Sample Exam 3 Flashcards

1
Q

Which of the following system development life cycle stages is MOST suitable for incorporating internal controls?

A.Development
B.Testing
C.Implementation
D.Design

A

D is the correct answer.

Justification
Internal control requirements should be incorporated during development; however, unless the team already started incorporating internal controls during the preceding design phase, the project may incur a rework cost, and the incorporation effort will likely affect project deliverables, project cost and the project time line.
Incorporating internal control requirements as late as the testing stage is likely to adversely affect project deliverables, project cost and the project time line.
Incorporating internal control requirements as late as the implementation stage is too late and may pose significant risk to the enterprise.
Internal controls should be incorporated in the new system development at the earliest stage possible (i.e., at the design stage).

2
Q

Which of the following is the MOST important information to include in a risk treatment plan that already has an appropriate resolution and a date for completion?

A.responsible personnel.
B.mitigating factors.
C.likelihood of occurrence.
D.cost of completion.

A

A is the correct answer.

Justification
Risk response activities must be assigned to a responsible person or group; if this assignment is not included, it will be unclear who will implement the countermeasure.
Mitigating factors can be included but are not as important as responsible personnel.
Compensating controls can be included but are not as important as responsible personnel.
Cost for completion is an optional field and is not necessary.

3
Q

Which of the following assessments of an enterprise’s risk monitoring process will provide the BEST information about its alignment with industry-leading practices?

A.A capability assessment by an outside firm
B.A self-assessment of capabilities
C.An independent benchmark of capabilities
D.An internal audit review of capabilities

A

C is the correct answer.

Justification
A capability assessment by an outside firm does not assess the enterprise against industry peers or competitors and only provides the opinion of the examiner as to what are or are not industry-leading practices.
A process capability self-assessment does not assess the enterprise against industry peers or competitors. It provides the opinion of the examiner and in the case of a self-assessment is not independent of the process to be reviewed.
An independent benchmark of capabilities allows an enterprise to understand its level of capability compared to other enterprises within its industry. This allows the enterprise to identify industry-leading practices and its level of capability associated with those practices.
An internal audit review of capabilities does not assess the enterprise against industry peers or competitors. Audits generally measure capabilities against corporate standards, not necessarily against industry-leading practices.

4
Q

Which of the following activities is MOST important in determining the risk mitigation strategy?

A.Review vulnerability assessment results.
B.Perform a cost-benefit analysis related to risk acceptance.
C.Conduct a business impact analysis of affected areas.
D.Align the strategy with the security controls framework.

A

B is the correct answer.

Justification
Results from a vulnerability assessment are used in a risk assessment to determine the level of risk but are not used in the selection of a mitigation strategy.
Risk mitigation ensures that residual risk is maintained at an acceptable level. Cost-benefit analysis ensures that the cost of mitigating risk does not exceed the cost to the enterprise if an incident should occur.
Business impact analysis facilitates development of mitigation and recovery strategy because it documents processes, key deliverables and recovery time objectives. However, the cost of mitigation is the key criterion for the enterprise.
Understanding the enterprise’s security controls framework assists with design and implementation of controls once the mitigation strategy is determined for a given risk.

5
Q

Which of the following would BEST help finalize the risk treatment plan?

A.Vulnerability analysis
B.Impact analysis
C.Cost-benefit analysis
D.SWOT analysis

A

C is the correct answer.

Justification
A vulnerability analysis provides insight into which risk to treat but is not useful when evaluating risk treatment options.
Impact analysis is a part of the risk assessment but on its own would not help finalize a risk treatment plan.
A cost-benefit analysis helps determine if the benefit of a control outweighs the cost of implementing the control.
A SWOT (strengths, weaknesses, opportunities and threats) analysis can be helpful, but the results must be translated in terms of risk, including costs and benefits, to be useful.

6
Q

Which of the following issues would be of MOST concern to the board of directors when assessing a company’s risk management capability?

A.The third line of defense is acting independently of the other lines.
B.The second line of defense is checking and challenging the first line.
C.Internal audit is preparing the risk management strategy.
D.Each line of defense is conducting its own planning independently.

A

D is the correct answer.

Justification
It is expected that the third line of defense would act independently of the other lines.
Checking and challenging the first line of defense is one of the roles of the second line and would not represent a concern.
Preparing the risk management strategy is an expected internal audit activity and should not be a concern.
Joint planning across the three lines of defense is key to achieving an effective risk management capability. If each line is planning independently, it is an indicator that the lines of defense are not working as expected.

7
Q

A key objective when monitoring information systems control effectiveness against the enterprise’s external requirements is to:

A.design the applicable information security controls for external audits.
B.create the enterprise’s information security policy provisions for third parties.
C.ensure that the enterprise’s legal obligations have been satisfied.
D.identify those legal obligations that apply to the enterprise’s security practices.

A

C is the correct answer.

Justification
Control design occurs in the risk treatment phase instead of in the monitoring phase.
Creating the information security policy should occur well in advance of control monitoring.
Legal obligations are one of the principal external requirements that necessitate compliance monitoring.
The identification of the legal obligations should occur before risk treatment, so that the proper controls may be designed.

8
Q

What is the PRIMARY reason that an enterprise would establish segregation of duties controls?

A.To restrict users to the minimum level of access required to perform their jobs
B.To ensure that any sensitive financial transactions cannot violate corporate policy
C.To restrict users to working on systems that reflect their areas of expertise
D.To prevent errors or fraudulent activity on high-risk transactions

A

D is the correct answer.

Justification
Limiting access to the minimum level needed to perform a job function (least privilege) is not the reason for segregation of duties (SoD). It also does not necessarily deliver a SoD outcome. If an enterprise permits the same person to officially hold several roles that should have been segregated, application of least privilege will legitimately assign that person all the access needed to perform all the assigned roles.
Even with SoD, a violation can take place. SoD just makes it harder to breach policy without collusion.
Restricting users to the limits of their expertise is likely a good idea in terms of productivity and error reduction, but SoD focuses on making it necessary for more than one person to participate in completing a specific business process or transaction, which may involve only one system.
It is considerably more difficult for fraudulent activities to be arranged and to go undetected over a long-term period when more than one person is involved. Enterprises establish SoD for precisely that reason, ensuring that any fraudulent activities that do occur require collusion, which decreases the likelihood of occurrence and increases the likelihood of detection.

9
Q

Which of the following BEST ensures that identified risk remains at an acceptable level?

A.Reviewing controls periodically, according to the risk treatment plan
B.Listing each risk as a separate entry in the risk register
C.Creating a separate risk register for every department
D.Maintaining a key risk indicator for assets in the risk register

A

A is the correct answer.

Justification
Controls deployed according to the risk treatment plan should provide the desired results, because the risk treatment plan is based on management’s acceptance of residual risk and management’s approval of deployment steps in the plan.
Listing each risk as a separate entry in the risk register may help in better evaluating the risk, but the register in itself does not ensure risk management of identified risk at a reasonable level.
Creating a separate risk register for every department may help inform development of better risk assessment exercises, but separation of registers does not necessarily ensure risk management of identified risk at a reasonable level.
Maintaining a key risk indicator for assets in the risk register may improve the overall risk management cycle, but the register in itself does not ensure that the management of identified risk has been performed according to the risk action plan.

10
Q

What is the BEST method to validate the effectiveness of an enterprise’s patching program?

A.Conduct penetration testing.
B.Conduct a risk identification initiative.
C.Carry out vulnerability scans.
D.Review the requests for change.

A

C is the correct answer.

Justification
Penetration testing is not the most effective way of validating the effectiveness of an enterprise patching program as it could elevate risk on production systems.
A risk identification initiative will identify new and emerging risk but will not reveal information about the effectiveness of a patching control.
Performing vulnerability scans will enable the IT risk practitioner to determine if patches are being installed on a timely basis.
Requests for change are a valid input. However, requests for change do not mean a patch is applied and do not identify new vulnerabilities.

11
Q

Which of the following statements is a risk scenario?

A.The password for the configuration of the tape backup system is set to the vendor default.
B.A program that processes records does not include data input validation.
C.Dedicated capacity for processing on an enterprise system exceeds projected maximum usage, resulting in wasted infrastructure resources.
D.Attackers develop a new piece of malware based on a known, but patched, vulnerability.

A

C is the correct answer.

Justification
If the password to configure a tape backup system is set to its vendor default, the password reflects the state of a technology control. Its state is not an event that could result in a loss.
A program that processes records without data input validation presents a vulnerability. It is not an event that could result in a loss.
Dedicated processing capacity that exceeds projected maximum usage and therefore results in wasted infrastructure resources constitutes potential loss.
If attackers develop a new piece of malware based on a known, but patched, vulnerability, their actions constitute a threat, but not a valid risk, because the vulnerability has already been patched.

12
Q

After a laptop has been identified as lost or stolen, which of the following BEST mitigates the risk of unauthorized access to the information on the device?

A.Remote wipe capabilities
B.Encryption
C.Data classification policy
D.Application download restrictions

A

B is the correct answer.

Justification
The ability to remote-wipe the corporate information from the laptop would help mitigate the risk if done in a timely manner once the device is identified as lost or stolen. However, remote wipe on its own may not be reliable because an attacker may power off the device to prevent it from receiving a remote wipe signal.
Encryption of the laptop would best protect against risk impacting the confidentiality and integrity of the information residing on the device.
A data classification policy would not mitigate the risk of unauthorized access to information on a lost or stolen laptop.
Application download restrictions, while addressing other risk (such as malware), would not directly mitigate the risk associated with loss or theft.

13
Q

Which of the following activities should a risk professional perform to determine whether firewall deployments are deviating from the enterprise’s information security policy?

A.Review the firewall parameter settings.
B.Review the firewall intrusion prevention system logs.
C.Review the firewall hardening procedures.
D.Analyze the firewall log file for recent attacks.

A

A is the correct answer.

Justification
Firewall parameter settings will tie in with the configurations linked to the governing security policy. If the parameter settings differ from what policy states or requires, then there is a deviation.
Reviewing the intrusion protection system logs may point out, to some extent, which packets were not blocked at the firewall level. To determine whether the firewall is compliant with the enterprise’s security policy, one has to review the parameters—such as firewall rules for traffic management, connectivity and firewall configurations.
Reviewing firewall hardening procedures will help a risk professional understand what was expected for security of the firewall, and a review of the actual firewall settings is necessary to establish whether the deployments deviate from the enterprise’s security policy.
There can be attacks on the firewall for which the enterprise may not have formally defined rules in the security policy; analyzing firewall logs for recent attacks does not imply that a firewall policy deviation is present.

14
Q

Which of the following would create the GREATEST benefit for an enterprise deploying new IT infrastructure processing personal data?

A.Privacy by design
B.Privacy notices
C.Data encryption
D.Data classification

A

A is the correct answer.

Justification
Privacy by design embeds privacy within the IT infrastructure life cycle.
Privacy notices are informational and will not impact the new IT infrastructure deployment.
Data encryption is relevant and provides some benefit. However, privacy by design embeds privacy principles throughout the whole IT infrastructure life cycle.
Data classification is limited to the data component within the IT infrastructure, whereas privacy by design impacts the entire IT infrastructure life cycle.

15
Q

Testing compliance of a response and recovery plan should begin by conducting a:

A.tabletop exercise.
B.review of archived logs.
C.penetration test.
D.business impact analysis.

A

A is the correct answer.

Justification
Tabletop exercises simulate incidents to test the response capability of an enterprise. The exercise involves scenarios that require a coordinated response to realistic incidents developing in real time. Participants gather to formulate responses to each development. Tabletop exercises are used extensively by police, fire and emergency medical services to gather key personnel who practice response and recovery in the context of simulated incidents likely within a given jurisdiction.
Logs provide a way to trace the activities performed during the vulnerability assessment.
Penetration tests highlight specific weaknesses; although these tests generally are very controlled, they do not provide the depth and breadth of a tabletop exercise.
A business impact analysis provides input to the response and recovery plan at a given point in time and reflects the viewpoint of business owners. It should be used as the basis for building test scripts to validate compliance, but in and of itself, it is not a testing tool.

16
Q

A lack of adequate controls represents:

A.a vulnerability.
B.an impact.
C.an asset.
D.a threat.

A

A is the correct answer.

Justification
Lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack, or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc.
Impact is the measure of financial loss incurred by a threat or incident.
Assets have tangible or intangible value worth protecting and include people, systems, infrastructure, finances and reputation.
A threat is a potential cause of a security incident.

17
Q

Which of the following BEST describes the objective of a business impact analysis?

A.The identification of threats, risk and vulnerabilities that can adversely affect the enterprise
B.The development of procedures for initial response and stabilization during an emergency
C.The identification of time-sensitive critical business functions and interdependencies
D.The development of communication procedures in case of a crisis

A

C is the correct answer.

Justification
The identification of threats, risk and vulnerabilities is the objective of risk identification and analysis.
The development of procedures for initial response and stabilization during an emergency is a key output of preparedness and response planning.
Identification of time-sensitive critical business functions and interdependencies is a deliverable of the business impact analysis (BIA); the BIA includes metrics like recovery-time objectives and recovery-point objectives.
Communication procedures are beneficial to every business process, including crisis management; however, they are not the main deliverable of the BIA and relate more closely to business continuity and disaster recovery planning.

18
Q

Which of the following principles of information security is of the GREATEST concern to a social media outlet for political or news-related content?

A.Integrity
B.Confidentiality
C.Availability
D.Nonrepudiation

A

C is the correct answer.

Justification
An integrity problem will not have the immediate and widespread effect of an availability problem. Integrity is usually the responsibility of the social media user.
Confidentiality is the responsibility of the user, and at the user’s discretion.
For a social media outlet, availability is of the greatest concern because integrity, confidentiality and nonrepudiation are not the greatest concerns of social media outlet customers.
Nonrepudiation is a concern in social media because a user can create a profile claiming to be someone else. However, this is the responsibility of social media users.

19
Q

Which of the following is MOST important for effective risk management?

A.Assignment of risk owners to identified risk
B.Ensuring compliance with regulatory requirements
C.Integration of risk management into operational processes
D.Implementation of a risk avoidance strategy

A

A is the correct answer.

Justification
It is of utmost importance to assign risk to individual owners and therein maximize accountability.
Regulatory compliance is a relatively small part of risk management.
Risk management should be integrated into strategic, tactical and operational processes of an enterprise.
Risk avoidance is not always feasible in a business environment.

20
Q

Which of the following choices poses the MOST significant threat to a project?

A.A lack of feedback upon project completion
B.A lack of unit testing
C.Missed opportunities from lessons learned
D.Misunderstanding the requirements

A

D is the correct answer.

Justification
Post-completion feedback is useful for documenting lessons learned and improving future projects, but it does not affect the success of the project to which the feedback relates.
Unit testing eliminates flaws in a project’s deliverables before they are presented as final, but the more fundamental threat posed by misunderstanding requirements is not addressed in unit testing.
Lessons learned can help make future projects more effective. However, lessons that fall short of causing a project to fail are not as significant as misunderstanding original requirements, which can result in delivery of outcomes that fail to meet business objectives.
Projects exist to deliver specific outcomes, as stated in requirements. If requirements are misunderstood, a project can be successful in terms of its internal criteria, scheduling and budget, yet result in a business failure because the project will not have delivered business value.

21
Q

During the initial phase of the system development life cycle, the risk professional provided input on how to secure the proposed system. The project team prepared a list of requirements for use in designing the system. Which of the following tasks MUST be accomplished before moving on to the system design phase?

A.The risk associated with the proposed system and controls is accepted by management.
B.Various test scenarios that will be used to test the controls are documented.
C.The project budget is increased to include additional costs for security.
D.Equipment and software are procured to meet the security requirements.

A

A is the correct answer.

Justification
The risk acceptance decision is made by senior management. Before moving further into the project, it is important to have sign-off that management acknowledges and accepts the risk that is associated with this project. If management does not accept the risk, then there is no point in proceeding any further.
As risk is being identified, it is good to begin developing scenarios to test the system against that risk, but this is not a critical step before moving into the design phase.
At the end of each phase, a go/no-go decision should be made by management based on project feasibility and risk. However, it may not be necessary to revise the budget at this time.
It is too early in the process to begin the procurement of system components.

22
Q

Which of the following MOST effectively ensures that service provider controls are within the guidelines set forth in the enterprise’s information security policy?

A.Service level monitoring
B.Penetration testing
C.Security awareness training
D.Periodic auditing

A

D is the correct answer.

Justification
Service level monitoring helps pinpoint the service provider’s operational issues but is not designed to ensure compliance.
Penetration testing helps identify system vulnerabilities but is not designed to ensure compliance.
Security awareness training is a preventive measure to increase user awareness of the information security policy but is not designed to ensure compliance.
Periodic audits help ensure compliance with the enterprise’s information security policy.

23
Q

What is the FIRST step for a risk practitioner when an enterprise has decided to outsource all IT services and support to a third party?

A.Validate that the internal systems of the service provider are secure.
B.Enforce the regulations and standards associated with outsourcing data management for restrictions on transborder data flow.
C.Ensure that security requirements are addressed in all contracts and agreements.
D.Build a business case to perform an on-site audit of the third-party vendor.

A

C is the correct answer.

Justification
A risk practitioner will rarely have access to validate the security of a third party, and must seek other assurances from an external audit or other standards.
A risk practitioner can advise on risk associated with outsourcing and regulations but cannot enforce such rules.
A contract only covers the topics listed in the contract. If security is not explicitly included in the contract terms, the enterprise may not be properly protected.
Even though IT management has been outsourced, the enterprise that outsourced the service function remains responsible for protecting its data.

24
Q

Which of the following information systems controls is the BEST way to detect malware?

A.Reviewing changes to file size
B.Reviewing administrative-level changes
C.Reviewing audit logs
D.Reviewing incident logs

A

A is the correct answer.

Justification
One method to detect malware is to compare current executables and files with historical sizes and time stamps.
Administrative-level changes will not detect the presence of malware. They will provide a trigger to investigate depending on the number of administrative-level changes.
Audit logs do not hold data at a granular enough level to enable malware discovery.
Incident logs are used to identify a root cause that contributed to the introduction of malware.

25
Q

Which of the following BEST enables a peer review of an enterprise’s risk management process?

A.A balanced scorecard
B.An industry survey
C.A capability maturity model
D.A framework

A

C is the correct answer.

Justification
A balanced scorecard is a coherent set of performance measures organized into four categories that include traditional financial measures, customer processes, internal business processes and learning and growth perspectives.
An industry survey does provide a view of current practices; however, because survey results are generally presented in an aggregated manner, they do not enable a peer review of an enterprise’s risk management process.
A capability maturity model describes essential elements and criteria for effective processes for one or more disciplines. It also outlines an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
A framework is a set of concepts, assumptions and practices that define how a given discipline or function can be approached or understood; relationships among its various components; roles of those involved; and conceptual and organizational boundaries.

26
Q

The marketing department procures a third-party application for global enterprise use. During assessment of the application, it is discovered that it poses some risk to data privacy regulations (i.e., violates or does not address data transfer and data privacy requirements as regulated) within certain regions where the enterprise operates. If the third-party application is implemented globally, which of the following roles will be responsible for the risk it poses to the business?

A.The marketing department
B.The IT department
C.The data privacy officer
D.The chief risk officer

A

B is the correct answer.

Justification
The marketing department, which is the business owner of the application, will be accountable for the risk and for ensuring that the application is in compliance with the IT policy for the implementation of new tools and applications within the infrastructure.
The IT department is responsible for the risk posed by this application. The IT department has a policy in place that states that no tool or application can be implemented within the production infrastructure without a risk assessment and mitigation of all risk to an acceptable level. According to ISACA’s COBIT 5 framework, responsibility rests with those who must ensure that the activities are completed successfully.
The data privacy officer will support, in an advisory role, the controls that will be implemented to address and mitigate the data transfer and data privacy requirements.
The chief risk officer will support, in an advisory role, the controls that will be implemented to address and mitigate the data transfer and data privacy requirements.

27
Q

The FIRST step in identifying and assessing IT risk is to:

A.confirm the risk tolerance level of the enterprise.
B.identify threats and vulnerabilities.
C.gather information on the current and future environment.
D.review past incident reports and response activity.

A

C is the correct answer.

Justification
A risk practitioner must understand the risk appetite of senior management and the associated risk tolerance level. However, risk tolerance primarily informs risk response and does not facilitate risk identification and assessment.
Identification of relevant threats and vulnerabilities is important but must be supplemented by consideration of pending changes to the enterprise’s environment; anticipated changes may widen or narrow the scope of relevance.
The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise’s environment (scope, technology, incidents, modifications, etc.).
While the review of past incident reports may be an input for the identification and assessment of IT risk, focusing on these factors is not adequate.

28
Q

An enterprise implements lagging key risk indicators in order to:

A.gather data to report to management.
B.predict an approaching risk event.
C.proactively monitor the current state of the risk profile.
D.conduct forecasting for the risk event.

A

A is the correct answer.

Justification
Lagging, or backward-looking, key risk indicators (KRIs) can be used to report data to management.
Leading, or forward-looking, KRIs can predict risk events, not lagging KRIs.
Leading KRIs are used to proactively monitor and control the current state of the risk profile, not lagging KRIs.
Leading KRIs can provide future-looking data for forecasting of risk events, not lagging KRIs.

29
Q

The application of information classification is the responsibility of the:

A.information security officer.
B.information owner.
C.information systems auditor.
D.information custodian.

A

B is the correct answer.

Justification
The information security officer has functional responsibility for security and does not determine the classification of information.
The information owner determines classification based on the criticality and sensitivity of information.
The information systems auditor examines security and does not determine the classification of information.
The information custodian preserves the confidentiality, availability and integrity of information and does not determine the classification of information.

30
Q

Which of the following would BEST measure the effectiveness of operational controls?

A.Control matrix
B.Key performance indicator
C.Statement of applicability
D.Key control indicator

A

D is the correct answer.

Justification
The control matrix is a tool used to analyze a systems flowchart (and related narrative) to determine the control plans appropriate to a process and to relate those plans to the control goals of the process.
Key performance indicators do not measure the effectiveness of operational risk controls.
Statement of applicability is specific to the ISO 27001 standard, and although it has a list of controls, it will not help in measuring the effectiveness of particular operational risk controls.
Key control indicators, also referred to as control effectiveness indicators, are metrics that provide information on the degree to which a control is working.

31
Q

Acceptable risk for an enterprise is achieved when:

A.transferred risk is minimized.
B.control risk is minimized.
C.inherent risk is minimized.
D.residual risk is within tolerance levels.

A

D is the correct answer.

Justification
Risk transfer is the process of assigning risk to another enterprise, usually through the purchase of an insurance policy or through outsourcing the service. In both a physical and legal sense, risk transfer does not relieve an enterprise of a risk, but it can leverage the skills of another party to help manage the risk and thus reduce the financial consequence of adverse events.
Control risk is the risk that a material error would not be prevented or detected on a timely basis by the system of internal controls.
Inherent risk reflects a level of risk or exposure apart from actions that management has taken or might take (e.g., implementing controls). Inherent risk cannot be minimized.
Residual risk is the risk that remains after all controls have been applied; therefore, acceptable risk is achieved when residual risk is aligned with the enterprise risk appetite.

32
Q

A risk treatment plan should PRIMARILY specify the:

A.responsibility for implementing the chosen risk treatment.
B.approach to integrate risk treatment into day-to-day operations.
C.risk acceptance decisions made by the risk owners.
D.best approach to implement all the identified risk treatment options.

A

A is the correct answer.

Justification
A risk treatment plan will provide the details needed to implement the risk treatment options and the selected controls, including the responsibility for implementing the chosen risk treatment.
Integrating risk treatment into day-to-day operations is not a part of the risk treatment plan, but a part of the risk strategy.
If the risk is already accepted by risk owners, a risk treatment plan is not required.
It may not be necessary or feasible to implement all identified risk treatment options.

33
Q

Which of the following MOST effectively supports adherence to an enterprise’s code of ethics?

A.Ensuring periodic training, evaluation and attestation of employees
B.Performing background checks at hire to eliminate future unethical behavior
C.Providing clear enterprise policies and standards that advocate ethical behavior
D.Providing continuous awareness of ethical requirements throughout the year

A

A is the correct answer.

Justification
Attestation to comply with the enterprise’s code of conduct during ethics training ensures that employees have a clear idea of what is expected of them in terms of aligning with the enterprise’s ethics code. Training will also provide evaluation to measure employees’ understanding of these concepts.
Background checks are an indicator of past activities and do not check or confirm current ethical behavior.
Enterprise policies and standards can help, but without attestation, these do not fully ensure that employees understand the enterprise’s code of ethics.
Continuous ethical awareness training may not be feasible or cost effective.

34
Q

Which of the following roles provides formal authorization of user access?

A.Database administrator
B.Data owner
C.Process owner
D.Data custodian

A

B is the correct answer.

Justification
The database administrator is responsible for overall database maintenance, support and performance and may grant access to data within the database once the data owner has approved the access request.
The data owner provides formal authorization to grant user access.
The process owner is responsible for a specific business process.
The data custodian is responsible for the safe custody, transport and storage of data, and for implementation of business rules, such as granting access to data, once the data owner has approved the access request.

35
Q

Security technologies should be selected PRIMARILY on the basis of their:

A.evaluation in security publications.
B.compliance with industry standards.
C.ability to mitigate risk to organizational objectives.
D.cost compared to the enterprise’s IT budget.

A

C is the correct answer.

Justification
Evaluation in security publications is a valuable reference point when selecting a security technology; yet it is secondary to the technology’s ability to mitigate risk to the enterprise.
Compliance with industry standards may be an important aspect of selecting a security technology but it is secondary to the technology’s ability to mitigate risk to the enterprise.
The most fundamental criterion for selecting security technology is the capacity to reduce risk for organizational objectives.
While the cost of technology in the context of budget is an important consideration for the selection of a suitable technology, it is secondary to the technology’s ability to mitigate risk to the enterprise.

36
Q

Which of the following types of risk is high for projects that affect multiple business areas?

A.Control risk
B.Inherent risk
C.Compliance risk
D.Residual risk

A

B is the correct answer.

Justification
Control risk may be high, but it would follow from failure to identify, evaluate or test internal controls, not from the number of users or business areas affected.
Inherent risk normally grows as the number of users and business areas that may be affected increases. Inherent risk reflects risk or exposure without accounting for mitigating action by management. It is often higher whenever multiple parties may have conflicting responsibilities for a business process.
Compliance risk reflects the penalty applied to current and future earnings for nonconformance to laws and regulations; number of users and affected business areas will not necessarily increase compliance risk.
Residual risk is risk that persists after management implements a risk response. It is not based on the number of users or business areas affected.

37
Q

The marketing department procures a third-party application for global enterprise use. During assessment of the application, it is discovered that the application poses some risk to data privacy regulations (i.e., violates or does not address data transfer and data privacy requirements as regulated) within certain regions where the enterprise operates. Who will be accountable for the risk this application may pose to the business if it is implemented globally?

A.The IT department
B.The data privacy officer
C.The chief risk officer
D.The marketing department

A

D is the correct answer.

Justification
The IT department will be responsible for ensuring that any identified risk is mitigated to an acceptable level before the application is implemented within the infrastructure.
The data privacy officer will support, in an advisory role, the controls that will be implemented to address and mitigate the data transfer and data privacy requirements.
The chief risk officer will support, in an advisory role, the controls that will be implemented to address and mitigate the data transfer and data privacy requirements.
The marketing department is the business owner of the application and, therefore, must be accountable. According to ISACA’s COBIT framework, accountability rests with those who own the required resources and have the authority to approve the execution and accept the outcome of an activity within the specific risk IT processes.

38
Q

The board of directors of a one-year-old start-up company asked the chief information officer to create all the enterprise’s IT policies and procedures, to be managed and approved by the IT steering committee. The IT steering committee makes all the IT decisions for the enterprise, including those related to the technology budget. Which type of IT organizational structure does the enterprise have?

A.Project-based
B.Centralized
C.Decentralized
D.Divisional

A

B is the correct answer.

Justification
In a project-based enterprise, a temporary group is formed to work on one particular project. Neither a group initiated by the chief information officer, nor a steering committee in general, is considered temporary.
Within a centralized IT organizational structure, one group makes all decisions for the entire enterprise.
In a decentralized organizational structure, decisions are made by each division (sales, human resources, etc.). In this kind of organization, different and perhaps conflicting IT policies can be developed.
In a divisional organizational structure, each geographic area, or each product or service, will have its own group.

39
Q

Which of the following is the BEST approach when conducting an IT risk awareness campaign?

A.Provide technical detail on exploits.
B.Provide common messages tailored for different groups.
C.Target system administrators and help desk staff.
D.Target senior managers and business process owners.

A

B is the correct answer.

Justification
Providing technical detail on exploits is not advisable during an IT risk awareness campaign because individuals could learn how to circumvent controls.
Groups differ in level of responsibility and expertise; tailor common messages to each group’s role and level of understanding.
Specific groups should not be singled out for training at the exclusion of others because all groups have a role to play in strengthening information systems security.
Specific groups should not be singled out for training at the exclusion of others because all groups have a role to play in strengthening information systems security.

40
Q

Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts?

A.The number of employees
B.The enterprise’s budget
C.The organizational structure
D.The type of technology that the enterprise uses

A

C is the correct answer.

Justification
The number of employees in an enterprise does not primarily affect the choice of an information security governance model; well-defined processes provide the proper governance.
The enterprise budget does not dictate the choice of information security governance model.
Information security governance models depend significantly on the overall organizational structure.
Technology in an enterprise does not primarily affect the choice of an information security governance model; well-defined processes provide the proper governance.

41
Q

Which of the following is the MAIN outcome of a business impact analysis (BIA)?

A.Project prioritization
B.Criticality of business processes
C.The root cause of IT risk
D.Asset alignment with business processes

A

B is the correct answer.

Justification
Project prioritization is a core focus of program management and seeks to optimize resource utilization. It is not the main outcome of a business impact analysis.
A business impact analysis measures the total impact of tangible and intangible assets on business processes. Therefore, the sum of the value and opportunity lost plus the investment and time required to recover indicates the criticality of business processes.
A root cause analysis investigates and diagnoses the origins of events. It typically assesses consequences of errors and problems and is not an outcome of a BIA.
Third-party vendor risk should be documented during the BIA process, but it is not a main outcome.

42
Q

Risk monitoring provides timely information on the actual status of the enterprise with regard to risk. Which of the following choices provides an overall risk status of the enterprise?

A.Risk management
B.Risk analysis
C.Risk appetite
D.Risk profile

A

D is the correct answer.

Justification
Risk management encompasses the coordinated activities to direct and control an enterprise with regard to risk.
Risk analysis is the analysis of risk at a point in time and is not updated via multiple sources with the current actual risk status of the entire enterprise. The initial steps of risk management are analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. Risk management often involves an evaluation of the probable frequency of a particular event and the probable impact of that event.
Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission; it does not reflect the current status of overall risk.
The risk profile provides the current overall portfolio of the identified risk to which the enterprise is exposed. Because the profile is updated with evolving and new risk, it provides the enterprise’s current risk status.

43
Q

Information security procedures should:

A.be updated frequently as new software is released.
B.underline the importance of security governance.
C.define the allowable limits of behavior.
D.describe security baselines for each platform.

A

A is the correct answer.

Justification
Security procedures have to change frequently to keep up with changes in software. Because a procedure is a how-to document, it must be kept current with frequent changes in software.
High-level objectives of an enterprise, such as security governance, are normally addressed in a security policy.
Security policies define behavioral limits and are generally not updated as frequently as procedures.
Security standards define platform baselines; however, they do not provide the detail on how to apply the security baseline and are generally not updated as frequently as procedures.

44
Q

Which of the following threats would MOST concern the risk practitioner? An enterprise allows:

A.Internet-facing applications for business functions.
B.third-party access through remote network connectivity.
C.employee-owned devices for business functions.
D.artificial intelligence systems for business functions.

A

C is the correct answer.

Justification
Enterprises doing business over the Internet should use secure Internet-facing applications to interact and share information with clients and suppliers. Effective ongoing monitoring treats this risk.
Third-party access through remote network connectivity uses a secure means of communication and can guarantee end-to-end protection of information exchanged between an enterprise and its suppliers and third parties.
The increased risk of malware propagation, information loss, loss of device, and unauthorized access associated with employees accessing business information on employee-owned devices would be of most concern to the risk practitioner.
The use of artificial intelligence systems does not pose a higher risk than any other risk to the enterprise.

45
Q

The likelihood of an attack being launched against an enterprise is MOST dependent on:

A.the skill and motivation of the potential attacker.
B.the frequency that monitoring systems are reviewed.
C.the ability to respond quickly to any incident.
D.the effectiveness of the controls.

A

A is the correct answer.

Justification
Factors that affect likelihood include the skill and motivation of the attacker; knowledge of vulnerabilities; use of popular hardware or software; value of the asset (which varies directly with motivation); and environmental factors such as politics, activists, and disgruntled employees or dissatisfied customers.
Monitoring systems may detect an attack but will not usually affect the likelihood of an attack. An exception occurs when the attacker becomes aware of being monitored, realizes the likelihood of being caught is high, and accordingly becomes less likely to launch an attack.
The ability to respond is important but is only relevant once an attack has been conducted. It will not affect likelihood.
Controls may deter, prevent, detect or aid recovery from an attack, but they will not necessarily affect the likelihood of someone trying to attack.

46
Q

The MOST significant benefit of using the three lines of defense model in a risk management framework of an enterprise is that it:

A.ensures ongoing success of the risk management initiative.
B.enhances communication between various stakeholders.
C.clarifies essential roles of the key stakeholders.
D.helps risk owners in selecting appropriate control owners.

A

C is the correct answer.

Justification
The three lines of defense model supports allocation of roles and does not ensure success of the risk management initiative.
The three lines of defense model may help stakeholders clearly understand their roles and communication protocols across all lines of defense, but this is not the most significant benefit.
The three lines of defense model is designed to assign roles related to risk, controls and security while better defining and understanding the relationships between them.
Clarity of roles may help in selecting appropriate control ownership, but it is not the most significant benefit of the model.

47
Q

An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting and support. What is the MOST important question the risk professional will ask in relation to the outsourcing arrangements?

A.Are policies and procedures in place to handle security exceptions?
B.Is the outsourcing supplier meeting the terms of the service level agreements?
C.Is the security program of the outsourcing provider based on an international standard?
D.Are specific security controls mandated in the outsourcing contract/agreement?

A

D is the correct answer.

Justification
There should be policies and procedures to handle incidents or exceptional circumstances; however, this is not the most important consideration.
Whether the provider meets the service level agreements (SLAs) is of concern to the outsourcing enterprise and the auditors; however, this is not the most important consideration.
The contract should stipulate the required levels of security and risk management. Basing the security program on a recognized international standard may be an excellent foundation for the security program but is not the most important consideration.
Without enumerating security requirements directly in the outsourcing contract, the outsourcing company has no assurance that the provider will comply with specific security requirements.

48
Q

Which of the following is MOST useful in managing increasingly complex deployments?

A.Policy development
B.A security architecture
C.Senior management support
D.A standards-based approach

A

B is the correct answer.

Justification
Although policies guide direction, they do not effectively enable complex deployments.
Deploying complex security initiatives and integrating a range of diverse projects and activities are more easily managed with the overview and relationships provided by a security architecture.
Senior management support is important yet is insufficient to ensure deployment.
Although standards may provide metrics for deployment, they do not effectively enable complex deployments.

49
Q

As part of an enterprise risk management (ERM) program, a risk practitioner BEST leverages the work performed by an internal audit function by having it:

A.design, implement and maintain the ERM process.
B.manage and assess the overall risk awareness.
C.evaluate ongoing changes to enterprise risk factors.
D.assist in monitoring, evaluating, examining and reporting on controls.

A

D is the correct answer.

Justification
The design, implementation and maintenance of the enterprise risk management (ERM) function is the responsibility of management, not of the internal audit function.
Overall risk awareness is the responsibility of the risk governance function.
Evaluating ongoing changes to the enterprise is not the responsibility of the internal audit function.
The internal audit function is responsible for assisting management and the board of directors in monitoring, evaluating, examining and reporting on internal controls, regardless of whether an ERM function has been implemented.

50
Q

Assessing information systems risk is BEST achieved by:

A.using the enterprise’s past actual loss experience to determine current exposure.
B.reviewing published loss statistics from comparable enterprises.
C.evaluating threats associated with existing information systems assets.
D.reviewing information systems control weaknesses identified in audit reports.

A

C is the correct answer.

Justification
Past actual loss experience is potentially useful input to the risk assessment process, but it does not address realistic risk scenarios that have not occurred in the past.
Published loss statistics from comparable enterprises are a potentially useful input to the risk assessment process but do not address enterprise-specific risk scenarios or those that have not occurred in the past.
To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
Control weaknesses and other vulnerabilities are an important input to the risk assessment process, but by themselves are not useful.

51
Q

An enterprise risk assessment reveals that many corporate IT standards have not been updated. The BEST course of action is to:

A.review the standards against current requirements and determine their adequacy.
B.determine that the standards should be updated annually.
C.report that IT standards are adequate and do not need to be updated.
D.review the IT policy document and see how frequently IT standards should be updated.

A

A is the correct answer.

Justification
The risk practitioner should verify that the standards are still adequate. Standards that are lacking should be updated.
Standards may or may not need to be updated but should be reviewed annually for adequacy.
The risk practitioner cannot report that the IT standards are accurate until they are reviewed.
Reviewing the IT policy will not help determine whether the standards are still adequate or relevant.

52
Q

Which of the following options BEST ensures that an identified risk is mitigated?

A.Control metrics
B.Control testing
C.Control objective
D.Control ownership

A

B is the correct answer.

Justification
Control metrics will only report on the control’s effectiveness on an ongoing basis. Control metrics do not necessarily trigger immediate remedial actions, although they will be used to determine such actions.
Control testing determines the effectiveness of the controls in achieving their stated objectives, ensuring that the risk is mitigated.
A control objective is only a statement of the desired result or purpose to be achieved by implementing a given control and does not ensure a risk is mitigated.
Control ownership establishes lines of accountability but does not identify whether a risk has been mitigated.

53
Q

Which of the following BEST addresses the risk of data leakage?

A.Capacity planning procedures
B.File backup procedures
C.Acceptable use policies
D.Database integrity checks

A

C is the correct answer.

Justification
Capacity planning procedures do not address the confidentiality of information.
While file backup procedures should take into consideration the confidentiality requirements, they are not the best control to address the risk of data leakage.
Acceptable use policies are an important control for preventing unauthorized disclosure of confidential information.
Database integrity checks do not address the confidentiality of information.

54
Q

The GREATEST benefit of implementing a risk treatment plan is:

A.to reduce the impact and likelihood of risk occurrence.
B.to identify the unmitigated risk that can be transferred.
C.to exploit the risk to test organizational preparedness.
D.to enhance the overall risk appetite of the enterprise.

A

A is the correct answer.

Justification
Implementing the risk treatment plan reduces the negative impact and likelihood of a risk occurrence.
Transferring is not the only response option for unmitigated risk.
Exploiting the risk is not the aim of the risk treatment plan and can create more risk.
Risk appetite is established to identify the level of acceptable risk in an enterprise. Implementing a risk treatment plan will not influence the risk appetite.

55
Q

A risk practitioner is conducting a risk assessment of the local office’s network infrastructure. Who owns the risk treatment decisions?

A.Control owner
B.Chief information officer
C.IT security manager
D.Senior management

A

D is the correct answer.

Justification
The control owner would not be responsible for making risk treatment decisions.
The chief information officer is part of senior management but should not be the only member making risk treatment decisions.
The IT security manager is responsible for proper implementation of security requirements in IT systems and would not be responsible for making risk treatment decisions.
Senior management ultimately owns the risk and would make risk treatment decisions.

56
Q

Which of the following can provide the BEST perspective of risk management to an enterprise’s employees and stakeholders?

A.An interdisciplinary team within the enterprise
B.A third-party risk assessment service provider
C.The enterprise’s IT department
D.The enterprise’s internal compliance department

A

A is the correct answer.

Justification
Assembling an interdisciplinary team to manage risk ensures that all areas are adequately considered in risk assessment and helps provide an enterprise-wide perspective on risk.
Engaging a third party to perform a risk assessment may provide additional expertise, but without internal knowledge, third parties lack judgment to determine the adequacy of risk assessment.
A risk assessment performed by the enterprise’s IT department is unlikely to reflect the view of the entire enterprise.
The internal compliance department ensures the implementation of risk responses based on the requirements of management. It generally does not take an active part in implementing risk responses for items that do not have regulatory implications.

57
Q

Which of the following BEST helps ensure that the cost is justifiable when selecting an IT control?

A.The investment cost is within budget.
B.The risk likelihood and impact are reflected.
C.The net present value of the IT control cost is high.
D.Low cost open source technology is used.

A

B is the correct answer.

Justification
The fact that the cost of a control is within budget does not necessarily justify the cost of a control. The cost of a control should be less than the projected benefit of the control.
While other factors may be relevant, the total cost of ownership of a control should not exceed the projected likelihood times the impact of the risk it is intended to mitigate.
The net present value is calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment. It does not justify the cost of the control because it does not relate the cost to the expected benefit.
While open source technology is generally a low-cost option, the low cost itself does not justify the cost of the control.

58
Q

The risk treatment plan PRIMARILY provides treatment for:

A.high-risk areas reported to senior management.
B.identified risk that exceeds risk tolerance.
C.every risk identified on the risk register.
D.risk that has already materialized.

A

B is the correct answer.

Justification
The risk treatment plan addresses all risk that exceeds risk tolerance, not just high-risk items.
Risk treatment plans would cover all the risk identified in the risk register that exceeds the enterprise risk tolerance level and, therefore, needs to be further treated.
Not every identified risk requires a risk treatment plan.
Risk treatment plans treat all risk, not just materialized risk.

59
Q

Which of the following triggers performance of an internal ad hoc risk assessment before the annual occurrence?

A.A new chief information officer is hired.
B.Senior management adjusts risk appetite.
C.Risk changes on a frequent basis.
D.A new system is introduced into the environment.

A

D is the correct answer.

Justification
A new chief information officer may undertake a new enterprise risk assessment, but it would not necessarily be required because the CIO could review the last risk assessment if there were no changes to the environment.
Senior management adjusting risk appetite will significantly affect risk responses but does not require a risk assessment.
Risk changing on a frequent basis will be captured during the annual risk assessment.
Introduction of new systems adds to overall risk of business objectives. The level of new or added risk should be determined via an ad hoc risk assessment.

60
Q

Which of the following outcomes of outsourcing noncore processes is of GREATEST concern to the management of an enterprise?

A.Total cost of ownership exceeds projections.
B.Internal information systems experience is lost.
C.Employees of the vendor are disloyal to the client enterprise.
D.Processing of sensitive data is subcontracted by the vendor.

A

D is the correct answer.

Justification
Total cost of ownership (TCO) exceeding projections is significant but not uncommon. Because TCO is based on modeling, some variation can be expected.
Loss of internal information systems experience can be problematic when core processes or subprocesses are outsourced. However, for noncore processes, the loss of such experience would not be a concern.
Lack of vendor loyalty to the client enterprise is generally managed via service level agreements.
The greatest risk in third-party relationships is the fact that the enterprise is ceding direct control of its IS processes. Subcontracting will increase this risk; therefore, the subcontracting process must be reviewed because sensitive data are involved.

61
Q

Which of the following is the FIRST step when developing a risk monitoring program?

A.Developing key indicators to monitor outcomes
B.Gathering baseline data on indicators
C.Analyzing and reporting findings
D.Conducting a capability assessment

A

D is the correct answer.

Justification
Developing key indicators to monitor outcomes is necessary but not the first step. There is no use for indicators if there is no information on what the indicators are going to report.
Gathering baseline data on indicators is necessary but not the first step. There is no use for gathering baseline data if the indicators are not defined.
Analyzing and reporting findings is necessary but not the first step. There is no use for analyzing and reporting findings if the baseline is not there.
Conducting a capability assessment determines the capacity and readiness of the entity to develop a risk management program. This assessment identifies champions, barriers, owners and contributors to the program, including the overall goal of the program, and helps determine the enterprise’s maturity in its risk management processes. When the enterprise is more mature, more sophisticated responses can be implemented; when the enterprise is rather immature, some basic responses may be a better starting point.

62
Q

An enterprise learns of a security breach at another entity using similar network technology. The MOST important action for a risk practitioner is to:

A.assess the likelihood of the incident occurring at the risk practitioner’s enterprise.
B.discontinue the use of the vulnerable technology.
C.report to senior management that the enterprise is not affected.
D.remind staff that no similar security breaches have taken place.

A

A is the correct answer.

Justification
The likelihood of a similar incident occurring at the risk practitioner’s enterprise should be assessed first, based on available information.
Discontinuing vulnerable technology is not necessarily required; furthermore, the technology is likely to be needed to support the enterprise.
Reporting to senior management that the enterprise is not affected is premature until the risk practitioner assesses the likelihood of a similar incident.
Pending further research, the risk practitioner cannot be certain that no similar security breaches have taken place.

63
Q

Which of the following approaches to corporate policy BEST supports an enterprise’s expansion to other regions, where different local laws apply?

A.A global policy without provisions that might be disputed at local levels
B.A global policy amended to comply with local laws
C.A global policy that complies with laws at enterprise headquarters
D.Local policies to accommodate laws within each region

A

B is the correct answer.

Justification
Having one global policy that attempts to address local requirements for all locales is nearly impossible and generally cost prohibitive.
A global policy including local amendments ensures alignment with local laws and regulations.
Policies tailored exclusively to laws governing the enterprise headquarters, without providing for local laws and regulations, will expose the enterprise to risk of legal action and political and reputational loss.
Decentralized local policies for each region require the enterprise to maintain and test documentation and processes separately for each region. This approach can become extremely expensive and may fail to leverage common practices entailed in a global policy that is amended locally.

64
Q

What is a PRIMARY advantage of performing a risk assessment on a consistent basis?

A.It lowers the costs of assessing risk.
B.It provides evidence of threats.
C.It indicates trends in the risk profile.
D.It eliminates the need for periodic audits.

A

C is the correct answer.

Justification
There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not a primary benefit.
A risk assessment provides evidence of risk; however, it is not intended to provide evidence of threats.
Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place.
The performance of risk assessment on a consistent basis does not preclude the requirement to perform periodic independent audits.

65
Q

A PRIMARY reason for initiating a policy-exception process is:

A.the risk is justified by the benefit.
B.policy compliance is difficult to enforce.
C.operations are too busy to comply.
D.users may initially be inconvenienced.

A

A is the correct answer.

Justification
Exceptions to policies are warranted if the benefits outweigh the costs of policy compliance; however, the enterprise needs to assess both the tangible and intangible risk and evaluate both in the context of existing risk.
Difficulty in enforcement does not justify policy exceptions.
Lack of resources to achieve compliance does not justify policy exceptions.
User inconvenience does not warrant an automatic exception to a policy.

66
Q

Risk scenarios should be created PRIMARILY based on which of the following?

A.Input from senior management
B.Previous security incidents
C.Threats that the enterprise faces
D.Results of the risk analysis

A

C is the correct answer.

Justification
Input from senior management is not as critical as enterprise threats in developing risk scenarios.
Previous incidents are not as critical as enterprise threats in developing risk scenarios.
When creating risk scenarios, the most important factor to consider is the likelihood of threats or threat actions occurring due to the risk.
Risk scenarios should be an input to the risk analysis, not vice versa.

67
Q

Which of the following is of MOST concern to the risk practitioner regarding applications running in production?

A.Unpatched vulnerabilities
B.Backdoors
C.Unskilled resources
D.Informal system development life cycle

A

B is the correct answer.

Justification
Unpatched vulnerabilities do not apply to applications.
Attackers can use backdoors to bypass authorized access control in applications; therefore, backdoors would be of most concern to the risk practitioner.
Unskilled resources would be a concern; however, they do not present an immediate concern relative to the risk posed by backdoors.
An informal system development life cycle would be a concern; however, it would not present an immediate concern relative to the risk posed by backdoors.

68
Q

Which of the following is the BIGGEST concern for a chief information security officer regarding interconnections with systems outside the enterprise?

A.Requirements to comply with each other’s contractual security obligations
B.Uncertainty that the other system will be available as needed
C.The ability to perform risk assessments on the other system
D.Ensuring that communications between the two systems are encrypted through a virtual private network tunnel

A

A is the correct answer.

Justification
Ensuring that both systems comply with mutual contractual security obligations should be the primary concern of the risk practitioner. If one system fails to comply, both will likely miss their respective security obligations.
Uncertainty about the other system’s availability is probably the primary concern of the business owner and users, not of the chief information security officer.
The ability to perform risk assessment on the other system may or may not be a concern based on the interconnection agreement between the two systems.
Communications between the two systems may not necessarily require a virtual private network tunnel, or encryption. That requirement will be based on the type of data being transmitted.

69
Q

The MOST important of the following external factors that should be considered in risk assessment is:

A.the discovery of new vulnerabilities.
B.the number of viruses and other malware being developed.
C.international crime statistics and political unrest.
D.the connectivity of many unsecured devices on the Internet.

A

D is the correct answer.

Justification
Discovery of new vulnerabilities is relevant only if they affect the assets in use by an enterprise.
The number of new malware types being developed is something worth watching, but it is not a factor that the risk professional can use directly to calculate risk for a risk assessment report.
International crime statistics and political unrest may raise concerns, but compared to unsecured devices they are not an immediate threat.
The proliferation of unsecured devices (i.e., the Internet of Things) creates a serious external threat that must be considered.

70
Q

Which characteristic of a key performance indicator demonstrates that it is realistic and based on important goals and values?

A.Specific
B.Relevant
C.Measurable
D.Attainable

A

D is the correct answer.

Justification
A specific key performance indicator (KPI) is based on a clearly understood goal and is clear and concise, but it may not be realistic or based on important goals and values.
A relevant KPI is directly related to a specific activity or goal, but it may not be realistic or based on important goals and values.
A measurable KPI is quantifiable (objective), but it may not be realistic or based on important goals and values.
An attainable KPI is one that is realistic and based on important goals and values.

71
Q

Which of the following is the MOST important risk an enterprise must consider when developing a disaster recovery plan?

A.Budgets have not yet been finalized.
B.A business impact analysis has not been conducted.
C.No risk strategy has been established.
D.All employees have not attended disaster recovery training.

A

B is the correct answer.

Justification
A budget is important when developing a disaster recovery plan, but if set without knowledge of what to cover and when, the budget will not be useful.
Without a business impact analysis (BIA), the enterprise does not know what it needs to recover and when it needs to recover it.
A risk strategy is just one part of the BIA.
All employees do not necessarily need to attend training. Employees with a role in key business processes should be trained to know their responsibilities following a disaster.

72
Q

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft was widespread. To MOST effectively deal with the risk, the business should:

A.implement monitoring techniques to detect and react to potential fraud.
B.make the customer liable for losses if the customer fails to follow the bank’s advice.
C.increase its customer awareness efforts in those regions.
D.outsource credit card processing to a third party.

A

A is the correct answer.

Justification
Implementing monitoring techniques that will detect and deal with potential fraud cases is the most effective way to deal with this risk.
While making the customer liable for losses is a possible approach, the bank needs to be seen as proactive in managing its risk.
While customer awareness will help mitigate the risk, it is not sufficient on its own to control fraud risk.
If the bank outsources its processing, the bank still retains liability.

73
Q

Who is responsible for explaining the ramifications of a new zero-day exploit to the enterprise to senior management?

A.Chief operating officer
B.Chief risk officer
C.Chief information security officer
D.Chief information officer

A

B is the correct answer.

Justification
The chief operating officer is the most senior official accountable for the operation of the enterprise and would not be responsible for explaining risk to senior management.
The chief risk officer is the most senior official accountable for all aspects of risk management across the enterprise, including explaining risk to senior management.
The chief information security officer leads the establishment of the information security program and respective security teams; however, this role is not responsible for the acceptance of enterprise risk or explaining risk to senior management.
The chief information officer is the most senior official responsible for aligning IT and business strategies and is accountable for planning, resourcing and managing delivery of IT-related services and solutions. This role would not be responsible for explaining risk to senior management.

74
Q

The MAIN reason an enterprise maintains a risk register is that it:

A.acts as a repository of identified risk for decision-making.
B.helps in benchmarking against the risk impacting industry peers.
C.improves the risk culture by communicating risk to all employees.
D.establishes the risk indicators that an enterprise can focus upon.

A

A is the correct answer.

Justification
The risk register has the identified risk and is a repository that helps in decision-making.
The risk registers from industry peers are never published, so benchmarking is not possible.
Risk culture can be improved through awareness, but the risk register itself is not a means of communicating risk awareness.
The risk register may include information that the risk owner could use to establish risk indicators, but that is not its main purpose.

75
Q

The PRIMARY focus of managing IT-related business risk is to protect:

A.information.
B.hardware.
C.applications.
D.databases.

A

A is the correct answer.

Justification
The primary objective for any enterprise is to protect mission-critical information based on a risk assessment.
While many enterprises spend large amounts protecting IT hardware, doing so without first assessing risk to mission-critical data is not advisable. Hardware may become a focus if it stores, processes or transfers mission-critical data.
Applications become a focus only if they process mission-critical data.
Databases become a focus only if they store mission-critical data.