Sample Exam 2 Flashcards

1
Q

Which of the following is the GREATEST challenge of performing a quantitative risk analysis?

A. Obtaining accurate figures on the impact of a realized threat
B. Obtaining accurate figures on the value of assets
C. Calculating the annual loss expectancy of a specific threat
D. Obtaining accurate figures on the frequency of specific threats

A

D is the correct answer.

Justification
The impact of a threat can be determined based on the type of threat that occurs.
The value of an asset should be easy to ascertain.
Annual loss expectancy will not be difficult to calculate if you know the correct frequency of threat occurrence.
It can be challenging to obtain an accurate figure representing the frequency of threat occurrence.

2
Q

The PRIMARY reason to verify the completion of a risk mitigation response is to:

A. confirm that residual risk is within acceptable thresholds.
B. verify that vulnerabilities are no longer exploitable.
C. maintain an accurate risk profile and inventory.
D. manage and report on the status of risk action plans.

A

A is the correct answer.

Justification
The primary reason to verify the completion of the risk mitigation response is to confirm that residual risk is within acceptable thresholds or to plan for further action if it is not.
Verifying if vulnerabilities are no longer exploitable is not the primary reason to verify completion of a risk mitigation response as new exploits continuously emerge.
Accuracy of the risk register is not the primary reason for monitoring residual risk.
Risk reporting is not the primary reason to verify residual risk and its impact to the enterprise.

3
Q

A PRIMARY reason for initiating a policy-exception process is:

A. the risk is justified by the benefit.
B. policy compliance is difficult to enforce.
C. operations are too busy to comply.
D. users may initially be inconvenienced.

A

A is the correct answer.

Justification
Exceptions to policies are warranted if the benefits outweigh the costs of policy compliance; however, the enterprise needs to assess both the tangible and intangible risk and evaluate both in the context of existing risk.
Difficulty in enforcement does not justify policy exceptions.
Lack of resources to achieve compliance does not justify policy exceptions.
User inconvenience does not warrant an automatic exception to a policy.

4
Q

The board of directors wants to know the financial impact of specific, individual risk scenarios. What type of approach is BEST suited to fulfill this requirement?

A. Delphi method
B. Quantitative analysis
C. Qualitative analysis
D. Financial risk modeling

A

B is the correct answer.

Justification
The Delphi method is a forecasting method based on expert opinions that are gathered over several iterations of anonymous surveys.
A quantitative approach to risk evaluations would be the best approach because it is formula-based and puts a monetary amount on the potential loss resulting from a risk scenario, which is of most interest to senior management.
Qualitative analysis does not quantify the risk and loss in numbers and therefore is not the best option.
Financial risk modeling determines aggregate risk in a financial portfolio. It is generally not used to provide the financial impact of individual risk scenarios.
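
Worked example (added here; it is not part of the original flashcard set) for the quantitative analysis referred to in questions 1 and 4: single loss expectancy (SLE) is asset value times exposure factor, annual loss expectancy (ALE) is SLE times the annualized rate of occurrence (ARO), and return on security investment (ROSI) compares the ALE a control avoids with its annual cost. The scenario figures, the control cost and the risk-reduction factor are constructed for illustration. The sensitivity function shows the point made in question 1: with everything else held fixed, the threat-frequency estimate alone decides whether the control is worth buying.

```python
# Added example: quantitative analysis of one risk scenario and a check of how
# sensitive the control decision is to the threat-frequency (ARO) estimate.
# All figures below are constructed illustrative numbers.

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float       # monetary value of the asset at risk
    exposure_factor: float   # fraction of asset value lost per event (0..1)
    aro: float               # annualized rate of occurrence (events per year)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def return_on_security_investment(s: Scenario, control_cost: float,
                                  risk_reduction: float) -> float:
    """ROSI = (ALE avoided - annual control cost) / annual control cost.
    risk_reduction is the fraction of ALE the control removes (0..1)."""
    avoided = annual_loss_expectancy(s) * risk_reduction
    return (avoided - control_cost) / control_cost


def break_even_aro(s: Scenario, control_cost: float, risk_reduction: float) -> float:
    """Smallest ARO at which the control exactly pays for itself (ROSI == 0)."""
    return control_cost / (single_loss_expectancy(s) * risk_reduction)


def frequency_sensitivity(s: Scenario, control_cost: float, risk_reduction: float,
                          aro_candidates) -> dict:
    """Recompute ROSI under alternative ARO estimates with asset value, exposure
    factor, control cost and effectiveness held fixed. Returns {aro: rosi};
    the buy/don't-buy decision flips where the sign changes."""
    return {
        aro: return_on_security_investment(
            Scenario(s.asset_value, s.exposure_factor, aro),
            control_cost, risk_reduction)
        for aro in aro_candidates
    }


if __name__ == "__main__":
    # Constructed scenario: a database server valued at 500,000 that loses 40%
    # of its value per ransomware event; best estimate is one event per 5 years.
    base = Scenario(asset_value=500_000, exposure_factor=0.4, aro=0.2)
    control_cost = 30_000     # assumed annual cost of the proposed control
    risk_reduction = 0.8      # assumed: control removes 80% of expected loss
    print("SLE:", single_loss_expectancy(base))
    print("ALE:", annual_loss_expectancy(base))
    print("ROSI:", round(return_on_security_investment(base, control_cost, risk_reduction), 3))
    print("break-even ARO:", break_even_aro(base, control_cost, risk_reduction))
    for aro, rosi in frequency_sensitivity(base, control_cost, risk_reduction,
                                           (0.05, 0.1, 0.2, 0.5)).items():
        print(f"ARO={aro}: ROSI={rosi:+.2f}")
```

With these constructed numbers the control is marginally positive at the best-estimate ARO of 0.2 but loses money if the true frequency is 0.1 or lower; the break-even ARO of 0.1875 sits inside the range a reasonable analyst might give, which is why obtaining an accurate frequency figure is the hard part of the exercise.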

5
Q

Which of the following practices BEST mitigates the risk associated with outsourcing a business function?

A. Performing audits to verify compliance with contract requirements
B. Requiring all vendor staff to complete annual awareness training sessions
C. Retaining copies of all sensitive data on internal systems
D. Reviewing the financial records of the vendor to verify financial soundness

A

A is the correct answer.

Justification
When an outsourcing relationship is established, the risk of noncompliance with the agreement must be met through review, monitoring and enforcement of the contract terms. Therefore, conducting regular audits to verify that the vendor is compliant with contract requirements is an important practice to mitigate the outsourcing risk.
Requiring the vendor’s staff to complete annual awareness training sessions would not provide the same level of mitigation as the verification of adherence to contract requirements.
Keeping copies of all sensitive data is an unnecessary expenditure and may result in errors or inconsistencies with data stored at the vendor site. In addition, duplicating sensitive data makes the enterprise liable for protecting data in two or more locations and increases the possibility of inappropriate access or data leakage.
Although it is common practice to review financial solvency before selecting a vendor to ensure that the vendor can function without the threat of liquidation for the foreseeable future, reviewing solvency is not the best practice to address risk related to outsourcing an IT or business function.

6
Q

Which of the following is an effective monitoring process to ensure a third party is performing in accordance with contract requirements?

A. Review independent audit reports
B. Review the third party’s service level agreements
C. Review the number of third party security-related incidents
D. Ongoing third-party oversight

A

D is the correct answer.

Justification
Reviewing audit reports is only one aspect of the process. Third-party management encompasses more than audit reports.
The service level agreement is one of many ways to measure contractual compliance.
Reviewing the number of incidents is only one aspect of the ongoing monitoring process.
Third-party management should be an ongoing process that monitors for compliance with agreements, adequate insurance coverage, business continuity tests, results of independent audits, and policy reviews.

7
Q

The criticality of an IT infrastructure element can be quantified based on:

A. audit logs.
B. thresholds.
C. dependencies.
D. replacement cost.

A

C is the correct answer.

Justification
Audit logs are a monitoring mechanism, not a basis for selection.
Thresholds are used as a means of limiting the number of events that draw attention, helping to avoid the noise that can be generated by an overwhelming number of false positives, while ensuring that events deserving attention are not overlooked. They apply to elements that have already been selected for monitoring.
One way to identify the criticality of a system, process or capability is to quantify the number and type of systems, processes and capabilities that depend on its continued operation. In general, a system on which many other things depend is critical even if the individual importance of any one of the elements that it supports is relatively low.
Replacement cost is not an effective means of identifying elements for monitoring because the importance of a particular element within an overall IT infrastructure to the enterprise as a whole typically goes far beyond the direct cost associated with the element’s purchase, installation and maintenance.
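
Worked example (added here; not part of the original flashcard set) of quantifying criticality by dependencies, as the justification above describes: invert the "X depends on Y" map, count how many elements transitively depend on each one, and rank. The infrastructure elements and their dependency map are constructed for illustration. It shows the point that a low-cost element such as DNS can be the most critical thing in the estate purely because of what sits on top of it.

```python
# Added example: rank infrastructure elements by the number of elements that
# transitively depend on them. The dependency map is constructed, not from
# the page or any real environment.

from collections import defaultdict, deque

# Constructed sample: element -> set of elements it depends on.
SAMPLE_DEPENDS_ON = {
    "payroll-app": {"erp-db", "ldap"},
    "erp-db": {"san", "ldap"},
    "hr-portal": {"ldap", "web-proxy"},
    "mail": {"ldap", "dns"},
    "web-proxy": {"dns"},
    "ldap": {"dns"},
    "san": set(),
    "dns": set(),
}


def dependents_graph(depends_on):
    """Invert 'X depends on Y' into 'Y is depended on by X'."""
    dependents = defaultdict(set)
    for element, deps in depends_on.items():
        dependents.setdefault(element, set())   # keep leaf elements in the map
        for dep in deps:
            dependents[dep].add(element)
    return dict(dependents)


def transitive_dependents(element, dependents):
    """Breadth-first walk over the inverted graph; the seen set guards against
    cycles, which do occur in real infrastructure maps."""
    seen = set()
    queue = deque(dependents.get(element, ()))
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(dependents.get(cur, ()))
    seen.discard(element)
    return seen


def criticality_ranking(depends_on, weights=None):
    """Return [(element, (dependent_count, dependent_weight)), ...] sorted most
    critical first. weights (optional) assigns a business-importance score per
    element so that what depends on an element, not just how much, counts;
    the default weight of 1 makes the ranking purely structural."""
    weights = weights or {}
    dependents = dependents_graph(depends_on)
    scores = {}
    for element in dependents:
        downstream = transitive_dependents(element, dependents)
        scores[element] = (len(downstream),
                           sum(weights.get(d, 1) for d in downstream))
    return sorted(scores.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))


if __name__ == "__main__":
    for element, (count, weight) in criticality_ranking(SAMPLE_DEPENDS_ON):
        print(f"{element:12s} dependents={count} weighted={weight}")
    # Same ranking with payroll-app given a business-importance weight of 5:
    print(criticality_ranking(SAMPLE_DEPENDS_ON, weights={"payroll-app": 5})[:2])
```

In the constructed map DNS has no direct business value of its own and would be cheap to replace, yet six of the eight elements stop working without it, so it ranks first; the ranking is what you would feed into the selection of elements to monitor, with thresholds applied afterwards.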

8
Q

Which of the following processes is MOST critical for prioritizing actions in a business continuity plan?

A. Risk assessment
B. Vulnerability assessment
C. Business impact analysis
D. Business process mapping

A

C is the correct answer.

Justification
Risk assessment provides information on the likelihood of occurrence of security incidents. It assists in the selection of countermeasures but not in the prioritization of actions.
A vulnerability assessment provides information regarding the security weaknesses of the system and supports the risk identification process.
The business impact analysis is the most critical process for deciding which part of the information system/business process should be given priority in case of a security incident that may lead to business disruption.
Business process mapping does not help in decision-making, but it does help in implementing a decision.

9
Q

Which of the following BEST helps the risk practitioner identify IS control deficiencies?

A. An IT control framework
B. Defined control objectives
C. A countermeasure analysis
D. A threat analysis

A

B is the correct answer.

Justification
An IT control framework is generic, and reviewing it does not help in identifying IS control deficiencies.
Defined control objectives state what each control is expected to achieve, based on the risk assessment and the business requirements; comparing what a control actually achieves against its stated objective is what reveals a deficiency.
A countermeasure analysis evaluates the countermeasures deployed in response to a perceived threat (additional controls acting as countermeasures). It does not, however, help to identify IS control deficiencies.
A threat analysis identifies the various threats affecting the systems and assets and does not help to identify IS control deficiencies.

10
Q

Which of the following objectives is the PRIMARY reason that risk professionals conduct risk assessments?

A. To maintain the enterprise’s risk register
B. To enable management to choose the right risk response
C. To provide assurance on the risk management process
D. To identify risk with the highest business impact

A

D is the correct answer.

Justification
The maintenance of the risk register is part of the ongoing risk assessment process.
Management chooses the right risk response strategy based on risk analysis. A risk assessment itself is not sufficient to make educated risk response decisions.
Assurance on risk management is not the main reason risk assessment is performed by the risk professional.
All decisions should be taken in the context of business impact. For each action to be taken, consideration ultimately must be given to its positive or negative impact on the business.

11
Q

Which of the following types of risk is high for projects that affect multiple business areas?

A. Control risk
B. Inherent risk
C. Compliance risk
D. Residual risk

A

B is the correct answer.

Justification
Control risk may be high, but it would follow from failure to identify, evaluate or test internal controls, not from the number of users or business areas affected.
Inherent risk normally grows as the number of users and business areas that may be affected increases. Inherent risk reflects risk or exposure without accounting for mitigating action by management. It is often higher whenever multiple parties may have conflicting responsibilities for a business process.
Compliance risk reflects the penalty applied to current and future earnings for nonconformance to laws and regulations; number of users and affected business areas will not necessarily increase compliance risk.
Residual risk is risk that persists after management implements a risk response. It is not based on the number of users or business areas affected.

12
Q

Which of the following compensating controls should management implement when a segregation of duties conflict exists because an enterprise has a small IT department?

A. Independent analysis of IT incidents
B. Entitlement reviews
C. Independent review of audit logs
D. Tighter controls over user provisioning

A

C is the correct answer.

Justification
Independent analysis of IT incidents could point to segregation of duties violations. This is not a compensating control but a detective control.
Entitlement reviews are performed to review the access of individuals to ensure they have the proper access for their current role. This review is the responsibility of the data owner and usually occurs at regular intervals. This is not the best way to prevent or detect a segregation of duties conflict.
An independent review of the audit logs would be the best compensating control because someone outside the IT department can validate that no activity exploited segregation of duties.
User provisioning is the process of granting access to an application or system. While a normal part of the provisioning process is to make sure that no segregation of duties conflicts exist, this approach is not practical for the present case due to the small size of the IT department; therefore, tighter controls over user provisioning will be of limited value.
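
Worked example (added here; not part of the original flashcard set) of what the independent review of audit logs in the answer above actually checks: given a log of who did what to which object, find every case where one person performed both halves of a conflicting duty pair on the same object. The log format, the conflicting action pairs and the log lines are constructed for illustration and do not correspond to any real product. The point of the control is that the person running this review sits outside the small IT department that generated the log.

```python
# Added example: independent review of audit logs as a compensating control
# for a segregation-of-duties (SoD) conflict. Log format, toxic pairs and
# sample lines are constructed, not from the page or any real system.

import re
from collections import defaultdict

# Constructed: pairs of actions one person should not perform on the same object.
TOXIC_PAIRS = {
    ("CREATE_USER", "APPROVE_ACCESS"),    # create an account and approve its access
    ("SUBMIT_CHANGE", "DEPLOY_CHANGE"),   # request a change and deploy it
    ("RAISE_PAYMENT", "RELEASE_PAYMENT"), # raise a payment and release it
}

# Constructed log format: "<timestamp> actor=<id> action=<ACTION> object=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$")

# Constructed sample log. The last line is deliberately malformed.
SAMPLE_LOG = """
2024-03-01T09:00:00Z actor=alice action=CREATE_USER object=svc-backup
2024-03-01T09:05:00Z actor=alice action=APPROVE_ACCESS object=svc-backup
2024-03-01T10:00:00Z actor=bob action=SUBMIT_CHANGE object=CHG-1042
2024-03-01T11:00:00Z actor=carol action=DEPLOY_CHANGE object=CHG-1042
2024-03-02T08:30:00Z actor=bob action=SUBMIT_CHANGE object=CHG-1043
2024-03-02T08:31:00Z actor=bob action=DEPLOY_CHANGE object=CHG-1043
this line is not in the expected format
"""


def parse_log(text):
    """Parse log lines into dicts. Malformed lines are returned separately
    rather than dropped: a reviewer must know when the evidence is incomplete."""
    events, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            bad.append(line)
    return events, bad


def find_sod_violations(events, toxic_pairs=TOXIC_PAIRS):
    """Return (actor, object, first_action, second_action) for every case where
    the same actor performed both halves of a toxic pair on the same object.
    Order of the two actions is deliberately ignored: either sequence is a
    conflict for these pairs."""
    done = defaultdict(set)  # (actor, object) -> set of actions performed
    for e in events:
        done[(e["actor"], e["obj"])].add(e["action"])
    findings = []
    for (actor, obj), actions in sorted(done.items()):
        for first, second in sorted(toxic_pairs):
            if first in actions and second in actions:
                findings.append((actor, obj, first, second))
    return findings


def review(text):
    """Run the whole review: returns (findings, malformed_lines)."""
    events, bad = parse_log(text)
    return find_sod_violations(events), bad


if __name__ == "__main__":
    findings, bad = review(SAMPLE_LOG)
    for actor, obj, a, b in findings:
        print(f"SoD conflict: {actor} performed both {a} and {b} on {obj}")
    for line in bad:
        print("unparsed line (log integrity concern):", line)
```

Against the sample log the review flags alice (created and approved the same account) and bob on CHG-1043 (submitted and deployed the same change), while CHG-1042 passes because a second person deployed it. The malformed line is reported as a finding in its own right: if the reviewer cannot parse part of the log, the compensating control has a gap.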

13
Q

Which of the following can be expected when a key control is being maintained at an optimal level?

A. The shortest lead time until the control breach comes to the surface
B. Balance between control effectiveness and cost
C. An adequate maturity level of the risk management process
D. An accurate estimation of operational risk amounts

A

B is the correct answer.

Justification
Even though a key control is in place, it may take time until a breach surfaces if escalation procedures are not adequately set up. Thus, a key control alone does not ensure the shortest lead time for a breach to be communicated to management.
Maintaining controls at an optimal level translates into a balance between control cost and derived benefit.
Measurement of the maturity level in risk management may depend on the function of key controls. However, the key control is not the major driver to assess the maturity of risk management.
The key control does not directly contribute to the accurate estimation of operational risk amounts. Maintenance of an incident database and the application of statistical methods are essential for the estimation of operational risk.

14
Q

Which of the following factors determines the acceptable level of residual risk in an enterprise?

A. Management discretion
B. Regulatory requirements
C. Risk assessment results
D. Internal audit findings

A

A is the correct answer.

Justification
Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, enterprise management may decide to accept risk. The target risk level for a control is, therefore, subject to management discretion.
Failure to comply with regulatory requirements has consequences, but those consequences are considered in the context of enterprise risk. In some cases, the cost of failure to comply may be lower than the cost of compliance; in this case, management may decide to accept the risk.
The acceptable level of residual risk is determined by management and is not dependent on the results of the risk assessment.
The results of an internal audit determine the actual level of residual risk within a specific audit scope, but whether this level is acceptable is fundamentally a management decision.

15
Q

What should be performed FIRST when establishing the IT risk framework of an enterprise?

A. Setting accountabilities and responsibilities for risk
B. Articulating the financial risk appetite for the enterprise
C. Allocating control owners for critical information systems
D. Endorsing a risk matrix that specifies risk tolerances

A

A is the correct answer.

Justification
Without ownership and accountability, the risk framework will not be driven forward.
A financial risk appetite is important, but its articulation is not the first step in establishing the IT risk framework, which must set accountabilities and ownership to be effective. Furthermore, the risk appetite will require interpretation and translation into the IT domain.
Ownership of critical systems is a subset of overall accountability, without which the IT risk framework could not be complete or enforceable.
Risk matrices are not required for risk assessments and risk frameworks (especially those emphasizing risk tolerance).

16
Q

Which of the following is the GREATEST benefit of a risk-aware culture?

A. Issues are escalated when suspicious activity is noticed.
B. Controls are double-checked to anticipate any issues.
C. Individuals communicate with peers for knowledge sharing.
D. Employees are self-motivated to learn about costs and benefits.

A

A is the correct answer.

Justification
Management benefits most from an escalation process because risk and incidents are reported in a timely manner. Escalation posture among employees is best developed through training and awareness programs.
Double-checking controls is a thorough business practice. It is a basic business stance, so benefit for management may be limited.
Knowledge sharing is an important theme and should be encouraged through awareness programs. However, its benefit to risk management may be indirect.
Encouraging employees to learn is desirable. However, management may not expect awareness programs to emphasize assessment of cost and benefit.

17
Q

Which of the following is the MOST important risk an enterprise must consider when developing a disaster recovery plan?

A. Budgets have not yet been finalized.
B. A business impact analysis has not been conducted.
C. No risk strategy has been established.
D. All employees have not attended disaster recovery training.

A

B is the correct answer.

Justification
A budget is important when developing a disaster recovery plan, but if set without knowledge of what to cover and when, the budget will not be useful.
Without a business impact analysis (BIA), the enterprise does not know what it needs to recover and when it needs to recover it.
A risk strategy is just one part of the BIA.
All employees do not necessarily need to attend training. Employees with a role in key business processes should be trained to know their responsibilities following a disaster.

18
Q

Who is MOST likely responsible for data classification?

A. Data user
B. Data owner
C. Data custodian
D. System administrator

A

B is the correct answer.

Justification
The data user gains access based on justified business need and the approval of the data owner.
The data owner is responsible for classifying data according to the enterprise’s data classification scheme. The classification scheme then defines who is eligible to access the data and what controls are required.
The data custodian is responsible for safe custody, transport and storage of data, including implementation of associated business rules.
System administrators are considered data custodians because they ensure safe custody, transport and storage of data, including implementation of associated business rules.

19
Q

A substantive test to verify that tape library inventory records are accurate involves:

A. determining whether bar code readers are installed.
B. conducting a physical count of the tape inventory.
C. checking whether receipts and issues of tapes are accurately recorded.
D. determining whether the movement of tapes is authorized.

A

B is the correct answer.

Justification
A substantive test involves gathering evidence to evaluate the integrity of individual transactions, data or other information; a compliance test, by contrast, checks whether a control is in place and operating as prescribed. Testing the existence of bar code readers is a compliance test, not a substantive test.
Conducting a physical count of the tape inventory is a substantive test: it produces direct evidence of whether the inventory records are accurate.
Confirming that receipts and issues of tapes are accurately recorded is a compliance test, not a substantive test.
Testing the approval of tape movements is a compliance test, not a substantive test.

20
Q

The implementation of unjustified controls is MOST likely to result in:

A. an increase in residual risk related to the controls.
B. a decrease in residual risk related to the controls.
C. an ineffective monitoring of the related controls.
D. a smaller return on IT investment.

A

D is the correct answer.

Justification
Residual risk related to the controls will neither increase nor decrease as a result of unjustified controls; however, if controls that do not support business objectives are implemented, the enterprise may place its focus on less critical activities.
Monitoring will not be impacted by unjustified controls; rather, monitoring will be performed on controls that do not provide value toward achieving business objectives.
Enterprises that have a large suite of controls that do not relate to their critical objectives have a greater likelihood of decreasing their return on IT investment due to the cost of implementing those controls.

21
Q

Which of the following options BEST ensures that an identified risk is mitigated?

A. Control metrics
B. Control testing
C. Control objective
D. Control ownership

A

B is the correct answer.

Justification
Control metrics will only report on the control’s effectiveness on an ongoing basis. Control metrics do not necessarily trigger immediate remedial actions, although they will be used to determine such actions.
Control testing determines the effectiveness of the controls in achieving their stated objectives, ensuring that the risk is mitigated.
A control objective is only a statement of the desired result or purpose to be achieved by implementing a given control and does not ensure a risk is mitigated.
Control ownership establishes lines of accountability but does not identify whether a risk has been mitigated.

22
Q

Which of the following requirements MUST be met during the initial stages of developing a risk management program?

A. Management establishes ownership of identified risk.
B. Information security policies and standards are established.
C. A management committee exists to provide program oversight.
D. The context and purpose of the program are defined.

A

D is the correct answer.

Justification
Although an important component in the development of any managed program, establishing ownership of identified risk would occur later in the program.
Information security policies and standards are based on the decisions made in the planning phase of the program and are developed based on the outcomes and business objectives established by the enterprise.
Management oversight of the risk management program constitutes a monitoring control developed to ensure that the program meets business objectives. This process is established in later stages of development, after the purpose of the program and the mechanics of its deployment have been established.
Initial requirements to determine the enterprise’s purpose for creating an information security risk management program include determining the desired outcomes and defining objectives.

23
Q

A lack of adequate controls represents:

A. an impact.
B. a risk indicator.
C. a vulnerability.
D. a threat.

A

C is the correct answer.

Justification
Impact measures the financial loss posed by a threat.
A risk indicator is a metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds its defined risk appetite.
The lack of adequate controls represents a vulnerability, exposing sensitive processes and/or data to the possibility of malicious damage, attack, or unauthorized access by hackers. Vulnerabilities can result in loss of sensitive information, financial loss, legal penalties, etc.
A threat is a potential cause or actor behind an adverse incident.

24
Q

Risk assessments should be repeated at regular intervals because:

A. omissions in earlier assessments can be addressed.
B. periodic assessments allow various methodologies.
C. business threats are constantly changing.
D. they help raise risk awareness among staff.

A

C is the correct answer.

Justification
Omissions not found in earlier assessments do not necessarily justify regular reassessments.
Unless the environment changes, risk assessments should be performed using the same methodologies.
As business objectives and methods change, the nature and relevance of threats also change.
There are better ways of raising security awareness than by performing a risk assessment, such as risk awareness training.

25
Q

Which of the following is the MAIN reason senior management monitors and analyzes trends in key control indicators?

A. It provides feedback on the overall control environment.
B. It helps in identifying redundant controls.
C. It proactively identifies impacts to the risk profile.
D. It helps determine if additional controls are required.

A

C is the correct answer.

Justification
The control environment is primarily the responsibility of the operations team, not senior management. Tuning and the related feedback are the responsibility of the operations team.
Identifying redundancy is a design and operations responsibility, not a senior management one.
The primary objective of key control indicators (KCIs) is to ensure that controls actually mitigate risk at an effective level. Analysis of KCI trends provides information on the overall effectiveness of controls and provides management information on the status of risk management.
Determining the need for additional controls is the responsibility of operations, not senior management. KCIs would not necessarily identify the need for additional controls.

26
Q

Which of the following risk response options is MOST likely to increase the liability of the enterprise?

A. Risk acceptance
B. Risk reduction
C. Risk transfer
D. Risk avoidance

A

A is the correct answer.

Justification
An enterprise may choose to accept risk without knowing the correct level of risk that is being accepted; this may result in accusations of negligence.
Risk reduction indicates an attempt to reduce the risk level. It may not be as effective as intended, but is not likely to increase the level of risk.
Risk transfer allocates a portion of risk to another party (e.g., insurance).
Risk avoidance will terminate a process that is considered to have an unacceptable level of risk that cannot be mitigated economically.

27
Q

Purchasing insurance is a form of:

A. risk avoidance.
B. risk mitigation.
C. risk acceptance.
D. risk transfer.

A

D is the correct answer.

Justification
Risk avoidance means that activities or conditions that give rise to risk are discontinued.
Risk mitigation is the management of risk through the use of countermeasures and controls. Risk transfer is one form of risk mitigation.
Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs.
Transferring risk typically involves insurance policies to share the financial risk.

28
Q

Which of the following BEST mitigates control risk?

A. Continuous monitoring
B. An effective security awareness program
C. Effective change management procedures
D. Senior management support for control implementation

A

A is the correct answer.

Justification
Continuous monitoring tests controls on an ongoing basis and so mitigates the risk of a control becoming less effective over time; when monitoring shows that a control is no longer effective, the control is replaced.
An effective security awareness program does not mitigate control risk.
Effective change management procedures alone do not mitigate control risk.
Senior management support will only assist in implementing a new control but does not directly mitigate control risk.

29
Q

Which of the following is BEST addressed by transferring risk?

A. An antiquated fire suppression system in the computer room
B. The threat of disgruntled employee sabotage
C. The threat of disgruntled employee theft
D. A building located in a 100-year flood plain

A

D is the correct answer.

Justification
Although an enterprise may hold insurance policies for physical assets such as computer equipment, the most appropriate risk remediation strategy is to update the fire suppression system.
This risk is not readily transferable. Full risk response planning should be performed for all risk that could happen at any time during routine business activities.
This risk is not readily transferable. Removable media policies and procedures should proactively be in place to mitigate the risk of lost or stolen media.
Purchasing an insurance policy transfers the risk of a flood. Risk transfer is the process of assigning risk to another entity, usually through the purchase of an insurance policy or through outsourcing the service.

30
Q

Development of corporate information security policy should PRIMARILY be based on:

A. vulnerabilities.
B. threats.
C. assets.
D. impacts.

A

C is the correct answer.

Justification
Absent a threat, vulnerabilities do not pose a risk. A vulnerability is defined as a weakness in the design, implementation, operation or internal control of a process that could be exploited by a threat event.
A threat is defined as anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. The information security policy is not written to address a threat directly, but rather to address the protection of assets from threats.
The corporate information security policy is based on management’s commitment to protect the assets of the enterprise (and relevant information of its business partners) from threats, risk and exposures that could occur.
Impact is not an issue if no threat exists. The impact is generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term. Impact does not drive the development of the policy but is a component of the policy.

31
Q

Which of the following is an example of a key performance indicator?

A. Average network availability uptime
B. Average number of missed patches
C. Average number of data entry errors
D. Average number of virus and phishing attacks

A

A is the correct answer.

Justification
Average network availability is an example of a key performance indicator.
Average number of missed patches is an example of a key risk indicator.
Average number of data entry errors is an example of a key risk indicator.
Average number of virus and phishing attacks is an example of a key risk indicator.

32
Q

Which of the following BEST assists in the proper design of an effective key risk indicator?

A. Generating the frequency of reporting cycles to report on the risk
B. Preparing a business case that includes the measurement criteria for the risk
C. Conducting a risk assessment to provide an overview of the key risk
D. Documenting the operational flow of the business from beginning to end

A

D is the correct answer.

Justification
Generating the frequency of reporting for the key risk indicator (KRI) means nothing if the KRI is not designed.
A proper business case describes what is going to be done, why it is worth doing, how it will be accomplished, and what resources will be required. It will not document the data points, structures, or anything else needed for designing a KRI.
A risk assessment is the determination of a value of risk related to some situation and a recognized threat. While it contributes somewhat to the design of the KRI, there is a need for additional information.
Prior to starting to design the KRI, a risk manager must understand the end-to-end operational flow of the business. The risk manager requires detailed insight into data flows, decision-making processes, acceptable levels of risk for the business, etc., which enables the application of top and bottom levels for the KRI.

33
Q

An excessive number of standard workstation images can be categorized as a key risk indicator for:

A.change management.
B.configuration management.
C.IT operations management.
D.data management.

A

B is the correct answer.

Justification
Change management deals with the process of managing changes to existing environments, rather than the initial environment definition.
An excessive number of unique workstation images is an indicator that poor configuration management processes are in place and that sufficient attention to actual business requirements has not been paid during the initial image definition.
IT operations management relates to the day-to-day operations of IT.
Data management relates to the handling of the data, rather than environment definition.

34
Q

Which of the following is MOST important when selecting an appropriate risk management methodology?

A.Risk culture
B.Countermeasure analysis
C.Cost-benefit analysis
D.Risk transfer strategy

A

A is the correct answer.

Justification
Without understanding risk culture—how and why an enterprise makes decisions regarding risk—one cannot select a risk management methodology.
Countermeasure analysis targets controls that address specific attacks, sometimes while the attack is occurring. Countermeasure analysis does not inform selection of an appropriate risk management methodology.
Cost-benefit analysis measures the projected benefit of a solution (such as a control) relative to its price, either at a given point in time or over an extended period. Cost-benefit analysis is generally not considered when selecting a risk management methodology.
Because not all risk can be transferred, implementing a proper risk assessment methodology must begin by considering the overall risk profile, not the risk transfer strategy.

35
Q

Risk management strategic plans are MOST effective when developed for:

A.the enterprise as a whole.
B.each individual system based on technology used.
C.every location based on geographic threats.
D.end-to-end business processes.

A

A is the correct answer.

Justification
Risk management strategic plans are most effective when they are created and followed by the entire enterprise.
Because most enterprises use many different technologies, creating a management plan for each technology creates unnecessary and counterproductive complexity, and may increase conflicts among policies.
It is difficult to create a risk management plan for each location based on geographic threats. Also, these plans do not take other types of threats into account.
Risk management plans based on end-to-end business processes can result in overlapping and/or conflicting policies and procedures.

36
Q

Which of the following is MOST important when transmitting personal information across networks?

A.encrypting the personal information.
B.obtaining consent to transfer personal information.
C.ensuring the privacy of the personal information.
D.ensuring effective change management.

A

C is the correct answer.

Justification
Encryption is a method of protecting the data at rest and in transit, but there may be remaining unmitigated risk resulting in inadequate privacy protection. Therefore, encryption is a partial answer.
Consent is one of the protections that are frequently, but not always, required.
Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data.
Change management is a core control that ensures that the privacy protections, encryption settings and consent processes are implemented as management intended; however, it will not directly address the privacy of the individuals.

37
Q

Which of the following is MOST suitable for reporting IT-related business risk to senior management?

A.Balanced scorecards
B.Gantt charts
C.Technical vulnerability reports
D.Dashboards

A

D is the correct answer.

Justification
A balanced scorecard is a coherent set of performance measures organized into four categories: traditional financial measures, and customer, internal business process, and learning and growth perspectives.
Gantt charts show the critical path for a project but are not suitable for reporting IT-related business risk.
Technical vulnerability reports provide a detailed overview of system vulnerabilities and often include leading practices on how to mitigate vulnerabilities. Often, they are not tied to the business impact and are too granular to be used for reporting IT-related business risk to senior management.
Dashboards are most suitable for reporting risk to senior management because they provide a high-level overview of risk levels that can be easily understood.

38
Q

An enterprise has contracted an external supplier to develop critical components of a consumer product. Risk tolerance levels for the outsourced component have been documented and approved. Which of the following can serve to gauge risk that may trigger stakeholder concern?

A.Indicators with approved thresholds
B.Approved status report of completed milestones
C.List of controls to be implemented by the supplier
D.Number of findings in external audit reports

A

A is the correct answer.

Justification
Indicators with approved thresholds demonstrate the acceptable risk levels stakeholders are willing to tolerate, and any risk above those approved levels will likely trigger stakeholder concern.
A status report of completed milestones only shows deliverables that have been completed against projected timelines for the outsourced component.
The lists of controls to be implemented by the supplier are requirements that the supplier will fulfill. To gauge potential for stakeholder concern, indicators for thresholds and tolerance must be defined and approved.
The number of findings in external audit reports is not an indicator of risk tolerance levels.

39
Q

Which of the following choices should drive the IT plan?

A.Strategic planning and business requirements
B.Technology and operational procedures
C.Compliance with laws and regulations
D.Project plans and stakeholder requirements

A

A is the correct answer.

Justification
IT exists to support business objectives. Management of enterprise IT should align the IT plan closely with the business.
IT exists to support business objectives. The IT plan should consider technology and procedures, but should not eclipse business strategy, which would risk creating a gap between strategy and IT.
IT exists to support business objectives. Compliance with laws and regulations should be evaluated in the same manner as any other risk.
IT exists to support business objectives. When IT projects are based on a project-by-project approach, effort is often duplicated or wasted, and results are likely to be incompatible across the enterprise.

40
Q

Which of the following documents BEST identifies an enterprise’s compliance risk and the corrective actions in progress to meet these regulatory requirements?

A.An internal audit report
B.A risk register
C.An external audit report
D.A risk assessment report

A

B is the correct answer.

Justification
Audit reports track audit findings and their respective actions but, based on the audit scope, do not necessarily include compliance-oriented findings or their risk. They generally do not include corrective actions in progress.
A risk register provides a report of all current identified risk within an enterprise (including compliance risk) and tracks the status of corrective actions or exceptions.
External audit reports are generally more reliable than internal audit reports due to the relative independence of external auditors. However, they do not generally include all relevant compliance risk. They may focus on one requirement at a time, such as privacy, the US Occupational Safety and Health Administration (OSHA) regulations, the US Sarbanes-Oxley Act of 2002, etc. They generally do not include corrective actions in progress.
Risk assessment reports may include compliance risk, but often do not track ongoing or anticipated corrective actions.

41
Q

An enterprise has decided to perform backups on a weekly basis. Which of the following choices BEST describes the risk response approach used by management?

A.Any residual risk from performing weekly backups has been accepted.
B.The risk of losing data has been mitigated to as low a level as possible.
C.The control is ineffective because any loss of data should be minimized.
D.The inherent risk of losing data has not been adequately mitigated.

A

A is the correct answer.

Justification
Residual risk arises where there is a risk response or control in place, but the potential for loss is still probable. There is a risk of data loss, but management tolerance for risk is such that it is willing to accept that loss.
The control could reduce risk to an even lower level; however, it would be at a higher cost that may not be deemed reasonable.
The effectiveness of the control needs to be matched against the control objective. As long as the control objective to perform weekly backups is carried out by management, implementation of the control is still effective, even if it may not be adequate.
The resulting risk associated with performing weekly backups is not inherent risk but residual risk. Inherent risk is risk that exists in the absence of any controls.

42
Q

Which of the following is the MOST appropriate metric to measure how well the information security function is managing the administration of user access?

A.Elapsed time to suspend accounts of terminated users
B.Elapsed time to suspend accounts of users transferring
C.Ratio of actual accounts to actual end users
D.Percent of accounts with configurations in compliance

A

D is the correct answer.

Justification
Elapsed time to suspend accounts of terminated users is only part of the picture and does not address the volume of requests.
Elapsed time to suspend accounts of users transferring is only part of the picture and does not address the volume of requests.
The ratio of actual accounts to actual end users does not indicate much in terms of how well security is administered.
The percent of accounts with configurations in compliance is the best measure of how well the administration is being managed because it shows the overall impact.

43
Q

The application of information classification is the responsibility of the:

A.information security officer.
B.information owner.
C.information systems auditor.
D.information custodian.

A

B is the correct answer.

Justification
The information security officer has functional responsibility for security and does not determine the classification of information.
The information owner determines classification based on the criticality and sensitivity of information.
The information systems auditor examines security and does not determine the classification of information.
The information custodian preserves the confidentiality, availability and integrity of information and does not determine the classification of information.

44
Q

As part of risk monitoring, the administrator of a two-factor authentication system identifies a trusted independent source indicating that the algorithm used for generating keys has been compromised. The vendor of the authentication system has not provided further information. Which of the following is the BEST initial course of action?

A.Wait for the vendor to formally confirm the breach and provide a solution.
B.Determine and implement suitable compensating controls.
C.Identify all systems requiring two-factor authentication and notify their business owners.
D.Disable the system and rely on single-factor authentication until further information is received.

A

C is the correct answer.

Justification
Waiting for the vendor to acknowledge the vulnerability may result in unacceptable exposure and may be considered negligent.
Determining suitable compensating controls is not appropriate without instructions from the responsible business owner.
Business owners should be notified, even when some information may not be available. Business owners are responsible for responding to new risk.
Disabling the system is not appropriate because there is no indication that the compromise will have an impact on the first-factor authentication.

45
Q

Which of the following risk management activities initially identifies critical business functions and key business risk?

A.Risk monitoring
B.Risk analysis
C.Risk assessment
D.Risk evaluation

A

C is the correct answer.

Justification
Risk monitoring provides timely information on the actual status of risk in the enterprise.
Risk analysis estimates the frequency and magnitude of IT risk scenarios.
Risk assessment identifies and evaluates risk and its potential effects. It includes recognizing and assessing critical functions and processes necessary for an enterprise to continue operating, defines the controls in place to reduce exposure, and evaluates the cost of such controls.
Risk evaluation compares estimated risk against given risk criteria to determine the significance of the risk.

46
Q

Risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners are all captured in which of the following items?

A.Risk register
B.Risk subject
C.Risk factors
D.Risk treatment plan

A

A is the correct answer.

Justification
A risk register includes risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners.
A risk subject refers to the risk owner and affected business unit but does not address projects.
Risk factors reference internal and external context, risk management and IT-related capabilities.
A risk treatment plan includes risk scenarios requiring mitigation, root cause analysis, risk response evaluation criteria, accountability and responsibility, proposed actions, required resources, performance measurements and constraints, cost-benefit analysis, reporting and monitoring requirements, and timing and scheduling.

47
Q

The PRIMARY reason to have the risk management process reviewed by an independent risk management professional is to:

A.validate cost-effective solutions for mitigating risk.
B.validate control weaknesses detected by the internal team.
C.assess the validity of the end-to-end process.
D.assess whether the risk profile and risk factors are properly defined.

A

C is the correct answer.

Justification
Cost-effective solutions can be provided by the internal teams.
The internal team can find weaknesses. It is not necessary to involve an external risk professional to validate the weaknesses detected by the internal team.
The independent risk professional will be unbiased to review the risk management process end to end. The independent reviewer will not have any involvement in any stage of the risk management process and will be unaffected by all internal factors.
The risk profile and risk factors are properly defined when the risk assessment process is performed correctly. An independent assessment may result in further improvements.

48
Q

Which of the following controls within the user provision process BEST ensures revocation of system access for contractors and other temporary users when it is no longer required?

A.Log all account usage and send it to the users’ managers.
B.Establish predetermined, automatic expiration dates.
C.Ensure that each user signs a security acknowledgment.
D.Require managers to email security when the user leaves.

A

B is the correct answer.

Justification
Logging, when coupled with monitoring, may be a detective control but it would not be as effective as the preventive control of implementing user accounts with predetermined expiration dates.
Predetermined expiration dates are the most effective means of removing systems access for temporary users.
Requiring each individual to sign a security acknowledgment has little effect in this case.
Managers often do not promptly submit termination notices.

49
Q

To which of the following documents does an enterprise refer to determine the intellectual property ownership of an application built by a third-party service manager in the course of its work for the enterprise?

A.Service level agreement
B.Statement of work
C.Operational level agreement
D.Nondisclosure agreement

A

B is the correct answer.

Justification
A service level agreement (SLA) defines minimum performance targets; mechanisms for performance measurement; and, typically, penalties for noncompliance. It does not address matters of intellectual property (IP) ownership.
A statement of work typically defines terms of governance and conditions for third-party engagement, and it delineates IP ownership of products developed under the contract. Failure to include adequate language for IP may result in limited or no rights to resulting deliverables. Therefore, it is critical to review language rather than rely on boilerplate clauses to optimize ownership of deliverables and assess vulnerability associated with third-party engagements.
An operational level agreement is comparable to an SLA but involves different departments within an enterprise. IP ownership is usually not disputed among departments within the same enterprise.
A nondisclosure agreement typically provides confidentiality of shared materials and information. It does not apply to work performed under contract by one party for the other.

50
Q

Which of the following criteria is MOST essential for the effectiveness of operational metrics?

A.Relevance to the recipient
B.Timeliness of the reporting
C.Accuracy of the measurement
D.Cost of obtaining the metrics

A

A is the correct answer.

Justification
Unless the metric is relevant to the recipient and the recipient understands what the metric means and what action to take, if any, all other criteria are of little importance.
Timeliness of reporting is important, but it is secondary to relevance.
A high degree of accuracy is not essential if the metric is reliable and indications are within an acceptable range.
Cost is always a consideration, but it is secondary to relevance.

51
Q

An asset’s annual loss expectancy is calculated as the:

A.exposure factor (EF) multiplied by the annualized rate of occurrence (ARO).
B.single loss expectancy (SLE) multiplied by the EF.
C.SLE multiplied by the ARO.
D.asset value multiplied by the SLE.

A

C is the correct answer.

Justification
This is not the correct formula to calculate annual loss expectancy (ALE). ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO), the number of times the enterprise expects the loss to occur.
This is not the correct formula to calculate ALE. ALE is calculated by multiplying the SLE by the ARO, the number of times the enterprise expects the loss to occur.
ALE is calculated by multiplying the SLE by the ARO (the number of times the enterprise expects the loss to occur).
This is not the correct formula to calculate ALE. ALE is calculated by multiplying the SLE by the ARO (the number of times the enterprise expects the loss to occur).

52
Q

Which of the following is MOST likely to be reduced to achieve acceptable risk?

A.Risk appetite
B.Control risk
C.Residual risk
D.Inherent risk

A

C is the correct answer.

Justification
Risk appetite is the amount of risk that an entity is willing to accept. It does not change with risk mitigation activities.
Control risk is incurred whenever controls can fall short of their objectives and is not necessarily related to residual risk.
Residual risk is the remaining risk after management has implemented a risk response. Acceptable risk is achieved when the residual risk is reduced to the levels within the enterprise’s risk appetite.
Inherent risk is a risk that is part of an activity; it cannot be minimized, only avoided by not engaging in the activity itself.

53
Q

Which of the following is the BEST way for a risk practitioner to ensure that controls are in place and effectively addressing the risk?

A.Key performance indicators
B.Control testing
C.Control monitoring
D.Key risk indicators

A

C is the correct answer.

Justification
Key performance indicators report on control performance. However, monitoring provides a better view of effectiveness.
Control testing is performed when the control is put in place and on an ad hoc basis. However, monitoring provides a better view of effectiveness.
Control monitoring confirms that the control is addressing the risk and operating effectively.
Key risk indicators report on control performance and could communicate a problem. However, they may not provide enough information to confirm that a problem exists.

54
Q

An enterprise wants to use a cloud solution for its travel booking system that will store its employees’ information. Which of the following cloud models presents the lowest risk to the risk practitioner?

A.Hybrid
B.Private
C.Public
D.Community

A

B is the correct answer.

Justification
In the hybrid cloud model, the enterprise depends on third parties to protect its data.
The private cloud model presents the least risk because the data is under the control of the enterprise.
In the public cloud model, the enterprise depends on third parties to protect its data.
In the community cloud model, the enterprise depends on third parties to protect its data.

55
Q

Which of the following choices is the MOST important critical success factor of implementing a risk-based approach to the system development life cycle?

A.Existence of a risk management framework
B.Defined risk mitigation strategies
C.Compliance with the change management process
D.Adequate involvement of business representatives

A

D is the correct answer.

Justification
The existence of a risk management framework does not necessarily ensure compliance and success during the system development life cycle.
Understanding the defined risk mitigation strategies will help the enterprise manage risk effectively; however, adequate involvement of business representatives is still required.
Although compliance with the change management process is a critical success factor (CSF) for system development, it is not the most important one.
A CSF for system development is the adequate involvement of business representatives, including management, users, quality assurance, IT, privacy, legal, audit, regulatory affairs or compliance teams in high-risk regulatory situations.

56
Q

While prioritizing the risk for treatment, the IT risk practitioner should PRIMARILY consider the:

A.risk impact
B.risk appetite
C.risk exposure
D.risk rating

A

D is the correct answer.

Justification
The risk impact is only one component of the risk assessment and prioritization process. A high-impact event may have a low likelihood, thus resulting in a low risk rating.
The risk appetite is only one component of the risk assessment and prioritization process. Risk should be quantified to determine if it falls within the enterprise’s risk appetite; therefore, the risk rating is needed.
The risk exposure is only one component of the risk assessment and prioritization process. It may or may not be quantifiable at the time of prioritization.
The risk rating quantifies the risk by providing a ranking (for example, high, medium, low) that can be used to prioritize treatment.

57
Q

Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of:

A.potential threats to assets.
B.residual risk on individual assets.
C.accepted risk.
D.security incidents.

A

A is the correct answer.

Justification
Identifying potential threats to business assets will help isolate vulnerabilities and associated risk, all of which contribute to developing proper risk scenarios.
Identifying residual risk on individual assets does not help develop a proper risk scenario.
Accepted risk generally reflects a small subset of entries in the risk register. Accepted risk should be included in the risk register to ensure that events continue to be monitored in case an actual incident alters current acceptance of the risk.
Previous security incidents at the enterprise itself or at entities with a similar profile may inspire the inclusion of similar risk scenarios in the risk register. However, the best approach to create a meaningful risk register is to capture potential threats on tangible and intangible assets.

58
Q

Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

A.The approved budget of the project
B.The frequency of incidents
C.The annual loss expectancy of security incidents
D.The total cost of ownership

A

D is the correct answer.

Justification
The approved budget of the project may have no bearing on what the project may actually cost.
The frequency of security incidents can help measure the benefit but the relationship is indirect because not all security incidents may be mitigated by implementing a two-factor authentication system.
The ALE of incidents can help measure the benefit but the relationship is indirect because not all incidents may be mitigated by implementing a two-factor authentication system.
Total cost of ownership is the most relevant piece of information to be included in the cost-benefit analysis because it establishes a cost baseline that must be considered for the full life cycle of the control.

59
Q

Which of the following BEST describes the risk-related roles and responsibilities of an organizational business unit (BU)? The BU management team:

A.owns the mitigation plan for the risk belonging to its BU, while board members are responsible for identifying and assessing risk and reporting to the appropriate support functions.
B.owns the risk and is responsible for identifying, assessing and mitigating risk, and reporting to the appropriate support functions and the board of directors.
C.carries out the respective risk-related responsibilities, but ultimate accountability for risk management and goal achievement belongs to the board of directors.
D.is ultimately accountable for risk management and goal achievement, and the board of directors owns the risk.

A

B is the correct answer.

Justification
The business unit (BU) management team owns both the risk management activities (identifying, assessing and reporting the mitigation plan for the risk belonging to its BU) and the reporting activities. The board members do not perform the risk identification, assessment and risk reporting functions.
The BU is responsible for owning the risk and its resulting actions. Risk owners have the responsibility of identifying, measuring, monitoring, controlling and reporting on risk to executive management as established by the corporate risk framework.
The ultimate accountability for the day-to-day work also belongs to the BU, not the board of directors.
The board members do not own the BU risk; the BU leader owns it and, along with the BU management team, is accountable for the remediation efforts.

60
Q

Which of the following is a MAJOR risk associated with the use of governance, risk and compliance (GRC) tools?

A.Misinterpretation of the dashboard’s output
B.Incomplete or inaccurate coverage in the enterprise for GRC
C.Obsolescence of content
D.Complex integration of diverse requirements

A

C is the correct answer.

Justification
Misinterpreting the dashboard’s output is easily corrected by training or employing subject matter experts.
A governance, risk and compliance (GRC) program that is assumed to be complete but is not would misrepresent risk—for example, one that failed to explicitly state that its privileged access management did not include network devices.
A GRC application has to be updated regularly with current regulations, policies, etc. Obsolete content renders a GRC tool outdated. Many GRC applications are based on the unified compliance framework (UCF) for mapping to various regulations, frameworks and standards. The technology team should refresh the UCF file quarterly through its vendor and should implement processes to identify and address changes from one release to the next. Additionally, the enterprise needs to commit internal resources to maintain company data in the tool to guard against obsolescence.
Most GRC tools are designed to integrate diverse, complex requirements. Obsolete content represents a greater risk because its maintenance rests entirely with users.

61
Q

During which of the following phases of an incident response process will an attempt to limit the impact of the incident MOST likely be made?

A.Mitigation
B.Recovery
C.Response
D.Detection

A

C is the correct answer.

Justification
Mitigation involves remediation of the event. An attempt to limit the impact should be made earlier in the response process.
The recovery phase includes a full repair of the incident.
During the response phase, attempts are made to limit the impact of an incident because the occurrence is ongoing; depending upon the nature of the incident, the time following initial identification can present opportunities to intervene and limit severity.
Detection aims to identify an incident and determine its cause.

62
Q

Which of the following risk responses relieves the enterprise of risk ownership?

A.Mitigation
B.Avoidance
C.Transference
D.Acceptance

A

B is the correct answer.

Justification
The mitigation of risk is accomplished through the application of controls that reduce the likelihood of an adverse event or the impact of risk should such an event occur. However, the reduced risk is thereby accepted by the enterprise, which explicitly acknowledges ownership of the reduced risk.
When an enterprise avoids a risk, it relieves itself of ownership of the risk by ceasing to engage in the activities with which the risk is associated.
Although the term “transference” often creates the impression that ownership of a risk is transferred, this response only creates conditions under which an adverse event can be addressed with the benefit of skills provided by a third party—for example, the financial resources of an insurance company or the expertise of a third-party software developer. As long as the enterprise continues to engage in the activities with which the risk is associated, it remains fundamentally responsible for the risk in both a physical and legal sense.
An enterprise that accepts a risk explicitly acknowledges ownership of the risk.

63
Q

Due to changes in the IT environment, the disaster recovery plan of a large enterprise has been modified. What is the GREATEST benefit of testing the new plan? To ensure that:

A.the plan is complete.
B.the team is trained.
C.all assets have been identified.
D.the risk assessment was validated.

A

A is the correct answer.

Justification
The greatest benefit of testing the new plan is to ensure that the plan is complete and will work during a crisis. Testing ensures that all assets in scope have been incorporated into the plan, that all staff have been trained and are familiar with their roles, and that backups have been tested.
Although training the team is a benefit of testing, it is not the greatest benefit.
Although ensuring that all assets have been identified is a benefit of testing, it is not the greatest benefit. In addition, ensuring that the plan is complete involves updating the asset inventory.
Testing can be a method of validating the risk assessment. However, the greatest benefit of testing the new plan is to ensure that the plan is complete and viable in the event of a crisis.

64
Q

Information that is no longer required to support the main purpose of the enterprise from an information security perspective should be managed:

A.under the retention policy.
B.under the information classification policy.
C.under the backup policy.
D.under the business impact analysis.

A

A is the correct answer.

Justification
Information that is no longer required should be analyzed under the retention policy to determine whether the enterprise is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise.
The information classification policy should specify retention and destruction of information that is no longer of value to the core business, as applicable.
The backup policy is generally based on recovery point objectives. The information classification policy should specify retention and destruction of backup media.
A business impact analysis can help determine that information does not support the main objective of the business, but it does not indicate the action to take.

65
Q

What is the enterprise ensuring by using key performance indicators?

A.The internal controls are effective.
B.The risk profile is known, and impact to risk tolerance is assessed.
C.The business goals are being achieved.
D.The desired metrics are achieved.

A

D is the correct answer.

Justification
Key control indicators determine if internal controls are effective.
Key risk indicators can help to assess the impact to risk tolerance.
A key business indicator ensures business goals are being achieved.
Key performance indicators ensure desired performance levels and metrics are achieved.

66
Q

What is the MOST important criterion when reviewing information security controls?

A.To provide assurance to management of control monitoring
B.To ensure that the controls are effectively addressing risk
C.To review the impact of the controls on business operations and performance
D.To establish a baseline as a benchmark for future tests

A

B is the correct answer.

Justification
It is important to inform management of the monitoring and testing of controls, but that is not the primary purpose of a control.
The primary purpose of a control is to ensure that it is effectively addressing the risk for which the control was selected and implemented.
The impact of the control on performance is secondary to the requirement to ensure that the control is properly addressing risk.
Providing a benchmark for future tests is not the primary purpose of a control review.

67
Q

Who should be accountable for risk to an IT system that supports a critical business process?

A.IT managers
B.Senior managers
C.Risk management department
D.System users

A

B is the correct answer.

Justification
IT managers are responsible for managing information systems on behalf of business owners; they are not accountable for risk.
The accountable party is senior management. Although senior managers are not responsible for executing the risk management program, they are ultimately liable for acceptance and mitigation of all risk.
The risk management department is responsible for the execution of the risk management program and will identify, evaluate and report risk and risk response efforts; the department is not accountable for the risk.
System users are responsible for using the system properly and following procedures; they are not accountable for the risk.

68
Q

The BEST reason to implement a maturity model for risk management is to:

A.establish alignment with business objectives.
B.help improve governance and compliance.
C.ensure that security controls are effective.
D.enable continuous improvement.

A

D is the correct answer.

Justification
Maturity models help benchmark processes and identify gaps between the current and the desired state of specific processes. They do not enable alignment with business objectives, which is more effectively achieved through a balanced scorecard or a goals cascade approach.
While maturity models help identify gaps between the current and the desired state of specific business processes, they do not explicitly improve governance and compliance efforts.
Maturity models help benchmark business processes and identify gaps between the current and the desired states. Maturity models do not explicitly ensure that security controls are effective.
Maturity models are designed to enable continuous improvement. This is achieved by first assessing the current maturity level of specific business processes and determining whether it is congruent with the desired maturity levels. Where gaps exist, maturity models implicitly provide steps to improve the process by defining requirements for each maturity level.

69
Q

A risk response report includes recommendations for:

A.acceptance.
B.assessment.
C.evaluation.
D.quantification.

A

A is the correct answer.

Justification
Acceptance of a risk is an alternative to be considered in the risk response process.
The risk assessment process is completed prior to determining appropriate risk responses.
Risk evaluation is part of the risk assessment process that is completed prior to determining appropriate risk responses.
Risk quantification is achieved during risk analysis; it is an input into the risk response process and occurs prior to determining appropriate risk responses.

70
Q

Which of the following would be the BEST approach for a global enterprise that is subject to regulation by multiple governmental jurisdictions with differing requirements?

A.Bringing all locations into conformity with the aggregate requirements of all governmental jurisdictions
B.Bringing all locations into conformity with a generally accepted set of industry good practices
C.Establishing a baseline standard incorporating the requirements all jurisdictions have in common
D.Establishing baseline standards for all locations and adding supplemental standards as required

A

D is the correct answer.

Justification
Seeking the lowest common denominator of requirements may cause certain locations to fail regulatory compliance.
Just using industry good practices may cause certain locations to fail regulatory compliance.
Forcing all locations to comply with the regulations places an undue burden on some locations.
It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements.

71
Q

Which of the following is MOST important when considering the risk appetite of an enterprise?

A.The capacity of the enterprise to absorb loss
B.The definition of responsibilities for risk management
C.The line of business and the typical risk of the industry
D.The culture and predisposition toward risk taking

A

D is the correct answer.

Justification
While the capacity of the enterprise to absorb loss is an important risk mitigation factor, it does not influence risk appetite as much as culture and predisposition toward risk taking.
The definition of the responsibilities and the accountability for IT risk management says nothing about the enterprise’s risk appetite. Risk appetite mostly depends on an enterprise’s risk culture, risk tolerance and risk acceptance.
The line of business and typical risk of the industry say nothing about the risk appetite of a single enterprise. Risk appetite depends on the individual risk culture of an enterprise.
When considering risk appetite, two major factors are relevant: the management culture and the predisposition toward risk taking.

72
Q

Which of the following is a PRIMARY role of the system owner during the accreditation process? The system owner:

A.reviews and approves the security plan supporting the system.
B.selects and documents the security controls for the system.
C.assesses the security controls in accordance with the assessment procedures.
D.determines whether the risk to the business is acceptable.

A

B is the correct answer.

Justification
The review and approval of the security plan, including system and general IT controls, is the responsibility of senior management, or a delegated authorized individual, not the system owner.
The system owner specifies the information security controls for the system being deployed based on functional requirements from the information owner.
The system owner does not test the controls. Security control testing is the responsibility of the security control assessor or an otherwise independent party.
Senior management is accountable for determining whether the risk to the business is acceptable.

73
Q

Which of the following BEST estimates the likelihood of significant events affecting an enterprise?

A.Threat analysis
B.Cost-benefit analysis
C.Scenario analysis
D.Countermeasure analysis

A

C is the correct answer.

Justification
Threat analysis does not provide sufficient information to estimate likelihood. While there may be a threat, many other factors, including existing controls, must be considered to determine the likelihood of a threat.
Cost-benefit analysis is used in selecting controls and does not help estimate the likelihood of significant events.
Scenario analysis, along with vulnerability analysis, best determines whether a particular risk is relevant to the enterprise, and helps estimate the likelihood that significant events will affect the enterprise.
Countermeasure analysis is used to assess controls that address specific attacks, sometimes while an attack is occurring. Countermeasure analysis does not help estimate the likelihood of significant events.

74
Q

Which of the following attributes of a key risk indicator is the MOST important when reviewing its effectiveness?

A.Repeatable
B.Timing
C.Corrective action
D.Actionable

A

A is the correct answer.

Justification
A key risk indicator must be repeatable to be measured and to be effective over time.
Timing on its own does not ensure effectiveness.
Corrective action on its own does not ensure effectiveness.
Actionable is an attribute of a key performance indicator.

75
Q

How can an enterprise determine the aggregated risk from several sources? Through a:

A.security information and event management system
B.fault tree analysis
C.failure modes and effects analysis
D.business impact analysis

A

A is the correct answer.

Justification
A security information and event management system gathers incident activity from several locations and prepares reports on risk trends and correlated events.
A fault tree analysis examines all the factors that could lead to a risk but does not correlate or aggregate risk from several sources.
A failure modes and effects analysis examines the sequence of events and impacts of an incident but does not aggregate risk data.
A business impact analysis provides an understanding of a particular business unit; however, it is not a means of determining aggregated risk from several sources.

76
Q

An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise?

A.The data classification policy
B.The acceptable use policy
C.Encryption standards
D.The access control policy

A

A is the correct answer.

Justification
A data classification policy describes the data classification categories, level of protection to be provided for each category of data, and roles and responsibilities of potential users, including data owners.
An acceptable use policy is oriented more toward the end user and therefore does not specifically address which controls should be in place to adequately protect information.
Mandated levels of protection, as defined by the data classification policy, should drive which levels of encryption will be in place.
Mandated levels of protection, as defined by the data classification policy, should drive which access controls will be in place.

77
Q

What is the BEST tool for documenting the status of risk mitigation and risk ownership at the enterprise level?

A.Risk action plans
B.Risk scenarios
C.Business impact analysis documents
D.Risk register

A

D is the correct answer.

Justification
Risk action plans define risk activities for a defined scope, not for an entire entity.
Risk scenarios help develop a thorough understanding of an enterprise’s risk profile; however, they are not suitable for capturing risk mitigation, contingency plans and ownership for an enterprise.
The business impact analysis documents show ownership and describe processes and assets that are critical to the business; they do not describe risk mitigation strategies or specifically lay out the technical details of the contingency plan.
A risk register is designed to document all risk identified for the enterprise. For each risk it records, at a minimum, the likelihood, potential impact, priority, status of mitigation and owner.

78
Q

The MAIN reason an enterprise maintains a risk register is that it:

A.acts as a repository of identified risk for decision-making.
B.helps in benchmarking against the risk impacting industry peers.
C.improves the risk culture by communicating risk to all employees.
D.establishes the risk indicators that an enterprise can focus upon.

A

A is the correct answer.

Justification
The risk register has the identified risk and is a repository that helps in decision-making.
The risk registers from industry peers are never published, so benchmarking is not possible.
Risk culture can be improved through awareness, but the risk register itself is not a means of communicating risk awareness.
The risk register may include information that the risk owner could use to establish risk indicators, but that is not its main purpose.

78
Q

Which of the following will produce comprehensive results when performing a qualitative risk analysis?

A.A vulnerability assessment
B.Scenarios with threats and impacts
C.The value of information assets
D.Estimated productivity losses

A

B is the correct answer.

Justification
A vulnerability assessment itself provides a one-sided view unless it is linked to specific risk scenarios that help determine likelihood and impact.
Using a list of possible scenarios with threats and impacts will better frame the range of risk and facilitate a more informed discussion and decision.
The value of information assets is an important starting point when performing a qualitative risk analysis. However, value without consideration of realistic threats and determination of likelihood and impact is not sufficient for a risk analysis.
Estimated productivity losses may be necessary to project magnitude of impact but are insufficient for a risk analysis.

79
Q

Because of its importance to the business, an enterprise wants to quickly implement a technical solution that deviates from the company’s policies. The risk practitioner should:

A.recommend against implementation because it violates the company’s policies.
B.recommend revision of the current policy.
C.conduct a risk assessment and allow or disallow based on the outcome.
D.recommend a risk assessment and subsequent implementation only if residual risk is accepted.

A

D is the correct answer.

Justification
Every business decision is driven by cost and benefit considerations. A risk practitioner’s contribution to the process is most likely a risk assessment, identifying both the risk and opportunities related to the proposed solution.
A recommendation to revise the current policy should not be triggered by a single request without conducting a risk assessment.
While a risk practitioner may conduct a risk assessment to enable a risk-aware business decision, it is management that will make the final decision.
A risk assessment should be conducted to clarify the risk whenever the enterprise’s policies cannot be followed. The solution should be implemented only if the related risk is formally accepted by the enterprise.

80
Q

Who is responsible for explaining to senior management the ramifications of a new zero-day exploit to the enterprise?

A.Chief operating officer
B.Chief risk officer
C.Chief information security officer
D.Chief information officer

A

B is the correct answer.

Justification
The chief operating officer is the most senior official accountable for the operation of the enterprise and would not be responsible for explaining risk to senior management.
The chief risk officer is the most senior official accountable for all aspects of risk management across the enterprise, including explaining risk to senior management.
The chief information security officer leads the establishment of the information security program and respective security teams; however, this role is not responsible for the acceptance of enterprise risk or explaining risk to senior management.
The chief information officer is the most senior official responsible for aligning IT and business strategies and is accountable for planning, resourcing and managing delivery of IT-related services and solutions. This role would not be responsible for explaining risk to senior management.

81
Q

Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the enterprise?

A.An IT audit
B.A security gap analysis
C.A threat and vulnerability assessment
D.An IT security assessment

A

C is the correct answer.

Justification
An IT audit typically uses technical evaluation tools or assessment methodologies to enumerate risk.
A security gap analysis typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios.
A threat and vulnerability assessment typically evaluates all elements of a business process for threats and vulnerabilities and identifies the likelihood of occurrence and the business impact if the threats were realized.
An IT security assessment typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios.

82
Q

The board of directors of a one-year-old start-up company asked the chief information officer to create all the enterprise’s IT policies and procedures, to be managed and approved by the IT steering committee. The IT steering committee makes all the IT decisions for the enterprise, including those related to the technology budget. Which type of IT organizational structure does the enterprise have?

A.Project-based
B.Centralized
C.Decentralized
D.Divisional

A

B is the correct answer.

Justification
In a project-based enterprise, a temporary group is formed to work on one particular project. Neither a group initiated by the chief information officer, nor a steering committee in general, is considered temporary.
Within a centralized IT organizational structure, one group makes all decisions for the entire enterprise.
In a decentralized organizational structure, decisions are made by each division (sales, human resources, etc.). In this kind of organization, different and perhaps conflicting IT policies can be developed.
In a divisional organizational structure, each geographic area, or each product or service, will have its own group.

83
Q

Which of the following would BEST measure the effectiveness of operational controls?

A.Control matrix
B.Key performance indicator
C.Statement of applicability
D.Key control indicator

A

D is the correct answer.

Justification
The control matrix is a tool used to analyze a systems flowchart (and related narrative) to determine the control plans appropriate to a process and to relate those plans to the control goals of the process.
Key performance indicators do not measure the effectiveness of operational risk controls.
Statement of applicability is specific to the ISO 27001 standard, and although it has a list of controls, it will not help in measuring the effectiveness of particular operational risk controls.
Key control indicators, also referred to as control effectiveness indicators, are metrics that provide information on the degree to which a control is working.

83
Q

Which of the following is the BIGGEST concern for a chief information security officer regarding interconnections with systems outside the enterprise?

A.Requirements to comply with each other’s contractual security obligations
B.Uncertainty that the other system will be available as needed
C.The ability to perform risk assessments on the other system
D.Ensuring that communications between the two systems are encrypted through a virtual private network tunnel

A

A is the correct answer.

Justification
Ensuring that both systems comply with mutual contractual security obligations should be the primary concern of the risk practitioner. If one system fails to comply, both will likely miss their respective security obligations.
Uncertainty about the other system’s availability is probably the primary concern of the business owner and users, not of the chief information security officer.
The ability to perform risk assessment on the other system may or may not be a concern based on the interconnection agreement between the two systems.
Communications between the two systems may not necessarily require a virtual private network tunnel, or encryption. That requirement will be based on type of data being transmitted.

84
Q

Control objectives are useful to risk professionals because they provide the basis for understanding the:

A.techniques for securing information for a given risk.
B.information security policies, procedures and standards.
C.control good practices relevant to a specific entity.
D.desired outcome of implementing specific control procedures.

A

D is the correct answer.

Justification
IT control objectives will not provide the techniques for securing information for a given risk. The techniques for securing information for a given risk will be determined by selecting controls and defining how the techniques will work in the control environment.
To understand security policies, procedures and standards, it is necessary to understand the business, the risk involved in various processes, and how the policies will manage risk. IT control objectives in themselves will not improve understanding of security policies, procedures and standards.
The IT control objectives do not mandate good practice; they help establish the need for and the desired outcome of a control.
IT control objectives define the main purpose or objective of an IT control and help implement specific control procedures.

85
Q

Which of the following is MOST important when mitigating or managing risk?

A.Vulnerability assessment results
B.A business impact analysis
C.The risk appetite and tolerance levels
D.A security controls framework

A

C is the correct answer.

Justification
Vulnerability assessments provide a view of an enterprise’s current control environment, specifically where controls are weak or lacking. Unlike business impact analyses (BIAs), they do not tie vulnerabilities to the enterprise’s threat landscape or help determine the impact of adverse events affecting specific business processes.
A BIA predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment, so a BIA is more concerned with prioritizing risk management efforts than how to mitigate the risk.
The risk tolerance level (along with risk appetite) determines what kind of risk response an enterprise selects, and it needs to be defined in order for an enterprise to appropriately address risk.
A framework is a generally accepted, business process-oriented structure that establishes a common language and enables repeatable business processes. Frameworks generally describe only what needs to be done. They do not provide actionable recommendations and therefore are not the best solution for determining what risk mitigation activities to pursue.

86
Q

Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as:

A.quantitative risk analysis.
B.risk scenario analysis.
C.qualitative risk analysis.
D.probabilistic risk assessment.

A

A is the correct answer.

Justification
Quantitative risk analysis derives the probability and impact of risk scenarios from statistical methods and data.
A risk scenario analysis generally includes several risk analysis methods, including quantitative, semi-quantitative and qualitative.
A qualitative risk analysis would use non-quantitative measures to estimate the likelihood and impact of adverse events. These might include low, medium and high for likelihood; and low, medium, high and catastrophic for the impact.
Probabilistic risk assessments are mostly applied to risk associated with complex engineered technology (e.g., nuclear plants, airplanes). They rely on a systematic and comprehensive methodology and consider both quantitative and qualitative risk analysis.

87
Q

Who grants formal authorization for user access to a protected file?

A.The process owner
B.The system administrator
C.The data owner
D.The security manager

A

C is the correct answer.

Justification
The process owner is responsible for granting access to a specific business process.
The system administrator is the data custodian and is responsible for safe custody, transport, and storage of data, and grants access to data on approval from the data owner.
The data owner grants formal authorization for users to access protected files.
The security manager is responsible for enforcing security protection according to the data owner’s requirements.

88
Q

An enterprise can earn client trust and confidence in the information security area by publishing:

A.its information security policies.
B.an external assurance certification.
C.its personally identifiable information handling policy.
D.the number of findings from the most recent audit.

A

B is the correct answer.

Justification
Publishing information security policies does not provide evidence of implementation of security controls. To establish client trust, evidence of implementation of controls is required. This is achieved through external assurance.
An external assurance certification provides an independent view of risk and controls impacting the enterprise, which can establish client trust and confidence.
Publishing the personally identifiable information handling policy does not provide evidence of the implementation of controls. To establish client trust, evidence of implementation of controls is required. This is achieved through external assurance.
Publishing the number of findings from a most recent audit does not provide assurance to a client.

89
Q

A global financial institution has decided not to take any further action on a denial-of-service vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that:

A.the needed countermeasure is too complicated to deploy.
B.there are sufficient safeguards in place to prevent this risk from happening.
C.the likelihood of the risk occurring is unknown.
D.the cost of countermeasure outweighs the value of the asset and potential loss.

A

D is the correct answer.

Justification
While countermeasures can be too complicated to deploy, this does not necessarily mean that they are cost prohibitive.
Any safeguards placed to prevent the risk need to match the risk impact.
It is likely that a global financial institution may be exposed to such denial-of-service attacks, but the frequency cannot be predicted. This would not be the reason for risk acceptance.
An enterprise may decide to accept a specific risk because the protection would cost more than the potential loss.

90
Q

Which of the following would BEST help finalize the risk treatment plan?

A.Vulnerability analysis
B.Impact analysis
C.Cost-benefit analysis
D.SWOT analysis

A

C is the correct answer.

Justification
A vulnerability analysis provides insight into which risk to treat but is not useful when evaluating risk treatment options.
Impact analysis is a part of the risk assessment but on its own would not help finalize a risk treatment plan.
A cost-benefit analysis helps determine if the benefit of a control outweighs the cost of implementing the control.
A SWOT (strengths, weaknesses, opportunities and threats) analysis can be helpful, but the results must be translated in terms of risk, including costs and benefits, to be useful.

91
Q

Which of the following actions will MOST likely occur during an incident response plan activation?

A.Enabling logging to track what resources have been accessed
B.Shutting down a server to patch defects in the operating system
C.Implementing virus scanning tools to scan attachments in incoming email
D.Assisting in the migration to an alphanumeric password authorization policy

A

B is the correct answer.

Justification
Enabling logging is not a function of the incident response plan but can provide information if enabled prior to an incident.
An incident response plan defines actions to be taken in response to a threat, loss or vulnerability event. Shutting down servers to patch defects is a corrective action against identified events. Once installed, the upgraded version of the operating system might be able to mitigate further risk.
Use of a virus scanner is preventive and detective rather than corrective. Use of a virus scanner in the response to an incident will mean scanning email that has already been received.
Generally, an alphanumeric password authorization policy is a preventive rather than a corrective control.

92
Q

Which of the following BEST determines compliance with the risk appetite of an enterprise?

A.Balance between preventive and detective controls
B.Inherent risk and acceptable risk level
C.Residual risk and acceptable risk level
D.Balance between countermeasures to threats and preventive controls

A

C is the correct answer.

Justification
Balance between preventive and detective controls does not help evaluate current risk appetite because the controls may have been established in the wake of an earlier risk analysis.
Inherent risk in itself does not help define residual risk; inherent risk and acceptable risk are inadequate determinants of risk appetite.
Considering residual risk in terms of acceptable risk yields risk that is appropriately balanced after the application of controls. In this context, management can decide to accept risk or apply additional controls based on current standards of acceptable risk. Considering residual risk in the context of acceptable risk also illuminates the broader pattern of risk appetite of the enterprise as it changes over time. A conservative approach seeks to reduce risk levels to keep them low or very low.
Countermeasures help when threats need to be reduced; they do not help evaluate risk appetite.

93
Q

When aligning controls with business objectives, what is MOST important?

A.Monitoring control activities periodically
B.Ensuring ownership of key control activities
C.Reviewing the risk management strategy
D.Prioritizing control activities based on residual risk

A

B is the correct answer.

Justification
Monitoring control activities should be done continuously, not periodically.
Ensuring ownership of key control activities is the most important factor in assigning control responsibility and control accountability.
Reviewing the risk management strategy can be useful, but without defined ownership, controls cannot be aligned with business objectives.
Prioritizing control activities based on residual risk is important, but it cannot be accomplished without defined ownership.

94
Q

Which of the following would create the GREATEST benefit for an enterprise deploying new IT infrastructure processing personal data?

A.Privacy by design
B.Privacy notices
C.Data encryption
D.Data classification

A

A is the correct answer.

Justification
Privacy by design embeds privacy within the IT infrastructure life cycle.
Privacy notices are informational and will not impact the new IT infrastructure deployment.
Data encryption is relevant and provides some benefit. However, privacy by design embeds privacy principles throughout the whole IT infrastructure life cycle.
Data classification is limited to the data component within the IT infrastructure, whereas privacy by design impacts the entire IT infrastructure life cycle.

95
Q

Which of the following is the MOST important information to include in a risk management strategic plan?

A.Risk management staffing requirements
B.Risk management mission statement
C.Risk mitigation investment plans
D.Current state and desired future state

A

D is the correct answer.

Justification
Risk management staffing requirements are generally driven by a robust understanding of the current and desired future state.
The risk management mission statement is important, but it is not an actionable part of a risk management strategic plan.
Risk mitigation investment plans are generally driven by a robust understanding of the current and desired future state.
It is most important to paint a vision for the future and then draw a road map from the starting point, which requires that the current state and desired future state be fully understood.

96
Q

During an internal risk assessment in a global enterprise, a risk manager notes that local management has proactively mitigated some of the high-level risk related to the global purchasing process. This means that:

A.the local management is now responsible for the risk.
B.the risk owner is the corporate chief risk officer.
C.the risk owner is the local purchasing manager.
D.corporate management remains responsible for the risk.

A

D is the correct answer.

Justification
While the local management has mitigated the risk, corporate management remains responsible for the risk.
The corporate chief risk officer is responsible for the corporate risk management program, yet does not own the risk related to the global purchasing process.
The risk owner is the global purchasing manager.
Corporate management remains responsible for the risk, even when the risk response is executed at a lower organizational level.

97
Q

An enterprise is applying controls to protect its product price list from being exposed to unauthorized staff. These internal controls will include:

A.identification and authentication.
B.authentication and authorization.
C.segregation of duties and authorization.
D.availability and confidentiality.

A

B is the correct answer.

Justification
Identification and authentication are important for confirming the identity of a user; however, both need to be complemented with proper authorization controls to ensure the confidentiality of the price list.
Authentication and authorization are two complementary control objectives that will ensure confidentiality of the price list.
Segregation of duties (SoD) is a control objective that ensures that a single individual is not authorized to execute incompatible activities, such as submitting and approving a change to the price list. SoD and authorization are not the best solution to ensure confidentiality.
Availability and confidentiality are business requirements, not controls.

98
Q

Monitoring has flagged a security exception. What is the MOST appropriate action?

A.Escalate the exception.
B.Update the risk register.
C.Activate the risk response plan.
D.Validate the exception.

A

D is the correct answer.

Justification
The escalation to management should not occur until more is known about the situation, and even then only if it is outside the security manager’s scope to address the issue.
The risk register should be updated after the exception has been validated.
The risk response plan will not be activated until the exception has been validated and the response has been approved by management.
Before any other action is taken, the risk practitioner should ensure that the exception identified by monitoring is not a false positive.

99
Q

Which of the following is MOST important for measuring the effectiveness of a security awareness program?

A.Increased interest in focus groups on security issues
B.A reduced number of security violation reports
C.A quantitative evaluation to ensure user comprehension
D.An increased number of security violation reports

A

D is the correct answer.

Justification
Focus groups may or may not provide meaningful feedback but in and of themselves do not provide metrics.
A reduction in the number of violation reports may not be indicative of a high level of security awareness.
To judge the effectiveness of user awareness training, measurable testing is necessary to confirm user comprehension. However, comprehension of what needs to be done does not ensure that action is taken when necessary. The most effective indicator for measuring the success of an awareness program is an increase in the number of violation reports by staff.
An increase in the number of violation reports is the best indicator of a high level of security awareness. As with automated alerts, each security violation report needs to be assessed for validity.

100
Q

What control focuses directly on preventing the risk of collusion?

A.Mandatory access control
B.Principle of least privilege
C.Discretionary access control
D.Mandatory job rotation

A

D is the correct answer.

Justification
Mandatory access control is mandated by security policy. It will not prevent the risk of collusion.
Even if the principle of least privilege is followed, it will not be adequate to prevent collusion risk because two or more parties come together in collusion and have a higher privilege.
Discretionary access control is access provided by the data owner; it does not prevent two people within the same department from bypassing segregation of duties.
Collusion risk occurs when two or more people who are bound by segregation of duties work together to bypass security controls. With job rotation, people are assigned different job responsibilities over a period of time, which reduces opportunities for collusion.

101
Q

Which of the following project management tools is MOST appropriate when managing a system development project of uncertain duration?

A.A Gantt chart
B.A work breakdown structure
C.A program evaluation review technique
D.A histogram

A

C is the correct answer.

Justification
A Gantt chart is a foundational planning tool in project management that is used to represent the work breakdown structure (WBS) in a graphic form to illustrate expected durations as well as dependencies. A Gantt chart can be generated from a WBS that can be associated with expected durations.
A WBS represents the project in terms of manageable and controllable units of work, serves as a central communication tool in the project, and forms the baseline for cost and resource planning.
A program evaluation review technique (PERT), a critical path methodology-type technique, focuses on establishment and management of the critical path for a project. PERT calculates times, but it does so according to a formula that gives distributed, unequal weight to optimistic, likely and pessimistic estimates. This approach makes PERT a better tool than a Gantt chart for managing system development projects of uncertain duration.
A histogram, or bar chart, is used to graphically illustrate relative magnitudes across various measured items.

102
Q

Which of the following is MOST essential for a risk management program to be effective?

A.New risk detection
B.A sound risk baseline
C.Accurate risk reporting
D.A flexible security budget

A

A is the correct answer.

Justification
Without identifying new risk, other measures will succeed only for a limited period.
A risk baseline is essential for implementing risk management, but new risk detection is the most essential.
Accurate risk reporting is essential for implementing risk management, but new risk detection is the most essential.
A flexible security budget is not available to most enterprises. A limited security budget reflects a common scope limitation that should be considered, along with other limitations, in prioritizing risk responses.

103
Q

The MOST important reason for reporting control effectiveness as part of risk reporting is that it:

A.enables audit reporting.
B.affects the risk profile.
C.requires mitigation.
D.helps manage the control life cycle.

A

B is the correct answer.

Justification
Changes in controls are not necessarily reported to the audit function.
Changes may render a control ineffective and allow a vulnerability to be exploited. Changes in control may also strengthen the enterprise’s risk profile (e.g., in cases in which highly manual processes are automated).
A change may be replacing a weaker control with a stronger control; changes do not necessarily require mitigation.
Reporting changes in controls may help manage the control life cycle, particularly in cases in which a control is failing and is consequently modified or replaced.

104
Q

Risk assessment techniques should be used by a risk practitioner to:

A.maximize the return on investment.
B.provide documentation for auditors and regulators.
C.justify the selection of risk mitigation strategies.
D.quantify the risk that would otherwise be subjective.

A

C is the correct answer.

Justification
Maximizing the return on investment may be a key objective of implementing risk responses, but it is not part of the risk assessment process.
A risk assessment does not focus on auditors or regulators as primary recipients of the risk assessment documentation. However, risk assessment results may provide input into the audit process.
A risk practitioner should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible.
Risk assessment is generally high-level, whereas risk analysis can be either quantitative or qualitative, based on the needs of the enterprise.

105
Q

Which of the following is true about IT risk?

A.IT risk cannot be assessed and measured quantitatively.
B.IT risk should be calculated separately from business risk.
C.IT risk management is the responsibility of the IT department.
D.IT risk exists regardless of whether it is detected or recognized by an enterprise.

A

D is the correct answer.

Justification
IT risk, like any business risk, can be assessed both quantitatively and qualitatively. It can be difficult to measure risk quantitatively, but quantitative information can provide a more complete picture of the risk as opposed to qualitative risk analysis alone.
IT risk is one type of business risk and would not be calculated separately from other business risk.
IT risk is the responsibility of senior management, not just the IT department.
The enterprise must identify, acknowledge and respond to risk; ignorance of risk is not acceptable.

106
Q

Which of the following factors should be included when assessing the impact of losing network connectivity for 18 to 24 hours?

A.The hourly billing rate charged by the carrier
B.Financial losses incurred by affected business units
C.The value of the data transmitted over the network
D.An aggregate compensation of all affected business users

A

B is the correct answer.

Justification
The hourly billing rate charged by the carrier may be a factor that contributes to the overall financial impact; however, it reflects only a minor consequence of losing network connectivity.
The impact of network unavailability reflects the cumulative costs incurred by the enterprise.
The value of the data transmitted over the network reflects only a subset of financial losses incurred by affected business units.
Aggregate compensation of all affected business users represents only a subset of financial losses incurred by affected business units.

107
Q

Which of the following changeover techniques would have the GREATEST risk regarding consistency of data when moving application users from one system to another?

A.Parallel
B.Outsourcing
C.Abrupt
D.Phased

A

C is the correct answer.

Justification
Parallel changeover requires that both old and new systems operate fully for a specified period. When users, management and the IT group are satisfied that the new system operates correctly, the old system is retired. This approach entails very low risk. If the new system does not work correctly, the enterprise can revert to the old system as a backup.
Outsourcing involves a formal agreement with a third party to perform information system or other business functions for an enterprise. Outsourcing is not a changeover technique.
Abrupt changeover occurs when users are converted from the old to the new system immediately upon its operational availability. This approach is usually least expensive but involves high risk of data loss and system failure. With this approach, the enterprise cannot revert to the old system as a backup.
Phased changeover involves modular implementation and simultaneous operation of discrete system components or modules. It is extremely complex to coordinate, particularly with regard to consistency of data across multiple systems or locations. However, this approach retains the possibility to revert to a previous state.

108
Q

What should an enterprise use to assess the security controls of a third party hosting its server infrastructure?

A.Enterprise security requirements
B.Internal audit recommendations
C.Applicable laws and regulations
D.Security good practices

A

A is the correct answer.

Justification
The enterprise should develop its own security requirements considering many factors such as audit recommendations and good practices. Third-party security controls should be evaluated in the context of the enterprise’s security requirements, which may inform the terms of any agreement with a third party regarding hosting.
Internal audit recommendations help management improve the security control environment but do not constitute specific requirements.
Compliance with applicable laws and regulations reflects a subset of the enterprise’s own security requirements.
Security good practices should be considered in developing the enterprise’s own security requirements.

109
Q

Which of the following is an example of a directive control in relation to risk management?

A.Active user authentication
B.An enterprise policy
C.Inhibiting security policy violations
D.Regular remediation of errors

A

B is the correct answer.

Justification
User authentication is a preventive control.
An enterprise policy states the enterprise’s directive related to risk management; therefore, it is a directive control.
Inhibiting security policy violations is a preventive control.
Regular remediation of errors is a corrective control.

110
Q

Which of the following is the MOST critical to ensure the three lines of defense work together effectively?

A.A documented disaster recovery plan
B.Automated operational processes
C.Independent external audits
D.Clear, detailed roles and responsibilities

A

D is the correct answer.

Justification
A documented disaster recovery plan does not play a direct role in ensuring the effectiveness of the three lines of defense.
Automated business operational processes may or may not improve the effectiveness of the three lines of defense.
Independent audits will uncover issues with implementation of the three lines of defense, but do not ensure their effectiveness.
Without clear, detailed job descriptions for employees working in each line of defense, there can be confusion on what is expected at each level, which may hinder the effectiveness of each line of defense.

111
Q

Which of the following concepts of data validation is MOST likely to be of value to enterprises reviewing transaction data for fraudulent activity?

A.Reliability
B.Duplicates
C.Reasonableness
D.Validity

A

C is the correct answer.

Justification
Reliability considers the integrity of the data extracted from the system. While it is not impossible for criminals to cause changes to an IT system as a means of disguising their activities, reviewing transactional data for reliability is not a primary means of fraud detection. Reliability is typically called into question only after fraudulent activity is discovered through other means.
Duplicate transactions occur in IT systems and must be addressed. The presence of duplicates may be legitimate activity. Further checks are required to identify whether the duplicate transactions are a result of fraud.
Reasonableness considers reliability, validity and duplicate transactions. It identifies values that are substantially different from the norm, and routes them for additional scrutiny.
Validity involves matching data to definitions in a table layout. Extracted data that are invalid indicate a system problem but not necessarily fraud; nor is fraud generally correlated with invalid data. Further checks are required to identify whether invalid data is a result of fraud.
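The four validation concepts in this question map to four distinct checks. The following is an added example (not part of the flashcard deck) that runs them over a constructed batch of transactions; the field names, the robust z-score threshold and the helper names are assumptions. Reasonableness is computed per account with the median and median absolute deviation so that the outlier being hunted cannot drag the baseline it is compared against, and it is only scored on rows that are reliable, valid and deduplicated.

```python
"""Added example: reliability, validity, duplicate and reasonableness checks
over a constructed transaction extract (not from the flashcard deck)."""
import hashlib
import json
import statistics
from collections import Counter

# Constructed sample extract (assumed layout: id, account, amount, currency).
TRANSACTIONS = [
    {"id": "T1", "account": "A100", "amount": 120, "currency": "USD"},
    {"id": "T2", "account": "A100", "amount": 95, "currency": "USD"},
    {"id": "T3", "account": "A100", "amount": 110, "currency": "USD"},
    {"id": "T4", "account": "A100", "amount": 9800, "currency": "USD"},    # far from the account's norm
    {"id": "T5", "account": "A200", "amount": 40, "currency": "usd"},      # invalid currency code
    {"id": "T2", "account": "A100", "amount": 95, "currency": "USD"},      # exact duplicate of T2
    {"id": "T6", "account": "A200", "amount": "fifty", "currency": "USD"}, # invalid amount type
]
VALID_CURRENCIES = {"USD", "EUR", "GBP"}  # assumed table definition


def extract_digest(rows):
    """Reliability: fingerprint the extract so the reviewer can confirm the
    data being analysed is exactly what the system produced."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_reliability(rows, expected_digest):
    return extract_digest(rows) == expected_digest


def check_validity(rows):
    """Validity: each field matches the table layout (type and allowed values).
    Returns the ids of rows that do not."""
    bad = []
    for r in rows:
        amount_ok = isinstance(r.get("amount"), (int, float))
        if not amount_ok or r.get("currency") not in VALID_CURRENCIES:
            bad.append(r["id"])
    return bad


def check_duplicates(rows):
    """Duplicates: identical (id, account, amount) tuples seen more than once."""
    counts = Counter((r["id"], r["account"], r["amount"]) for r in rows)
    return sorted(key[0] for key, n in counts.items() if n > 1)


def dedupe(rows):
    seen, out = set(), []
    for r in rows:
        key = (r["id"], r["account"], r["amount"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def check_reasonableness(rows, threshold=5.0):
    """Reasonableness: flag amounts far from the account's norm using a robust
    z-score (median and median absolute deviation). Rows must already be
    valid and deduplicated. Returns the ids routed for additional scrutiny."""
    by_account = {}
    for r in rows:
        by_account.setdefault(r["account"], []).append(r)
    flagged = []
    for txs in by_account.values():
        amounts = [t["amount"] for t in txs]
        med = statistics.median(amounts)
        mad = statistics.median([abs(a - med) for a in amounts])
        if mad == 0:  # all amounts identical (or a single row): nothing stands out
            continue
        flagged.extend(t["id"] for t in txs if abs(t["amount"] - med) / mad > threshold)
    return sorted(flagged)


def review_batch(rows, expected_digest):
    """Run the checks in dependency order: reasonableness is scored only on
    rows that passed validity and deduplication."""
    result = {
        "reliable": check_reliability(rows, expected_digest),
        "invalid": check_validity(rows),
        "duplicates": check_duplicates(rows),
    }
    invalid_ids = set(result["invalid"])
    clean = dedupe(r for r in rows if r["id"] not in invalid_ids)
    result["unreasonable"] = check_reasonableness(clean)
    return result


if __name__ == "__main__":
    recorded = extract_digest(TRANSACTIONS)  # digest recorded at extraction time
    print(review_batch(TRANSACTIONS, recorded))
```

On this constructed batch the review reports T5 and T6 as invalid, T2 as duplicated and T4 as unreasonable for account A100; changing any amount after the digest was recorded makes the reliability check fail, which is the signal to stop and re-extract rather than analyse tampered data.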

112
Q

Which of the following can provide the BEST perspective of risk management to an enterprise’s employees and stakeholders?

A.An interdisciplinary team within the enterprise
B.A third-party risk assessment service provider
C.The enterprise’s IT department
D.The enterprise’s internal compliance department

A

A is the correct answer.

Justification
Assembling an interdisciplinary team to manage risk ensures that all areas are adequately considered in risk assessment and helps provide an enterprise-wide perspective on risk.
Engaging a third party to perform a risk assessment may provide additional expertise, but without internal knowledge, third parties lack judgment to determine the adequacy of risk assessment.
A risk assessment performed by the enterprise’s IT department is unlikely to reflect the view of the entire enterprise.
The internal compliance department ensures the implementation of risk responses based on the requirements of management. It generally does not take an active part in implementing risk responses for items that do not have regulatory implications.

113
Q

Which of the following is the PRIMARY objective of a risk management program?

A.Maintain residual risk at an acceptable level
B.Implement preventive controls for every threat
C.Remove all identified risk
D.Reduce inherent risk to zero

A

A is the correct answer.

Justification
Ensuring that all residual risk is maintained at a level acceptable to the business is the objective of a risk management program.
Implementing controls for every threat is not the objective of the risk management program. The program considers known threats and determines the risk response to those threats as determined by the enterprise’s risk appetite and acceptance levels.
A risk management program is not intended to remove every identified risk.
Inherent risk—the risk level of an activity, business process or entity without taking into account the actions that management has taken or may take—is always greater than zero.

114
Q

Which of the following BEST provides message integrity, authentication of sender’s identity and nonrepudiation?

A.Symmetric encryption
B.Message hashing
C.Message authentication code
D.Digital signatures

A

D is the correct answer.

Justification
Symmetric encryption provides confidentiality; on its own it does not prove who sent a message or that the message was not altered.
Hashing provides integrity only: anyone can recompute the hash, so it proves nothing about the sender.
Message authentication codes provide integrity and authenticate the sender to holders of the shared key, but because the verifier holds the same key and could have produced the tag itself, they cannot provide nonrepudiation.
A digital signature combines a hash of the message with asymmetric cryptography: the sender signs the hash with a private key that only the sender holds, and anyone with the public key can verify it. This gives message integrity, authentication of the sender's identity and nonrepudiation.
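The difference between a MAC and a signature is easiest to see by letting the verifier try to forge. The following is an added example (not from the flashcard deck): the hash and HMAC use the standard library, while the signature uses a deliberately small textbook RSA written here for illustration only (no padding, 512-bit modulus). In practice use a vetted library such as `cryptography`; the key size, messages and helper names are assumptions.

```python
"""Added example: hash vs. MAC vs. digital signature, and why only the
signature gives nonrepudiation (not from the flashcard deck)."""
import hashlib
import hmac
import secrets

# Constructed sample messages.
MSG = b"Transfer 100 to account 42"
FORGED = b"Transfer 100 to account 43"


# --- Hashing: integrity only. Anyone can recompute it, so it says nothing about the sender.
def digest(msg):
    return hashlib.sha256(msg).digest()


# --- MAC: integrity plus authentication among holders of the shared key.
def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key, msg, tag):
    return hmac.compare_digest(mac(key, msg), tag)


def mac_has_no_nonrepudiation(key):
    """Bob, who verifies Alice's MAC, holds the same key and can mint a valid
    tag for a message Alice never sent. Returns True when his forgery verifies,
    i.e. a valid tag cannot prove to a third party that Alice sent anything."""
    forged_tag = mac(key, FORGED)  # produced by the verifier, not the sender
    return mac_verify(key, FORGED, forged_tag)


# --- Textbook RSA signature over the SHA-256 digest (illustrative only; no padding).
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512):
    """Returns (public, private) as (n, e), (n, d). Assumed toy key size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_sign(priv, msg):
    n, d = priv
    return pow(int.from_bytes(digest(msg), "big"), d, n)  # digest (256 bits) < n


def rsa_verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest(msg), "big")


def signature_gives_nonrepudiation(pub, priv):
    """Only the private-key holder can sign: the genuine signature verifies, it
    does not transfer to an altered message (integrity), and a verifier who
    holds only the public key cannot produce a valid signature for a forged one."""
    sig = rsa_sign(priv, MSG)
    genuine_ok = rsa_verify(pub, MSG, sig)
    transfers = rsa_verify(pub, FORGED, sig)
    n, e = pub
    naive_attempt = pow(int.from_bytes(digest(FORGED), "big"), e, n)  # public key only
    forged_ok = rsa_verify(pub, FORGED, naive_attempt)
    return genuine_ok and not transfers and not forged_ok


if __name__ == "__main__":
    shared = secrets.token_bytes(32)
    public, private = rsa_keygen()
    print("MAC forgeable by verifier:", mac_has_no_nonrepudiation(shared))
    print("Signature non-repudiable:", signature_gives_nonrepudiation(public, private))
```

The point to take away is structural rather than cryptographic strength: with a MAC, every party that can verify can also create, so a tag never binds a specific sender; with a signature, the verification key is public and the signing key is not, which is what lets a third party attribute the message to the signer.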

115
Q

Which of the following would be the BEST approach for a global enterprise that is subject to regulation by multiple governmental jurisdictions with differing requirements?

A.Bringing all locations into conformity with the aggregate requirements of all governmental jurisdictions
B.Bringing all locations into conformity with a generally accepted set of industry good practices
C.Establishing a baseline standard incorporating the requirements all jurisdictions have in common
D.Establishing baseline standards for all locations and add supplemental standards as required

A

D is the correct answer.

Justification
Forcing all locations to comply with the aggregate requirements of every jurisdiction places an undue burden on locations that are not subject to most of them.
Just using industry good practices may cause certain locations to fail regulatory compliance.
Seeking the lowest common denominator of requirements may cause certain locations to fail regulatory compliance.
It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements.

116
Q

Which of the following is MOST important to determine when defining risk management strategies?

A.Risk assessment criteria
B.IT architecture complexity
C.Enterprise disaster recovery plan
D.Business objectives and operations

A

D is the correct answer.

Justification
Information on the internal and external environments must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.
IT architecture complexity is more directly related to assessing risk than defining strategies.
An enterprise disaster recovery plan is more directly related to mitigating the risk.
While defining risk management strategies, the risk practitioner needs to analyze the enterprise’s objectives and risk tolerance and define a risk management framework based on this analysis. Some enterprises may accept known risk, while others may invest in and apply mitigating controls to reduce risk.

117
Q

The MOST effective method to conduct a risk assessment on an internal system in an enterprise is to start by understanding the:

A.performance metrics and indicators.
B.policies and standards.
C.recent audit findings and recommendations.
D.system and its subsystems.

A

D is the correct answer.

Justification
The person performing the risk assessment should already understand the performance metrics and indicators.
The person performing the risk assessment should already understand the policies and standards of the enterprise.
Recent audit findings and recommendations could be useful but are not as important as understanding the system.
To conduct a proper risk assessment, the risk practitioner must understand the system and subsystems, and how they work. This knowledge provides the basis for understanding how policies and standards are applied within the system and subsystems, and for understanding process-specific risk, existing interdependencies and performance indicators.

118
Q

A risk professional has been asked to determine which factors were responsible for a loss event. Which of the following methods should be used?

A.Key risk indicators
B.Cause-and-effect analysis
C.Business process modeling
D.Business impact analysis

A

B is the correct answer.

Justification
Key risk indicators are highly relevant and possess a high probability of predicting or indicating important risk. They are not used after a loss event occurs.
Cause-and-effect analysis is a predictive or diagnostic analytical tool used to explore the root causes or factors that contribute to positive or negative effects or outcomes. It can also be used to identify potential risk. A typical form is the fishbone diagram.
Business process modeling is not used for root cause analysis.
Business impact analysis is a process to determine the impact of losing the support of any resource and is not used for root cause analysis.

119
Q

Which of the following is the MOST important component when reporting the status of the IT control environment to management?

A.Amendments to the risk register
B.Lessons learned from loss events
C.Technical details on vulnerabilities
D.Risk profile of the enterprise

A

D is the correct answer.

Justification
Amendments to the risk register are important for a review but not as important as the risk profile.
Lessons learned from loss events are important but unless the actual risk is known, along with what corrective actions and risk responses were taken, communicating the lessons learned is not sufficient.
Technical details on vulnerabilities are usually not expected at the management level and, therefore, should not be communicated while reporting the status of IT risk to management.
The risk profile of the enterprise is the most important component compared to the other choices because it provides the overall portfolio of identified risk to which the enterprise is exposed. This is most important for management to know.

120
Q

When assessing the performance of a critical application server, the MOST reliable assessment results may be obtained from:

A.activation of native database auditing.
B.documentation of performance objectives.
C.continuous monitoring.
D.documentation of security modules.

A

C is the correct answer.

Justification
Native database audit logs are a good detective control but do not provide information about the application server performance.
Documentation of performance objectives is important but does not provide information about the application server performance.
With continuous monitoring it is possible to track key performance metrics and also possible to address critical issues with minimum impact.
Documentation of associated security modules may be helpful but does not provide information about the application server performance.

121
Q

Prior to releasing an operating system security patch into production, the MOST important practice is to have the patch:

A.applied simultaneously to all systems.
B.procured from an approved vendor.
C.tested in a preproduction test environment.
D.approved by business stakeholders.

A

C is the correct answer.

Justification
Although it is important to ensure that all devices are adequately patched in a timely fashion, patches should be released in phases to the related systems, starting with critical systems or the most vulnerable systems and then working down the priority chain.
Procuring patches from an approved vendor helps ensure the validity and the integrity of patches. However, there is still risk that the patches might not work in the environment.
When a change goes into production, the most important practice is to ensure that testing has been completed. In the case of a security patch, testing is essential because an untested security patch may cause serious business disruptions.
Having the business stakeholders sign off on the patch release to production is not required because most of the operating system patches are technical in nature and are released after due process by the operations team.

122
Q

Which indicator ensures that the enterprise’s risk is effectively treated?

A.An indicator that is used to define the control environment and measures toward tolerance
B.An indicator implemented to detect and signal the root cause of a risk event
C.An indicator used to define and monitor changes in the risk profile
D.An indicator used to define performance targets and measure progress toward goals

A

A is the correct answer.

Justification
Control indicators are used to determine the effectiveness of an enterprise’s controls designed to treat risk.
Leading indicators are used to detect the root cause of a risk event and to provide early warning if the achievement of a strategic goal would be in jeopardy.
Key risk indicators answer questions about the changes in the enterprise’s risk profile and if those changes are within the enterprise’s desired risk tolerance levels.
Key performance indicators enable the enterprise to define performance targets and monitor progress toward achieving those targets.

123
Q

Which of the following roles provides formal authorization of user access?

A.Database administrator
B.Data owner
C.Process owner
D.Data custodian

A

B is the correct answer.

Justification
The database administrator is responsible for overall database maintenance, support and performance and may grant access to data within the database once the data owner has approved the access request.
The data owner provides formal authorization to grant user access.
The process owner is responsible for a specific business process.
The data custodian is responsible for the safe custody, transport and storage of data, and for implementation of business rules, such as granting access to data, once the data owner has approved the access request.

124
Q

The BEST way to ensure that an information systems control is appropriate and effective is to verify that the:

A.control is operating as designed.
B.risk associated with the control is mitigated.
C.control has not been bypassed.
D.control logs are reviewed frequently.

A

B is the correct answer.

Justification
A control may be operating correctly but may not mitigate the risk it was designed to address. It is most important that the control reduce the risk it was designed to mitigate.
A control is designed to mitigate or reduce a risk. Even if the control is operating correctly, it is not the appropriate control if it does not address the risk it was designed to mitigate.
Even if the control has not been bypassed, it still may not effectively mitigate the associated risk.
A control must be checked periodically, but this does not ensure that it is the correct control to mitigate the risk.

125
Q

Risk treatment plans are necessary to describe how the:

A.identified risk is further analyzed.
B.chosen treatment options will be implemented.
C.accepted risk is treated.
D.risk indicators will monitor the risk.

A

B is the correct answer.

Justification
Risk treatment plans describe the plan of action for the chosen treatment and would not further analyze identified risk.
A risk treatment plan includes the plan of action for the chosen treatment, how it will be implemented, who will implement it, key dates and resource requirements.
Once the risk is accepted, a risk treatment plan is not needed.
Risk indicators are used to identify emerging risk and are not part of a risk treatment plan.

126
Q

Which of the following BEST helps identify information systems control deficiencies?

A.Gap analysis
B.The current IT risk profile
C.The IT controls framework
D.Countermeasure analysis

A

A is the correct answer.

Justification
Controls are deployed to achieve control objectives based on risk assessments and business requirements. The gap between desired control objectives and actual control design and operational effectiveness identifies control deficiencies in information systems.
Without knowing the gap between desired state and current state, one cannot identify control deficiencies relative to a desired state. The current IT risk profile does not expose this gap.
The IT controls framework is a generic document with no information on the desired future state of IS controls or the current state of the enterprise; therefore, it will not help identify IS control deficiencies.
Countermeasure analysis helps only in identifying deficiencies in countermeasures and not in the full set of primary controls.

127
Q

Data from which of the following would provide the risk practitioner the BEST information for investigating the root cause of a security incident?

A.Intrusion detection system
B.Intrusion prevention system
C.Configuration management system
D.Event management system

A

D is the correct answer.

Justification
An intrusion detection system logs only details specific to intrusions and does not provide a consolidated log view.
An intrusion prevention system logs only details specific to intrusions and does not provide a consolidated log view.
A configuration management system captures the attributes and relationships of configuration items and does not necessarily capture event data.
The event management system has the capability to merge logs from various systems and analyze entire data sets at once; therefore, it would provide the best source of information.

128
Q

Which of the following BEST helps while presenting the current risk profile to executive management and the board of directors?

A.Risk response dashboard
B.Emerging risk report
C.Risk register dashboard
D.Key risk indicators report

A

C is the correct answer.

Justification
Risk response is a component of the risk register and would not present a complete picture to executive management.
An emerging risk report would not be included as part of a presentation to executive management and the board of directors.
A risk register dashboard would provide a comprehensive overview of the risk profile of the enterprise.
A key risk indicators report is only one component of the risk register dashboard.

129
Q

Which of the following is of MOST concern to the risk practitioner regarding applications running in production?

A.Unpatched vulnerabilities
B.Backdoors
C.Unskilled resources
D.Informal system development life cycle

A

B is the correct answer.

Justification
Unpatched vulnerabilities do not apply to applications.
Attackers can use backdoors to bypass authorized access control in applications; therefore, backdoors would be of most concern to the risk practitioner.
Unskilled resources would be a concern; however, they do not present an immediate concern relative to the risk posed by backdoors.
An informal system development life cycle would be a concern; however, it would not present an immediate concern relative to the risk posed by backdoors.

130
Q

Which of the following is the BEST reason for an enterprise to decide not to reduce an identified risk?

A.There is no regulatory requirement to reduce the risk.
B.There are mitigating controls in place.
C.The cost of mitigation exceeds the risk.
D.The budget for risk mitigation is limited.

A

C is the correct answer.

Justification
Regulatory requirements are not the only risk factors affecting an enterprise’s decision to reduce risk; other factors may include reputational damage, financial repercussions and other costs.
The residual risk after existing mitigating controls may still be above acceptable levels. In this case, further risk reduction would be needed.
Enterprises will accept the risk when the cost of mitigation exceeds the risk.
Enterprises may choose to reduce a risk even when the budget is exceeded, such as when the cost of reducing the risk is lower than the risk.

131
Q

An internal assessment reveals that servers log only a couple dozen hardcoded individual transactions. The set of logged transactions does not meet regulatory requirements. The assessment also establishes that log entries are stored according to the first in, first out (FIFO) principle. Most files recycle in less than 24 hours. What is the MOST financially damaging vulnerability associated with the current logging practice?

A.The log data stored recycles in less than 24 hours.
B.The log files are stored on the originating servers.
C.Transactions required by regulation may not be tracked.
D.Transactions being logged are hardcoded.

A

C is the correct answer.

Justification
Recycling logs in less than 24 hours can jeopardize root cause analysis but is generally not as damaging financially as failing to track regulation-related transactions properly.
Backing up log files to the same server can have a significant impact. In the event of an incident, log files may be compromised. Additionally, privileged accounts can make changes and modify logged data. However, this practice is generally not as damaging financially as failing to track regulation-related transactions properly.
The enterprise may be fined for failing to track regulation-related transactions properly.
The scope of logged transactions is limited because only transactions explicitly defined for inclusion will be captured. Thus the majority of transactions are executed without leaving an audit trail.

132
Q

Which of the following BEST ensures that identified risk remains at an acceptable level?

A.Reviewing controls periodically, according to the risk treatment plan
B.Listing each risk as a separate entry in the risk register
C.Creating a separate risk register for every department
D.Maintaining a key risk indicator for assets in the risk register

A

A is the correct answer.

Justification
Controls deployed according to the risk treatment plan should provide the desired results, because the risk treatment plan is based on management’s acceptance of residual risk and management’s approval of deployment steps in the plan.
Listing each risk as a separate entry in the risk register may help in better evaluating the risk, but the register in itself does not ensure risk management of identified risk at a reasonable level.
Creating a separate risk register for every department may help inform development of better risk assessment exercises, but separation of registers does not necessarily ensure risk management of identified risk at a reasonable level.
Maintaining a key risk indicator for assets in the risk register may improve the overall risk management cycle, but the register in itself does not ensure that the management of identified risk has been performed according to the risk action plan.

133
Q

Which of the following roles is accountable for a risk treatment plan?

A.Business manager
B.Senior management
C.Risk owner
D.Control owner

A

C is the correct answer.

Justification
A business manager can be accountable only if the manager is the risk owner.
Senior management can be accountable only if senior management is the risk owner.
The risk owner is responsible for a risk treatment plan.
The control owner can be accountable only if the control owner is the risk owner.

134
Q

Which of the following will have the MOST significant impact on standard information security governance models?

A.Number of employees and consulting staff
B.Cultural differences between physical locations
C.Complexity of the organizational structure
D.Uncertainty in legislative requirements

A

C is the correct answer.

Justification
The number of employees has less impact on information security governance models because well-defined process, technology and personnel components combine to provide proper governance.
Cultural disparities between different physical locations have less impact on information security governance models because well-defined process, technology and personnel components combine to provide proper governance.
Information security governance models are highly dependent on the complexity of the organizational structure. Elements that affect organizational structure include multiple business units, dispersion of multiple functions across the organization, multiple leadership hierarchies and multiple lines of communication.
Uncertainty with respect to legislative requirements should not have a major impact once good governance models are in place; governance will help in effective management of the organization’s ongoing compliance because mechanisms will be in place to address these evolving requirements.

135
Q

Senior management will MOST likely have the highest tolerance for moving which of the following to a public cloud?

A.Credit-card processing
B.Research and development
C.The legacy financial system
D.The corporate email system

A

D is the correct answer.

Justification
Credit-card processing can be eligible for public cloud computing, but in comparison to an email system, enforcing security requirements may be more challenging.
Research and development generally involves confidential, proprietary information and is less likely to be outsourced to a cloud environment than email.
The legacy financial system not only contains sensitive financial information, but also will most likely be more complex to outsource than an email system.
Consideration for moving processes and information to the cloud (public or hybrid) should include, among other factors, the criticality, complexity and classification of the data supported by the process. Of the options offered, the corporate email system has the least competitive distinction, complexity, and sensitive/highly classified information.

136
Q

During a risk assessment of a start-up enterprise with a bring your own device (BYOD) practice, a risk practitioner notes that the database administrator (DBA) minimizes a social media website on his/her personal device before running a query of credit card account numbers on a third-party cloud application. The risk practitioner should recommend that the enterprise:

A.develop and deploy an acceptable use policy for BYOD.
B.place a virtualized desktop on each mobile device.
C.blacklist social media websites for devices inside the demilitarized zone.
D.provide the DBA with user awareness training.

A

B is the correct answer.

Justification
Although it is necessary to have a bring your own device (BYOD) policy before allowing personal devices to attach to a company network, it is not a preventive control but rather a managerial control.
If the BYOD can access the network only via a virtualized desktop client, no data will be stored on the device and all the commands entered through the device will actually be executed and stored within the enterprise’s demilitarized zone (DMZ), network or servers. With this type of mobile/enterprise architecture, users can be allowed to access the corporate network/data from a personal device and still be compliant with the enterprise’s acceptable use policy.
Blacklisting social media websites or any other application within the DMZ generally does not extend to a personal device attached to the network. It should be noted, however, that there are emerging technologies that can specifically blacklist or whitelist applications on mobile devices.
Although every security policy should be accompanied by some level of user awareness training, simply making the database administrator aware of potential dangers of using a social media website and corporate applications simultaneously is not the most effective control.

137
Q

A healthcare enterprise has implemented role-based access controls for its users on systems that manage patient data. Which of the following statements BEST describes how the control reduces risk to the enterprise?

A.The control reduces the probability and impact of an insider attack event.
B.The control reduces the impact of reputation damage in the event of a successful breach.
C.The control reduces the probability and impact of an outsider attack event.
D.The control reduces the probability that a sensitive report will be delivered to the wrong recipient.

A

A is the correct answer.

Justification
Role-based access controls address the amount of sensitive data available to users (thereby minimizing impact) and the number of attack vectors (thereby lowering probability).
The control is not designed to reduce risk after a breach.
The control is not designed to reduce risk events related to an outsider attack.
Although the control might reduce the impact of an accidental-disclosure event, it does not reduce the probability.

138
Q

Which of the following approaches to corporate policy BEST supports an enterprise’s expansion to other regions, where different local laws apply?

A.A global policy without provisions that might be disputed at local levels
B.A global policy amended to comply with local laws
C.A global policy that complies with laws at enterprise headquarters
D.Local policies to accommodate laws within each region

A

B is the correct answer.

Justification
Having one global policy that attempts to address local requirements for all locales is nearly impossible and generally cost prohibitive.
A global policy including local amendments ensures alignment with local laws and regulations.
Policies tailored exclusively to laws governing the enterprise headquarters, without providing for local laws and regulations, will expose the enterprise to risk of legal action and political and reputational loss.
Decentralized local policies for each region require the enterprise to maintain and test documentation and processes separately for each region. This approach can become extremely expensive and may fail to leverage common practices entailed in a global policy that is amended locally.

139
Q

What is a PRIMARY advantage of performing a risk assessment on a consistent basis?

A.It lowers the costs of assessing risk.
B.It provides evidence of threats.
C.It indicates trends in the risk profile.
D.It eliminates the need for periodic audits.

A

C is the correct answer.

Justification
There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not a primary benefit.
A risk assessment provides evidence of risk; however, it is not intended to provide evidence of threats.
Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place.
The performance of risk assessment on a consistent basis does not preclude the requirement to perform periodic independent audits.

140
Q

Which of the following is MOST useful when computing annual loss exposure?

A.The cost of existing controls
B.The number of vulnerabilities
C.The net present value of the asset
D.The business value of the asset

A

D is the correct answer.

Justification
The cost of existing controls is not taken into consideration when calculating the annual loss exposure.
The number of vulnerabilities does not help determine the annual loss exposure.
Net present value is based on asset depreciation value and is a difficult basis for calculating annual loss exposure because it may not reflect the true risk associated with the asset.
Annual loss exposure is a function of the value of the information asset and the impact if a given potential risk should materialize. Annual loss exposure should be identified primarily to determine exposure associated with other answer choices in the question stem.

141
Q

The MAIN objective of IT risk management is to:

A.prevent loss of IT assets.
B.provide timely management reports.
C.ensure regulatory compliance.
D.enable risk-aware business decisions.

A

D is the correct answer.

Justification
Protecting IT assets in support of business objectives is a subordinate goal of IT risk management.
IT risk management can add value to reports; for example, it helps to document measurable return on IT investment. However, reporting and timeliness are subordinate goals of IT risk management.
Meeting regulatory compliance requirements is one of the objectives in an IT risk management framework.
IT risk management should be conducted as part of enterprise-wide risk management, whose ultimate objective is to support risk-aware business decisions.

142
Q

The GREATEST risk posed by an absence of strategic planning is:

A.increase in the number of licensing violations.
B.increase in the number of obsolete systems.
C.improper oversight of IT investment.
D.unresolved current and past problems.

A

C is the correct answer.

Justification
Licensing violations can lead to fines and penalties from software companies; however, absence of strategic planning does not necessarily entail an increase in licensing violations.
The number of obsolete systems can increase if strategic planning lapses; however, improper or negligent oversight of IT investment is the more fundamental direct risk, as investment informs the execution of future strategy and ensures that new systems align with business objectives.
Improper oversight of IT investment is the greatest risk. Without proper oversight from management, IT investment may fail to align with business strategy, and IT expenditures may not support business objectives.
Strategic planning is future-oriented, whereas unresolved current and past problems are tactical in nature.

143
Q

Which of the following items is MOST important to consider in relation to a risk profile?

A.A summary of regional loss events
B.Aggregated risk to the enterprise
C.A description of critical risk
D.An analysis of historical loss events

A

B is the correct answer.

Justification
The risk profile will consider regional loss events that could affect the enterprise in roughly equal measure with systemic and other risk.
The risk profile is based on the aggregated risk to the enterprise, including historical risk, critical risk and emerging risk.
The risk profile will consider all risk, not just critical risk.
Analysis of historical loss events can assist in business continuity planning and risk assessment but cannot substantively inform the risk profile.

144
Q

The GREATEST benefit of performing a periodic disaster recovery site exercise is to ensure:

A.the continued suitability of the contingency facilities.
B.the continued availability of data sent from the primary site.
C.that the correct equipment is at the contingency facilities.
D.that security measures at recovery sites are the same as the primary site.

A

A is the correct answer.

Justification
The greatest benefit is continued suitability of the contingency facilities because if the facility itself is not suitable, then even with data and personnel resources, the disaster recovery plan will not work.
Simply having data available at an alternate site is not the reason for periodic testing because data alone will not help in disaster recovery.
Ensuring that the correct equipment is at the recovery site is a subset of site suitability requirements.
Testing security measures at recovery sites is a subset of site suitability requirements.

145
Q

A risk practitioner has collected several IT-related key risk indicators related to the core financial application. These would MOST likely be reported to:

A.key stakeholders.
B.the IT administrator group.
C.the finance department.
D.IT management.

A

D is the correct answer.

Justification
Key stakeholders are a broad group of internal and external individuals and entities that are affected by a specific process. While some stakeholders may need to know about relevant key risk indicators (KRIs), it may not be appropriate to share such information with other stakeholders.
The IT administrator group is not a key target for sharing IT-related KRIs. KRIs generally are shared with those who make risk response decisions or who are accountable for the execution of risk responses.
The finance department is not a key target for sharing IT-related KRIs for the financial application. KRIs generally are shared with those who make risk response decisions or who are accountable for the execution of risk responses.
IT management is a key target group for sharing IT-related KRIs for the financial application because it makes decisions related to risk response.

146
Q

A procurement employee notices that new printer models offered by the vendor keep a copy of all printed documents on an internal hard disk. Considering the risk of unintentionally disclosing confidential data, the employee should:

A.proceed with the order and configure printers to automatically wipe all data on disks after each print job.
B.notify the security manager to conduct a risk assessment for the new equipment.
C.seek another vendor that offers printers without built-in hard disk drives.
D.procure printers with built-in hard disks and notify staff to wipe hard disks when decommissioning the printer.

A

B is the correct answer.

Justification
Wiping hard disks after each job is not appropriate without a prior risk assessment. The data may be useful for forensic investigation; furthermore, the consumption of processing resources may affect printer performance.
Risk assessment is most appropriate because it yields risk mitigation techniques that are appropriate for enterprise risk context and appetite.
Focusing solely on risk and ignoring opportunity is inappropriate. A risk associated with nonvolatile storage is not a sufficient reason for changing vendors. Default archiving of copies to the internal disk may be a general industry trend with printers; furthermore, it may bring business benefits in addition to the risk, which should be evaluated.
Notifying staff is not a sufficient control and does not mitigate risk associated with printers serviced by an external party.

147
Q

The IT department wants to use a server for an enterprise database, but the hardware is not certified by its manufacturer for the intended operating system or database software. A risk practitioner determines that introducing the hardware presents:

A.a minimal level of risk.
B.an unknown level of risk.
C.a medium level of risk.
D.a high level of risk.

A

B is the correct answer.

Justification
Although most personal computers and servers feature standard interfaces (e.g., universal serial bus [USB] ports, SATA and HDMI), the internal architecture and basic input/output system (BIOS) calls of all PCs and servers differ from vendor to vendor. Unless the hardware is certified to work with at least the operating system (OS)—and ideally both the OS and the database—support can be very difficult to manage and will not represent a minimal level of risk.
Because the hardware is not certified by its manufacturer to work without major issues using the OS or the database software, the risk is unknown. An enterprise database is a critical application and the unknown risk should not be approved.
Using uncertified hardware for an enterprise database system is an unknown risk; it is usually such a high risk that no enterprise would deploy uncertified hardware. Costs for downtime and support are almost always higher in the long term than the purchase price of the hardware.
The database vendor typically supports different OSs, while the OS vendor usually supports hardware or its vendor. Because database vendors do not support hardware directly, the risk level (strictly defined) remains unknown.

148
Q

Which of the following is the BEST indicator of an effective information risk management program?

A.The security policy is made widely available.
B.Risk is considered before all decisions.
C.Security procedures are updated annually.
D.Risk assessments occur on an annual basis.

A

B is the correct answer.

Justification
Making the security policy widely available will facilitate its success but is not as critical to information risk management as ensuring that business decisions are informed by consideration of risk.
Defining information risk in advance of business decisions best ensures that risk tolerance remains at approved levels.
Updating security procedures is necessary only if policy changes.
Ensuring that risk assessments occur annually will facilitate effective risk management, but is not as critical as making risk-based business decisions.