enterprise’s influence and cannot be affected. Vulnerabilities can be reduced but cannot be eliminated.
The likelihood of risk occurrence depends on many factors, many of which cannot be influenced internally.
Risk should be reduced or mitigated to an acceptable level within an acceptable cost.
Inherent risk of any activity cannot be affected. It is the risk level or the exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). Inherent risk will also never be completely eliminated.
In a situation in which the cost of anti-malware exceeds the loss expectancy of malware threats, what is the MOST viable risk response?
A.Risk elimination
B.Risk acceptance
C.Risk transfer
D.Risk mitigation
B is the correct answer.
Justification
Risk elimination is not a risk response because it is not possible to reduce risk to zero.
When the cost of a risk response (i.e., the implementation of anti-malware) exceeds the loss expectancy, the most viable risk response is risk acceptance.
Transferring risk to a third party is most viable in situations in which the potential likelihood is low and the potential impact is high. Transfer of risk—like any risk response—must be based on a cost-benefit analysis. If the cost of transferring the risk exceeds the cost of the expected loss, the most viable risk response is to accept the risk.
Risk mitigation is a method to reduce the likelihood or impact of risk to an acceptable level. Risk mitigation—like any risk response—must be based on a cost-benefit analysis. If the cost of risk mitigation exceeds the cost of the expected loss, the most viable risk response is to accept the risk.
A chief information security officer (CISO) has recommended several controls, such as anti-malware, to protect the enterprise’s information systems. Which approach to handling risk is the CISO recommending?
A.Risk transference
B.Risk mitigation
C.Risk acceptance
D.Risk avoidance
B is the correct answer.
Justification
Risk transfer involves transferring the risk to another entity, such as an insurance company.
By implementing controls, the company is trying to reduce the risk to an acceptable level, thereby mitigating risk.
Risk acceptance involves making an educated decision to accept the risk and taking no action.
Risk avoidance involves stopping any activity causing the risk.
An enterprise decides to address risk associated with an IT project by outsourcing part of the IT activities to a third party with a specialized skill set. In relation to the project itself, this is an example of:
A.risk transfer.
B.risk avoidance.
C.risk acceptance.
D.risk mitigation.
D is the correct answer.
Justification
Outsourcing part of an activity in itself does not transfer risk; the risk remains with the enterprise. Risk transfer assigns risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service.
Outsourcing part of an activity is not risk avoidance. Risk avoidance is the process for systematically steering away from a specific risk, generally by not engaging in a specific activity, such as e-commerce or cloud computing. Risk avoidance generally also affects the potential opportunity offered by engaging in the activity.
Outsourcing part of an activity is not risk acceptance. Risk acceptance means that the enterprise makes an educated decision not to take action relative to a particular risk and accepts loss if it occurs.
When specific activities are outsourced to an entity with a specialized skill set, the inherent risk of the activity is reduced. The outsourcing process works as a control in this case.
Which of the following activities is MOST important in determining the risk mitigation strategy?
A.Review vulnerability assessment results.
B.Perform a cost-benefit analysis related to risk acceptance.
C.Conduct a business impact analysis of affected areas.
D.Align the strategy with the security controls framework.
B is the correct answer.
Justification
Results from a vulnerability assessment are used in a risk assessment to determine the level of risk but are not used in the selection of a mitigation strategy.
Risk mitigation ensures that residual risk is maintained at an acceptable level. Cost-benefit analysis ensures that the cost of mitigating risk does not exceed the cost to the enterprise if an incident should occur.
Business impact analysis facilitates development of mitigation and recovery strategy because it documents processes, key deliverables and recovery time objectives. However, the cost of mitigation is the key criterion for the enterprise.
Understanding the enterprise’s security controls framework assists with design and implementation of controls once the mitigation strategy is determined for a given risk.
Which of the following is MOST likely to be reduced to achieve acceptable risk?
A.Risk appetite
B.Control risk
C.Residual risk
D.Inherent risk
C is the correct answer.
Justification
Risk appetite is the amount of risk that an entity is willing to accept. It does not change with risk mitigation activities.
Control risk is incurred whenever controls can fall short of their objectives and is not necessarily related to residual risk.
Residual risk is the remaining risk after management has implemented a risk response. Acceptable risk is achieved when the residual risk is reduced to the levels within the enterprise’s risk appetite.
Inherent risk is a risk that is part of an activity; it cannot be minimized, only avoided by not engaging in the activity itself.
A risk practitioner receives a message late at night that critical IT equipment will be delivered several days late due to flooding. Fortunately, a reciprocal agreement exists with another company for a replacement until the equipment arrives. This is an example of risk:
A.transfer.
B.avoidance.
C.acceptance.
D.mitigation.
D is the correct answer.
Justification
Risk transfer is not the correct answer because the described risk is not transferred using insurance or another risk transfer strategy.
Arranging for a standby is a risk mitigation strategy, not a risk avoidance strategy.
The risk is not accepted; if it were accepted, the enterprise would, for example, continue operating without the expected IT equipment until it was delivered.
Risk mitigation attempts to reduce the impact when a risk event occurs. Making plans such as a reciprocal arrangement with another company reduces the consequence of the risk event.
Which of the following is the BEST example of risk avoidance behavior?
A.Taking no action against the risk.
B.Outsourcing the related process.
C.Insuring against a specific event.
D.Exiting the process that gives rise to risk.
D is the correct answer.
Justification
Taking no action is an example of risk acceptance. No action is taken relative to a particular risk, and loss is accepted if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known (i.e., an informed decision has been made by management).
Outsourcing a process is an example of risk transfer/sharing. It reduces risk frequency or impact by transferring or otherwise sharing a portion of the risk. In both a physical and legal sense this risk transfer does not relieve an enterprise of a risk but can involve the skills of another party in managing the risk and thus reduce the financial consequence if an adverse event occurs.
Insuring against a specific event is an example of risk transfer/sharing. It reduces risk frequency or impact by transferring or otherwise sharing a portion of the risk. In both a physical and legal sense risk transfer does not relieve an enterprise of a risk but can involve the skills of another party in managing the risk and thus reduce the financial consequence if an adverse event occurs.
Avoidance means exiting the activities or conditions that give rise to risk. Risk avoidance applies when no other risk response is adequate. Some IT-related examples of risk avoidance include relocating a data center away from a region with significant natural hazards or declining to engage in a very large project when the business case shows a notable risk of failure.
A global financial institution has decided not to take any further action on a denial-of-service vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that:
A.the needed countermeasure is too complicated to deploy.
B.there are sufficient safeguards in place to prevent this risk from happening.
C.the likelihood of the risk occurring is unknown.
D.the cost of the countermeasure outweighs the value of the asset and potential loss.
D is the correct answer.
Justification
While countermeasures can be too complicated to deploy, this does not necessarily mean that they are cost prohibitive.
Any safeguards placed to prevent the risk need to match the risk impact.
It is likely that a global financial institution may be exposed to such denial-of-service attacks, but the frequency cannot be predicted. This would not be the reason for risk acceptance.
An enterprise may decide to accept a specific risk because the protection would cost more than the potential loss.
Senior management at a data center provider is reviewing feedback from its annual client satisfaction survey. Some major clients expressed dissatisfaction with the frequency of service disruptions resulting from systems and infrastructure component failures. Management chooses to address the concern and sets up a project team to improve continuity of operations and minimize service disruptions. Which of the following risk management activities will MOST benefit this initiative?
A.Develop key risk indicators.
B.Determine risk and control ownership.
C.Update the risk register.
D.Develop IT risk scenarios.
D is the correct answer.
Justification
Key risk indicators assist management in understanding potential changes in the control environment. A risk scenario more directly identifies circumstances that can adversely affect the enterprise’s business or assets.
Although risk and control ownership with clear lines of responsibility plays an important role in managing risk, the identification of risk scenarios is more important to determine who within the enterprise should have ownership responsibility based on business objectives.
Risk items within the risk register, including risk scenarios, will benefit continuity and disaster recovery management planning because they provide valuable insight into past events and future probability. Constructed narrowly, however, the risk scenarios specifically correlate potential adverse events to business outcomes.
The relationship between IT risk scenarios and business impact must be established to understand the effects of possible adverse events on enterprise objectives.
Budget has been approved for patching vulnerabilities detected through regularly scanning web-facing applications. This is an example of:
A.risk mitigation.
B.risk acceptance.
C.risk transfer.
D.risk avoidance.
A is the correct answer.
Justification
In order to mitigate the risk, the enterprise has decided to patch vulnerabilities.
Risk acceptance occurs when no further action is taken to prevent a risk.
Risk transfer occurs when some amount of the risk is transferred, or shared, with another party, such as with an insurance policy.
Risk avoidance would mean to cease performing the action that puts the enterprise at risk.
Which of the following would PRIMARILY help an enterprise select and prioritize risk responses?
A.A cost-benefit analysis of available risk mitigation options
B.The level of acceptable risk per risk appetite
C.The potential to transfer or eliminate the risk
D.The number of controls necessary to reduce the risk
A is the correct answer.
Justification
The selection and priorities of a risk response will consider the cost-benefit of the various risk mitigation options in order to get the highest return on investment and reduce the risk to an acceptable level.
The level of acceptable risk will not prioritize the risk response but will indicate whether the risk response is adequate.
Risk can be reduced, accepted or transferred. Risk can be transferred (insurance policy), which is an acceptable risk response, but this factor in itself would not help in prioritizing risk responses.
The priority for risk mitigation will not be based on the number of controls necessary to reduce the risk, but rather on the implementation of the controls with the greatest cost benefit.
Which of the following BEST helps ensure that the cost is justifiable when selecting an IT control?
A.The investment cost is within budget.
B.The risk likelihood and impact are reflected.
C.The net present value of the IT control cost is high.
D.Low-cost open source technology is used.
B is the correct answer.
Justification
The fact that the cost of a control is within budget does not necessarily justify the cost of a control. The cost of a control should be less than the projected benefit of the control.
While other factors may be relevant, the total cost of ownership of a control should not exceed the projected likelihood times the impact of the risk it is intended to mitigate.
The net present value is calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment. It does not justify the cost of the control because it does not relate the cost to the expected benefit.
While open source technology is generally a low-cost option, the low cost itself does not justify the cost of the control.
Which of the following would ensure that critical dependencies are addressed in the risk treatment plan?
A.Implement the risk treatment strategy for all possible risk.
B.Verify the accomplishment of business objectives through a top-down process review.
C.Treat each risk independently.
D.Verify the accomplishment of business objectives through a bottom-up process review.
B is the correct answer.
Justification
It may not be economically feasible to implement risk treatment plans for all possible risk.
Development of an overall risk treatment strategy should be a top-down process, driven jointly by the need to achieve business objectives and to apply economically feasible constraints while controlling uncertainty within the enterprise risk appetite.
If each risk is treated independently, efforts would be wasted in overall risk management because gaps could exist within interdependencies.
A bottom-up approach does not ensure that critical dependencies are addressed in the risk treatment plan as it takes the opposite approach as a top-down process.
Purchasing insurance is a form of:
A.risk avoidance.
B.risk mitigation.
C.risk acceptance.
D.risk transfer.
D is the correct answer.
Justification
Risk avoidance means that activities or conditions that give rise to risk are discontinued.
Risk mitigation is the management of risk through the use of countermeasures and controls. Risk transfer is one form of risk mitigation.
Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs.
Transferring risk typically involves insurance policies to share the financial risk.
Which of the following approaches BEST helps address significant system vulnerabilities that were discovered during a network scan?
A.All significant vulnerabilities must be mitigated in a timely fashion.
B.Treatment should be based on threat, impact and cost considerations.
C.Compensating controls must be implemented for major vulnerabilities.
D.Mitigation options should be proposed for management approval.
B is the correct answer.
Justification
Some vulnerabilities may not have significant impact and may not require mitigation. A threat assessment can affect the level of urgency, and the impact of mitigation on the business may determine when mitigation occurs.
The treatment should consider the degree of exposure and potential impact and the costs of various treatment options.
Compensating controls are considered only when there is a viable threat and impact, and only if the primary control is inadequate.
Management approval will depend on a mitigation plan based on threat, impact and cost considerations.
Which of the following choices is the BEST approach for organizational risk response?
A.Mitigating risk on the basis of frequency of occurrence
B.Performing a countermeasure analysis for deployed controls
C.Selecting controls based on ease of implementation
D.Mitigating risk in line with the risk priority sequence
D is the correct answer.
Justification
Responding to risk on the basis of frequency of occurrence will not be comprehensive; without risk prioritization, too much effort may be spent on risk treatment.
Performing countermeasure analysis for every control deployed will not be beneficial because there may not be a countermeasure for every control; even if there were, it would not help in risk response.
Ease of implementation is less of a priority when selecting controls. Without risk prioritization, addressing important risk, which may take more time and resources but will be more useful to the enterprise in the long run, may not take place.
If risk is prioritized and addressed in line with the risk treatment strategy, it balances the costs and benefits of managing IT risk.
Which of the following activities provides the BEST information to guide a decision on risk treatment? Evaluating the:
A.effectiveness of the current state of existing controls.
B.effectiveness of key risk indicators.
C.effectiveness of the control selection processes.
D.accuracy of identified risk.
A is the correct answer.
Justification
A comprehensive understanding of the existing state of controls is the best information to determine what additional risk treatment is necessary to bring the level of risk to an acceptable level.
Evaluating the effectiveness of key risk indicators (KRIs) will reveal whether the associated risk is effective. A KRI may suggest the necessity of a risk treatment but will not provide the best information.
Evaluating the effectiveness of control selection processes does not necessarily provide information to guide a risk treatment decision.
Evaluating the accuracy of an identified risk is important when evaluating the current state of existing controls.
Which of the following risk responses relieves the enterprise of risk ownership?
A.Mitigation
B.Avoidance
C.Transference
D.Acceptance
B is the correct answer.
Justification
The mitigation of risk is accomplished through the application of controls that reduce the likelihood of an adverse event or the impact of risk should such an event occur. However, the reduced risk is thereby accepted by the enterprise, which explicitly acknowledges ownership of the reduced risk.
When an enterprise avoids a risk, it relieves itself of ownership of the risk by ceasing to engage in the activities with which the risk is associated.
Although the term “transference” often creates the impression that ownership of a risk is transferred, this response only creates conditions under which an adverse event can be addressed with the benefit of skills provided by a third party—for example, the financial resources of an insurance company or the expertise of a third-party software developer. As long as the enterprise continues to engage in the activities with which the risk is associated, it remains fundamentally responsible for the risk in both a physical and legal sense.
An enterprise that accepts a risk explicitly acknowledges ownership of the risk.
What should the risk treatment strategy be if the residual risk exposure level is deemed unacceptable by management?
A.Risk avoidance
B.Risk transfer
C.Risk acceptance
D.Risk mitigation
A is the correct answer.
Justification
Risk avoidance is the right strategy, as the risk is not acceptable to management.
There would still be a cost to transfer risk; furthermore, management does not accept the risk.
Management deems the risk unacceptable.
Residual risk is not acceptable to management.
Maintaining a set of decryption keys with an escrow service is MOST likely an example of:
A.transferring the risk of loss to the escrow service.
B.increasing the residual risk of keeping data private.
C.mitigating risk with the use of encryption keys.
D.accepting the risk of using encryption technology.
C is the correct answer.
Justification
Transferring risk, or risk sharing, means that the consequences of a risk event are shared between different parties. No risk has been transferred to the escrow services provider, but rather, the use of the escrow services provider has mitigated the risk of not having access to decryption keys.
The residual risk associated with using encryption is not being able to decrypt encrypted information when the decryption keys are no longer accessible. This residual risk is reduced by having the decryption keys stored with an escrow services provider.
Risk mitigation is action taken to reduce the likelihood of a risk event. In this case, the risk is the inability to access the decryption keys. By storing the decryption keys with an escrow service, the risk is mitigated, making access to the decryption keys possible.
Accepting risk implies that no action has been taken to mitigate the risk. The use of the escrow services provider, on the other hand, mitigates the risk of not being able to access the decryption keys when needed.
Which of the following risk responses is BEST for an enterprise whose products and services are highly regulated?
A.Risk mitigation
B.Risk acceptance
C.Risk transfer
D.Risk avoidance
A is the correct answer.
Justification
A regulatory risk that could lead to the withdrawal of an operating license is a risk that must be addressed by the enterprise because it can affect the enterprise’s ability to continue operations.
The risk should only be accepted if it is at a level that management is willing to accept.
The risk could be transferred, but management must realize that if the third party fails to meet the compliance requirements, it is the client enterprise that will suffer the consequences of the regulator’s actions.
The risk cannot be avoided without removing or ending the product line or service at risk, which could put the enterprise out of business.
Which of the following actions is the BEST when a critical risk has been identified and the resources to mitigate are not immediately available?
A.Log the risk in the risk register and review it with senior management on a regular basis.
B.Capture the risk in the risk register once resources are available to address the risk.
C.Escalate the risk report to senior management to obtain the resources to mitigate the risk.
D.Review the risk level with senior management and determine whether the risk calculations are correct.
C is the correct answer.
Justification
Because this is a critical risk, logging and reviewing risk on a regular basis would not be a suitable option. It should be escalated to senior management immediately.
Because this is a critical risk, capturing the risk once resources are available would not be a suitable option. It should be escalated to senior management.
If resources are not available or priorities need to be adjusted, it is important to engage senior management to assist in escalating the remediation.
A review of the risk level should already have been performed. This will not resolve the problem with a risk that exceeds the risk acceptance level.
Which of the following activities is an example of risk sharing?
A.Moving a function to another department
B.Selling a product or service to another company
C.Deploying redundant firewalls
D.Contracting with a third party
D is the correct answer.
Justification
Moving a function to another department would not share the risk outside of the enterprise’s direct responsibility.
Selling a product or service with high risk to another company would be an example of risk avoidance, not of risk sharing, because the original enterprise no longer has any involvement.
Deploying redundant firewalls is risk mitigation, but not risk sharing or transfer.
Contracting with a third party to share the responsibility for supporting activities can provide a form of risk transference as long as it is documented in the outsourcing contract.
Faced with numerous risk scenarios, the prioritization of treatment options will be MOST effective when based on:
A.the existence of identified threats and vulnerabilities.
B.the likelihood of compromise and subsequent impact.
C.the results of vulnerability scans and exposure.
D.the exposure of corporate assets and operational risk.
B is the correct answer.
Justification
The existence of threats and vulnerabilities affects risk likelihood, but without considering the potential impact, the prioritization of risk treatment will not be effective.
The probability of compromise and the likely impact will be the most important considerations for selecting treatment options.
Vulnerability scan results provide prioritized input into the decision-making process to remediate technical risk. Vulnerability scans provide only a subset of overall enterprise risk and do not consider the cost to remediate.
Exposure of assets and operational risk are factors in determination of prioritization of risk treatment options, but only when used in combination with the cost-benefit of the risk treatment options. Operational risk is a subset of overall risk.
What is the BEST risk response for risk scenarios where the likelihood is low and financial impact is high?
A.Transfer the risk to a third party.
B.Accept the high cost of protection.
C.Implement detective controls.
D.Implement compensating controls.
A is the correct answer.
Justification
High-impact, low-likelihood situations are typically most cost effectively covered by transferring the risk to a third party (e.g., insurance).
Even though financial impact is high, the cost of protection is not necessarily high.
A detective control alone does not limit the impact.
Implementing compensating controls may be cost prohibitive and is not feasible when the likelihood is already low. Moreover, compensating controls should be used only when the main control is not adequate.
Which of the following risk response selection parameters results in a decrease in magnitude of an event?
A.Efficiency of response
B.Cost of response
C.Effectiveness of response
D.Capability to implement response
C is the correct answer.
Justification
Efficiency of response is the relative benefit promised by the response in comparison to:
Cost of response is the cost of the response to reduce risk to within tolerance levels.
Effectiveness of response is the extent to which the response reduces the likelihood and impact.
The capability to implement the response will not affect the magnitude of an event.
When the cost of risk related to a specific business process is greater than the potential opportunity, the BEST risk response is:
A.transfer.
B.acceptance.
C.mitigation.
D.avoidance.
D is the correct answer.
Justification
Risk transfer is the process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service.
Risk acceptance means that no action is taken relative to a particular risk, and loss is accepted if it occurs.
Risk mitigation is the management of risk through the use of countermeasures and controls.
Risk avoidance is the process for systematically avoiding risk, constituting one approach to managing risk.
Which indicator ensures that the enterprise’s risk is effectively treated?
A.An indicator that is used to define the control environment and measures toward tolerance
B.An indicator implemented to detect and signal the root cause of a risk event
C.An indicator used to define and monitor changes in the risk profile
D.An indicator used to define performance targets and measure progress toward goals
A is the correct answer.
Justification
Control indicators are used to determine the effectiveness of an enterprise’s controls designed to treat risk.
Leading indicators are used to detect the root cause of a risk event and to provide early warning if the achievement of a strategic goal would be in jeopardy.
Key risk indicators answer questions about the changes in the enterprise’s risk profile and if those changes are within the enterprise’s desired risk tolerance levels.
Key performance indicators enable the enterprise to define performance targets and monitor progress toward achieving those targets.
Which of the following can be expected when a key control is being maintained at an optimal level?
A.The shortest lead time until the control breach comes to the surface
B.Balance between control effectiveness and cost
C.An adequate maturity level of the risk management process
D.An accurate estimation of operational risk amounts
B is the correct answer.
Justification
Even though a key control is in place, it may take time until a breach surfaces if escalation procedures are not adequately set up. Thus, a key control alone does not ensure the shortest lead time for a breach to be communicated to management.
Maintaining controls at an optimal level translates into a balance between control cost and derived benefit.
Measurement of the maturity level in risk management may depend on the function of key controls. However, the key control is not the major driver to assess the maturity of risk management.
The key control does not directly contribute to the accurate estimation of operational risk amounts. Maintenance of an incident database and the application of statistical methods are essential for the estimation of operational risk.
Which of the following would BEST measure the effectiveness of operational controls?
A.Control matrix
B.Key performance indicator
C.Statement of applicability
D.Key control indicator
D is the correct answer.
Justification
The control matrix is a tool used to analyze a systems flowchart (and related narrative) to determine the control plans appropriate to a process and to relate those plans to the control goals of the process.
Key performance indicators do not measure the effectiveness of operational risk controls.
Statement of applicability is specific to the ISO 27001 standard, and although it has a list of controls, it will not help in measuring the effectiveness of particular operational risk controls.
Key control indicators, also referred to as control effectiveness indicators, are metrics that provide information on the degree to which a control is working.
Which of the following is the MAIN reason senior management monitors and analyzes trends in key control indicators?
A.It provides feedback on the overall control environment.
B.It helps in identifying redundant controls.
C.It proactively identifies impacts to the risk profile.
D.It helps determine if additional controls are required.
C is the correct answer.
Justification
The control environment is primarily the responsibility of the operations team, and not senior management. Tuning and related feedback is the responsibility of the operations team.
Redundancy is a design and operations responsibility, not senior management.
The primary objective of key control indicators (KCIs) is to ensure that controls actually mitigate risk at an effective level. Analysis of KCI trends provides information on the overall effectiveness of controls and provides management information on the status of risk management.
Determining the need for additional controls is the responsibility of operations, not senior management. KCIs would not necessarily identify the need for additional controls.
Which of the following is PRIMARILY defined before establishing key control indicators?
A.Desired capacity
B.Desired risk threshold
C.Desired tolerances
D.Desired risk appetite
C is the correct answer.
Justification
Desired capacity pertains to capacity management and is not aligned to control effectiveness.
Key control indicators (KCIs) are not related to risk thresholds.
The goal of KCIs is to track performance of control actions relative to tolerances, providing insight into the ongoing adequacy of a given control in keeping risk within acceptable levels; for this reason, KCIs are sometimes called control effectiveness indicators. Therefore, tolerances would need to be defined before a KCI could be established.
KCIs are not related to risk appetite.
What is the PRIMARY reason for reporting significant changes in information risk to senior management?
A.To revise the key risk indicators
B.To enable educated decision-making
C.To gain support for new countermeasures
D.To recalculate the value of existing information assets
B is the correct answer.
Justification
Revisions in key risk indicators have to be communicated to management; however, they are not the way to communicate significant new information risk.
The changes in information risk will impact critical business processes. The risk practitioner should report this to management so that management is able to make informed risk response decisions.
Gaining support for new countermeasures is not a primary reason to report changes in information risk to senior management. Some significant changes may not require new countermeasures.
Recalculation of asset values is not a primary reason to report changes in information risk to senior management. Senior management generally understands the importance of critical assets and does not wait for significant risk to reconsider the asset value.
Which of the following BEST enables a peer review of an enterprise’s risk management process?
A.A balanced scorecard
B.An industry survey
C.A capability maturity model
D.A framework
C is the correct answer.
Justification
A balanced scorecard is a coherent set of performance measures organized into four categories that include traditional financial measures, customer processes, internal business processes and learning and growth perspectives.
An industry survey does provide a view of current practices; however, because survey results are generally presented in an aggregated manner, they do not enable a peer review of an enterprise’s risk management process.
A capability maturity model describes essential elements and criteria for effective processes for one or more disciplines. It also outlines an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
A framework is a set of concepts, assumptions and practices that define how a given discipline or function can be approached or understood; relationships among its various components; roles of those involved; and conceptual and organizational boundaries.
Which of the following BEST ensures that appropriate mitigation occurs on identified information systems vulnerabilities?
A.Presenting root cause analysis to the management of the enterprise
B.Implementing software to input the action points
C.Incorporating the findings into the annual report to shareholders
D.Assigning action plans with deadlines to responsible personnel
D is the correct answer.
Justification
Presenting findings to management will increase management awareness; however, it does not ensure that action will be taken by the staff.
Software can help in monitoring the progress of mitigations, but it will not ensure that the mitigation will be completed.
Reporting to shareholders does not ensure that the mitigation will be completed.
Assigning mitigation to personnel establishes responsibility for its completion within the deadline.
Which of the following is MOST suitable for reporting IT-related business risk to senior management?
A.Balanced scorecards
B.Gantt charts
C.Technical vulnerability reports
D.Dashboards
D is the correct answer.
Justification
A balanced scorecard is a coherent set of performance measures organized into four categories: traditional financial measures, and customer, internal business process, and learning and growth perspectives.
Gantt charts show the critical path for a project but are not suitable for reporting IT-related business risk.
Technical vulnerability reports provide a detailed overview of system vulnerabilities and often include leading practices on how to mitigate vulnerabilities. Often, they are not tied to the business impact and are too granular to be used for reporting IT-related business risk to senior management.
Dashboards are most suitable for reporting risk to senior management because they provide a high-level overview of risk levels that can be easily understood.
Which of the following BEST helps while presenting the current risk profile to executive management and the board of directors?
A.Risk response dashboard
B.Emerging risk report
C.Risk register dashboard
D.Key risk indicators report
C is the correct answer.
Justification
Risk response is a component of the risk register and would not present a complete picture to executive management.
An emerging risk report would not be included as part of a presentation to executive management and the board of directors.
A risk register dashboard would provide a comprehensive overview of the risk profile of the enterprise.
A key risk indicators report is only one component of the risk register dashboard.
The presentation of a risk report should be PRIMARILY tailored to the:
A.risk rating.
B.target audience.
C.scope of activities.
D.threat levels.
B is the correct answer.
Justification
The risk rating should be stated in the presentation. However, the risk report presentation should be tailored to the target audience.
The purpose of risk reporting is to allow informed decisions to be made and appropriate actions to be taken. Risk reporting can take a variety of forms, from structured email to integrated governance, risk and compliance systems. In some cases, personal meetings with stakeholders are appropriate. Each audience is different, and the format of a risk report should be tailored to the target audience to ensure that the information is presented so that it can be understood and used.
The purpose of risk reporting is to allow informed decisions to be made and appropriate actions to be taken. Different audiences prefer or require different levels of detail. The format of a risk report should be tailored to the target audience.
The purpose of risk reporting is to allow informed decisions to be made and appropriate actions to be taken. Different audiences have varying degrees of concern regarding the threat levels that drive associated risk. The format of a risk report should be tailored to the target audience.
The PRIMARY objective of risk reporting is to:
A.keep stakeholders informed and reduce the level of enterprise risk.
B.provide the risk owner with information to initiate risk response.
C.control the threat environment by limiting the potential consequences.
D.guarantee the open sharing of information related to enterprise risk.
B is the correct answer.
Justification
Keeping stakeholders informed is part of any reporting process. Risk reporting is completed to meet regulatory compliance and inform risk owners and senior leadership of the results of assessments and what actions may be required; emerging threats; and the status of existing indicators, controls and remediation efforts. Reporting does not directly reduce enterprise risk but is the basis for risk mitigation. The decision to mitigate a reported risk depends on the relationship of the risk to the enterprise’s risk appetite and tolerance.
The risk owner is accountable for properly managing any given risk to an acceptable level, which is based on the enterprise’s risk appetite and tolerance. Risk reporting provides the risk owner with a summary of the risk assessment results (in accordance with regulatory requirements) and highlights areas that require attention by the risk owner. In particular, reporting highlights areas where corrective action is necessary, such as controls out of line with control objectives, control thresholds that have been exceeded, or controls that are not adequate to meet current or emerging regulatory requirements.
Risk reporting does not directly control the threat environment by limiting the potential consequences. Risk reporting may be used as the basis for risk mitigation, but the two are distinct. Within the context of mitigation, threat and consequences are also distinct components. Neither can be used to influence the other, nor is either typically addressed as the primary focus of mitigation. The risk component that is most clearly under an enterprise’s control is vulnerability.
Risk reporting cannot guarantee the open sharing of information related to enterprise risk—quite the opposite. Risk information should be known and communicated only to those parties with a genuine need. A risk register with all documented risk is not public information and should be properly protected against internal and external parties with no need for it.
Which of the following controls protects the integrity of the event logs on a stand-alone logging system?
A.Users must be authenticated in order to gain read-access to the event logs.
B.The event logging system is configured to have a mirror system in a remote data center.
C.The event logging system changes are administered under dual control.
D.The event logs are written directly to a shared network drive.
C is the correct answer.
Justification
Requiring users to authenticate in order to gain read-access to the event logs improves the confidentiality of the data; it does not protect integrity because it is relevant only to read-access.
Configuring the event logging system to have a mirror system in a remote data center improves the availability of the data but not its integrity, because the event logging system would immediately copy unauthorized changes to the mirror system.
Administering changes to the event logging system under dual control protects data integrity by reducing the likelihood that a single actor would be able to perpetrate an unauthorized modification of system configurations or records.
Writing the event logs directly to a shared network drive does not improve integrity because the log data would be publicly writable.
During which stage of the overall risk management process is the cost-benefit analysis PRIMARILY performed? During the:
A.initial risk assessment
B.information asset classification
C.definition of the risk profile
D.risk response selection
D is the correct answer.
Justification
The cost-benefit analysis is performed not only once, but every time controls need to be decided, which can happen many times over a risk management life cycle.
In information asset classification, levels are assigned based on the importance of the asset that needs protection, and not based on cost-benefit analysis.
The risk profile is defined based on threats and vulnerabilities and what risk needs to be addressed. At this point, no cost-benefit analysis is required, since it should be performed while selecting between different control options or when deciding to select a specific control.
During risk response selection, a range of controls that can mitigate the risk will be identified; the cost-benefit analysis in this process will help identify the right controls to address the risk at acceptable levels within the budget.
Which of the following categories of information security controls addresses a deficiency or weakness in the control structure of an enterprise?
A.Corrective
B.Preventive
C.Compensating
D.Directive
C is the correct answer.
Justification
Corrective controls, such as backups, allow recovery after a violation is detected.
Preventive controls, such as authentication, reduce or eliminate the probability of a violation occurring.
Compensating controls are deployed to mitigate risk to an acceptable level when a requirement cannot be met explicitly through remediation due to a legitimate technical or business constraint. An example of a compensating control is adding multiple challenge-response instances to compensate for an inability to implement multifactor authentication.
Directive controls, such as policies, specify what actions are and are not permitted.
A healthcare enterprise has implemented role-based access controls for its users on systems that manage patient data. Which of the following statements BEST describes how the control reduces risk to the enterprise?
A.The control reduces the probability and impact of an insider attack event.
B.The control reduces the impact of reputation damage in the event of a successful breach.
C.The control reduces the probability and impact of an outsider attack event.
D.The control reduces the probability that a sensitive report will be delivered to the wrong recipient.
A is the correct answer.
Justification
Role-based access controls address the amount of sensitive data available to users (thereby minimizing impact) and the number of attack vectors (thereby lowering probability).
The control is not designed to reduce risk after a breach.
The control is not designed to reduce risk events related to an outsider attack.
Although the control might reduce the impact of an accidental-disclosure event, it does not reduce the probability.