Questions Flashcards

1
Q

Risk policy items should include (multiple choice):

a) Scope and authority tied to risk appetite or tolerance
b) Stakeholder roles and responsibilities
c) Examples of how to process
d) Consequences
e) Always assign responsibility to IT management
f) KPIs for measuring compliance with the policy
g) Exception handling

A

a) Scope and authority tied to risk appetite or tolerance
b) Stakeholder roles and responsibilities
f) How policy compliance is checked and measured
d) Consequences of failing to comply with the policy
g) Means for handling policy exceptions

2
Q

Which of the following statements BEST describes the relationship between threats and vulnerabilities?

a) Threats are aimed at exploiting vulnerabilities
b) Threats and vulnerabilities both represent control weaknesses
c) Threats are initiated externally, while vulnerabilities exist internally

A

a) CORRECT. Threats are aimed at exploiting vulnerabilities, which are control conditions that are deemed deficient relative to the requirements of the threat levels faced by the enterprise.
b) INCORRECT. Vulnerabilities alone are control conditions that are deemed deficient relative to the requirements of the threat levels faced by the enterprise.
c) INCORRECT. Threats can be external or internal, while vulnerabilities exist within the IT system.

3
Q

The risk of a sudden and impactful change in customer preferences for an enterprise’s core products is a primary example of

a) Strategic risk
b) Operational risk
c) Market Risk

A

a) CORRECT. Strategic risk involves an enterprise's future business plans and strategies. A sudden and impactful change in customer preferences for an enterprise's core products would represent a risk to these future plans and strategies, either positively or negatively.

4
Q

Which of the following I&T-related activities is part of the second line of defense within a good governance structure?

A) Establishing I&T controls to mitigate risk
B) Monitoring I&T control effectiveness
C) Managing I&T-related risk

A

A) INCORRECT. This is the first line.
B) CORRECT. Monitoring I&T control effectiveness.
C) INCORRECT. This is part of the first line.

5
Q

Which of the following documents empowers risk management and clearly describes how IT will be governed and managed within an enterprise?

A) IT standard
B) IT procedure
C) IT policy

A

A) INCORRECT. A standard is a mandatory requirement; standards are implemented to comply with the requirements and direction of an IT policy, in order to limit risk and support efficient business operation.
B) INCORRECT. An IT procedure contains detailed descriptions of the steps of operations needed to comply with the standards.
C) CORRECT. An IT policy empowers risk management and should clearly state the position of senior management toward the protection of information, which allows the development of procedures, standards and baselines that reflect management priorities.

6
Q

Match letters with numbers.
A) An improved understanding of operational I&T-related risk, an important component of an overall I&T risk management framework
B) An improved understanding of I&T-related risk and its significance in investment and portfolio management
C) A more informed assessment of an enterprise's approach to I&T risk management

1) CFO
2) Regulators
3) IT Service Managers

A

A) An improved understanding of operational I&T-related risk, an important component of an overall I&T risk management framework MATCHES 3) IT Service Managers

B) An improved understanding of I&T-related risk and its significance in investment and portfolio management MATCHES 1) CFO

C) A more informed assessment of an enterprise's approach to I&T risk management MATCHES 2) Regulators

7
Q

Place in order:

A- Monitoring, reporting and communicating to senior management
B- Identification of assets and common risk factors, and documenting risk
C- Context setting
D- Response and mitigation
F- Analysis. Qualitative and quantitative analysis of impact and probability
G- Assessment. Assess and prioritize risk

A

C- Context setting
B- Identification of assets and common risk factors, and documenting risk
G- Assessment. Assess and prioritize risk
F- Analysis. Qualitative and quantitative analysis of impact and probability
D- Response and mitigation
A- Monitoring, reporting and communicating to senior management

8
Q

The selection of items included in the risk activities is generally based on understanding the full risk universe and then selecting the specific part of the enterprise to which the risk activities will be applied. This is often referred to as:

A) Risk policy
B) Risk mitigation
C) Risk management
D) Risk scope

A

D)Risk scope

9
Q

Which of the following defines, at the strategic, tactical and operational levels, how the risk of an enterprise needs to be governed and managed pursuant to its business objectives?

A) Information security policy
B) Core IT risk policy
C) Crisis policy
D) Continuity policy

A

B)Core IT risk policy

10
Q

Which of the following has governance authority over I&T risk management?

A) Board of directors
B) Risk management
C) Business management
D) Senior management

A

A)Board of directors

11
Q

Identify the most common business risk types. Select all that apply:

A) Administrative
B) External
C) Compliance
D) Strategic
F) Environmental
D) Market

A

C) Compliance
D) Strategic
F) Environmental
D) Market

12
Q

Which of the following is one of the four levels of risk?

A) Strategic
B) Regulatory
C) Management

A

A)Strategic

13
Q

What is an example of the first line of defense? Select all that apply.

A) IT governance
B) Risk IT
C) Information security
D) Internal audit

A

A) IT governance
C) Information security

14
Q

What is an example of the second line of defense? Select all that apply.

A) Compliance IT
B) Risk IT
C) Information security
D) Internal audit

A

A) Compliance IT
B) Risk IT

15
Q

What is NOT an example of a managerial control?

a) Policy and procedures
b) Compliance reporting
c) Passwords and antivirus software

A

c) Passwords and antivirus software

16
Q

Which of the following approaches to risk governance could result in an enterprise NOT taking risk that unintentionally exposes parts of the enterprise?

A) Establishing a risk governance function to oversee the operations of risk management activities
B) Enforcing a departmental approach to risk, where each department manages risk independently of other departments
C) Making risk decisions only after evaluating the full range of opportunities and consequences of each decision and its impact on the enterprise

A

A) INCORRECT. As part of establishing and maintaining a common view of risk, the risk governance function must oversee the operations of the risk management team.
B) CORRECT. Taking a departmental approach to risk could lead to unacceptable consequences. There must be an understanding that risk in one department or system may pose an unacceptable risk to another department or system, which requires the integration of risk management across the enterprise.
C) INCORRECT. Making risk decisions only after evaluating the full range of opportunities and consequences of each decision and its impact on the enterprise.

17
Q

In effective governance and management of I&T-related risk, responses are implemented and prioritized:

A) According to the ease of developing new controls, over considering existing controls
B) Based on a cost/benefit analysis, or where there can be the greatest impact
C) Independently of the enterprise's stated risk

A

B) CORRECT. Based on a cost/benefit analysis, or where there can be the greatest impact.

18
Q

A risk-aware culture:

A) Ensures that acceptable levels of risk are understood and maintained
B) Restricts discussion of risk to only those responsible for managing risk
C) Allows business units to voice their complaints when other business units are not meeting expectations

A

A) CORRECT. A risk-aware culture ensures that acceptable levels of risk are understood and maintained.
B) INCORRECT.
C) INCORRECT. Allowing business units to voice their complaints when other business units are not meeting expectations is not a feature of a risk-aware culture. A risk-aware culture should avoid blame, because blame inhibits relevant and efficient communication and fails to foster collaboration throughout the enterprise.

19
Q

Risk scoping is used to focus risk management activities on:

A) The full risk universe that an enterprise is subject to
B) Potential high-impact risk areas throughout the enterprise
C) Only risk that the enterprise has the ability to influence

A

B) CORRECT. Potential high-impact risk areas throughout the enterprise.

20
Q

A(n) _______ creates an understanding of risk, risk factors and the various types of risk that an enterprise faces.

A) Vulnerability assessment
B) Risk awareness program
C) Intrusion detection system

A

B) Risk awareness program


21
Q

Vulnerabilities that may be identified by an assessment include which of the following? Select all that apply:

A) Network vulnerabilities
B) Disruption to utilities
C) Insecure applications
D) Access controls
E) Untrained personnel

A

ALL:
A) Network vulnerabilities
B) Disruption to utilities
C) Insecure applications
D) Access controls
E) Untrained personnel

22
Q

The use of risk scenarios can enhance the risk management effort by helping the risk team to ___.

A) Ensure that the business objectives remain achievable
B) Identify all possible outcomes related to risk
C) Understand and explain risk to the business process owner and the other stakeholders

A

C) Understand and explain risk to the business process owner and the other stakeholders

23
Q

Which of the following risk events are key to developing risk scenarios? Select all that apply.

a) Changes in the marketplace
b) Supply chain failures
c) Changes in personnel
d) Changes in government or leadership
e) Governing regulations

A

a) Changes in the marketplace
b) Supply chain failures
d) Changes in government or leadership

24
Q

When establishing a process for the valuation of IT assets, it is MOST important to:

a) Establish an approach to prioritize IT assets
b) Determine a highly accurate value for all IT assets
c) Assemble a complete inventory of all IT assets
d) Assign both qualitative and quantitative values to IT assets

A

a) Establish an approach to prioritize IT assets

25
Q

Which of the following statements pertaining to threat actors is TRUE?

a) Every threat requires a threat actor
b) Threat actors refer exclusively to humans
c) Threat actors include competitors and regulators
d) Threat actors that lack threats still pose a significant risk

A

c) Threat actors include competitors and regulators

26
Q

A vulnerability assessment:

A) Identifies how specific vulnerabilities expose IT assets
B) Only renders data where a vulnerability exists
C) Uses known vulnerabilities to confirm exposures
D) Discovers potential points of compromise or weakness

A

D) Discovers potential points of compromise or weakness

27
Q

As it pertains to an enterprise's IT platform, which of the following situations would cause the GREATEST concern and risk?

A) The IT platform is managed by a service provider
B) The IT platform has been hardened
C) The IT platform utilizes a legacy system and applications
D) The enterprise's IT infrastructure is decentralized across multiple locations

A

C) The IT platform utilizes a legacy system and applications

28
Q

The use of risk scenarios is MOST effective when they:

A) Include all potential risk events that an enterprise may encounter
B) Exclusively utilize actual past risk events that an enterprise has experienced
C) Are developed independently of business objectives and impacts to the enterprise
D) Only focus on real and relevant potential risk events that an enterprise may encounter

A

D) Only focus on real and relevant potential risk events that an enterprise may encounter

29
Q

Which of the following activities is MOST often associated with I&T-related risk analysis?

A. I&T-related risk scenarios are catalogued.
B. The frequency and impact of the I&T-related risk scenarios are estimated.
C. IT controls that provide mitigation for similar risk types are documented.

A

B. Risk analysis is the process by which the frequency and magnitude of the I&T-related risk scenarios are estimated. As part of the evaluation of risk, an analysis of the individual scenarios is necessary to determine the probability of a particular event, taking into account the frequency of the risk scenarios.

30
Q

A risk scenario utilizes a measure of the rate at which events occur over a certain period of time. This measure is known as:

A. Magnitude
B. Frequency
C. Impact

A

B. Frequency is a measure of the rate at which events occur over a certain period of time.

31
Q

A quantitative risk analysis approach is MOST likely to be chosen when:

A. Financial resources to conduct an analysis are limited.
B. A cost-benefit analysis is required.
C. Reputation and employee morale are being quantified.

A

B. A quantitative approach is particularly suited to cost-benefit analysis, because risk that can be mapped to monetary values can easily and directly be compared to the cost of the various risk responses.

32
Q

A risk register is MOST likely to include:

A. A list of control deficiencies discovered during a penetration test
B. Missing software patches on a server
C. A statement describing insiders taking advantage of credentials to exfiltrate data

A

C. A risk register should contain statements of risk, such as a statement describing insiders taking advantage of credentials to exfiltrate data.

33
Q

The use of a firewall to block all traffic on ports that are known to be associated with malicious tools is what type of control?

A. Preventive
B. Detective
C. Compensating

A

A. The use of a firewall to block all traffic on ports that are known to be associated with malicious tools is a preventive control. The purpose of a preventive control is to keep something from happening, for example to protect the enterprise from a successful attack.

34
Q

SELECT ALL THAT APPLY: What does a risk assessment report contain?

A- Cost/benefit analysis
B- Methodology used
C- Internal factors or limitations
D- Resources and references
E- Assumptions
F- Stakeholder feedback
G- Unknown factors
H- Existing issues

A

B- Methodology used
C- Internal factors or limitations
D- Resources and references
E- Assumptions
G- Unknown factors
H- Existing issues

35
Q

A risk register provides insight into which of the following? SELECT ALL THAT APPLY:

A. Status of risk mitigation efforts
B. Assets in use across the enterprise
C. Future investment opportunities
D. Emergence of newly documented risk
F. Outstanding risk issues

A

A. Status of risk mitigation efforts
D. Emergence of newly documented risk
F. Outstanding risk issues

36
Q

Fill in the blank. When considering I&T-related risk, each risk should be evaluated or _______.

A. Registered and tracked
B. Presented to executives
C. Intentionally bypassed

A

C. Intentionally bypassed

37
Q

A control owner is which of the following? SELECT ALL THAT APPLY

A. Has the authority and accountability for control and risk-management-related decisions
B. Is responsible for ensuring the control is implemented and is operating effectively and efficiently
C. Provides support to the business and stakeholders as custodian for implemented controls

A

A. Has the authority and accountability for control and risk-management-related decisions
B. Is responsible for ensuring the control is implemented and is operating effectively and efficiently

38
Q

Which of the following activities is MOST often associated with I&T-related risk analysis?

A. I&T-related risk scenarios are cataloged and documented
B. The frequency and impact of I&T risk scenarios are estimated
C. IT controls that provide mitigation for similar risk types are documented

A

B. The frequency and impact of I&T risk scenarios are estimated

39
Q

A risk scenario utilizes a measure of the rate at which events occur over a certain period of time. This measure is known as:

A. Magnitude
B. Impact
C. Frequency

A

C. Frequency

40
Q

A risk map is MOST useful for:

A. Making decisions about risk actions
B. Quantifying risk
C. Ranking and displaying risk

A

C. Ranking and displaying risk. It defines probability and magnitude

41
Q

A risk response strategy that embeds risk awareness activities into the regular business workflow, so that they become part of the regular course of daily activities, is an example of risk:

A. Mitigation
B. Transfer
C. Avoidance

A

A. Mitigation

42
Q

Which of the following is the MOST important consideration when choosing to implement a new control?

A. The type of controls that the enterprise currently utilizes
B. The intended effectiveness of the new control
C. The number of business processes that the new control will address

A

B. The intended effectiveness of the new control.

43
Q

Which of the following is MOST likely to have a negative impact on an enterprise's ability to secure evidence after an incident has occurred?

A. Attempting to get affected systems and operations back into normal service as quickly as possible
B. Using an internal response team to collect and secure evidence
C. Using external resources to collect and secure evidence

A

A. Attempting to get affected systems and operations back into normal service as quickly as possible

44
Q

Residual risk is risk that exists:

A. After management has implemented a response to new risk
B. At the moment, with existing risk responses applied
C. Before any risk response has been applied

A

A. After management has implemented a response to new risk

45
Q

A quick-win risk response option will MOST likely be chosen when addressing:

A. Long-term, high-impact risk
B. Short-term, low-impact risk
C. Short-term, high-impact risk

A

C. Short-term, high-impact risk

46
Q

Risk monitoring focuses on:

A- Observing and assessing potential risk events
B- Selecting metrics that exceed risk tolerance
C- Measuring and assessing current risk

A

A- INCORRECT. Risk monitoring covers not only potential risk events but also threat events and vulnerability events.
C- CORRECT.

47
Q

Which of the following are components used to help rank risk?

A- Characteristics and capabilities of the threat source
B- Frequency and regularity of necessary updates
C- Control dependencies within enterprise processes
D- Likelihood of attack success after considering controls
E- Impact on the enterprise of a successful attack

A

A- Characteristics and capabilities of the threat source
D- Likelihood of attack success after considering controls
E- Impact on the enterprise of a successful attack

48
Q

When choosing KRIs for different stakeholders, it is MOST important to consider their:

A- Process and IT resource constraints
B- Needs and view of I&T-related risk
C- Budget and third-party contract obligations

A

B- Needs and view of I&T-related risk