D3-Information Risk Management Flashcards

Question 1

Q

Is the fundamental Undertaking for any organization that desires to be reasonably aware of risks that, If not identified or monitored, could result in unexpected losses and even threaten the survival of the organization

1.Risk Management
2. Risk awareness
3. Risk Mitigation

Answer

A

1.Risk Management

Question 2

Q

The purpose of ____ is the identification of credible threats and the means
to decide what to do about those threats

1.Risk Management
2. Risk avoidance
3. Risk Mitigation

Answer

A

1.Risk Management

Question 3

Q

The effectiveness of a risk management program is largely dependent on two factors:

Support from the security committee, and an orgs culture with respect to security awareness and accountability.
Support from executive management, and an orgs culture with respect to security awareness and accountability.

Answer

A

Support from executive management, and an orgs culture with respect to security awareness and accountability.

Question 4

Q

REFERS to activities whose objective is to make business leaders, stakeholders, and other personnel aware of the organization’s information risk management program.

1.Risk Management
2. Risk awareness
3. Risk Mitigation

Answer

A

Risk awareness

Question 5

Q

The goal of ___ ____ awareness is to ensure that business leaders and decision-makers are aware of the idea that
all business decisions have a risk component and that many
decisions have implications on information risk.

1.Risk Management
2. Risk awareness
3. Risk Mitigation

Answer

A

Risk awareness

Question 6

Q

Primarily, ___ ____ applies to an entire organization, whereas risk awareness encompasses senior personnel who are involved in the risk
management process.

1.Risk Management
2. Risk awareness
3. Risk Mitigation
4. Security Awareness

Answer

A

Security Awareness

Question 7

Q

Information security mgmt systems Requirements.
Requirements 4 through 10 in this standard describe the structure of an entire information security
management system (ISMS) including risk management.

1.ISO/IEC 27001
2.ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37

Answer

A

1.ISO/IEC 27001

Question 8

Q

ISO- Information security risk management.
1.ISO/IEC 27001
2.ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37

Answer

A

2.ISO/IEC 27005

Question 9

Q

ISO Risk assessment techniques.

1.ISO/IEC 27001
2.ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37

Answer

A

ISO/IEC 31010

Question 10

Q

Guide for Applying the Risk Management Framework to Federal Information Systems:
A Security Life Cycle Approach.”

1.ISO/IEC 27001
2.ISO/IEC 27005
3. ISO/IEC 31010
4. NIST 800-37

Answer

A

NIST 800-37

Question 11

Q

A _ _ is defined as an Examination of a process or system to determine differences between its existing state and a desired
future state. This helps the security manager better understand the current state and how it is different from the desired future state.

Security audit
Gap analysis

Answer

A

Gap analysis

Question 12

Q

In further detail, the _ _ will reveal what characteristics of the current state can remain, what should be discarded, what should be replaced, and what should be added.

Security audit
Gap analysis

Answer

A

Security audit
Gap analysis

Question 13

Q

_ _ is the activity where decisions about risks are made after weighing various risk treatment options. _ _ decisions are typically made by a business owner associated with the
affected business activity.

1.Risk Management
2. Risk awareness
3. Risk Mitigation
4. Security Awareness
4. Risk Treatment

Answer

A

Risk Treatment

Question 14

Q

The risk management process consists of a set of structured
activities that enable an organization to systematically manage risks. This activity The organization defines the scope of the risk management process itself.

1.Scope definition
2.Asset identification and valuation
3.Risk appetite
4.Risk identification
5.Risk analysis
6. Risk treatment
7. Risk communication

Answer

A

1.Scope definition

Question 15

Q

The risk management process consists of a set of structured
activities that enable an organization to systematically manage risks. This activity
The organization uses various means to discover and track its information and
information system assets. A classification scheme may be
used to identify risk and criticality levels.

1.Scope definition
2.Asset identification and valuation
3.Risk appetite
4.Risk identification
5.Risk analysis
6. Risk treatment
7. Risk communication

Answer

A

2.Asset identification and valuation

Question 16

Q

The risk management process consists of a set of structured
activities that enable an organization to systematically manage risks. This activity

Developed outside of the risk management life-cycle process, _ _ is an expression of the level of risk that an organization is willing to accept. A _ _ that is related to information risk is typically expressed in qualitative means; however, organizations in financial services industries often express risk in
quantitative terms.

1.Scope definition
2.Asset identification and valuation
3.Risk appetite
4.Risk identification
5.Risk analysis
6. Risk treatment
7. Risk communication

Answer

A

3.Risk appetite

Question 17

Q

The risk management process consists of a set of structured
activities that enable an organization to systematically manage risks. This activity is the first step in the iterative risk management process. Here, the organization
identifies a risk that comes from one of several sources. 1.Scope definition
2.Asset identification and valuation
3.Risk appetite
4.Risk identification
5.Risk analysis
6. Risk treatment
7. Risk communication

Answer

A

4.Risk identification

Question 18

Q

The risk management process consists of a set of structured
activities that enable an organization to systematically manage risks. This activity is the second step in a typical risk management process. After the risk has been identified, it is then analyzed to determine several characteristics, including the following, Probability of event occurrence ,Impact of event occurrence, Mitigation and Recommendation.
1.Scope definition
2.Asset identification and valuation
3.Risk appetite
4.Risk identification
5.Risk analysis
6. Risk treatment
7. Risk communication

Answer

A

5.Risk analysis

Question 19

Q

The risk management process consists of a set of structured
activities that enable an organization to systematically manage risks. This activity is the last step in a typical risk
management process. Here, an individual decision-maker or
committee makes a decision about a specific risk.
Accept. mitigate, transfer..etc

1.Scope definition
2.Asset identification and valuation
3.Risk appetite
4.Risk identification
5.Risk analysis
6. Risk treatment
7. Risk communication

Answer

A

Risk treatment

Question 20

Q

The risk management process consists of a set of structured
activities that enable an organization to systematically manage risks. This activity takes many forms, including
formal communications within risk management processes
and procedures, as well as information communications
among risk managers and decision-makers.

1.Scope definition
2.Asset identification and valuation
3.Risk appetite
4.Risk identification
5.Risk analysis
6. Risk treatment
7. Risk communication

Answer

A

Risk communication

Question 21

Q

Several established methodologies are available for organizations that want to manage risk using a formal standard. This standard NIST
Special Publication _____ “Guide for Conducting Risk
Assessments,” is a detailed, high-quality standard that describes the steps used for conducting risk assessments

NIST SP 800-39
NIST SP 800-30

Answer

A

NIST SP 800-30

Question 22

Q

Several established methodologies are available for organizations that want to manage risk using a formal standard. This standard NIST
Special Publication _____ consists of multilevel risk management, at the
information systems level, at the mission/business process level, and at the overall organization level. Communications up and down these levels ensures that risks are communicated upward for overall awareness, while risk awareness and risk decisions are communicated downward for overall awareness

NIST SP 800-39
NIST SP 800-30

Answer

A

NIST SP 800-39

Question 23

Q

The tiers of risk management are described in NIST SP 800-39 in
this way:
* Tier 1: Organization view This level focuses on the role
of governance, the activities performed by the risk executive,
and the development of risk management and investment
strategies.
* Tier 2: Mission/business process view This level is all
about enterprise architecture, enterprise security architecture,
and ensuring that business processes are risk aware.
* Tier 3: Information systems view This level
concentrates on more tactical things such as system
configuration and hardening specifications, vulnerability
management, and the detailed steps in the systems
development life cycle.

Question 24

Q

The tiers of risk management are described in NIST SP 800-39 (3 tiers )

Mission/business process view This level is all
about enterprise architecture, enterprise security architecture,
and ensuring that business processes are risk aware.

Tier 1
Tier 2
Tier 3

Question 25

Q

The tiers of risk management are described in NIST SP 800-39 (3 tiers )

Organization view This level focuses on the role of governance, the activities performed by the risk executive, and the development of risk management and investment
strategies.

Tier 1
Tier 2
Tier 3

Question 26

Q

The tiers of risk management are described in NIST SP 800-39 (3 tiers )

Information systems view This level concentrates on more tactical things such as system configuration and hardening specifications, vulnerability
management, and the detailed steps in the systems development life cycle.
1. Tier 1
2. Tier 2
3. Tier 3

Question 27

Q

Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.

The overall risk management process defined by NIST SP 800-39 consists of several steps

Risk framing This consists of the assumptions,
scope, tolerances, constraints, and priorities, in other words,
the business context that is considered prior to later steps
taking place.

Step 1
Step 2
Step 3
Step 4

Question 28

Q

Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.

The overall risk management process defined by NIST SP 800-39 consists of several steps

Risk assessment This is the actual risk assessment, where threats and vulnerabilities are identified and assessed to determine levels and types of risk.

Step 1
Step 2
Step 3
Step 4

Question 29

Q

Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.

The overall risk management process defined by NIST SP 800-39 consists of several steps

Step 3: Risk response This is the process of analyzing
each risk and developing strategies for reducing it, through appropriate risk treatment for each identified risk. Risk treatment options are accept, mitigate, avoid, and transfer.

Step 1
Step 2
Step 3
Step 4

Question 30

Q

Question 31

Q

Other concepts discussed in NIST SP 800-39 include trust, the trustworthiness of systems, and organizational culture.

The overall risk management process defined by NIST SP 800-39 consists of several steps

Risk monitoring This is the process of performing periodic and ongoing evaluation of identified risks to see
whether conditions and risks are changing.

Step 1
Step 2
Step 3
Step 4

Question 32

Q

NIST SP 800-30 NIST Special Publication 800-30 describes in
greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur. In this standard, for this step The organization performs
the actual risk assessment. This consists of several tasks.

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 2: Conduct assessment

Question 33

Q

NIST SP 800-30 NIST Special Publication 800-30 describes in
greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur. In this standard, for this step When the risk assessment
has been completed, the results are then communicated to
decision-makers and stakeholders in the organization. The
purpose of communicating risk assessment results is to
ensure that the organization’s decision-makers make decisions
that include considerations for known risks.

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 3: Communicate results

Question 34

Q

NIST SP 800-30 NIST Special Publication 800-30 describes in
greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of occurrence and impact if they occur. In this standard, for this step After a risk assessment has been completed, the organization will then maintain the assessment by monitoring risk factors identified in the risk
assessment. This enables the organization to maintain a view of relevant risks that incorporates changes in the business environment since the risk assessment was completed

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 4: Maintain assessment

Question 35

Q

NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured
and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of
occurrence and impact if they occur.

A. Identify threat sources and events The organization
identifies a list of threat sources and events that will be
considered in the assessment. The following sources of
threat information are found in the standard and can be
used. Organizations are advised to supplement these
sources with other information as needed.

Table below belongs to

Table F-1: Input—vulnerability and predisposing conditions
Table F-2: Vulnerability severity assessment scale
Table F-4: Predisposing conditions
Table F-5: Pervasiveness of predisposing conditions

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 2: Conduct assessment

Under B. Identify vulnerabilities and predisposing conditions

Question 36

Q

NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured
and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of
occurrence and impact if they occur.

A. Identify threat sources and events The organization
identifies a list of threat sources and events that will be
considered in the assessment. The following sources of
threat information are found in the standard and can be
used. Organizations are advised to supplement these
sources with other information as needed.

Table below belongs to
* Table D-1: Threat source inputs
* Table D-2: Threat sources
* Table D-3: Adversary capabilities
* Table D-4: Adversary intent
* Table D-5: Adversary targeting
* Table D-6: Nonadversary threat effects
* Table E-1: Threat events
* Table E-2: Adversarial threat events
* Table E-3: Nonadversarial threat events
* Table E-4: Relevance of threat events

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 2: Conduct assessment

Under A. Identify threat sources and events

Question 37

Q

NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured
and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of
occurrence and impact if they occur.

A. Identify threat sources and events The organization
identifies a list of threat sources and events that will be
considered in the assessment. The following sources of
threat information are found in the standard and can be
used. Organizations are advised to supplement these
sources with other information as needed.

Table below belongs to
* Table G-1: Inputs—determination of likelihood
* Table G-2: Assessment scale—likelihood of threat event
initiation
* Table G-3: Assessment scale—likelihood of threat event
occurrence
* Table G-4: Assessment scale—likelihood of threat event
resulting in adverse impact
* Table G-5: Assessment scale—overall likelihood

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 2: Conduct assessment

Under C. Determine likelihood of occurrence

Question 38

Q

NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured
and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of
occurrence and impact if they occur.

A. Identify threat sources and events The organization
identifies a list of threat sources and events that will be
considered in the assessment. The following sources of
threat information are found in the standard and can be
used. Organizations are advised to supplement these
sources with other information as needed.

Table below belongs to

Table H-1: Input—determination of impact
Table H-2: Examples of adverse impacts
Table H-3: Assessment scale—impact of threat events
Table H-4: Identification of adverse impacts

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 2: Conduct assessment

Under D. Determine magnitude of impact

Question 39

Q

NIST Special Publication 800-30 describes in greater detail a standard methodology for conducting a risk assessment. The techniques in this document are quite structured
and essentially involve setting up a number of worksheets where threats and vulnerabilities are recorded, along with the probability of
occurrence and impact if they occur.

A. Identify threat sources and events The organization
identifies a list of threat sources and events that will be
considered in the assessment. The following sources of
threat information are found in the standard and can be
used. Organizations are advised to supplement these
sources with other information as needed.

Table below belongs to

Table I-1: Inputs—risk
Table I-2: Assessment scale—level of risk (combination of
likelihood and impact)
Table I-3: Assessment scale—level of risk
Table I-4: Column descriptions for adversarial risk table
Table I-5: Template for adversarial risk table to be
completed by risk manager
Table I-6: Column descriptions for non adversarial risk
table
Table I-7: Template for non adversarial risk table to be
completed by risk manager

Step 1: Prepare for assessment
Step 2: Conduct assessment
Step 3: Communicate results
Step 4: Maintain assessment

Answer

A

Step 2: Conduct assessment

Under E. Determine risk

Question 40

Q

ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves 6 steps, this step

Before a risk assessment can
be performed, a number of parameters need to be
established, including the following:
* Scope of the risk assessment This includes which
portions of an organization are to be included, based on
business unit, service, line, geography, organization
structure, or other means.
* Purpose of the risk assessment Reasons include
legal or due diligence or support of an ISMS, business
continuity plan, vulnerability management plan, or
incident response plan.
* Risk evaluation criteria Determine the means
through which risks will be examined and scored.
* Impact criteria Determine how the impact of
identified risks will be described and scored.
* Risk acceptance criteria Specify the method that the
organization will use to determine risk acceptance.
* Logistical plan This includes which personnel will
perform the risk assessment, which personnel in the
organization need to provide information such as control
evidence, and what supporting facilities are required such
as office space.

Step 1: Establish context
Step 2: Risk assessment
Step 3: Risk evaluation
Step 4: Risk treatment
Step 5: Risk communication
Step 6: Risk monitoring and review

Answer

A

Step 1: Establish context

Question 41

Q

ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves 6 steps, this step

The risk assessment is performed.
* Asset identification Risk analysts identify assets,
along with their value and criticality.
* Threat identification Risk analysts identify relevant
and credible threats that have the potential to harm
assets, along with their likelihood of occurrence. There
are many types of threats, both naturally occurring and
man-caused, and they could be accidental or deliberate.
Note that some threats may affect more than one asset.
ISO/IEC 27005 contains a list of threat types, as does
NIST Special Publication 800-30 (in Table D-2) described
earlier in this section. Note that a risk analyst may
identify additional threats.
* Control identification Risk analysts identify existing
and planned controls. Those controls that already exist
should be examined to see whether they are effective.
The criteria for examining a control includes whether it
reduces the likelihood or impact of a threat event. The
results of this examination will conclude whether the
control is effective, ineffective, or unnecessary. Finally,
when identifying threats, the risk analyst may determine
that a new control is warranted.
* Vulnerability identification Vulnerabilities that can
be exploited by threat events that cause harm to an
asset are identified. Remember that a vulnerability does
not cause harm, but its presence may permit a threat
event to harm an asset. ISO/IEC 27005 contains a list of
vulnerabilities. Note that a risk analyst may need to
identify additional vulnerabilities.
* Consequences identification The risk analyst will
identify consequences that would occur for each
identified threat against each asset. Consequences may
be the loss of confidentiality, integrity, or availability of
any asset, as well as a loss of human safety. Depending
on the nature of the asset, consequences may take many
forms, including service interruption or degradation,
reduction in service quality, loss of business, reputation
damage, or monetary penalties including fines. Note that
consequences may be a primary result or a secondary
result of the realization of a specific threat. For example,
the theft of sensitive financial information may have little
or no operational impact in the short term, but legal
proceedings over the long term could result in financial
penalties, unexpected costs, and loss of business.

Step 1: Establish context
Step 2: Risk assessment
Step 3: Risk evaluation
Step 4: Risk treatment
Step 5: Risk communication
Step 6: Risk monitoring and review

Answer

A

Step 2: Risk assessment

Question 42

Q

ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves 6 steps, this step

Levels of risk are determined
according to the risk evaluation and risk acceptance criteria
established in step 1. The output of risk evaluation is a list of
risks, with their associated threats, vulnerabilities, and
consequences.

Step 1: Establish context
Step 2: Risk assessment
Step 3: Risk evaluation
Step 4: Risk treatment
Step 5: Risk communication
Step 6: Risk monitoring and review

Answer

A

Step 3: Risk evaluation

Question 43

Q

ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves 6 steps, this step

Decision-makers in the
organization will select one of four risk treatment options for
each risk identified in step 3. These options are as follows:
* Risk reduction (sometimes known as risk
mitigation) In this option, the organization alters
something in information technology (e.g., security
configuration, application source code, or data), business
processes and procedures, or personnel (e.g., training).
In many cases, an organization will choose to update
an existing control or enact a new control so that the risk
reduction may be more effectively monitored over time.
The cost of updating or creating a control—as well as the
impact on ongoing operational costs of the control—will
need to be weighed alongside the value of the asset
being protected, as well as the consequences associated
with the risk being treated. A risk manager remembers
that a control can reduce many risks, and potentially for
several assets, so the risk manager will need to consider
the benefit of risk reduction in more complex terms.
Chapter 4 includes a comprehensive discussion on the
types of controls.
* Risk retention (sometimes known as risk
acceptance) Here, the organization chooses to accept
the risk and decides not to change anything.
* Risk avoidance The organization decides to
discontinue the activity associated with the risk. For
example, an organization assesses the risks related to the
acceptance of credit card data for payments. They decide
to change the system so that credit card data is sent
instead directly to a payment processor so that the
organization will no longer be accepting credit card data.
* Risk transfer The organization transfers risk to
another party. The common forms of risk transfer are
insurance and outsourcing security monitoring to a third
party.
When an organization transfers risk to another party,
there will usually be residual risk that is more difficult to
treat. For example, while an organization may have had
reduced costs from a breach because of cyber insurance,
the organization may still suffer reputational damage in
the form of reduced goodwill.
Decision-makers weigh the costs and benefits
associated with each these four options and decide the
best course of action for the organization.
The four risk treatment options are not mutually
exclusive; sometimes a combination of risk treatment
options is the best option for an organization. For
instance, a business application was found to accept
weak passwords; the chosen risk treatment was a
combination of security awareness training (mitigation)
and acceptance (the organization elected not to modify
the application as this would have been too expensive).
Further, some treatments can address more than one
risk. For example, security awareness training may
reduce several risks associated with end-user computing
and behavior.
Often, after risk treatment, some risk—known as
residual risk—remains. When analyzing residual risk, the
organization may elect to undergo additional risk
treatment to reduce the risk further, or it may accept the
residual risk as is. Note that residual risk cannot be
reduced to zero—there will always be some level of risk.
Because some forms of risk treatment (mainly, risk
reduction and risk transfer) may require an extended
period of time to be completed, risk managers usually
track ongoing risk treatment activities to completion.

Step 1: Establish context
Step 2: Risk assessment
Step 3: Risk evaluation
Step 4: Risk treatment
Step 5: Risk communication
Step 6: Risk monitoring and review

Answer

A

Step 4: Risk treatment

Question 44

Q

ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves 6 steps, this step

All parties involved in
information risk—the CISO (or other top-ranking information
security official), risk managers, business decision-makers,
and other stakeholders—need channels of communication
throughout the entire risk management and risk treatment life
cycle. Examples of risk communication include the following:
* Announcements and discussions of upcoming risk
assessments
* Collection of risk information during risk assessments
(and at other times)
* Proceedings and results from completed risk
assessments
* Discussions of risk tolerance
* Proceedings from risk treatment discussions and risk
treatment decisions and plans
* Educational information about security and risk
* Updates on the organization’s mission and strategic
objectives
* Communication about security incidents to affected
parties and stakeholders

Step 1: Establish context
Step 2: Risk assessment
Step 3: Risk evaluation
Step 4: Risk treatment
Step 5: Risk communication
Step 6: Risk monitoring and review

Answer

A

Step 5: Risk communication

Question 45

Q

ISO/IEC 27005 is an international standard that defines a structured approach to risk assessments and risk management. The methodology outlined in this standard involves 6 steps, this step

Organizations are
not static, and neither is risk. The value of assets, impacts,
threats, vulnerabilities, and likelihood of occurrence should be
periodically monitored and reviewed so that the organization’s
view of risk continues to be relevant and accurate. Monitoring
should include the following:
* Discovery of new, changed, and retired assets
* Change in business processes and practices
* Changes in technology architecture
* New threats that have not been assessed
* New vulnerabilities that were previously unknown
* Changes in threat event probability and consequences
* Security incidents that may alter the organization’s
understanding of threats, vulnerabilities, and risks
* Changes in market and other business conditions
* Changes in applicable laws and regulations

Step 1: Establish context
Step 2: Risk assessment
Step 3: Risk evaluation
Step 4: Risk treatment
Step 5: Risk communication
Step 6: Risk monitoring and review

Answer

A

Step 6: Risk monitoring and review

Question 46

Q

Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:

This loss is The cost expended in incident response

Productivity
Response
Replacement
Fines and judgments
Competitive advantage
Reputation

Question 47

Q

Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:

This loss is Lost productivity caused by the incident

Productivity
Response
Replacement
Fines and judgments
Competitive advantage
Reputation

Answer

A

Productivity

Question 48

Q

Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:

This loss is The expense required to rebuild or replace
an asset

Productivity
Response
Replacement
Fines and judgments
Competitive advantage
Reputation

Answer

A

Replacement

Question 49

Q

Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:

This loss is All forms of legal costs resulting
from the incident

Productivity
Response
Replacement
Fines and judgments
Competitive advantage
Reputation

Competitive advantage Loss of business to other
organizations
Reputation Loss of goodwill and future business

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer
list is also a liability because of the impact on the organization if the
customer list is obtained by an unauthorized person.
FAIR guides a risk manager through an analysis of threat agents
and the different ways in which a threat agent acts upon an asset.
* Access Reading data without authorization
* Misuse Using an asset differently from intended usage
* Disclose Threat agent shares data with other unauthorized
parties
* Modify Threat agent modifies asset
* Deny use Threat agents prevent legitimate subjects from
accessing assets
FAIR is claimed to be complementary to risk management
methodologies such as NIST SP 800-30 and ISO/IEC 27005.

Answer

A

Fines and judgments

Question 50

Q

Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:

This loss is Loss of business to other
organizations

Productivity
Response
Replacement
Fines and judgments
Competitive advantage
Reputation

Reputation Loss of goodwill and future business

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer
list is also a liability because of the impact on the organization if the
customer list is obtained by an unauthorized person.
FAIR guides a risk manager through an analysis of threat agents
and the different ways in which a threat agent acts upon an asset.
* Access Reading data without authorization
* Misuse Using an asset differently from intended usage
* Disclose Threat agent shares data with other unauthorized
parties
* Modify Threat agent modifies asset
* Deny use Threat agents prevent legitimate subjects from
accessing assets
FAIR is claimed to be complementary to risk management
methodologies such as NIST SP 800-30 and ISO/IEC 27005.

Answer

A

Competitive advantage

Question 51

Q

Factor Analysis of Information Risk (FAIR) is an analysis method that helps a risk manager understand the factors that contribute to risk, as well as the probability of threat occurrence and an estimation of loss. FAIR is used to help a risk manager understand the probability of a given threat event and the losses that may occur. In the FAIR methodology, there are six types of loss:

This loss is Reputation Loss of goodwill and future business

Productivity
Response
Replacement
Fines and judgments
Competitive advantage
Reputation

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer
list is also a liability because of the impact on the organization if the
customer list is obtained by an unauthorized person.
FAIR guides a risk manager through an analysis of threat agents
and the different ways in which a threat agent acts upon an asset.
* Access Reading data without authorization
* Misuse Using an asset differently from intended usage
* Disclose Threat agent shares data with other unauthorized
parties
* Modify Threat agent modifies asset
* Deny use Threat agents prevent legitimate subjects from
accessing assets
FAIR is claimed to be complementary to risk management
methodologies such as NIST SP 800-30 and ISO/IEC 27005.

Answer

A

Reputation

Question 52

Q

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 threat agents, this agent
“Reading data without authorization”

Access
Misuse
Disclose
Modify
Deny use

Question 53

Q

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 threat agents, this agent
“Using an asset differently from intended usage”

Access
Misuse
Disclose
Modify
Deny use

Question 54

Q

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 threat agents, this agent

“Threat agent shares data with other unauthorized
parties”

Access
Misuse
Disclose
Modify
Deny use

Question 55

Q

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 threat agents, this agent

“Threat agent modifies asset”

Access
Misuse
Disclose
Modify
Deny use

Deny use Threat agents prevent legitimate subjects from
accessing assets

Question 56

Q

FAIR also focuses on the concept of asset value and liability. For
example, a customer list is an asset because the organization can
reach its customers to solicit new business; however, the customer list is also a liability because of the impact on the organization if the customer list is obtained by an unauthorized person. FAIR guides a risk manager through an analysis of threat agents and the different ways in which a threat agent acts upon an asset. There are 5 threat agents, this agent

“Threat agents prevent legitimate subjects from
accessing assets”

Access
Misuse
Disclose
Modify
Deny use

Question 57

Q

An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset,

This characteristic includes the make, model, serial
number, asset tag number, logical name, and any other
means for identifying the asset.

Identification
Value
Location
Security classification
Asset Group
Owner
Custodian

Answer

A

Identification

Question 58

Q

An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset,

This characteristic Initially, may signify the purchased value but may also include its depreciated value if an IT asset management
program is associated with the organization’s financial asset
management program.

Identification
Value
Location
Security classification
Asset Group
Owner
Custodian

Question 59

Q

An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset,

This characteristic The asset’s location needs to be specified so that its existence may be verified in a periodic inventory.

Identification
Value
Location
Security classification
Asset Group
Owner
Custodian

Question 60

Q

An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset,

This characteristic Security management programs
almost always include a plan for classifying the sensitivity of
information and/or information systems. Example
classifications include secret, restricted, confidential, and
public.

Identification
Value
Location
Security classification
Asset Group
Owner
Custodian

Answer

A

Security classification

Question 61

Q

An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset,

This characteristic IT assets may be classified into a hierarchy of
asset groups. For example, any of the servers in a data center
that support a large application may be assigned to an asset
group known as “Application X Servers.”

Identification
Value
Location
Security classification
Asset Group
Owner
Custodian

Answer

A

Asset Group

Question 62

Q

An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset,

This characteristic is usually the person or group responsible for
the operation of the asset.

Identification
Value
Location
Security classification
Asset Group
Owner
Custodian

Question 63

Q

An organization that is responsible for the management of
information and information systems must have a means for
knowing what all of those assets are. More than that, IT needs to
acquire and track several characteristics about every asset,

This characteristic the ownership and operations of assets will be divided into two bodies, where the owner owns them but a custodian operates or maintains them.

Identification
Value
Location
Security classification
Asset Group
Owner
Custodian

Answer

A

Custodian

Question 64

Q

Information classification is a process whereby different sets and
collections of data in an organization are analyzed for various types
of value, criticality, integrity, and sensitivity. There are different ways
to understand these characteristics.

This information may be more easily
monetized by intruders who steal this information. Types of
information include credit card numbers, bank account
numbers, gift certificates or cards, and discount or promotion
codes. Loss of this type of information may cause direct
financial losses.

Monetary Value
Operational criticality
Accuracy or integrity
Sensitivity

Answer

A

Monetary Value

Answer 47

A

Operational criticality

Answer 48

A

Accuracy or integrity

Answer 49

A

Sensitivity

Answer 50

A

Restricted

Answer 51

A

Confidential

Answer 52

A

Database management server

Answer 53

A

Demilitarized zone (DMZ) firewall

Answer 54

A

Internet time server

Answer 55

A

Threat actors

Answer 56

A

Vulnerabilities

Answer 57

A

Asset value

Answer 58

A

Visibility

Answer 59

A

Motivation

Answer 60

A

identify risks and, perhaps, suggested remedies

Answer 61

A

identify the most critical business processes, together with their supporting IT systems and dependencies on other processes or systems.

Answer 62

A

Event probability

Answer 63

A

Event cost

Answer 64

A

Asset value (AV)

Answer 65

A

Exposure factor (EF)

Answer 66

A

Single loss expectancy (SLE)

Answer 67

A

Annualized rate of occurrence (ARO)

Answer 68

A

Annualized loss expectancy (ALE)

Answer 69

A

Event tree analysis (ETA)

Answer 70

A

Fault tree analysis (FTA)

Answer 71

A

Monte Carlo analysis

Answer 72

A

Risk acceptance

Answer 73

A

Risk mitigation

Answer 74

A

Risk avoidance

Answer 75

A

Risk transfer

Answer 76

A

Residual Risk

Answer 77

A

Mandatory protective measures

Answer 78

A

Optional protective measures

Answer 79

A

Mandatory risk assessments

Answer 80

A

Change in threat probability

Answer 81

A

Change in threat impact

Answer 82

A

Change in operational efficiency

Answer 83

A

Total cost of ownership (TCO)

Answer 84

A

Operational risk

Answer 85

A

RTO (Recovery Time Objective)

Answer 86

A

RPO (Recovery Point Objective)

Answer 87

A

RCapO (Recovery capacity objective)

Answer 88

A

SDO (Service Delivery Objective)

Answer 89

A

MTD (Maximum Tolerable Downtime)

Answer 90

A

MTO (Maximum Tolerable Outage)

Answer 91

A

Security and/or privacy program

Answer 92

A

Security and/or privacy controls

Answer 93

A

Vulnerability assessments

Answer 94

A

External audits and certifications

Answer 95

A

Security incident response

Answer 96

A

Security incident notification

Answer 97

A

Right to audit

Answer 98

A

Periodic review

Answer 99

A

Annual due diligence

Answer 100

A

Cyber insurance

Answer 101

A

Threat modeling

Answer 102

A

Coding standards

Answer 103

A

Code reviews

Answer 104

A

Code scanning

Answer 105

A

Application scanning

Answer 106

A

Application penetration testing

Answer 107

A

Problem management

Answer 108

A

Change management

Answer 109

A

Configuration management

Answer 110

A

Incident management

Answer 111

A

Security or risk component associated with an incident

Answer 112

A

Security or risk implication associated with actions to restore service

Answer 113

A

Security or risk implications associated with root cause analysis (RCA)

Answer 114

A

Security or risk implications associated with corrective action

Answer 115

A

Background checks

Answer 116

A

Legal agreements

Answer 117

A

Development and management of roles

Answer 118

A

Management of the human resource information system (HRIS)

Answer 119

A

Risk monitoring

Answer 120

A

Key Risk Indicators

Answer 121

A

Answers
1. C. The best approach for success in an organization’s risk management program, and during risk assessments, is to
have support from executive management. Executives need to define the scope of the risk management program,
whether by business unit, geography, or other means.

Answer 122

A

A. Most organizations do not place individual vulnerabilities into a risk register. The risk register is primarily for strategic
issues, not tactical issues such as individual vulnerabilities. However, if the vulnerability scan report was an indication of a
broken process or broken technology, then that matter of brokenness might qualify as a valid risk register entry.

Answer 123

A

D. The shared responsibility model, sometimes known as a shared responsibility matrix, depicts the operational model for
SaaS and IaaS providers where client organizations have some security responsibilities (such as end user access control) and service provider organizations have some security responsibilities (such as physical access control).

Answer 124

A

A. The four categories of risk treatment are risk mitigation (where risks are reduced through a control or process
change), risk transfer (where risks are transferred to an external party such as an insurance company or managed
services provider), risk avoidance (where the risk-producing activity is discontinued), and risk acceptance (where
management chooses to accept the risk).

Answer 125

A

D. Recovery time objective is the maximum period of time from the onset of an outage until the resumption of service.

Answer 126

A

C. Ordinarily it would not make sense to spend $50,000 to protect an asset worth $10,000. But sometimes there are
other considerations, such as revenue realization or reputation damage, that can be difficult to quantify.

Answer 127

A

B. In most cases, compliance risk is just another risk that needs to be understood. This includes the understanding of
potential fines and other sanctions in relation to the costs required to reach a state of compliance. In some cases,
however, being out of compliance can also result in reputation damage, as well as larger sanctions if the organization suffers
from a security breach because of the noncompliant state.

Answer 128

A

C. A risk register item that has been accepted should be shelved and considered after a period of time, perhaps one
year. This is a better option than closing the item permanently; in a year’s time, changes in business conditions, security threats, and other considerations may compel the organization to take different action.

Answer 129

A

B. After risk reduction through risk mitigation, the residual risk should be treated like any new risk: it should be
reexamined, and a new risk treatment decision should be made. This should continue until the final remaining residual
risk is accepted.

Answer 130

A

D. The refusal of an organization to formally consider a risk is known as ignoring the risk. This is not a formal method
of risk treatment because of the absence of deliberation and decision-making. It is not a wise business practice to keep
some risk matters “off the books.”

Answer 131

A

C. The absence of security patches on a system is considered a vulnerability. A vulnerability is defined as a weakness in a system that could permit an attack to occur.

Answer 132

A

B. Any undesired action that could harm an asset is known as a threat.

Answer 133

A

A. A data classification policy is a statement that defines two or more classification levels for data, together with
procedures and standards for the protection of data at each classification for various use cases such as storage in a
database, storage on a laptop computer, transmissions via email, and storage on backup media.

Answer 134

A

D. When the desired end state of a process or system is determined, a gap analysis must be performed so that the
current state of the process or system can also be known. Then, specific tasks can be performed to reach the desired
end state of the process.

Answer 135

A

A. The most common objective of a risk management program is the reduction in the number and severity of
security incidents.

Answer 136

A

Answer: B
Explanation:
The recovery point objective (RPO) is the processing checkpoint to which systems are recovered.
In addition to data owners, the chief operations officer (COO) is the most knowledgeable person to
make this decision. It would be inappropriate for the information security manager or an internal
audit to determine the RPO because they are not directly responsible for the data or the operation.

Answer 137

A

Answer: B
Explanation:
The probability or likelihood of the event and the financial impact or magnitude of the event must
be assessed first. Duration refers to the length of the event; it is important in order to assess
impact but is secondary. Once the likelihood is determined, the frequency is also important to
determine overall impact.

Answer 138

A

Answer: A
Explanation:
Information security managers should use risk assessment techniques to justify and implement a
risk mitigation strategy as efficiently as possible. None of the other choices accomplishes that
task, although they are important components.

Answer 139

A

Answer: C
A risk analysis should take into account the potential financial impact and likelihood of a loss. It
should not weigh all potential losses evenly, nor should it focus primarily on recent losses or
losses experienced by similar firms. Although this is important supplementary information, it does
not reflect the organization’s real situation. Geography and other factors come into play as well.

Answer 140

A

Answer: C
Explanation:
The data owners should be notified first so they can take steps to determine the extent of the
damage and coordinate a plan for corrective action with the computer incident response team.
Other parties will be notified later as required by corporate policy and regulatory requirements.

Answer 141

A

Answer: B
Explanation:
Data owners are responsible for assigning user entitlements and approving access to the systems
for which they are responsible. Platform security, intrusion detection and antivirus controls are all
within the responsibility of the information security manager.

Answer 142

A

Answer: C
Explanation:
Risk management’s primary goal is to ensure an organization maintains the ability to achieve its
objectives. Protecting IT assets is one possible goal as well as ensuring infrastructure and
systems availability. However, these should be put in the perspective of achieving an
organization’s objectives. Preventive controls are not always possible or necessary; risk
management will address issues with an appropriate mix of preventive and corrective controls.

Answer 143

A

Answer: D
Explanation:
Classification of assets needs to be undertaken to determine sensitivity of assets in terms of risk to
the business operation so that proportional countermeasures can be effectively implemented.
While higher costs are allowable to protect sensitive assets, and it is always reasonable to
minimize the costs of controls, it is most important that the controls and countermeasures are
commensurate to the risk since this will justify the costs. Choice B is important but it is an
incomplete answer because it does not factor in risk. Therefore, choice D is the most important.

Answer 144

A

Answer: D
Explanation:
It is important to ensure that adequate levels of protection are written into service level
agreements (SLAs) and other outsourcing contracts. Information must be obtained from providers
to determine how that outsource provider is securing information assets prior to making any
recommendation or taking any action in order to support management decision making. Choice A
is not acceptable in most situations and therefore not a good answer.

Answer 145

A

Answer: C
Explanation:
Implementing more restrictive preventive controls mitigates vulnerabilities but not the threats.
Losses and probability of occurrence may not be primarily or directly affected.

Answer 146

A

Answer: C
Explanation:
Calculating the value of the information or asset is the first step in a risk analysis process to
determine the impact to the organization, which is the ultimate goal. Determining how much
productivity could be lost and how much it would cost is a step in the estimation of potential risk
process. Knowing the impact if confidential information is disclosed is also a step in the estimation
of potential risk. Measuring the probability of occurrence for each threat identified is a step in
performing a threat analysis and therefore a partial answer.

Answer 147

A

Answer: A
Explanation:
Risk mapping or a macro assessment of the major threats to the organization is a simple first step
before performing a risk assessment. Compiling all available sources of risk information is part of
the risk assessment. Choices C and D are also components of the risk assessment process,
which are performed subsequent to the threats-business mapping.

Answer 148

A

Answer: D
Explanation:
Information asset owners are in the best position to evaluate the value added by the IT asset
under review within a business process, thanks to their deep knowledge of the business
processes and of the functional IT requirements. An IT security manager is an expert of the IT risk
assessment methodology and IT asset valuation mechanisms. However, the manager could not
have a deep understanding of all the business processes of the firm. An IT security subject matter
expert will take part of the process to identify threats and vulnerabilities and will collaborate with
the business information asset owner to define the risk profile of the asset. A chief financial officer
(CFO) will have an overall costs picture but not detailed enough to evaluate the value of each IT
asset.

Answer 149

A

Answer: D
Explanation:
The goal of a risk management program is to ensure that residual risk remains within manageable
levels. Management of risk does not always require the removal of inherent risk nor is this always
possible. A possible benefit of good risk management is to reduce insurance premiums, but this is
not its primary intention. Effective controls are naturally a clear objective of a risk management
program, but with the choices given, choice C is an incomplete answer.

Answer 150

A

Answer: B
Explanation:
The business manager will be in the best position, based on the risk assessment and mitigation
proposals. to decide which controls should/could be implemented, in line with the business
strategy and with budget. Senior management will have to ensure that the business manager has
a clear understanding of the risk assessed but in no case will be in a position to decide on specific
controls. The IT audit manager will take part in the process to identify threats and vulnerabilities,
and to make recommendations for mitigations. The information security officer (ISO) could make
some decisions regarding implementation of controls. However, the business manager will have a
broader business view and full control over the budget and, therefore, will be in a better position to
make strategic decisions.

Answer 151

A

Answer: C
Explanation:
Assets must be inventoried before any of the other choices can be performed.

Answer 152

A

Answer: B
Explanation:
All choices are benefits of information classification. However, identifying controls that are
proportional to the risk in all cases is the primary benefit of the process.

Answer 153

A

Answer: C
Explanation:
All of these procedures are essential for implementing risk management. However, without
identifying new risks, other procedures will only be useful for a limited period.

Answer 154

A

Answer: B
Explanation:
A brute force attack is normally successful against weak passwords, whereas strong passwords
would not prevent any of the other attacks. Man-in-the-middle attacks intercept network traffic,
which could contain passwords, but is not naturally password-protected. Remote buffer overflows
rarely require a password to exploit a remote host. Root kits hook into the operating system’s
kernel and, therefore, operate underneath any authentication mechanism.

Answer 155

A

Answer: D
Explanation:
Phishing can best be detected by the user. It can be mitigated by appropriate user awareness.
Security monitoring software would provide some protection, but would not be as effective as user
awareness. Encryption and two-factor authentication would not mitigate this threat.

Answer 156

A

Answer: D
Explanation:
Security responsibilities of data custodians within an organization include ensuring that
appropriate security measures are maintained and are consistent with organizational policy.
Executive management holds overall responsibility for protection of the information assets. Data
owners determine data classification levels for information assets so that appropriate levels of
controls can be provided to meet the requirements relating to confidentiality, integrity and
availability. Implementation of information security in products is the responsibility of the IT
developers.

Answer 157

A

Answer: A
Explanation:
As business objectives and methods change, the nature and relevance of threats change as well.
Choice B does not, by itself, justify regular reassessment. Choice C is not necessarily true in all
cases. Choice D is incorrect because there are better ways of raising security awareness than by
performing a risk assessment.

Answer 158

A

Answer: A
Explanation:
Risk assessment first requires one to identify the business assets that need to be protected before
identifying the threats. The next step is to establish whether those threats represent business risk
by identifying the likelihood and effect of occurrence, followed by assessing the vulnerabilities that
may affect the security of the asset. This process establishes the control objectives against which
key controls can be evaluated.

Answer 159

A

Answer: A
Explanation:
Security incident response plans should be tested to find any deficiencies and improve existing
processes. Testing the intrusion detection system (IDS) is a good practice but would not have
prevented this situation. All personnel need to go through formal training to ensure that they
understand the process, tools and methodology involved in handling security incidents. However,
testing of the actual plans is more effective in ensuring the process works as intended. Reviewing
the response procedures is not enough; the security response plan needs to be tested on a
regular basis.

Answer 160

A

Answer: C
Explanation:
Residual risk is unmanaged, i.e., inherent risk which remains uncontrolled. This is key to the
organization’s risk appetite and is the amount of residual risk that a business is living with that
affects its viability. Hence, inherent risk is incorrect. Control risk, the potential for controls to fail,
and audit risk, which relates only to audit’s approach to their work, are not relevant in this context.

Answer 161

A

Answer: A
Explanation:
Recovery time objective (RTO) is the length of time from the moment of an interruption until the
time the process must be functioning at a service level sufficient to limit financial and operational
impacts to an acceptable level. Maximum tolerable outage (MTO) is the maximum time for which
an organization can operate in a reduced mode. Recovery point objectives (RPOs) relate to the
age of the data required for recovery. Services delivery objectives (SDOs) are the levels of service
required in reduced mode.

Answer 162

A

Answer: B
Explanation:
The object of risk management is to ensure that all residual risk is maintained at a level acceptable
to the business; it is not intended to remove every identified risk or implement controls for every
threat since this may not be cost-effective. Control risk, i.e., that a control may not be effective, is a
component of the program but is unlikely to be reduced to zero.

Answer 163

A

Answer: D
Explanation:
Risk should be addressed as early as possible in the development cycle. The feasibility study
should include risk assessment so that the cost of controls can be estimated before the project
proceeds. Risk should also be considered in the specification phase where the controls are
designed, but this would still be based on the assessment carried out in the feasibility study.
Assessment would not be relevant in choice A or C.

Answer 164

A

Answer: B
Explanation:
The business impact analysis (BIA) determines the possible outcome of a risk and is essential to
determine the appropriate cost of control. The risk analysis process provides comprehensive data,
but does not determine definite resources to mitigate the risk as does the BIA. The risk
management balanced scorecard is a measuring tool for goal attainment. A risk-based audit
program is used to focus the audit process on the areas of greatest importance to the
organization.

Answer 165

A

Answer: C
Explanation:
An organization may decide to live with specific risks because it would cost more to protect
themselves than the value of the potential loss. The safeguards need to match the risk level. While
countermeasures could be too complicated to deploy, this is not the most compelling reason. It is
unlikely that a global financial institution would not be exposed to such attacks and the frequency
could not be predicted.

Answer 166

A

Answer: B
Explanation:
Control objectives are directly related to business objectives; therefore, they would be the best
metrics. Number of controls implemented does not have a direct relationship with the results of a
security program. Percentage of compliance with the security policy and reduction in the number
of security incidents are not as broad as choice B.

Answer 167

A

Answer: D
Explanation:
Previous financial results are public; all of the other choices are private information and should
only be accessed by authorized entities.

Answer 168

A

Answer: D
Explanation:
Risk analysis explores the degree to which an asset needs protecting so this can be managed
effectively. Risk analysis indirectly supports the security expenditure, but justifying the security
expenditure is not its primary purpose. Helping businesses prioritize the assets to be protected is
an indirect benefit of risk analysis, but not its primary purpose. Informing executive management of
residual risk value is not directly relevant.

Answer 169

A

Answer: C
Explanation:
Identifying the data owners is the first step, and is essential to implementing data classification.
Defining job roles is not relevant. Performing a risk assessment is important, but will require the
participation of data owners (who must first be identified). Establishing data retention policies may
occur after data have been classified.

Answer 170

A

Answer: A
Explanation:
Since residual risk will always be too high, the only practical solution is to mitigate the financial
impact by purchasing insurance.

Answer 171

A

Answer: B
Explanation:
A security gap analysis is a process which measures all security controls in place against typically
good business practice, and identifies related weaknesses. A business impact analysis is less
suited to identify security deficiencies. System performance metrics may indicate security
weaknesses, but that is not their primary purpose. Incident response processes exist for cases
where security weaknesses are exploited.

Answer 172

A

Answer: D
Explanation:
Structured query language (SQL) injection is one of the most common and dangerous web
application vulnerabilities. Buffer overflows and race conditions are very difficult to find and exploit
on web applications. Distributed denial of service (DoS) attacks have nothing to do with the quality
of a web application.

Answer 173

A

Answer: C
Explanation:
The security manager would be most concerned with whether residual risk would be reduced by a
greater amount than the cost of adding additional controls. The other choices, although relevant,
would not be as important.

Answer 174

A

Answer: A
Explanation:
The information security manager cannot make an informed decision about the request without
first understanding the business requirements of the developer portal. Performing a vulnerability
assessment of developer portal and installing an intrusion detection system (IDS) are best
practices but are subsequent to understanding the requirements. Obtaining a signed
nondisclosure agreement will not take care of the risks inherent in the organization’s application.

Answer 175

A

Answer: B
Explanation:
Creating a strong random password reduces the risk of a successful brute force attack by
exponentially increasing the time required. Preventing the system from being accessed remotely is
not always an option in mission-critical systems and still leaves local access risks. Vendor patches
are not always available, tracking usage is a detective control and will not prevent an attack.

Answer 176

A

Answer: A
Explanation:
Cross-site scripting attacks inject malformed input. Attackers who exploit weak application
authentication controls can gain unauthorized access to applications and this has little to do with
cross-site scripting vulnerabilities. Attackers who exploit flawed cryptographic secure sockets layer
(SSI.) implementations and short key lengths can sniff network traffic and crack keys to gain
unauthorized access to information. This has little to do with cross-site scripting vulnerabilities.
Web application trust relationships do not relate directly to the attack.

Answer 177

A

Answer: C
Explanation:
Acceptable use policies are the best measure for preventing the unauthorized disclosure of
confidential information. The other choices do not address confidentiality of information.

Answer 178

A

Answer: B
Explanation:
Data classification policies define the level of protection to be provided for each category of data.
Without this mandated ranking of degree of protection, it is difficult to determine what access
controls or levels of encryption should be in place. An acceptable use policy is oriented more
toward the end user and, therefore, would not specifically address what controls should be in
place to adequately protect information.

Answer 179

A

Answer: C
Explanation:
Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its
benefit and that the best safeguard is provided for the cost of implementation. Risk analysis
identifies the risks and suggests appropriate mitigation. The annualized loss expectancy (ALE) is a
subset of a cost-benefit analysis. Impact analysis would indicate how much could be lost if a
specific threat occurred.

Answer 180

A

Answer: C
Explanation:
A risk assessment will identify- the business impact of such vulnerability being exploited and is,
thus, the correct process. A penetration test or a security baseline review may identify the
vulnerability but not the remedy. A business impact analysis (BIA) will more likely identify the
impact of the loss of the mail server.

Answer 181

A

Answer: A
Explanation:
Role-based access control provides access according to business needs; therefore, it reduces
unnecessary- access rights and enforces accountability. Audit trail monitoring is a detective
control, which is ‘after the fact.’ Privacy policy is not relevant to this risk. Defense-in-depth primarily
focuses on external threats

Answer 182

A

Answer: B
Explanation:
Whenever the company’s policies cannot be followed, a risk assessment should be conducted to
clarify the risks. It is then up to management to accept the risks or to mitigate them. Management
determines the level of risk they are willing to take. Recommending revision of current policy
should not be triggered by a single request.

Answer 183

A

Answer: B
Explanation:
While customer awareness will help mitigate the risks, this is insufficient on its own to control fraud
risk. Implementing monitoring techniques which will detect and deal with potential fraud cases is
the most effective way to deal with this risk. If the bank outsources its processing, the bank still
retains liability. While making the customer liable for losses is a possible approach, nevertheless,
the bank needs to be seen to be proactive in managing its risks.

Answer 184

A

Answer: D
Explanation:
The criticality and sensitivity of information assets depends on the impact of the probability of the
threats exploiting vulnerabilities in the asset, and takes into consideration the value of the assets
and the impairment of the value. Threat assessment lists only the threats that the information
asset is exposed to. It does not consider the value of the asset and impact of the threat on the
value. Vulnerability assessment lists only the vulnerabilities inherent in the information asset that
can attract threats. It does not consider the value of the asset and the impact of perceived threats
on the value. Resource dependency assessment provides process needs but not impact.

Answer 185

A

Answer: C
Explanation:
Valuation is performed first to identify and understand the assets needing protection. Risk
assessment is performed to identify and quantify threats to information assets that are selected by
the first step, valuation. Classification and risk mitigation are steps following valuation.

Answer 186

A

Answer: C
Explanation:
Identification and valuation of assets provides the basis for risk management efforts as it relates to
the criticality and sensitivity of assets. Management support is always important, but is not relevant
when determining the proportionality of risk management efforts. ALE calculations are only valid if
assets have first been identified and appropriately valued. Motives, means and opportunities
should already be factored in as a part of a risk assessment.

Answer 187

A

Answer: C
Explanation:
Protection should be proportional to the value of the asset. Classification is based upon the value
of the asset to the organization. The amount of insurance needed in case of loss may not be
applicable in each case. Peer organizations may have different classification schemes for their
assets.

Answer 188

A

Answer: B
Explanation:
The best strategy for risk management is to reduce risk to an acceptable level, as this will take into
account the organization’s appetite for risk and the fact that it would not be practical to eliminate all
risk. Achieving balance between risk and organizational goals is not always practical. Policy
development must consider organizational risks as well as business objectives. It may be prudent
to ensure that management understands and accepts risks that it is not willing to mitigate, but that
is a practice and is not sufficient to l>e considered a strategy.

Answer 189

A

Answer: C
Explanation:
When mobile equipment is lost or stolen, the information contained on the equipment matters most
in determining the impact of the loss. The more sensitive the information, the greater the liability. If
staff carries mobile equipment for business purposes, an organization must develop a clear policy
as to what information should be kept on the equipment and for what purpose. Personal
information is not defined in the question as the data that were lost. Insurance may be a relatively
smaller issue as compared with information theft or opportunity loss, although insurance is also an
important factor for a successful business. Cost of equipment would be a less important issue as
compared with other choices.

Answer 190

A

Answer: B
Explanation:
Since they are regulatory requirements, a gap analysis would be the first step to determine the
level of compliance already in place. Implementing a security committee or compensating controls
would not be the first step. Demanding immediate compliance would not assess the situation.

Answer 191

A

Answer: C
Explanation:
The total cost of ownership (TCO) would be the most relevant piece of information in that it would
establish a cost baseline and it must be considered for the full life cycle of the control. Annual loss
expectancy (ALE) and the frequency of incidents could help measure the benefit, but would have
more of an indirect relationship as not all incidents may be mitigated by implementing a two-factor
authentication system. The approved budget for the project may have no bearing on what the
project may actually cost.

Answer 192

A

Answer: C
Explanation:
Control effectiveness requires a process to verify that the control process worked as intended.
Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that
the process operated as intended. The type of control is not relevant, and notification of failure is
not determinative of control strength. Reliability is not an indication of control strength; weak
controls can be highly reliable, even if they are ineffective controls.

Answer 193

A

Answer: D
Explanation:
A network vulnerability assessment intends to identify known vulnerabilities based on common
misconfigurations and missing updates. 0-day vulnerabilities by definition are not previously known
and therefore are undetectable. Malicious software and spyware are normally addressed through
antivirus and antispyware policies. Security design flaws require a deeper level of analysis.

Answer 194

A

Answer: C
Explanation:
The data owner is responsible for applying the proper classification to the data. Senior
management is ultimately responsible for the organization. The security officer is responsible for
applying security protection relative to the level of classification specified by the owner. The
technology group is delegated the custody of the data by the data owner, but the group does not
classify the information.

Answer 195

A

Answer: C
Explanation:
When the cost of control is more than the cost of the risk, the risk should be accepted.
Transferring, treating or terminating the risk is of limited benefit if the cost of that control is more
than the cost of the risk itself.

Answer 196

A

Answer: B
Explanation:
When reporting an incident to senior management, the initial information to be communicated
should include an explanation of what happened and how the breach was resolved. A summary of
security logs would be too technical to report to senior management. An analysis of the impact of
similar attacks and a business case for improving controls would be desirable; however, these
would be communicated later in the process.

Answer 197

A

Answer: B
Explanation:
Exceptions to policy are warranted in circumstances where compliance may be difficult or
impossible and the risk of noncompliance is outweighed by the benefits. Being busy is not a
justification for policy exceptions, nor is the fact that compliance cannot be enforced. User
inconvenience is not a reason to automatically grant exception to a policy.

Answer 198

A

Answer: D
Explanation:
When defining the information classification policy, the requirements of the data owners need to
be identified. The quantity of information, availability of IT infrastructure and benchmarking may be
part of the scheme after the fact and would be less relevant.

Answer 199

A

Answer: B
Explanation:
Key controls primarily reduce risk and are most effective for the protection of information assets.
The other choices could be examples of possible key controls.

Answer 200

A

Answer: D
Explanation:
The owner of the information asset should be the person with the decision-making power in the
department deriving the most benefit from the asset. In this case, it would be the head of the sales
department. The organizational unit cannot be the owner of the asset because that removes
personal responsibility. The database administrator is a custodian. The chief information officer
(CIO) would not be an owner of this database because the CIO is less likely to be knowledgeable
about the specific needs of sales operations and security concerns.

Answer 201

A

Answer: B
Explanation:
Identifying the relevant systems and processes is the best first step. Developing an operational
plan for achieving compliance with the legislation is incorrect because it is not the first step.
Restricting the collection of personal information comes later. Identifying privacy legislation in
other countries would not add much value.

Answer 202

A

Answer: B
Explanation:
Risk assessment needs to be performed on a continuous basis because of organizational and
technical changes. Risk assessment must take into account all significant changes in order to be
effective.

Answer 203

A

Answer: C
Explanation:
The risk environment is impacted by factors such as changes in technology, and business
strategy. These changes introduce new threats and vulnerabilities to the organization. As a result,
risk assessment should be performed continuously. Justification of a budget should never be the
main reason for performing a risk assessment. New vulnerabilities should be managed through a
patch management process. Informing management about emerging risks is important, but is not
the main driver for determining when a risk assessment should be performed.

Answer 204

A

Answer: A
Explanation:
The best protection is to identify the vulnerable systems and apply compensating controls until a
patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to
system users could be compensating controls but would not be the first course of action. Choice D
does not make clear the timing of when the intrusion detection system (IDS) signature list would
be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this
approach should not always be considered as the first option.

Answer 205

A

Answer: B
Explanation:
Penetration testing focuses on identifying vulnerabilities. None of the other choices would identify
vulnerabilities introduced by changes.

Answer 206

A

Answer: A
Explanation:
In a countermeasure cost-benefit analysis, the annual cost of safeguards is compared with the
expected cost of loss. This can then be used to justify a specific control measure. Penetration
testing may indicate the extent of a weakness but, by itself, will not establish the cost/benefit of a
control. Frequent risk assessment programs will certainly establish what risk exists but will not
determine the maximum cost of controls. Annual loss expectancy (ALE) is a measure which will
contribute to the value of the risk but. alone, will not justify a control.

Answer 207

A

Answer: C
Explanation:
Risk can never be eliminated entirely. Transferring the risk gives it away such as buying insurance
so the insurance company can take the risk. Implementing additional controls is an example of
mitigating risk. Doing nothing to mitigate the risk would be an example of accepting risk.

Answer 208

A

Answer: D
Explanation:
Although the information owner may be in a management position and is also considered a user,
the information owner role has the responsibility for determining information classification levels.
Management is responsible for higher-level issues such as providing and approving budget,
supporting activities, etc. The information custodian is responsible for day-to-day security tasks
such as protecting information, backing up information, etc. Users are the lowest level. They use
the data, but do not classify the data. The owner classifies the data.

Answer 209

A

Answer: B
Explanation:
The assigned class of sensitivity and criticality of the information resource determines the level of
access controls to be put in place. The assignment of sensitivity and criticality takes place with the
information assets that have already been included in the information security program and has
only an indirect bearing on the costs to be incurred. The assignment of sensitivity and criticality
contributes to, but does not decide, the overall budget of the information security program.

Answer 210

A

Answer: C
Explanation:
Gap analysis would help identify the actual gaps between the desired state and the current
implementation of information security management. BIA is primarily used for business continuity
planning. Technical vulnerability assessment is used for detailed assessment of technical controls,
which would come later in the process and would not provide complete information in order to
identify gaps.

Answer 211

A

Answer: B
Explanation:
Listing all possible scenarios that could occur, along with threats and impacts, will better frame the
range of risks and facilitate a more informed discussion and decision. Estimated productivity
losses, value of information assets and vulnerability assessments would not be sufficient on their
own.

Answer 212

A

Answer: D
Explanation:
Effective risk management requires participation, support and acceptance by all applicable
members of the organization, beginning with the executive levels. Personnel must understand
their responsibilities and be trained on how to fulfill their roles.

Answer 213

A

Answer: C
Explanation:
A risk register is more than a simple list — it should lie used as a tool to ensure comprehensive
documentation, periodic review and formal update of all risk elements in the enterprise’s IT and
related organization. Identifying risks and assigning roles and responsibilities for mitigation are
elements of the register. Identifying threats and probabilities are two elements that are defined in
the risk matrix, as differentiated from the broader scope of content in, and purpose for, the risk
register. While the annualized loss expectancy (ALE) should be included in the register, this
quantification is only a single element in the overall risk analysis program.

Answer 214

A

Answer: B
Explanation:
When establishing an information security program, conducting a risk assessment is key to
identifying the needs of the organization and developing a security strategy. Defining security
metrics, performing a gap analysis and procuring security tools are all subsequent considerations.

Answer 215

A

Answer: A
Explanation:
The main purpose of a BIA is to measure the downtime tolerance, associated resources and
criticality of a business function. Options B, C and D are all associated with business continuity
planning, but are not related to the BIA.

Answer 216

A

Answer: A
Explanation:
Risk management is identifying all risks within an organization, establishing an acceptable level of
risk and effectively managing risks which may include mitigation or transfer. Accepting the
security- posture provided by commercial security products is an approach that would be limited to
technology components and may not address all business operations of the organization.
Education is a part of the overall risk management process. Tools may be limited to technology
and would not address non-technology risks.

Answer 217

A

Answer: C
Explanation:
Risks are typically transferred to insurance companies when the probability of an incident is low
but the impact is high. Examples include: hurricanes, tornados and earthquakes. Implementing
countermeasures may not be the most cost-effective approach to security management.
Eliminating the risk may not be possible. Accepting the risk would leave the organization
vulnerable to a catastrophic disaster which may cripple or ruin the organization. It would be more
cost effective to pay recurring insurance costs than to be affected by a disaster from which the
organization cannot financially recover.

Answer 218

A

Answer: D
Explanation:
BIA is an essential component of an organization’s business continuity plan; it includes an
exploratory component to reveal any vulnerabilities and a planning component to develop
strategies for minimizing risk. It is the first crucial step in business continuity planning. Qualitative
and quantitative risk analysis will have been completed to define the dangers to individuals,
businesses and government agencies posed by potential natural and human-caused adverse
events. Assigning value to assets is part of the BIA process. Weighing the cost of implementing
the plan vs. financial loss is another part of the BIA.

Answer 219

A

Answer: A
Explanation:
The information security organization is responsible for options B and D within an organization, but
they are not its primary mission. Reviewing and adopting appropriate standards (option C) is a
requirement. The primary objective of an information security organization is to ensure that

Answer 220

A

Answer: A
Explanation:
Security controls must be compatible with business needs. It is not feasible to eliminate all
vulnerabilities. Usage by similar organizations does not guarantee that controls are adequate.
Certification by a third party is important, but not a primary concern.

Answer 221

A

Answer: B
Explanation:
The aim of risk management is to reduce impacts to an acceptable level. “Acceptable” or
“reasonable” are relative terms that can vary based on environment and circumstances. A
minimum level that is consistent with regulatory requirements may not be consistent with business
objectives, and regulators typically do not assign risk levels. The minimum level possible may not
be aligned with business requirements.

Answer 222

A

Answer: C
Explanation:
The business owner of the application needs to understand and accept the residual application
risks.

Answer 223

A

Answer: C
Explanation:
Corrective controls serve to reduce or mitigate impacts, such as providing recovery capabilities.
Preventive controls reduce adverse events, such as firewalls. Compromise can be detected by
detective controls, such as intrusion detection systems (IDSs). Compliance could be ensured by
preventive controls, such as access controls.

Answer 224

A

Answer: D
Explanation:
The information security infrastructure should be based on risk. While considering personal
information devices as part of the security policy may be a consideration, it is not the most
important requirement. A BIA is typically carried out to prioritize business processes as part of a
business continuity plan. Initiating IT security training may not be important for the purpose of the
information security infrastructure.

Answer 225

A

Answer: A
Explanation:
Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk
acceptance is still valid within the current business context. The rationale for initial risk acceptance
may no longer be valid due to change(s) and. hence, risk cannot be accepted permanently. Risk is
an inherent part of business and it is impractical and costly to eliminate all risk. Even risks that
have been accepted should be monitored for changing conditions that could alter the original
decision.

Answer 226

A

Answer: C
Explanation:
Information about possible significant new risks from credible sources should be provided to
management along with advice on steps that need to be taken to counter the threat. The security
manager should assess the risk, but senior management should be immediately advised. It may
be prudent to initiate an awareness campaign subsequent to sounding the alarm if awareness
training is not current. Monitoring activities should also be increased.

Answer 227

A

Answer: C
Explanation:
The first step in the risk assessment methodology is a system characterization, or identification
and valuation, of all of the enterprise’s assets to define the boundaries of the assessment.
Interviewing is a valuable tool to determine qualitative information about an organization’s
objectives and tolerance for risk. Interviews are used in subsequent steps. Identification of threats
comes later in the process and should not be performed prior to an inventory since many possible
threats will not be applicable if there is no asset at risk. Determination of likelihood comes later in
the risk assessment process.

Answer 228

A

Answer: B
Explanation:
A challenge/response mechanism prevents replay attacks by sending a different random
challenge in each authentication event. The response is linked to that challenge. Therefore,
capturing the authentication handshake and replaying it through the network will not work. Using
hashes by itself will not prevent a replay. A WEP key will not prevent sniffing (it just takes a few
more minutes to break the WEP key if the attacker does not already have it) and therefore will not
be able to prevent recording and replaying an authentication handshake. HTTP Basic
Authentication is clear text and has no mechanisms to prevent replay.

Answer 229

A

Answer: C
Explanation:
The risk assessment process is continual and any changes to an established process should include a new- risk assessment. While a review of the SAS 70 report and a vulnerability assessment may be components of a risk assessment, neither would constitute sufficient due diligence on its own.

Answer 230

A

Answer: D
Explanation
The information security manager must understand the business risk profile of the organization.
No model provides a complete picture, but logically categorizing the risk areas of an organization
facilitates focusing on key risk management strategies and decisions. It also enables the
organization to develop and implement risk treatment approaches that are relevant to the business
and cost effective.

Answer 231

A

Answer: A

Answer 232

A

Answer: B

Answer 233

A

Answer: B

Answer 234

A

Answer: B

Answer 235

A

Answer: B

Answer 236

A

Answer: D

Answer 237

A

Answer: C

Answer 238

A

Answer: C

Answer 239

A

Answer: B

Answer 240

A

Answer: B

Answer 241

A

Answer: A

Answer 242

A

Answer: C

Answer 243

A

Answer: A

Answer 244

A

Answer: B

Answer 245

A

Answer: A

Answer 246

A

Answer: A

Answer 247

A

Answer: B

Answer 248

A

Answer: B

Answer 249

A

Answer: A

Answer 250

A

Answer: A

Answer 251

A

Answer: D

Answer 252

A

Answer: C

Answer 253

A

Answer: D

Answer 254

A

Answer: A

Answer 255

A

Answer: A

Answer 256

A

Answer: D

Answer 257

A

Answer: A

Answer 258

A

Answer: A

Answer 259

A

Answer: A

Answer 260

A

Answer: C
Explanations
One approach seeing increasing use is to report and monitor risk through the use of key risk
indicators (KRIs). KRIs can be defined as measures that, in some manner, indicate when an
enterprise is subject to risk that exceeds a defined risk level. Typically, these indicators are trends
in factors known to increase risk and are generally developed based on experience. They can be as diverse as increasing
absenteeism or increased turnover in key employees to rising levels of security events or
incidents.

Answer 261

A

Answer: A

Answer 262

A

Answer: A

Answer 263

A

Answer: B

Answer 264

A

Answer: C

Answer 265

A

Answer: A

Answer 266

A

Answer: B

Answer 267

A

Answer: D

Answer 268

A

Answer: A

Answer 269

A

Answer: A

Answer 270

A

Answer: A

Answer 271

A

Answer: A

Answer 272

A

Answer: D

Answer 273

A

Answer: A

Answer 274

A

Answer: A

Answer 275

A

Answer: A

Answer 276

A

Answer: A

Answer 277

A

Answer: D

Answer 278

A

Answer: B

Answer 279

A

Answer: C

Answer 280

A

Answer: B

Answer 281

A

Answer: A

Answer 282

A

Answer: B

Answer 283

A

Answer: B

Answer 284

A

Answer: D

Answer 285

A

Answer: D

Answer 286

A

Answer: C

Answer 287

A

Answer: A

Answer 288

A

Answer: A

Answer 289

A

Answer: A

Answer 290

A

Answer: C

Answer 291

A

Answer: B

Answer 292

A

Answer: C

Answer 293

A

Answer: A

Answer 294

A

Answer: B

Answer 295

A

Answer: C

Answer 296

A

Answer: C

Answer 297

A

Answer: A

Answer 298

A

Answer: D

Answer 299

A

Answer: A

Answer 300

A

Answer: A

Answer 301

A

Answer: B
Explanation
Acceptance of a risk is an alternative to be considered in the risk mitigation process. Assessment.
evaluation and risk quantification are components of the risk analysis process that are completed
prior to determining risk mitigation solutions.

Answer 302

A

Answer: B
Explanation:
Risk should be reduced to an acceptable level based on the risk preference of the organization.
Reducing risk to zero is impractical and could be cost-prohibitive. Tying risk to a percentage of
revenue is inadvisable since there is no direct correlation between the two. Reducing the
probability of risk occurrence may not always be possible, as in the ease of natural disasters. The
focus should be on reducing the impact to an acceptable level to the organization, not reducing the
probability of the risk.

Answer 303

A

Answer: B
Explanation:
Risks are constantly changing. A previously conducted risk assessment may not include
measured risks that have been introduced since the last assessment. Although an assessment
can never be perfect and invariably contains some errors, this is not the most important reason for
periodic reassessment. The fact that controls can be made more efficient to reduce costs is not
sufficient. Finally, risk assessments should not be performed merely to justify the existence of the
security function.

Answer 304

A

Answer: C
Explanation:
A successful risk management practice minimizes the residual risk to the organization. Choice A is
incorrect because the fact that overall risk has been quantified does not necessarily indicate the
existence of a successful risk management practice. Choice B is incorrect since it is virtually
impossible to eliminate inherent risk. Choice D is incorrect because, although the tying of control
risks to business may improve accountability, this is not as desirable as minimizing residual risk.

Answer 305

A

Answer: C
Explanation:
Although the theft of software, interruption of utility services and internal frauds are all significant,
the loss of customer confidence is the most damaging and could cause the business to fail.

Answer 306

A

Answer: A
Explanation:
Risk analysis results are the most useful and complete source of information for determining the
amount of resources to devote to mitigating exposures. Audit report findings may not address all
risks and do not address annual loss frequency. Penetration test results provide only a limited
view of exposures, while the IT budget is not tied to the exposures faced by the organization.

Answer 307

A

Answer: C
Explanation:
Because past performance is a strong predictor of future performance, background checks of
prospective employees best prevents attacks from originating within an organization. Static IP
addressing does little to prevent an internal attack. Internal address translation using non-routable
addresses is useful against external attacks but not against internal attacks. Employees who
certify that they have read security policies are desirable, but this does not guarantee that the
employees behave honestly.

Answer 308

A

Answer: D
Explanation:
The value of a physical asset should be based on its replacement cost since this is the amount
that would be needed to replace the asset if it were to become damaged or destroyed. Original
cost may be significantly different than the current cost of replacing the asset. Net cash flow and
net present value do not accurately reflect the true value of the asset.

Answer 309

A

Answer: C
Explanation:
The value of an information system should be based on the cost incurred if the system were to
become unavailable. The cost to design or recreate the system is not as relevant since a business
impact analysis measures the impact that would occur if an information system were to become
unavailable. Similarly, the cost of emergency operations is not as relevant.

Answer 310

A

Answer: A
Explanation:
Residual risk is the risk that remains after putting into place an effective risk management
program; therefore, acceptable risk is achieved when this amount is minimized. Transferred risk is
risk that has been assumed by a third party and may not necessarily be equal to the minimal form
of residual risk. Control risk is the risk that controls may not prevent/detect an incident with a
measure of control effectiveness. Inherent risk cannot be minimized.

Answer 311

A

Answer: A
Explanation:
Individual business managers are in the best position to determine the value of information assets
since they are most knowledgeable of the assets’ impact on the business. Business systems
developers and information security managers are not as knowledgeable regarding the impact on
the business. Peer companies’ industry averages do not necessarily provide detailed enough
information nor are they as relevant to the unique aspects of the business.

Answer 312

A

Answer: A
Explanation:
Risk should be addressed as early in the development of a new application system as possible. In
some cases, identified risks could be mitigated through design changes. If needed changes are
not identified until design has already commenced, such changes become more expensive. For
this reason, beginning risk assessment during the design, development or testing phases is not
the best solution.

Answer 313

A

Answer: B
Explanation:
Change is a process in which new risks can be introduced into business processes and systems.
For this reason, risk management should be an integral component of the change management
process. Policy development, awareness training and regular monitoring, although all worthwhile
activities, are not as effective as change management.

Answer 314

A

Answer: D
Explanation:
Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs
relate to the financial impact of a system not being available. A gap analysis is useful in
addressing the differences between the current state and an ideal future state. Regression
analysis is used to test changes to program modules. Risk analysis is a component of the
business impact analysis.

Answer 315

A

Answer: C
Explanation:
The recovery time objective (RTO) is based on the amount of time required to restore a system;
disaster declaration occurs at the beginning of this period. Recovery of the backups occurs shortly
after the beginning of this period. Return to business as usual processing occurs significantly later
than the RTO. RTO is an “objective,” and full restoration may or may not coincide with the RTO.
RTO can be the minimum acceptable operational level, far short of normal operations.

Answer 316

A

Answer: D
Explanation:
Residual risk provides management with sufficient information to decide to the level of risk that an
organization is willing to accept. Control risk is the risk that a control may not succeed in
preventing an undesirable event. Risk exposure is the likelihood of an undesirable event occurring.
Inherent risk is an important factor to be considered during the risk assessment.

Answer 317

A

Answer: B
Explanation:
Visibility of impact is the best measure since it manages risks to an organization in the timeliest
manner. Likelihood of occurrence and incident frequency are not as relevant. Mitigating controls is
not a determining factor on incident reporting.

Answer 318

A

Answer: B
Explanation:
Risk acceptance is one of the alternatives to be considered in the risk mitigation process.
Assessment and evaluation are components of the risk analysis process. Risk acceptance is not a
component of monitoring.

Answer 319

A

Answer: C
Explanation:
Risk should be reduced to a level that an organization is willing to accept. Reducing risk to a level
too small to measure is impractical and is often cost-prohibitive. To tie risk to a specific rate of
return ignores the qualitative aspects of risk that must also be considered. Depending on the risk
preference of an organization, it may or may not choose to pursue risk mitigation to the point at
which the benefit equals or exceeds the expense. Therefore, choice C is a more precise answer.

Answer 320

A

Answer: D
Explanation:
Risks are constantly changing. Choice D offers the best alternative because it takes into
consideration a reasonable time frame and allows flexibility to address significant change.
Conducting a risk assessment once a year is insufficient if important changes take place.
Conducting a risk assessment every three-to-six months for critical processes may not be
necessary, or it may not address important changes in a timely manner. It is not necessary for
assessments to be performed by external parties.

Answer 321

A

Answer: B
Explanation:
A risk management program should minimize the amount of risk that cannot be otherwise
eliminated or transferred; this is the residual risk to the organization. Quantifying overall risk is
important but not as critical as the end result. Eliminating inherent risk is virtually impossible.
Maximizing the sum of all ALEs is actually the opposite of what is desirable.

Answer 322

A

Answer: C
Explanation:
A permanent decline in customer confidence does not lend itself well to measurement by
quantitative techniques. Qualitative techniques are more effective in evaluating things such as
customer loyalty and goodwill. Theft of software, power outages and temporary loss of e-mail can
be quantified into monetary amounts easier than can be assessed with quantitative techniques.

Answer 323

A

Answer: B
Explanation:
Network address translation is helpful by having internal addresses that are non routable.
Background checks of temporary employees are more likely to prevent an attack launched from
within the enterprise. Static IP addressing does little to prevent an attack. Writing all computer logs
to removable media does not help in preventing an attack.

Answer 324

A

Answer: D
Explanation:
The value of the server should be based on its cost of replacement. The original cost may be
significantly different from the current cost and, therefore, not as relevant. The value of the
software is not at issue because it can be restored from backup media. The ALE for all risks
related to the server does not represent the server’s value.

Answer 325

A

Answer: B
Explanation:
A business impact analysis (BIA) is the best tool for calculating the priority of restoration for
applications. It is not used to determine total cost of ownership, annualized loss expectancy (ALE)
or residual risk to the organization.

Answer 326

A

Answer: A
Explanation:
Since residual risk is the risk that remains after putting into place an effective risk management
program, it is probable that the organization will decide that it is an acceptable risk if sufficiently
minimized. Transferred risk is risk that has been assumed by a third party, therefore its magnitude
is not relevant. Accordingly, choices B and D are incorrect since transferred risk does not
necessarily indicate whether risk is at an acceptable level. Minimizing residual risk will not reduce
control risk.

Answer 327

A

Answer: B
Explanation:
Percentage estimates are characteristic of quantitative risk analysis. Customer perceptions, lack of
specific details or subjective information lend themselves more to qualitative risk analysis.

Answer 328

A

Answer: C
Explanation:
Identification and prioritization of risk allows project managers to focus more attention on areas of
greater importance and impact. It will not reduce the overall amount of slack time, facilitate
establishing implementation milestones or allow a critical path to be completed any sooner.

Answer 329

A

Answer: D
Explanation:
A gap analysis is most useful in addressing the differences between the current state and an ideal
future state. It is not as appropriate for evaluating a business impact analysis (BIA), developing a
balanced business scorecard or demonstrating the relationship between variables.

Answer 330

A

Answer: C
Explanation:
A risk analysis should take into account the potential size and likelihood of a loss. It could include
comparisons with a group of companies of similar size. It should not assume an equal degree of
protection for all assets since assets may have different risk factors. The likelihood of the loss
should not receive greater emphasis than the size of the loss; a risk analysis should always
address both equally.

Answer 331

A

Answer: B
Explanation:
The recovery point objective (RPO) is the point in the processing flow at which system recovery
should occur. This is the predetermined state of the application processing and data used to
restore the system and to continue the processing flow. Disaster declaration is independent of this
processing checkpoint. Restoration of the system can occur at a later date, as does the return to
normal, after-image processing.

Answer 332

A

Answer: B
Explanation:
The lack of change management is a severe omission and will greatly increase information
security risk. Since procedures are generally nonauthoritative, their lack of enforcement is not a
primary concern. Systems that are developed by third-party vendors are becoming commonplace
and do not represent an increase in security risk as much as poor change management. Poor
capacity management may not necessarily represent a security risk.

Answer 333

A

Answer: B
Explanation:
Risk analysis should include all organizational activities. It should not be limited to subsets of
systems or just systems and infrastructure.

Answer 334

A

Answer: A
Explanation:
Organizational requirements should determine when a risk has been reduced to an acceptable
level. Information systems and information security should not make the ultimate determination.
Since each organization is unique, international standards of best practice do not represent the
best solution.

Answer 335

A

Answer: B
Explanation:
The key reason for performing risk management is that it is part of management’s due diligence.
The elimination of all risk is not possible. Satisfying audit and regulatory requirements is of
secondary importance. A risk management program may or may not increase the return on
investment (ROD.

Answer 336

A

Answer: C
Explanation:
Process owners have the most in-depth knowledge of risks and compensating controls within their
environment. External parties do not have that level of detailed knowledge on the inner workings
of the business. Management consultants are expected to have the necessary skills in risk
analysis techniques but are still less effective than a group with intimate knowledge of the
business.

Answer 337

A

Answer: A
Explanation:
Successful risk management should lead to a breakeven point of risk reduction and cost. The
other options listed are not achievable. Threats cannot be totally removed or transferred, while
losses cannot be budgeted in advance with absolute certainty.

Answer 338

A

Answer: B

Answer 339

A

Answer: B

Answer 340

A

Answer: B

Answer 341

A

Answer: A

Answer 342

A

Answer: D

Answer 343

A

Answer: B

Answer 344

A

Answer: C

Answer 345

A

Answer: A

Answer 346

A

Answer: B

Answer 347

A

Answer: A

Answer 348

A

Answer: D

Answer 349

A

Answer: D

Answer 350

A

Answer: C

Answer 351

A

Answer: A

Answer 352

A

Answer: B

Answer 353

A

Answer: D

Answer 354

A

Answer: D

Answer 355

A

Answer: C

Answer 356

A

Answer: B

Answer 357

A

Answer: A

Answer 358

A

Answer: C

Answer 359

A

Answer: B

Answer 360

A

Answer: D

Answer 361

A

Answer: B

Answer 362

A

Answer: A

Answer 363

A

Answer: A

Answer 364

A

Answer: A

Answer 365

A

Answer: B

Answer 366

A

Answer: A

Answer 367

A

Answer: D

Answer 368

A

Answer: C

Answer 369

A

Answer: A

Answer 370

A

Answer: A

Answer 371

A

Answer: D

Answer 372

A

Answer: B

Answer 373

A

Answer: C

Answer 374

A

Answer: B
Explanation:
The effect of the theft of customer data or web site defacement by hackers could lead to a
permanent decline in customer confidence, which does not lend itself to measurement by
quantitative techniques. Loss of a majority of the software development team could have similar
unpredictable repercussions. However, the loss of electrical power for a short duration is more
easily measurable and can be quantified into monetary amounts that can be assessed with
quantitative techniques.

Answer 375

A

Answer: D
The bottom line on calculating the impact of a loss is what its cost will be to the organization. The
other choices are all factors that contribute to the overall monetary impact.

Answer 376

A

Answer: B
Explanation:
Although all of these are important, the list of action items is used to reduce or transfer the current
level of risk. The other options materially contribute to the way the actions are implemented.

Answer 377

A

Answer: C
Explanation:
Meat charts, sometimes referred to as stoplight charts, quickly and clearly show the current status
of remediation efforts. Venn diagrams show the connection between sets; tree diagrams are useful
for decision analysis; and bar charts show relative size.

Answer 378

A

Answer: D

Answer 379

A

Answer: A

Answer 380

A

Answer: B

Answer 381

A

Answer: A

Answer 382

A

Answer: D

Answer 383

A

Answer: C

Answer 384

A

Answer: A

Answer 385

A

Answer: B

Answer 386

A

Answer: C

Answer 387

A

Answer: D

Answer 388

A

Answer: D

Answer 389

A

Answer: D

Answer 390

A

Answer: A

Answer 391

A

Answer: D

Brainscape's Knowledge GenomeTM

D3-Information Risk Management Flashcards

Information Risk Management

Brainscape's Knowledge Genome^TM