Information Security Risk Management Flashcards
(233 cards)
1
Q
What is the PRIMARY reason an enterprise would study cybersecurity threats? To establish:
A.a threat library.
B.a control baseline.
C.incident response playbooks.
D.a threat analysis.
A
D is the correct answer.
Justification
Threat libraries may be compiled in the course of threat analysis, but updating the threat library is not the main reason to study cybersecurity threats.
Although studying cybersecurity threats may help in designing and baselining controls, creating a control baseline is based on the overall risk (business impact), not threats alone.
An incident response playbook is set of processes for responding and resolving incidents. Studying cyberthreats certainly adds to an incident response plan, but that is not the reason to conduct cybersecurity threat analysis.
The main goal of threat analysis is to understand how the enterprise is positioned in the threat landscape. Threat analysis also supports decisions to prioritize control activities to mitigate the most critical risk. Threat analysis is an important factor in calculating risk value.
2
Q
The fact that an enterprise may suffer a significant disruption as the result of a distributed denial-of-service (DDoS) attack is considered:
A.an intrinsic risk.
B.a systemic risk.
C.a residual risk.
D.an operational risk.
A
D is the correct answer.
Justification
Intrinsic risk is the result of underlying internal and external factors that are not readily subject to controls.
Systemic risk refers to the collapse of an entire system as a result of the risk imposed by system interdependencies.
Residual risk is the level of risk remaining after controls and countermeasures are implemented, and it may approach intrinsic risk.
Operational risk is the risk to an enterprise as a result of its internal and external operations.
3
Q
An enterprise has learned of a security breach at another company that uses similar technology. The FIRST thing the information security manager should do is:
A.assess the likelihood of incidents from the reported cause.
B.discontinue the use of the vulnerable technology.
C.report to senior management that the enterprise is not affected.
D.remind staff that no similar security breaches have taken place.
A
A is the correct answer.
Justification
The security manager should first assess the likelihood of a similar incident occurring, based on available information.
Discontinuing the use of the vulnerable technology would not necessarily be practical because it would likely be needed to support the business.
Reporting to senior management that the enterprise is not affected due to controls already in place would be premature until the information security manager can first assess the impact of the incident.
Until this has been researched, it is not certain that no similar security breaches have taken place.
4
Q
Which of the following would present the GREATEST risk to information security?
A.Virus signature files updates are applied to all servers every day.
B.Security access logs are reviewed within five business days.
C.Critical patches are applied within 24 hours of their release.
D.Security incidents are investigated within five business days.
A
D is the correct answer.
Justification
Virus signature files updated every day do not pose a great risk.
Reviewing security access logs within five days is not the greatest risk.
Patches applied within 24 hours is not a significant risk.
Waiting to investigate security incidents can pose a major risk.
5
Q
Which of the following choices BEST reveals the evolving nature of attacks in an online environment?
A.A high-interaction honeypot
B.A rogue access point
C.Industry tracking groups
D.A vulnerability scanner
A
C is the correct answer.
Justification
A honeypot is used to lure a hacker and learn the methods of attacks. However, an attacker may or may not use known methods of attacks. Also, the honeypot will only reveal attacks directed against the enterprise, not the overall nature of attacks occurring in the broader online environment.
A rogue access point is put in place by an attacker to lure legitimate users to connect to it.
Industry tracking groups, such as Infraguard, US Computer Emergency Readiness Team (CERT) and Internet Storm Center, provide insight into what sort of attacks are affecting enterprises on a national or global scale.
Even if a vulnerability scanner is updated regularly, it will reveal vulnerabilities, not attacks.
6
Q
Which of the following actions would BEST help to enhance third-party risk management?
A. Outsourcing all critical services to reduce internal workload
B. Establishing airtight contracts with third-party vendors
C. Conducting regular security audits of third-party vendors
D. Creating a dedicated internal team to focus on third-party risk management
A
C is the correct answer.
Justification
While outsourcing critical services can reduce internal workload, it may also increase dependency on third-party vendors and potentially expose the organization to greater risk. Relying solely on outsourcing without adequate risk management measures can diminish control over critical operations and compromise security.
While it is important to include the security requirements in the contract, it is necessary to periodically audit the third party to ensure that the vendor is following all the contractual requirements for effective risk management.
Regular security audits of third-party vendors involve assessing their security practices, systems, and processes to identify vulnerabilities and ensure compliance with security standards and contractual agreements. This proactive measure helps mitigate risk associated with third-party relationships and strengthens overall cybersecurity resilience.
While having a dedicated team focusing on risk management is important, conducting regular audits of the vendors is more effective in enhancing risk management.
7
Q
Which function is PRIMARILY responsible for cultivating and implementing a culture of risk management within organizations using artificial intelligence (AI) systems?
A. Governance
B. Information security
C. Information technology
D. Compliance
A
A is the correct answer.
Justification
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately, and verifying that the enterprise’s resources are used responsibly. It is infused throughout artificial intelligence (AI) risk management and enables the other functions of the process. Strong governance drives and enhances internal practices and norms to facilitate organizational risk culture.
Information security is responsible for addressing AI security risk in the information security program, developing and maintaining AI-related security policies, procedures, and processes, and working closely with the governance function in establishing AI risk assessment activities in support of a mature AI risk culture.
IT is responsible for IT strategy and IT project management activities, developing and maintaining AI-related policies, procedures, and processes, and working closely with the governance function in support of a mature AI risk culture.
Compliance teams evaluate the business opportunity that AI brings into the organization and carefully consider its impact from the legal and regulatory perspective to ensure that AI systems comply with industry-specific standards. The compliance function is not responsible for cultivating and implementing a culture of risk management.
8
Q
Which of the following provides the BEST means for identifying a user’s unauthorized expanded scope of an artificial intelligence (AI) system beyond its original purpose?
A. Business impact analysis
B. Risk register
C. Request for change
D. Risk assessment
A
D is the correct answer.
Justification
A business impact analysis is a study identifying the impact regarding different disaster scenarios and is not used to identify new risk in the organization.
The risk register is used to document specific factors associated with identified risk and is not used to identify new risk within the organization.
A request for change is submitted when a change to software or a system is required. It is not used to identify new risk within the organization.
A risk assessment is the best means of identifying new risk in the organization, as business functions should communicate the expanded use of new tools and software employed for business purposes.
9
Q
The BEST process for assessing an existing risk level is:
A.an impact analysis.
B.a security review.
C.a vulnerability assessment.
D.a threat analysis.
A
B is the correct answer.
Justification
An impact analysis is used to determine potential impact in the event of the loss of a resource.
A security review is used to determine the current state of security for various program components.
While vulnerability assessments help identify and classify weakness in the design, implementation, operation or internal control of a process, they are only one aspect of a security review.
A threat analysis is not normally a part of a security review. Threat assessments evaluate the type, scope and nature of events or actions that can result in adverse consequences; identification is made of the threats that exist against enterprise assets.
10
Q
Which of the following is the GREATEST concern for an enterprise in which there is a widespread use of mobile devices?
A.There is an undue reliance on public networks.
B.Batteries require constant recharges.
C.There is a lack of operating system standardization.
D.Mobile devices can be easily lost or stolen.
A
D is the correct answer.
Justification
The fact that mobile devices must be connected to public networks creates a security risk that can be exploited in the public space, but appropriate security controls can mitigate the risk.
The need to constantly recharge batteries is not a significant security concern.
While the lack of operating system standardization is a concern, it is not as great as the loss of devices.
Because of their size, mobile devices can be easily lost or stolen and sensitive information disclosed.
11
Q
Which of the following is the MAIN reason for performing risk assessment on a continuous basis?
A.The security budget must be continually justified.
B.New vulnerabilities are discovered every day.
C.The risk environment is constantly changing.
D.Management needs to be continually informed about emerging risk.
A
C is the correct answer.
Justification
Justification of a budget should never be the main reason for performing a risk assessment.
New vulnerabilities should be managed through a patch management process.
The risk environment is impacted by factors such as changes in technology and business strategy. These changes introduce new threats and vulnerabilities to the enterprise. As a result, risk assessment should be performed continuously.
Informing management about emerging risk is important but is not the main driver for determining when a risk assessment should be performed.
12
Q
Which of the following is the MOST important action an information security manager should take after user acceptance testing (UAT) for a new IT solution is completed?
A. Review the results of the UAT for security-related testing considerations.
B. Perform an internal audit to complete the post-implementation review.
C. Ensure logs from the solution are captured from monitoring activities.
D. Conduct a vulnerability assessment of the enterprise architecture (EA).
A
D is the correct answer.
Justification
Reviewing the results of user acceptance testing (UAT) is required, but it may not indicate vulnerabilities introduced while moving the new IT solution to production.
The post-implementation review should be performed after the new system is in operation to ensure the system is stabilized and initial issues are resolved.
Including operational logs in log monitoring systems will help with detecting threat materialization; however, ensuring there are no vulnerabilities that can be exploited by threats is the most important action.
Although all options are valid, conducting a vulnerability assessment of enterprise architecture (EA) is most important, since new IT solutions that interface with other IT systems may introduce vulnerabilities in the EA.
13
Q
A regulatory authority has just introduced a new regulation pertaining to the release of quarterly financial results. The FIRST task that the security officer should perform is to:
A.identify whether current controls are adequate.
B.communicate the new requirement to audit.
C.implement the requirements of the new regulation.
D.conduct a cost-benefit analysis of implementing the control.
A
A is the correct answer.
Justification
If current security practices and procedures already meet the new regulation, then there is no need to implement new controls.
It is likely that audit is already aware of the new regulation, and this is not the first thing to do.
New controls to comply with the new regulation should only be implemented after determining existing controls do not meet requirements.
A cost-benefit analysis would be useful after determining current controls are not adequate.
14
Q
Which of the following BEST assists the information security manager in identifying new threats to information security?
A.Performing more frequent reviews of the enterprise’s risk factors
B.Developing more realistic information security risk scenarios
C.Understanding the flow and classification of information used by the enterprise
D.A process to monitor post-incident review reports prepared by IT staff
A
C is the correct answer.
Justification
Risk factors determine the business impact or frequency of risk and are not related to the identification of threats.
Risk scenarios are not used to identify threats as much as they are used to identify the impact and frequency of threats exploiting vulnerabilities within the information security architecture.
Understanding the business objectives of the enterprise and how data are to be used by the business assists management in assessing whether an information security event should be considered a new information security threat.
The analysis of post-incident reviews assists managers in identifying IS threats that have materialized into incidents and does not necessarily assist IT managers in identifying threats that pose a risk to information security.
15
Q
Which of the following approaches is BEST to address emerging new threats?
A. Updating antivirus software regularly to mitigate potential threats
B. Conducting periodic threat intelligence assessments in diverse areas
C. Focusing on historical data to understand established threat patterns
D. Implementing strict access controls to protect information from threats
A
B is the correct answer.
Justification
Keeping antivirus software updated is an essential practice to address known threats; however, it does not address emerging threats.
Information security managers need to be aware of the ever-changing threat landscape and how it affects their enterprise. As infrastructure evolves, new threats often arise where least suspected. Regular threat intelligence assessments are essential for an information security manager to identify and understand emerging risk in diverse areas.
Focusing on historical data does not often point to emerging threats.
Implementing access control does not proactively identify emerging threats in diverse areas.
16
Q
Addressing risk scenarios at various information system life cycle stages is PRIMARILY a function of:
A.change management.
B.release management.
C.incident management.
D.configuration management.
A
A is the correct answer.
Justification
Change management is the overall process to assess and control risk scenarios introduced by changes.
Release management is the process to manage risk scenarios of production system deployment, and it is a component of change management.
Incident management addresses impacts when or after they occur.
Configuration management is the specific process to manage risk scenarios associated with systems configuration, and it is a component of change management.
17
Q
Which of the following internal or external influences on an enterprise is the MOST difficult to estimate?
A.Vulnerability posture
B.Compliance requirements
C.Outsourcing expenses
D.Threat landscape
A
D is the correct answer.
Justification
The vulnerability posture of an enterprise can be estimated with a high degree of accuracy through systematic, iterative review of systems, data flows, people and processes.
Compliance requirements may be ambiguous at first, but as requirements are reviewed and narrowed, their influence on an enterprise becomes more predictable until the requirements change or expand over time.
The long-term costs of outsourcing are difficult to predict, but the cost is generally clear for defined periods of time (e.g., contract periods). In contrast, the threat landscape is always difficult to estimate.
Threats originate from independent sources that may be natural or human-directed. Neither can be positively predicted in all cases. Human-directed threats in particular are extremely difficult to estimate in an information security context because very small numbers of threat actors (including individuals with no assistance) may be ready and able to initiate threat events for any reason at all, including reasons that are not sensible to the individual or an impartial observer.
18
Q
The acquisition of new IT systems that are critical to an enterprise’s core business can create significant risk. To effectively manage the risk, the information security manager should FIRST:
A.ensure that the IT manager accepts the risk of the technology choices.
B.require the approval of auditors prior to deployment.
C.obtain senior management approval for IT purchases.
D.ensure that appropriate procurement processes are employed.
A
D is the correct answer.
Justification
Acceptance of identified risk associated with particular technologies is the responsibility of the business process owner, and possibly of senior management, but it would happen after the risk was identified during the procurement process.
Auditors may identify risk but are not responsible for managing it.
Senior management will typically be involved in IT acquisitions only from a budgetary perspective.
Appropriate procurement processes will include processes to initially identify the risk that may be introduced by the new system.
19
Q
Which of the following is a PRIMARY source of account breaches related to the use of blockchain technology?
A. Tampering with account entries in databases
B. Poor application programming interface (API) key management
C. Replay attack corrupting the ledger entries in blockchain
D. Inadequate encryption of transaction data in the blockchain
A
B is the correct answer.
Justification
Use of cryptographic measures makes tampering unlikely.
An application programming interface (API) has distinct levels of permissions including withdrawal of funds from user accounts and execution of trades using programmable rules. If the API key is not securely managed, the user API can be manipulated by threat actors and breach the blockchain account.
Validation of read/write transaction sets make a replay attack unlikely.
Inadequate encryption could potentially lead to breaches, as transaction data could be readable and accessible. Despite this shortcoming, inadequate encryption is not typically the primary source of account breaches in blockchain technology, as it commonly uses strong encryption methods.
20
Q
Which of the following choices would be the MOST useful in determining the possible consequences of a major compromise?
A.Risk assessment
B.Asset valuation
C.Penetration testing
D.Architectural review
A
B is the correct answer.
Justification
A comprehensive risk assessment requires an assessment of probability and potential consequences, so it goes beyond what is required.
Asset valuation provides a cost representation of what the enterprise stands to lose in the event of a major compromise.
Penetration tests indicate vulnerability rather than the value of what may be affected if a vulnerability is exploited.
Architectural review may indicate vulnerability, but like penetration testing, it will not reveal the value of what may be affected if a vulnerability is exploited.
21
Q
Which of the following would be the FIRST step in effectively integrating risk management into business processes?
A.Workflow analysis
B.Business impact analysis
C.Threat and vulnerability assessment
D.Analysis of the governance structure
A
A is the correct answer.
Justification
Analyzing the workflow will be essential to understanding process vulnerabilities and where risk may exist in integrating risk management into business processes.
A business impact analysis will be important once the workflow and processes are understood in order to understand unit inputs, outputs and dependencies and the potential consequences of compromise.
Threat and vulnerability assessments are properly conducted after the relationship between risk management and business processes has been determined through workflow analysis.
The governance structure may be one of the vulnerabilities that poses a potential risk but it should be analyzed after the workflow analysis. Ideally, the governance structure should reflect the workflow.
22
Q
Attackers who exploit cross-site scripting vulnerabilities take advantage of:
A.a lack of proper input validation controls.
B.weak authentication controls in the web application layer.
C.flawed cryptographic Secure Sockets Layer implementations and short key lengths.
D.implicit web application trust relationships.
A
A is the correct answer.
Justification
Cross-site scripting attacks inject malformed input.
Attackers who exploit weak application authentication controls can gain unauthorized access to applications, but this has little to do with cross-site scripting vulnerabilities.
Attackers who exploit flawed cryptographic Secure Sockets Layer implementations and short key lengths can sniff network traffic and crack keys to gain unauthorized access to information. This has little to do with cross-site scripting vulnerabilities.
Web application trust relationships do not relate directly to the attack.
23
Q
When a major vulnerability in the security of a critical web server is discovered, immediate notification should be made to the:
A.system owner to take corrective action.
B.incident response team to investigate.
C.data owners to mitigate damage.
D.development team to remediate.
A
A is the correct answer.
Justification
In order to correct the vulnerabilities, the system owner needs to be notified quickly before an incident can take place.
Sending the incident response team to investigate is not correct because the incident has not taken place and notification could delay implementation of the fix data owners authorize to mitigate damage.
Data owners would be notified only if the vulnerability could have compromised data.
The development team may be called upon by the system owner to resolve the vulnerability.
24
Q
Vulnerabilities discovered during an assessment should be:
A.handled as a risk, even though there is no threat.
B.prioritized for remediation solely based on impact.
C.a basis for analyzing the effectiveness of controls.
D.evaluated for threat, impact and cost of mitigation
A
D is the correct answer.
Justification
Vulnerabilities may not be exposed to potential threats. Also, there may be no threat or possibly little or no impact even if they are exploited. While threats are always evolving, without additional information, the appropriate treatment cannot be determined.
Vulnerabilities should be prioritized for remediation based on probability of compromise (which is affected by the level of exposure), impact and cost of remediation.
Vulnerabilities discovered will to some extent show whether existing controls are in place to address a potential risk but that does not indicate the control effectiveness.
Vulnerabilities uncovered should be evaluated and prioritized based on whether there is a credible threat, the impact if the vulnerability is exploited, and the cost of mitigation. If there is a potential threat but little or no impact if the vulnerability is exploited, the risk is less and may not require controls to address it.
25
The PRIMARY objective of a vulnerability assessment is to:
A.reduce risk to the business.
B.ensure compliance with security policies.
C.provide assurance to management.
D.measure efficiency of services provided.
C is the correct answer.
Justification
It is necessary to identify vulnerabilities in order to mitigate them. Actual reduction of risk is accomplished through deployment of controls and is a business decision based on a cost-benefit analysis.
A security policy may mandate a vulnerability assessment program, but such a program is not established primarily to comply with policy.
A vulnerability assessment identifies vulnerabilities so that they may be considered for mitigation. By giving management a complete picture of the vulnerabilities that exist, a vulnerability assessment program allows management to prioritize those vulnerabilities deemed to pose the greatest risk.
Vulnerability assessment is not concerned with efficiency of services.
26
Which of the following environments represents the GREATEST risk to organizational security?
A.Locally managed file server
B.Enterprise data warehouse
C.Load-balanced web server cluster
D.Centrally managed data switch
A is the correct answer.
Justification
A locally managed file server is the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring.
Data warehouses are subject to scrutiny, good change control practices and monitoring.
Web server clusters are located in data centers or warehouses and are subject to good management.
Centrally managed switches are part of a data center or warehouse.
27
In conducting an initial technical vulnerability assessment, which of the following choices should receive top priority?
A.Systems impacting legal or regulatory standing
B.Externally facing systems or applications
C.Resources subject to performance contracts
D.Systems covered by business interruption insurance
D is the correct answer.
Justification
Legal and regulatory considerations are evaluated in the same manner as other forms of risk.
Externally facing systems or applications are not necessarily high-impact systems. The prioritization of a vulnerability assessment needs to be made on the basis of impact.
Although the impact associated with the loss of any resource subject to a performance contract is clearly quantifiable, it may not necessarily be a critical resource. If the loss of a contract system poses a significant impact to the enterprise, additional measures such as business interruption insurance will be in place.
Maintaining business operations is always the priority. If a system is covered by business interruption insurance, it is a clear indication that management deems it to be a critical system.
28
Which of the following will be the MOST likely exploitation target when looking at flaws in application controls?
A.Password change options at the login stage
B.Weak transaction monitoring controls
C.Inadequate validation checks in entry forms
D.Open ports available for external access
C is the correct answer.
Justification
Password cracking by exploiting a password change option may not be easy unless the perpetrator obtains a valid password in advance. Hence, attackers prefer to look for weaknesses in validation checks in the application control layer.
Weak or nonexistent transaction monitoring controls can be a target for exploitation; however, controls with nonexistent or inadequate validation checks are an easier target for attackers.
Many attackers exploit weaknesses existing in the application layer. A weak validation check-in entry screen may be vulnerable to structured query language (SQL) injection attacks. Hence, validation control is a key feature in application controls.
Control of open ports may be handled by network administration, which is separate from the application control layer. Hence, it is unlikely that attackers exploiting application weaknesses will look for open ports.
29
An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is:
A.exploitation of a vulnerability in the information system.
B.threat actors targeting the enterprise in greater numbers.
C.failure of a previously deployed detective control.
D.approval of a new exception for noncompliance by management.
A is the correct answer.
Justification
Exploitation of a vulnerability is likely to generate an increase in the number of security events.
Absent a change in vulnerability, an increase in the number of threat actors targeting the enterprise would not explain an increase in security events.
An increase in the number of security events that appear on reports suggests that detective controls are likely working properly, since failure of the control would result in an absence of events in the report.
Exceptions approved by management may result in a higher number of security events on reports if notice of the exceptions is not provided to information security to allow updates to monitoring. However, exceptions are typically communicated to the information security manager, so this is an unlikely explanation for the increase.
30
Which is the BEST way to assess aggregate risk derived from a chain of linked system vulnerabilities?
A.Vulnerability scans
B.Penetration tests
C.Code reviews
D.Security audits
B is the correct answer.
Justification
Security assessments, such as vulnerability scans, can help give an extensive and thorough risk and vulnerability overview but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together.
A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risk. Penetration testing can give risk a new perspective and prioritization based on the result of a sequence of security problems.
Code reviews are very time-consuming and unlikely to occur on different parts of a system at the same time, making the discovery of linked system vulnerabilities unlikely.
Audits are unlikely to assess aggregate risk from linked system vulnerabilities.
31
A serious vulnerability is reported in the firewall software used by an enterprise. Which of the following should be the immediate action of the information security manager?
A.Ensure that all operating system patches are up to date.
B.Block inbound traffic until a suitable solution is found.
C.Obtain guidance from the firewall manufacturer.
D.Commission a penetration test.
C is the correct answer.
Justification
Ensuring that all operating system patches are up to date is a good practice, in general, but it will not necessarily address the reported vulnerability in the firewall software.
Blocking inbound traffic may not be practical or effective from a business perspective.
The best source of information is the firewall manufacturer because the manufacturer may have a patch to fix the vulnerability or a workaround solution.
Commissioning a penetration test will take too much time and will not necessarily provide a solution for corrective actions.
32
The MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs:
A.create more overhead than signature-based IDSs.
B.cause false positives from minor changes to system variables.
C.generate false alarms from varying user or system actions.
D.cannot detect new types of attacks.
C is the correct answer.
Justification
Due to the nature of statistical anomaly-based intrusion detection system (stat IDS) operations (i.e., they must constantly attempt to match patterns of activity to the baseline parameters), a stat IDS requires much more overhead and processing than signature-based versions. However, this is not the most important reason.
Due to the nature of a stat IDS—based on statistics and comparing data with baseline parameters— this type of IDS may not detect minor changes to system variables and may generate many false positives. However, this is not the most important reason.
A stat IDS collects data from normal traffic and establishes a baseline. It then periodically samples the network activity based on statistical methods and compares samples to the baseline. When the activity is outside the baseline parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a host’s memory or central processing unit usage, network packet types and packet quantities. If actions of the users or the systems on the network vary widely with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another almost certainly will generate false alarms. This weakness will have the largest impact on the operation of the IT systems.
Because the stat IDS can monitor multiple system variables, it can detect new types of variables by tracing for abnormal activity of any kind.
33
What is the PRIMARY objective of penetration testing?
A. Identifying all vulnerabilities in the system
B. Assigning responsibility for any identified weaknesses
C. Guaranteeing absolute protection against cyberthreats
D. Demonstrating the effectiveness of security controls
D is the correct answer.
Justification
While penetration testing aims to uncover vulnerabilities, it is not realistic to expect the identification of all vulnerabilities due to the evolving nature of cyberthreats.
Penetration testing is not intended for assigning blame or responsibility for weaknesses, but rather for improving security measures.
Absolute protection against all cyberthreats is an unattainable goal, and penetration testing focuses on assessing and improving defenses rather than providing guarantees.
The primary objective of penetration testing is to assess the effectiveness of security controls and measures in place by simulating real-world attack scenarios.
34
An internal review of a web-based application system reveals that it is possible to gain access to all employees’ accounts by changing the employee’s ID used for accessing the account on the uniform resource locator. The vulnerability identified is:
A.broken authentication.
B.unvalidated input.
C.cross-site scripting.
D.structured query language injection.
A is the correct answer.
Justification
The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed.
The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed.
Cross-site scripting is not the problem in this case because the attack is not transferred to any other user’s browser to obtain the output.
Structured query language (SQL) injection is not a problem because input is provided as a valid employee ID and no SQL queries are injected to provide the output.
35
Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the enterprise’s network?
A.Configuration of firewalls
B.Strength of encryption algorithms
C.Authentication within application
D.Safeguards over keys
D is the correct answer.
Justification
Firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted.
Even easy encryption algorithms require adequate resources to break, whereas encryption keys can be easily used.
The application front door controls may be bypassed by accessing data directly.
Key management is the weakest link in encryption. If keys are in the wrong hands, documents can be read regardless of where they are on the network.
36
Which of the following is the MOST important risk associated with middleware in a client-server environment?
A.Server patching may be prevented.
B.System backups may be incomplete.
C.Data integrity may be affected
D.End-user sessions may be hijacked.
C is the correct answer.
Justification
Sever patching is not affected by the presence of middleware.
System backups are not affected.
The major risk associated with middleware in a client-server environment is that data integrity may be adversely affected if middleware should fail or become corrupted.
Hijacked end-user sessions can occur but they can be detected by implementing security checks in the middleware.
37
A third party was engaged to develop a business application. Which of the following is the BEST test for the existence of back doors?
A.System monitoring for traffic on network ports
B.Security code reviews for the entire application
C.Reverse engineering the application binaries
D.Running the application from a high-privileged account on a test system
B is the correct answer.
Justification
System monitoring for traffic on network ports would not be able to detect all instances of back doors and is time-consuming and would take much effort.
Security code reviews for the entire application is the best measure and will involve reviewing the entire source code to detect all instances of back doors.
Reverse engineering the application binaries may not provide any definite clues.
Back doors will not surface by running the application on high-privileged accounts because back doors are usually hidden accounts in the applications.
38
Who should the information security manger FIRST notify after the discovery of an information security threat that is likely to exploit an unpatched server holding critical information?
A.System administrators
B.The system owner
C.The data owner
D.Incident response manager
B is the correct answer.
Justification
System administrators may be involved, but they will act at the guidance of the system owner.
The first person to be notified when an exploit is found should be the system owner, who will determine the best mitigation strategy.
Data owners can be notified later in the process if the vulnerability may compromise data.
The incident response manager should be notified if an incident related to the vulnerability is confirmed.
39
What is the MOST important action prior to having a third party perform an attack and penetration test against an enterprise?
A.Ensure that the third party provides a demonstration on a test system.
B.Ensure that goals and objectives are clearly defined.
C.Ensure that technical staff has been briefed on what to expect.
D.Ensure that special backups of production servers are taken.
B is the correct answer.
Justification
A demonstration of the test system will reduce the spontaneity of the test.
The most important action is to clearly define the goals and objectives of the test.
Technical staff should not be briefed as that would reduce the spontaneity of the test.
Assuming that adequate backup procedures are in place, special backups should not be necessary.
40
Of the following, what does a network vulnerability assessment expect to identify?
A.Zero-day vulnerabilities
B.Malicious software and spyware
C.Security design flaws
D.Misconfiguration and missing updates
D is the correct answer.
Justification
Zero-day vulnerabilities by definition are not previously known and, therefore, are undetectable.
Malicious software and spyware are normally addressed through antivirus and antispyware policies.
Security design flaws require a deeper level of analysis.
A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates.
41
What mechanism should be used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system?
A.Business impact analysis
B.Security gap analysis
C.System performance metrics
D.Incident response processes
B is the correct answer.
Justification
A business impact analysis does not identify vulnerabilities.
Security gap analysis is a process that measures all security controls in place against control objectives, which will identify gaps.
System performance metrics may indicate security weaknesses, but that is not their primary purpose.
Incident response processes exist for cases in which security weaknesses are exploited.
42
What is the root cause of a successful cross-site request forgery attack?
A.The application uses multiple redirects for completing a data commit transaction.
B.The application has implemented cookies as the sole authentication mechanism.
C.The application has been installed with a non-legitimate license key.
D.The application is hosted on a server along with other applications.
B is the correct answer.
Justification
Cross-site request forgery (XSRF) is related to an authentication mechanism, not to redirection.
XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. It is a type of website attack in which unauthorized commands are transmitted from a trusted user.
A non-legitimate license key is related to intellectual property rights, not to XSRF vulnerability.
Merely hosting multiple applications on the same server is not the root cause of this vulnerability.
43
What is the MOST cost-effective method of identifying new vendor vulnerabilities?
A.External vulnerability reporting sources
B.Periodic vulnerability assessments performed by consultants
C.Intrusion prevention software
D.Honeypots located in the demilitarized zone (DMZ)
A is the correct answer.
Justification
External vulnerability sources are the most cost-effective method of identifying these vulnerabilities.
The cost involved in periodic vulnerability assessments would be much higher.
Intrusion prevention software would not identify new vendor vulnerabilities.
Honeypots may or may not identify vulnerabilities and may create their own security risk.
44
Determining the level of effort needed to meet particular improvement targets in risk management can BEST be determined using which of the following tools?
A.A workflow diagram
B.A Gantt chart
C.A gap analysis
D.A return on investment computation
C is the correct answer.
Justification
Workflow diagrams document processes. Having a visual representation of how a risk management process works today versus how it would work in a desired state may be useful as part of proposing or implementing changes, but comparing the two states is not the same as knowing what tasks must be completed to move from the current state to the proposed future state, which is what is needed to determine the level of effort.
Gantt charts are used to schedule activities (tasks) needed to complete a project. A fully constructed schedule includes all tasks that must be completed and times they will take, but building a schedule deals with prioritization and issues that go beyond what is needed to determine the level of effort.
A gap analysis documents the tasks that must be completed to move from the current state to the desired state, and the level of effort may readily be determined. A gap analysis is required for various components of the strategy previously discussed, such as maturity levels, each control objective, and each risk and impact objective.
Return on investment, computed in its simplest form by dividing net income by the total investment over the period being considered, is a measure of operating performance and efficiency. It does not measure levels of effort.
45
When performing a qualitative risk analysis, which of the following will BEST produce reliable results?
A.Estimated productivity losses
B.Possible scenarios with threats and impacts
C.Value of information assets
D.Vulnerability assessment
B is the correct answer.
Justification
Estimated productivity losses are better suited to quantitative analysis but without threats being considered would not produce useful results.
Listing all reasonable scenarios that could occur, along with threats and impacts, would best frame the range of risk and facilitate a more informed discussion and decision.
Value of information assets would be part of a quantitative analysis requiring threat to be considered as well.
Vulnerability assessments would be better analyzed as a part of a quantitative analysis when threat is considered.
46
What is the BEST strategy for risk management?
A.Achieve a balance between risk and organizational goals.
B.Reduce risk to an acceptable level.
C.Ensure that policy development properly considers organizational risk.
D.Ensure that all unmitigated risk is accepted by management.
B is the correct answer.
Justification
Achieving balance between risk and organizational goals is not always practical.
The best strategy for risk management is to reduce risk to an acceptable level, taking into account the enterprise’s appetite for risk and the fact that it is not possible to eliminate all risk.
Policy development must consider organizational risk and business objectives but is not a strategy.
It may be prudent to ensure that management understands and accepts risk that it is not willing to mitigate, but that is a practice and is not sufficient to be considered a strategy.
46
An enterprise is considering the purchase of a new technology that will facilitate better customer interactions and will be integrated into the existing customer relationship management system. Which of the following is the PRIMARY risk the information security manager should consider related to this purchase?
A.The potential that the new technology will not deliver the promised functionality to support the business
B.The availability of ongoing support for the technology and whether existing staff can provide the support
C.The possibility of the new technology affecting the security or operation of other systems
D.The downtime required to reconfigure the existing system to implement and integrate the new technology
C is the correct answer.
Justification
The risk that the new technology will not support business needs is primarily a responsibility of the business manager rather than the information security manager.
The availability of support is a concern, but it is primarily a responsibility of the IT operations manager.
The greatest security risk is that the new technology may bypass existing security or impair the operation of existing systems. The security manager should examine the new system for these issues.
The downtime required to implement the new technology is primarily a business and IT department factor.
47
Which of the following should a successful information security management program use to determine the amount of resources devoted to mitigating exposures?
A.Risk analysis results
B.Audit report findings
C.Penetration test results
D.Amount of IT budget available
A is the correct answer.
Justification
Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures.
Audit report findings may not address all risk and do not address annual loss frequency.
Penetration test results provide only a limited view of exposures.
The IT budget is not tied to the exposures faced by the enterprise.
48
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
A.Feasibility
B.Design
C.Development
D.Testing
A is the correct answer.
Justification
Risk should be addressed as early in the development of a new application system as possible. The projected risk associated with a new system may make it unfeasible.
In some cases, identified risk could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design phase is not the best solution.
The development phase is too late in the system development life cycle (SDLC) for effective risk mitigation.
Waiting to assess risk until testing can result in having to start over on the project.
49
An information security manager’s MOST effective efforts to manage the inherent risk related to a third-party service provider will be the result of:
A.limiting organizational exposure.
B.a risk assessment and analysis.
C.strong service level agreements.
D.independent audits of third parties.
A is the correct answer.
Justification
It is likely to be more effective to control the enterprise’s vulnerabilities to third-party risk by limiting organizational exposure than to control the third party’s actions.
It is essential to know the risk but it does not manage the risk.
Defining contractual responsibilities of third parties is important but it will not directly manage risk.
Audits may indicate the threats posed by third parties but will not ensure that the risk is managed.
50
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?
A.User assessments of changes
B.Comparison of the program results with industry standards
C.Assignment of risk within the enterprise
D.Participation by all members of the enterprise
D is the correct answer.
Justification
User assessments are most likely focused on their convenience and ease of use rather than effectiveness of the program.
Comparing results with industry standards is a meaningless gauge; however, comparing results to program objectives would be very useful.
Assigning ownership of risk is a good first step in improving accountability and, therefore, probably effectiveness.
Effective risk management requires participation, support and acceptance by all applicable members of the enterprise, beginning with the executive levels. Personnel must understand their responsibilities and be trained on how to fulfill their roles.
51
The information security manager should treat regulatory compliance requirements as:
A.an organizational mandate.
B.a risk management priority.
C.a purely operational issue.
D.just another risk.
D is the correct answer.
Justification
While it is generally preferable to be as compliant as reasonably possible, the extent and level of regulatory compliance is a management decision, not a mandate.
All risk should be prioritized, and regulation may not be the highest priority.
Regulatory compliance is not just an operational issue; it is primarily a management issue.
Many regulations exist that must be considered. Priority should be given to those with the greatest impact, just as other risk is considered with priority given to feasibility, level of enforcement, possible sanctions and costs of compliance.
52
When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss?
A.Evaluate productivity losses.
B.Assess the impact of confidential data disclosure.
C.Calculate the value of the information or asset.
D.Measure the probability of occurrence of each threat.
C is the correct answer.
Justification
Determining how much productivity could be lost and how much it would cost is a step in the potential risk estimation process.
Knowing the impact if confidential information is disclosed is also a step in the estimation of potential risk.
Calculating the value of the information or asset is the first step in a risk analysis process to determine the impact to the enterprise, which is the ultimate goal.
Measuring the probability of occurrence for each threat identified is a step in performing a threat analysis and, therefore, a partial answer.
53
Which one of the following factors of a risk assessment typically involves the GREATEST amount of speculation?
A.Exposure
B.Impact
C.Vulnerability
D.Likelihood
D is the correct answer.
Justification
Exposure can be determined within a range.
Impact can be determined within a range.
Vulnerability can be determined within a range.
The likelihood of a threat encountering a susceptible vulnerability can only be estimated statistically.
54
Which of the following is MOST essential when assessing risk?
A.Providing equal coverage for all asset types
B.Benchmarking data from similar enterprises
C.Considering both monetary value and likelihood of loss
D.Focusing on valid past threats and business losses
C is the correct answer.
Justification
Providing equal coverage for all asset types when assessing risk may not be relevant, depending on the significance the asset type has to the enterprise (e.g., the automobile fleet is not likely to have as much significance as the data center).
Benchmarking other enterprises when assessing risk is of relatively little value.
The likelihood of loss and the monetary value of those losses are the most essential elements to consider in assessing risk.
Past threats and losses may be instructive of potential future events but are not the most essential considerations when assessing risk.
55
Which of the following should be completed prior to a risk assessment?
A.Control identification
B.Asset identification
C.Threat identification
D.Risk register identification
B is the correct answer.
Justification
Controls are evaluated after assets are identified as part of the risk assessment process.
Asset identification must be completed prior to risk assessment because it is the basis of the risk assessment.
Threats are identified after assets are identified as part of the risk assessment process.
The risk register is a catalog of risk categories or an inventory of risks identified and is not part of the risk assessment process.
56
What is the FIRST step of performing an information risk analysis?
A.Establish the ownership of assets.
B.Evaluate the risk to the assets.
C.Take an asset inventory.
D.Categorize the assets.
C is the correct answer.
Justification
Assets must be inventoried before ownership of the assets can be established.
Assets must be inventoried before risk to the assets can be evaluated.
Assets must be inventoried before any of the other choices can be performed.
Assets must be inventoried before they can be categorized.
57
In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST:
A.prepare a security budget.
B.conduct a risk assessment.
C.develop an information security policy.
D.obtain benchmarking information.
B is the correct answer.
Justification
Preparing a security budget should follow risk assessment to determine activities that need to be undertaken to address areas of concern.
Risk assessment, analysis, evaluation and impact analysis will be the starting point for driving management’s attention to information security and for highlighting its importance with respect to business practices.
Developing an information security policy is based on and follows risk assessment.
Benchmarking information will only be relevant after a risk assessment has been performed for comparison purposes.
58
The MOST effective use of a risk register is to:
A.identify risk and assign roles and responsibilities for mitigation.
B.identify threats and probabilities.
C.facilitate a thorough review of all IT-related risk on a periodic basis.
D.record the annualized financial amount of expected losses due to risk.
C is the correct answer.
Justification
Identifying risk and assigning roles and responsibilities for mitigation are elements of the register.
Identifying threats and probabilities are two elements that are defined in the risk matrix, as differentiated from the broader scope of content in, and purpose for, the risk register.
A risk register is more than a simple list—it should be used as a tool to ensure comprehensive documentation, periodic review and formal update of all risk elements in the enterprise’s IT and related organizations.
While the annual loss expectancy should be included in the register, this quantification is only a single element in the overall risk analysis program.
58
What activity should information security management perform FIRST when assessing the potential impact of new privacy legislation on the enterprise?
A.Develop an operational plan for achieving compliance with the legislation.
B.Identify systems and processes that contain privacy components.
C.Restrict the collection of personal information until compliant.
D.Identify privacy legislation in other countries that may contain similar requirements.
B is the correct answer.
Justification
Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step.
Identifying the relevant systems and processes is the best first step.
Restricting the collection of personal information comes later.
Identifying privacy legislation in other countries would not add much value.
59
A risk management process is MOST effective in achieving organizational objectives if:
A.asset owners perform risk assessments.
B.the risk register is updated regularly.
C.the process is overseen by a steering committee.
D.risk activities are embedded in business processes.
D is the correct answer.
Justification
Performing a risk assessment does not ensure mitigation as part of the business process.
Maintaining a risk register may be good for identifying issues but it does not mitigate risk.
Centralizing risk management under a steering committee is less effective than integrating it into each business process.
The primary objective of the risk management process is that risk is identified, assessed, communicated and addressed. This objective is most effectively achieved by embedding risk management activities in business processes (e.g., change management, incident response, new product design, sales campaign, etc.).
60
What is the PRIMARY basis for the selection and implementation of products to protect the IT infrastructure?
A.Regulatory requirements
B.Technical expert advisories
C.State-of-the-art technology
D.A risk assessment
D is the correct answer.
Justification
Regulatory requirements drive business requirements.
An expert advisory may not be aligned with business needs.
A risk assessment is the main driver for selecting technologies.
A risk assessment helps identify control gaps in the IT infrastructure and prioritize mitigation plans, which will help drive selection of security solutions.
61
An enterprise has identified a major threat to which it is vulnerable. Which of the following choices is the BEST reason information security management would not be concerned with preventive remediation under these circumstances?
A.The vulnerability is compartmentalized.
B.Incident response procedures are in place.
C.Compensating controls exist if there is any impact.
D.The identified threat has only been found on another continent.
A is the correct answer.
Justification
If the compartmentalization of the vulnerability results in the enterprise having no exposure, then there is no risk.
Prevention is a more prudent approach to dealing with major threats than even the most capable incident response.
Compensating controls are a less desirable approach to addressing a major threat than preventive remediation of its corresponding vulnerability.
Distance is an inadequate barrier to compromise in the context of information systems.
62
Highly integrated enterprise IT systems pose a challenge to the information security manager when attempting to set security baselines PRIMARILY from the perspective of:
A.increased difficulty in problem management.
B.added complexity in incident management.
C.determining the impact of cascading risk.
D.less flexibility in setting service delivery objectives.
C is the correct answer.
Justification
Determining root causes in problem management may be more difficult in highly integrated systems because of the many interconnected functions, but that is not the primary risk concern.
Incident management may be affected by the added complexity of highly integrated systems when attempting to quickly isolate and ascertain the source of a problem along a chain of tightly coupled functions; however, that is not the primary issue.
Highly integrated systems are more susceptible to cascading risk where the failure or compromise of any one element could cause a domino effect of failures.
Setting service delivery objectives will be constrained by the extent of the integration because most elements require the same level of functionality. This is due to a lower service level of any component reducing functionality of all dependent elements; however, this is not the primary consideration.
63
An enterprise security risk assessment was conducted based on assumptions about enterprise risk. Which of the following would be the BEST course of action to improve the quality of the assessment?
A.Recruit experienced interviewers to the assessment team
B.Review past risk assessments for background information
C.Request that business units classify information assets
D.Include relevant stakeholders during assessment activities
D is the correct answer.
Justification
Skilled interviewers may help in conducting risk assessments; however, interview skills alone may not resolve this type of problem.
Past risk assessments may not be relevant to the current state of the enterprise.
Classification of information assets is a part of an information security program conducted in the business area. It does not affect how an information security risk assessment is currently conducted.
Including relevant stakeholders is an ideal way to move beyond a risk assessment based on assumptions, as they can provide essential insight that would otherwise be missed.
64
Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?
A.User ad hoc reporting is not logged.
B.Network traffic is through a single switch.
C.Operating system security patches have not been applied.
D.Database security defaults to ERP settings.
C is the correct answer.
Justification
Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security weakness as the failure to install security patches.
Routing network traffic through a single switch is not unusual.
The fact that operating system security patches have not been applied is a serious weakness.
Database security defaulting to the enterprise resource planning system’s settings is not significant.
65
What is a PRIMARY advantage of performing a risk assessment on a consistent basis?
A.It lowers costs of assessing risk.
B.It provides evidence of attestation.
C.It is a necessary part of third-party audits.
D.It identifies trends in the evolving risk profile.
D is the correct answer.
Justification
There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not the main benefit.
An assessment deals with a review of a process, not a person’s claim of the process being in place. An attestation is a claim without the supporting evidence.
External audits do not require risk assessments, although it is encouraged.
Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place.
66
Which of the following situations presents the GREATEST information security risk for an enterprise with multiple, but small, domestic processing locations?
A.Systems operation guidelines are not enforced.
B.Change management procedures are poor.
C.Systems development is outsourced.
D.Systems capacity management is not performed.
B is the correct answer.
Justification
Because guidelines are generally not mandatory, their lack of enforcement is not a primary concern.
The lack of effective oversight is likely to result in inconsistent change management activities, which can present a serious security risk.
Systems that are developed by third-party vendors are becoming common and do not represent an increase in security risk as much as poor change management.
Poor capacity management may not necessarily represent a major security risk.
67
To improve accuracy, which of the following is the MOST important action to take to account for the subjective nature of risk assessment?
A.Train or calibrate the assessor.
B.Use only standardized approaches.
C.Ensure the impartiality of the assessor.
D.Use multiple methods of analysis.
A is the correct answer.
Justification
Studies show that training or calibrating the assessor improves accuracy and reduces the subjectivity of risk assessments.
A standardized approach is less effective in preventing overestimation of risk.
Assessor impartiality is important but does not compensate for the tendency to overestimate risk.
Multiple methods of analysis may help accuracy but training risk assessors is the most effective.
68
Risk assessments should be repeated at regular intervals because:
A.business threats are constantly changing.
B.omissions in earlier assessments can be addressed.
C.repetitive assessments allow various methodologies.
D.they help raise awareness of security in the business.
A is the correct answer.
Justification
As business objectives and methods change, the nature and relevance of threats change as well.
Omissions in earlier assessments do not, by themselves, justify regular reassessment.
Use of various methodologies is not a business reason for repeating risk assessments at regular intervals.
Risk assessments may help raise business awareness, but there are better ways of raising security awareness than by performing a risk assessment.
69
Which of the following BEST helps calculate the impact of losing frame relay network connectivity for 18 to 24 hours?
A.Hourly billing rate charged by the carrier
B.Value of the data transmitted over the network
C.Aggregate compensation of all affected business users
D.Financial losses incurred by affected business units
D is the correct answer.
Justification
Presumably the carrier would not charge if connectivity were lost, and this would not be useful in calculating impact.
The value of data is not affected by lost connectivity and would not help calculate impact.
Compensation of affected business users is not based on connectivity and would be useless in calculating impact.
Financial losses incurred by the business units would be a major factor in calculating the impact of lost connectivity.
70
What is the TYPICAL output of a risk assessment?
A.A list of appropriate controls for reducing or eliminating risk
B.Documented threats to the enterprise
C.Evaluation of the consequences to the entity
D.An inventory of risk that may impact the enterprise
D is the correct answer.
Justification
A list of appropriate controls for reducing risk follows the assessment.
Documented threats are a part of the input for a risk assessment.
Evaluation of the consequences follows the assessment.
An inventory of risk is the output of a risk assessment.
71
After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be:
A.transferred.
B.treated.
C.accepted.
D.terminated.
C is the correct answer.
Justification
Transferring the risk is of limited benefit if the cost of the control is more than the potential cost of the risk manifesting.
Treating the risk is of limited benefit if the cost of the control is more than the cost of the risk being exploited.
When the cost of the control is more than the cost of the risk, the risk should be accepted.
If the value of the activity is greater than the potential cost of compromise, then terminating the activity would not be the appropriate advice.
72
What is the BEST action to undertake when a departmental system continues to be out of compliance with an information security policy’s password strength requirement?
A.Submit the issue to the steering committee.
B.Conduct a risk assessment to quantify the risk.
C.Isolate the system from the rest of the network.
D.Request a risk acceptance waiver from senior management.
B is the correct answer.
Justification
The issue should not be escalated before understanding the risk of noncompliance.
A risk assessment is warranted to determine whether a risk acceptance should be granted and to demonstrate to the department the danger of deviating from the established policy.
Isolating the system would not support the needs of the business.
Any waiver should be granted only after performing a risk assessment.
73
Which of the following processes is PRIMARILY supported by information asset identification and classification?
A.Risk register development
B.Risk assessment
C.Cybersecurity training program
D.Regulatory compliance requirement
B is the correct answer.
Justification
Tracking risk in a register is important, but it is not solely based on the classification of the asset.
Unless assets are identified and classified, it will not be possible to assess the risk associated with each asset.
Cybersecurity training should be risk-based. However, user training is typically based on a scenario, such as phishing.
While addressing compliance risk is valid, the key benefit goes beyond compliance because classification assists the enterprise in protecting the assets through incident response. If the incident response plan is lacking, the enterprise would consider additional policy statements to protect higher priority assets. Incident response plans are often safety nets for limiting damage when a control fails or does not exist.
74
When the security risk assessment result was reviewed, it was found that the rationale for risk rating varied by department. Which of the following would BEST improve this situation?
A.Apply common risk measurement criteria to each department
B.Introduce risk appetite and risk tolerance at the policy level
C.Place increased focus on quantitative risk assessment
D.Implement routine peer review of the risk assessment results
A is the correct answer.
Justification
If departments are reaching different risk ratings for the same outcomes, common risk measurement criteria that can be used across the enterprise are needed.
Risk appetite and risk tolerance inform the acceptance of risk but do not affect the risk ratings.
Quantitative risk assessments produces numeric results, but subjectivity in inputs may continue to yield varying risk ratings among departments unless common criteria are applied.
Peer review of risk assessments between departments may be hampered by differing expertise among staff members in different job functions. Also, the results of risk assessments generally should not be shared more broadly than is necessary to meet business goals.
75
Which of the following types of risk is BEST assessed using quantitative risk assessment techniques?
A.Stolen customer data
B.An electrical power outage
C.A defaced website
D.Loss of the software development team
B is the correct answer.
Justification
The effect of the theft of customer data could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques.
The loss of electrical power for a short duration is more easily measurable than the other choices and can be quantified into monetary amounts that can be assessed with quantitative techniques.
The risk of website defacement by hackers is nearly impossible to quantify but could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques.
Loss of a majority of the software development team would be impossible to quantify.
76
A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST:
A.meet with stakeholders to decide how to comply.
B.analyze key risk in the compliance process.
C.assess whether existing controls meet the regulation.
D.update the existing security/privacy policy.
C is the correct answer.
Justification
While meeting with stakeholders to decide how to comply is appropriate and important, this action comes after assessing whether existing controls meet the regulation and will depend on whether there is an existing control gap.
While analyzing key risk in the compliance process is appropriate and important, this action comes after assessing whether existing controls meet the regulation and will depend on whether existing controls are adequate.
If the enterprise is in compliance through existing controls, the need to perform other work related to the regulation is not a priority.
While updating the existing security/privacy policy is appropriate and important, this action is appropriate only if the assessment indicates a requirement to change the existing security/privacy policy.
77
The MOST likely reason that management would choose not to mitigate a risk that exceeds the risk appetite is that it:
A.is the residual risk after controls are applied.
B.is a risk that is expensive to mitigate.
C.falls within the risk tolerance level.
D.is a risk of relatively low frequency.
C is the correct answer.
Justification
The residual risk may or may not be considered appropriate depending on the level of acceptable risk and the tolerance for variation to that level.
If mitigation is too expensive, management should consider other treatment options and not simply choose not to address it.
Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.
Even if a risk occurs infrequently, the information security manager should address the risk if the magnitude is substantial.
78
Which of the following approaches is BEST for addressing regulatory requirements?
A.Treat regulatory compliance as any other risk.
B.Ensure that policies address regulatory requirements.
C.Make regulatory compliance mandatory.
D.Obtain insurance for noncompliance.
A is the correct answer.
Justification
There are many regulatory requirements with varying degrees of enforcement and possible sanctions. These should be assessed and treated as any other risk.
Policies addressing compliance with regulatory requirements are not by themselves sufficient to deal with regulatory requirements.
Mandatory compliance with all regulatory mandates without determining the risk and potential impact may not be cost-effective.
Insurance for regulatory noncompliance may not be available.
79
A company’s mail server allows anonymous File Transfer Protocol access, which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action?
A.A penetration test
B.A security baseline review
C.A risk assessment
D.A business impact analysis
C is the correct answer.
Justification
A penetration test may identify the vulnerability but not potential threats or the remedy.
A security baseline review may identify the vulnerability but not the remedy.
A risk assessment will identify the business impact of the vulnerability being exploited and the remedial options.
A business impact analysis will identify the impact of the loss of the mail server and requirements for restoration.
80
Risk management needs to be approached as a regular, ongoing program or activity primarily because:
A.people make mistakes.
B.technology becomes obsolete.
C.the environment changes.
D.standards are updated or replaced.
C is the correct answer.
Justification
People do make mistakes, but mistakes built into a risk management program might well be repeated any number of times in an ongoing program. Therefore, this is not a rationale for risk management as a regular program or activity.
Technology is subject to obsolescence over time, but periodic assessment would likely be adequate if it were the primary rationale for risk management.
Controls usually degrade over time and are subject to failure, and the threat landscape changes constantly. Therefore, it is important that risk management be performed as an ongoing program or activity in order to capture the implications of these changes and ensure that the enterprise continues to make risk-treatment decisions consistent with its objectives and risk appetite.
Standards do change, and an enterprise that has identified conforming to a particular standard may be obligated to adjust its technology and processes to remain compliant. However, risk management addresses broader concerns than adherence to standards.
81
At what interval should a risk assessment TYPICALLY be conducted?
A.Once a year for each business process and subprocess
B.Every three to six months for critical business processes
C.On a continuous basis
D.Annually or whenever there is a significant change
D is the correct answer.
Justification
Conducting a risk assessment once a year is insufficient if important changes take place.
Conducting a risk assessment every three to six months for critical processes is not typical and may not be necessary, or it may not address important changes in a timely manner.
Performing risk assessments on a continuous basis is generally financially not feasible; it is more cost-effective to conduct risk assessments annually or whenever there is a significant change.
Risk is constantly changing. Conducting a risk assessment annually or whenever there is a significant change offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change.
82
Which of the following is the MOST appropriate use of gap analysis?
A.Evaluating a business impact analysis
B.Developing a business balanced scorecard
C.Demonstrating the relationship between controls
D.Measuring current state versus desired future state
D is the correct answer.
Justification
A gap analysis is not most appropriate for evaluating a business impact analysis.
A gap analysis is not most appropriate for developing a business balanced scorecard.
A gap analysis is not most appropriate for demonstrating the relationship between controls.
A gap analysis is most useful in addressing the differences between the current state and future state.
83
An enterprise plans to outsource its customer relationship management to a third-party service provider. Which of the following should the enterprise do FIRST?
A.Request that the third-party provider perform background checks on their employees.
B.Perform an internal risk assessment to determine needed controls.
C.Audit the third-party provider to evaluate their security controls.
D.Perform a security assessment to detect security vulnerabilities.
B is the correct answer.
Justification
A background check should be a standard requirement for the service provider.
An internal risk assessment should be performed to identify the risk and determine needed controls.
Audit objectives should be determined from the risk assessment results.
Security assessment does not cover the operational risk.
84
Which type of risk is PRIMARILY characterized by problems with service or product delivery caused by failure of internal controls, information systems, and employee integrity?
A. Project management risk
B. Health and safety risk
C. Processing and behavioral risk
D. Criminal and illicit acts risk
C is the correct answer.
Justification
Project management risk results from the failure to plan and manage the resources required for achieving tactical project goals, leading to budget overruns, time overruns or both.
Health and safety risk is associated with threats to the personal health and safety of staff, customers, and members of the public.
Processing and behavioral risk is associated with problems with service or product delivery caused by failure of internal controls, information systems, employee integrity, errors, and mistakes, or through weaknesses in operating procedures.
Criminal and illicit acts risk refer to loss or damage caused by fraud, theft, willful neglect, gross negligence, vandalism, sabotage, or extortion.
85
Which of the following is the FIRST action to be taken when the information security manager notes that the controls for a critical application are inadequate?
A.Perform a risk assessment to determine the level of exposure.
B.Classify the risk as acceptable to senior management.
C.Deploy additional countermeasures immediately.
D.Transfer the remaining risk to another enterprise.
A is the correct answer.
Justification
It is most important to perform a risk assessment to determine the exposure if additional controls are not deployed.
The exposure level needs to be redetermined and compared with the residual risk before this decision can be made.
Additional countermeasures may be deployed after determining possible losses to avoid overprotecting or underprotecting the asset.
Risk transfer is an action that may be taken after reviewing the results of the risk assessment of the current situation.
86
High risk volatility would be a basis for the information security manager to:
A.base mitigation measures solely on assessed impact.
B.raise the assessed risk level and increase remediation priority.
C.disregard volatility as irrelevant to assessed risk level.
D.perform another risk assessment to validate results.
B is the correct answer.
Justification
Mitigation should be based on likelihood, potential impact and cost benefit.
High risk volatility means that the risk is higher during one period and lower in another. The appropriate response is to assess risk at its highest level and due to unpredictability, raise the priority of treatment.
Volatility must be considered in terms of maximum risk potential.
A second risk assessment would not be useful as a volatility assessment and it would be unnecessary.
87
Why should the analysis of risk include consideration of potential impact?
A.Potential impact is a central element of risk.
B.Potential impact is related to asset value.
C.Potential impact affects the extent of mitigation.
D.Potential impact helps determine the exposure.
C is the correct answer.
Justification
Impact is distinct and separate from risk and is not a central element of risk.
Impact is related to the loss of the value that the asset provides but is not relevant to the question.
The extent of the potential impact in the event of compromise coupled with the likelihood of occurrence will largely determine the extent of mitigation measures.
Knowing the impact will not determine the extent to which an asset is exposed to a threat.
88
A financial institution plans to allocate information security resources to each of its business divisions. What areas should security activities focus on?
A.Areas where strict regulatory requirements apply
B.Areas that require the shortest recovery time objective
C.Areas that can maximize return on security investment
D.Areas where threat likelihood and impact are greatest
D is the correct answer.
Justification
While regulatory requirements may be a major consideration, there may be other areas of greater threat and impact to the enterprise.
Watching the recovery time objective (RTO) requirement is very important from a business continuity perspective, but it only illustrates a part of the information security framework. Regulatory compliance may also touch upon RTO initiatives.
It is difficult to set up a single formula so that the most profitable business line always has the most critical information security initiatives in the enterprise.
Security activities should focus on the areas where threat, likelihood and impact are the greatest.
89
Which of the following is MOST essential for a risk management program to be effective?
A.Flexible security budget
B.Sound risk baseline
C.Detection of new risk
D.Accurate risk reporting
C is the correct answer.
Justification
A flexible security budget is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period.
A sound risk baseline is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period.
All of these procedures are essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period.
Accurate risk reporting is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period.
90
Which two components PRIMARILY must be assessed in an effective risk analysis?
A.Visibility and duration
B.Likelihood and impact
C.Probability and frequency
D.Financial impact and duration
B is the correct answer.
Justification
Visibility and duration are not the primary elements of a risk analysis.
Likelihood and impact are the primary elements that are determined in a risk analysis.
Probability is the same as likelihood, and frequency is considered when determining annual loss expectancy, but it is a secondary analysis element.
Financial impact is one of the primary considerations, but duration is a secondary element of the analysis.
91
To be effective, risk management should be applied to:
A.all organizational activities.
B.elements identified by a risk assessment.
C.any area that exceeds acceptable risk levels.
D.only areas that have potential impact.
A is the correct answer.
Justification
While not all organizational activities will pose an unacceptable risk, the practice of risk management is still applied to determine which risk requires treatment.
Risk assessment is part of the risk management function. Risk assessment does not precede inclusion of the activity in the risk management program.
Whether a risk level is acceptable can be determined only when the risk is known.
Potential impact can be evaluated only when the risk is known and the value of the asset is determined.
92
There is a delay between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk during this time period?
A.Identify the vulnerable systems and apply compensating controls.
B.Minimize the use of vulnerable systems.
C.Communicate the vulnerability to system users.
D.Update the signatures database of the intrusion detection system
A is the correct answer.
Justification
The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed.
Minimizing the use of vulnerable systems could be a compensating control but would not be the first course of action.
Communicating the vulnerability to system users would not be of much benefit.
Updating the signatures database of the intrusion detection system (IDS) would not address the timing of when the IDS signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.
93
What is the PRIMARY purpose of using risk analysis within a security program?
A.The risk analysis helps justify the security expenditure.
B.The risk analysis helps prioritize the assets to be protected.
C.The risk analysis helps inform executive management of the residual risk.
D.The risk analysis helps assess exposures and plan remediation.
D is the correct answer.
Justification
Risk analysis indirectly supports the security expenditure but justifying the security expenditure is not its primary purpose.
Helping businesses prioritize the assets to be protected is an indirect benefit of risk analysis but not its primary purpose.
Informing executive management of residual risk value is not directly relevant.
Risk analysis explores the degree to which an asset needs protecting so remediation can be managed effectively.
94
When conducting a risk assessment, which of the following elements is the MOST important?
A.Consequences
B.Threat
C.Vulnerability
D.Probability
A is the correct answer.
Justification
Unless the exploitation of vulnerability by a threat has consequences, there is no risk to the enterprise.
A threat poses no risk absent corresponding vulnerability.
Vulnerability poses no risk absent a corresponding threat.
Probability is a function of threat and vulnerability, but even a guaranteed event poses no risk to the enterprise unless there are consequences.
95
Which of the following is an indicator of effective governance?
A.A defined information security architecture
B.Compliance with international security standards
C.Periodic external audits
D.An established risk management program
D is the correct answer.
Justification
A defined information security architecture is helpful but by itself is not a strong indicator of effective governance.
Compliance with international standards is not an indication of effective governance.
Periodic external audits may serve to provide an opinion on effective governance.
A dynamic risk management program is a key component, and an indicator, of effective governance.
96
In which phase of the development process should risk assessment be FIRST introduced?
A.Programming
B.Specification
C.User testing
D.Feasibility
D is the correct answer.
Justification
Assessment would not be relevant in the programming phase.
Risk should be considered in the specification phase, when the controls are designed, but this evaluation would still be based on the assessment carried out in the feasibility study.
Assessment would not be relevant in the user testing phase.
Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds.
97
A solution using an emerging security technology may allow an enterprise to increase its revenue, but the technology remains unproven. Which of the following is the BEST approach to take when considering use of the technology?
A.Hold until competitors introduce the solution.
B.Run a pilot project to assess potential risk.
C.Build the solution in a vendor’s environment.
D.Obtain insurance to cover unexpected losses.
B is the correct answer.
Justification
Management may advise holding off until a competitor implements the technology; however, the enterprise would then lose out on any potential revenue presented by the opportunity. This decision is best made once potential risk is assessed.
When considering using unproven, emerging technologies, it is best to start small. A pilot project will be best suited for this purpose because risk can be assessed in a controlled manner as the business explores the viability of the technology and potential further deployment on a larger scale.
Even when the solution is built in a service vendor’s technical environment, the service requestor must own the risk stemming from the technical solution. Therefore, the enterprise will want to assess the potential risk first.
It is not common practice to buy insurance in anticipation of failures may be caused by unproven technology.
98
At what point should a risk assessment of a new process occur to determine appropriate controls? It should occur:
A.only at the beginning and at the end of the new process.
B.throughout the entire life cycle of the process.
C.immediately after the business case for the process is approved.
D.prior to approving specifications for the new process.
B is the correct answer.
Justification
Risk changes at various stages of the life cycle. If the assessment occurs only at the beginning and end of the process, important issues will be missed.
A risk assessment should be conducted throughout the entire life cycle of a new or changed process. This allows an understanding of how implementation of an early control will affect control needs later.
The timing of assessments should occur at each stage of the life cycle regardless of the process.
Laws and regulations are not relevant to when risk should be assessed.
99
The PRIMARY purpose of risk evaluation is to:
A.provide a basis on which to select risk responses.
B.ensure that controls are deployed to mitigate risk.
C.provide a means of targeting assessment activities.
D.ensure that risk responses align with control objectives.
A is the correct answer.
Justification
Risk evaluation provides management with the extent that the risk meets the acceptability criteria and options for response. Response to risk may come in the form of acceptance, transfer (sharing), mitigation or avoidance.
Mitigation is only one possible response to risk.
Risk evaluation is the final stage of an assessment activity.
Control objectives align with the risk management strategy, which determines risk response.
100
An enterprise is transferring its IT operations to an offshore location. An information security manager should PRIMARILY focus on:
A.reviewing new laws and regulations.
B.updating operational procedures.
C.validating staff qualifications.
D.conducting a risk assessment.
D is the correct answer.
Justification
Reviewing new laws and regulations may or may not be identified as a mitigating measure based on the risk determined by the assessment.
Updating operational procedures may or may not be identified as a mitigating measure based on the risk determined by the assessment.
Validating staff qualifications may or may not be identified as a mitigating measure based on the risk determined by the assessment.
A risk assessment should be conducted to determine new risk introduced by the outsourced processes.
101
Under what circumstances do good information security practices dictate a full reassessment of risk?
A.After a material control failure
B.When regular assessments show unremediated risk
C.Subsequent to installing an updated operating system
D.After emergency changes have been initiated
A is the correct answer.
Justification
A significant control failure indicates that either the control was poorly designed or the risk was not properly identified and classified.
Depending on the nature and extent of unremediated risk, reassessment may be warranted; however, in some cases the process of change management while addressing the risk will have provided adequate understanding of the risk and adequacy of treatment.
Updating an operating system under change management will include an incremental assessment of any new risk and full reassessment is not likely to be needed.
Emergency changes usually require that the change management process be completed subsequently and any specific new risk addressed, making it unlikely that a full risk reassessment is required.
102
When introducing public cloud computing technology to the business, which of the following situations would be a MAJOR concern?
A.An upward curve in the running cost triggered by the scale expansion
B.A difficulty in identifying the origination of business transactions
C.An unawareness of risk scenarios that need to be included in the risk profile
D.An increased chance to be hit by attacks to exploit vulnerabilities
C is the correct answer.
Justification
In general, ease of scaling is the benefit of a cloud solution. Scaling is flexible with cloud computing technology at a predictable cost.
Identification of the origination point of a transaction may be a separate issue from cloud technology. Therefore, it is unnecessary to raise this concern for a cloud computing solution.
Cloud computing involves the interaction with a third party, as does any other outsourcing arrangement. Therefore, a cloud computing solution has a chance of introducing new risk that is not currently recognized by the enterprise’s risk profile. It is essential for the review risk profile to cover new risk scenarios.
The enterprise may come under attack regardless of the introduction of a cloud computing solution. If proper security management for cloud computing is in place, the chance of being compromised may be lower.
103
Which of the following will be the MAJOR concern when an employee connects an unauthorized personal device to the enterprise’s network?
A.Unintended release of malware
B.Inadvertent loss of the personal device
C.Undetected messaging among staff
D.Slowdown of network performance
A is the correct answer.
Justification
An uncontrolled technical device owned by an employee usually contains fewer controls and protective security measures than an enterprise device and, therefore, might be infected with malware. Connecting this type of device to the enterprise’s network is a major risk as malware will infiltrate the enterprise, bypassing firewalls. Employees need to be educated on the proper use of personal technical devices, and an acceptable use or Bring Your Own Device (BYOD) policy should be in place.
The loss of the device would present an issue; however, this would be secondary to a potential malware infection.
Messaging among staff using personal devices would not be as big of a concern as the release of malware into the network.
It is unlikely that network performance slows down as the result of personal devices connecting to the enterprise network.
104
An information security manager is tasked with initiating a risk assessment on controls focused on user access. Which of the following would be the MOST useful information to prepare for this assessment?
A.Previous audit reports
B.Current user access lists
C.Access approval procedures
D.Authentication log files
A is the correct answer.
Justification
Previous audit reports will provide insight into trends and identified vulnerabilities that will greatly assist in a risk assessment.
Current user access lists help with conducting the assessment, but the previous audit report may outline completed remediation actions.
Access approval procedures help with conducting the assessment, but the previous audit report may outline completed remediation actions.
Authentication log files help with conducting the assessment, but the previous audit report may outline completed remediation actions.
105
What is the PRIMARY deficiency in using annual loss expectancy to predict the annual extent of losses?
A.It is based on at least some subjective information.
B.The overall process and computations are time-consuming.
C.Effective use of the approach takes specialized training.
D.The approach is not recognized by international standards.
A is the correct answer.
Justification
When used for information risk, the annual loss expectancy (ALE) is based on at least some subjective information.
Information security does not possess sufficient historic data to complete actuarial tables and provide highly refined predictions of the occurrence of events (e.g., accident data for the automotive industry).
Time and training requirements are less important factors than the subjectivity that is inherent to ALE when assessing IT risk.
Some international standards do recognize ALE, and even if this were not the case, it would not be a primary concern in most instances.
106
Tightly integrated IT systems are MOST likely to be affected by:
A.aggregated risk.
B.systemic risk.
C.operational risk.
D.cascading risk.
D is the correct answer.
Justification
Aggregated risk can occur in homogenous systems in which one threat vector can compromise many systems whether integrated or not.
Systemic risk is unrelated to the degree of integration.
Operational risk is unrelated to the degree of integration.
Tightly integrated systems are more susceptible to cascading risk because the failure of one element causes a sequence of failures.
107
Which of the following groups would be in the BEST position to perform a risk analysis for a business?
A.External auditors
B.A peer group within a similar business
C.Process owners
D.A specialized management consultant
C is the correct answer.
Justification
External parties, including auditors, do not have the necessary level of detailed knowledge of the inner workings of the business.
Peer groups would not have a sufficiently detailed understanding of the business to be effective at analyzing a particular enterprise’s risk.
Process owners have the most in-depth knowledge of risk and compensating controls within their environment.
Management consultants are expected to have the necessary skills in risk analysis techniques but would still have to rely on a group with intimate knowledge of the business.
108
Which of the following risk scenarios would BEST be assessed using qualitative risk assessment techniques?
A.Theft of purchased software
B.Power outage lasting 24 hours
C.Permanent decline in customer confidence
D.Temporary loss of email services
C is the correct answer.
Justification
Theft of software can be quantified into monetary amounts.
Power outages can be quantified into monetary amounts more precisely than they can be assessed with qualitative techniques.
A permanent decline in customer confidence does not lend itself well to measurement with quantitative techniques. Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill.
Temporary loss of email can be easily quantified into monetary amounts.
109
A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take?
A.Enforce the existing security standard.
B.Change the standard to permit the deployment.
C.Perform a risk analysis to quantify the risk.
D.Perform research to propose use of a better technology.
C is the correct answer.
Justification
Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risk they present and business requirements.
Standards should not be changed without an appropriate risk assessment.
Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be made without conducting such an analysis.
It would not be the job of the security manager to research alternative technologies.
110
Which of the following is a risk that would MOST likely be overlooked by an information security review during an onsite inspection of an offshore provider?
A.Cultural differences
B.Technical skills
C.Defense in depth
D.Adequate policies
A is the correct answer.
Justification
Individuals in different cultures often have perspectives on what information is considered sensitive or confidential and how it should be handled that may be inconsistent with the enterprise’s requirements. Cultural norms are not usually an area of consideration in a security review or during an onsite inspection.
Technical skills are common scope areas for a security review to ensure that the offshore provider meets acceptable standards.
Controls design and operational effectiveness are common scope areas for a security review to ensure that the offshore provider meets acceptable standards.
Information security policies are common scope areas for a security review to ensure that the offshore provider meets acceptable standards.
111
Which of the following is the BEST resolution when a security standard conflicts with a business objective?
A.Changing the security standard
B.Changing the business objective
C.Performing a risk analysis
D.Authorizing a risk acceptance
C is the correct answer.
Justification
The security standard may be changed once it is determined by analysis that the risk of doing so is acceptable.
It is highly improbable that a business objective could be changed to accommodate a security standard.
Conflicts between a security standard and a business objective should be resolved based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard.
Risk acceptance is a process that derives from the risk analysis once the risk is determined to be acceptable.
112
Value at risk can be used:
A.as a qualitative approach to evaluating risk.
B.to determine maximum probable loss over a period of time.
C.for risk analysis applicable only to financial enterprises.
D.as a useful tool to expedite the assessment process.
B is the correct answer.
Justification
Value at risk (VAR) is an analysis tool, not an assessment tool and is quantitative rather than qualitative.
VAR provides a quantitative value of the maximum probable loss in a given time period—typically at 95 or 99 percent certainty.
While primarily used by financial enterprises, applicability to information security has been demonstrated.
VAR calculations are typically complex and time-consuming.
113
What is the PRIMARY reason an information security manager should have a sound understanding of information technology?
A.To prevent IT personnel from misleading the information security manager
B.To implement supplemental information security technologies
C.To understand requirements of a conceptual information security architecture
D.To understand the IT risk related to achieving adequate information security
D is the correct answer.
Justification
This is not the main reason for the information security manager to have technical knowledge, but it is helpful.
The information security manager is not responsible for implementing IT security controls.
Technical knowledge is not required for developing a conceptual information security architecture.
The information security manager has to understand any risk related to IT systems that could affect the business objectives or affect the business strategy achievement in order to propose an appropriate level of controls.
114
The human resources (HR) department is planning to introduce a procedure to deactivate an employee record within 24 hours of termination of employment. Which of the following would be of MOST concern to the information security manager when reviewing this procedure?
A.Potential internal fraud to circumvent the controls in place
B.Interdependencies between HR systems and business systems
C.Integrity of the HR system record to produce a job assignment history
D.Justification of 24 hours from risk management perspective
B is the correct answer.
Justification
There is a possibility of internal fraud by a terminated employee, but this is a less severe threat than the interdependencies between HR systems and other business operations.
Production systems will refer to the human resources (HR) database to check the identity of employees. If the reference to an employee attribute is lost during business transactions, it may affect business processes. (For instance, the financial ledger system may reject journal entries related to post-termination events pertaining to an employee, such as severance, tax adjustments, etc.) Thus, dependencies within the production systems need to be reviewed before this procedure is implemented.
It is not common to generate a job assignment history of employees after termination. Therefore, the integrity of a record is not a priority.
Justification of timeframe (e.g., 24 hours) in a procedure may be evaluated by business and security management and then mutually signed off on. Unless there are any specific issues, this will not be a major concern.
115
When should risk assessments be performed for optimum effectiveness?
A.At the beginning of security program development
B.On a continuous basis
C.While developing the business case for the security program
D.During the business change management process
B is the correct answer.
Justification
The beginning of a security program is only one time a risk assessment should be performed.
Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective.
During development of the business case is another point when risk assessment should occur.
Risk should be assessed during the change management process but that is only one point.
116
What is the PRIMARY objective of a risk management program?
A.Minimize inherent risk.
B.Eliminate business risk.
C.Implement effective controls.
D.Achieve acceptable risk.
D is the correct answer.
Justification
Inherent risk may already be acceptable and require no remediation. Minimizing below the acceptable level is not the objective and usually raises costs.
Elimination of business risk is not possible.
Effective controls are naturally a clear objective of a risk management program with the primary goal of achieving acceptable risk across the enterprise.
The goal of a risk management program is to ensure that acceptable risk levels are achieved and maintained.
117
When a proposed system change violates an existing security standard, the conflict would be BEST resolved by:
A.calculating the risk.
B.enforcing the security standard.
C.redesigning the system change.
D.implementing mitigating controls.
A is the correct answer.
Justification
Decisions regarding security should always weigh the potential loss from a risk against the benefits derived from the change.
It is a management decision to determine if the change in risk is worth the benefit.
Redesigning the proposed change might not always be the best option because it might not meet the business needs.
Implementing additional controls might be an option, but it would be done after the change in risk was known.
117
Which of the following activities is the FIRST step toward implementing a bring your own device (BYOD) program?
A.Allow or deny access to devices based on their approval status.
B.Conduct a stringent assessment process prior to approving devices.
C.Implement a plan-do-check-act approach.
D.Review and approve applications in the enterprise’s application store.
B is the correct answer.
Justification
For device access to be determined on the basis of approval status, an assessment process must be in place to grant approval.
A stringent assessment process is critical to comply with corporate and regulatory requirements around policies, encryption, detection of jailbreaking or rooted devices, etc.
Implementing a plan-do-check-act approach is part of the monitoring and enforcement process, but it is not a prerequisite.
Having a review and approval process for applications in the enterprise’s application store applies only to devices granted approval to access the network.
118
Which of the following is the MOST important consideration when performing a risk assessment?
A.Management supports risk mitigation efforts.
B.Annual loss expectancies have been calculated for critical assets.
C.Assets have been identified and appropriately valued.
D.Attack motives, means and opportunities are understood.
C is the correct answer.
Justification
Management support is always important but is not relevant when performing a risk assessment except to the extent that a lack of support may present a risk.
The annual loss expectancy calculations can be used in risk analysis subsequent to assets first being identified and properly valued.
Identification and valuation of assets provides the essential basis for risk assessment efforts. Without knowing an asset exists and its value to the enterprise, the risk and impact cannot be determined.
Understanding motives, means and opportunities is a part of risk identification, but they must be considered in the context of identified and valued assets.
119
At what point in the risk management process is residual risk determined?
A.When evaluating the results of the application of new or existing controls or countermeasures
B.When identifying and classifying information resources or assets that need protection
C.When assessing threats and the consequences of a compromise
D.After the elements of risk have been established, when combining them to form an overall view of risk
A is the correct answer.
Justification
The objective of information risk management is to bring the information security residual risk to an acceptable level, so residual risk is evaluated first on the basis of existing controls and again after any new controls are designed or implemented.
Identification and classification of information resources or assets that need protection is the first step of risk management and is followed by assessment of threats and vulnerabilities to determine probability. Probability is an input to calculating initial risk, so there is no basis for calculating residual risk at this stage.
Knowledge of the threat environment and consequences of a compromise is inadequate to determine residual risk because it does not take into account vulnerability and exposures.
The overall view of risk reflects an initial risk level that has not yet been reduced by application of controls. After elements of risk are combined to form an overall view of risk, the next step is to identify existing controls or design new controls to bring risk to an acceptable level.
120
Which of the following components is established during the INITIAL steps of developing a risk management program?
A.Management acceptance and support
B.Information security policies and standards
C.A management committee to provide oversight for the program
D.The context and purpose of the program
D is the correct answer.
Justification
Although an important component in the development of any managed program, obtaining management acceptance and support ideally occurs well before the development of the program, in the plan and organize phase.
Information security policies and standards are a component of the risk management program but do not belong to the initial stages of its development. Information security policies and standards are formed by the decisions made in the planning phase of the program and are developed based on the outcomes and business objectives established by the enterprise.
Management and oversight of the risk management program is a monitoring control that is developed to ensure that the program is satisfying the outcomes and business objectives established by the business. This process is designed at the latter stages of development once the purpose of the program and the mechanics of its deployment have been established. This oversight process could be integrated with internal audit activities or other compliance program processes.
An initial requirement is to determine the enterprise’s purpose for creating an information security risk management program, determine the desired outcomes and define objectives.
121
Acceptable levels of information security risk should be determined by:
A.legal counsel.
B.security management.
C.external auditors.
D.the steering committee.
D is the correct answer.
Justification
Legal counsel is not the authority to determine the acceptable levels of information security risk for the enterprise.
Security management is not the authority to determine the acceptable levels of information security risk for the enterprise.
External auditors can point out areas of risk but are not the authority to determine the acceptable levels of information security risk for the enterprise.
Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the enterprise is willing to accept.
122
Which of the following is KEY for selecting a third-party information security provider?
A.Contract review
B.Audit report review
C.Projected cost of services
D.Risk assessment
D is the correct answer.
Justification
The contract review is important, but the risk assessment should provide guidance concerning whether the enterprise should engage with the third party.
The audit review is important after the risk assessment is complete. Some items identified in the assessment will determine if any of the findings are material to the enterprise.
Projected cost of services is important, but the risk assessment will guide the enterprise concerning whether it should engage with the third party.
The risk assessment is essential because it provides guidance to the enterprise concerning whether it should engage with the third party. The risk assessment should address strategic, operational, compliance and other key risk relevant to the enterprise.
123
The return on investment of information security can BEST be evaluated through which of the following?
A.Support of business objectives
B.Security metrics
C.Security deliverables
D.Process improvement models
A is the correct answer.
Justification
One way to determine the return on security investment is to illustrate how information security supports the achievement of business objectives.
Security metrics measure improvement and effectiveness within the security practice but do not necessarily tie to business objectives.
Listing deliverables does not necessarily tie to business objectives.
Creating process improvement models does not necessarily tie directly to business objectives.
124
Quantitative risk analysis is MOST appropriate when assessment results:
A.include customer perceptions.
B.contain percentage estimates.
C.lack specific details.
D.contain subjective information.
B is the correct answer.
Justification
Qualitative analysis is a more appropriate approach for customer perceptions, which are difficult to express in a purely quantitative manner.
Percentage estimates are a characteristic of quantitative risk analysis.
Qualitative analysis is a more appropriate approach when there is a lack of specific details.
Qualitative analysis is a more appropriate approach for subjective information.
125
Faced with numerous risk scenarios, the prioritization of treatment options will be MOST effective if based on the:
A.existence of identified threats and vulnerabilities.
B.likelihood of compromise and subsequent impact.
C.results of vulnerability scans and remediation cost.
D.exposure of corporate assets and operational risk.
B is the correct answer.
Justification
Threats and vulnerabilities are the measure of risk, but without knowing potential impact, the most cost-effective treatment options will not be clear.
Probability of compromise coupled with the likely impact will be the most important considerations for selecting treatment options.
Vulnerabilities and the cost to remediate without considering impact do not provide enough information to make the best treatment selection.
Exposure of assets will modify the effective risk by affecting the likelihood that a vulnerability will be exploited; however, it is insufficient information to choose the best treatment option. Operational risk is only one part of overall risk.
126
What are the essential elements of risk?
A.Impact and threat
B.Likelihood and impact
C.Threat and exposure
D.Sensitivity and exposure
B is the correct answer.
Justification
Threat is an element of risk only in combination with vulnerability.
Risk is the combination of the probability of an event and its impact.
Threat and exposure are insufficient to determine risk.
Sensitivity is a measure of consequence but does not take into account probability.
127
As part of system development, how should an enterprise determine which element of the confidentiality, integrity and availability triad requires the MOST protection?
A.It should be based on the threat to each of the elements.
B.Availability is most important.
C.It should be based on the likelihood and impact to each element if compromised.
D.All elements are equally important.
C is the correct answer.
Justification
Even if the threat of compromise is high, the impact may be low; the best basis to determine where to implement the most protection is the risk to the specific element.
While it may seem that availability is the most important, if the system is down, there is no access to the data. There are many cases in which the standard business processes can continue, even if the system is down, but stringent controls must be maintained around confidentiality and integrity of information. The level of control should be based on the risk to the specific element.
The probability of compromise and the impact on the enterprise are combined to determine which element requires the greatest protection, with emphasis on impact.
It is very unlikely that all elements of the confidentiality, integrity or availability triad require equal levels of protection.
128
Which of the following steps in conducting a risk assessment should be performed FIRST?
A.Identify business assets
B.Identify business risk
C.Assess vulnerabilities
D.Evaluate key controls
A is the correct answer.
Justification
Risk assessment requires that the business assets that need to be protected be identified before identifying the threats.
The second step in risk assessment is to establish whether the threats represent business risk by identifying the likelihood and effect of occurrence.
Assessing the vulnerabilities that may affect the security of the asset follows identifying business assets and risk.
Risk evaluation after analysis is used to determine whether controls address the risk to meet the criteria for acceptability.
129
High risk tolerance is useful when:
A.the enterprise considers high risk acceptable
B.the uncertainty of risk shown by an assessment is high.
C.the impact from compromise is very low.
D.indicated by a business impact analysis.
B is the correct answer.
Justification
Risk tolerance is the acceptable deviation from acceptable risk and is not related to whether the risk is high or low.
High risk tolerance (i.e., a high degree of variability in acceptable risk) addresses the issue of uncertainty in the risk assessment process itself.
Risk tolerance is unrelated to impact.
The degree of risk tolerance is not indicated by a business impact analysis.
130
Which of the following metrics will provide the BEST indication of organizational risk?
A.Annual loss expectancy
B.The number of information security incidents
C.The extent of unplanned business interruptions
D.The number of high-impact vulnerabilities
C is the correct answer.
Justification
Annual loss expectancy is the quantification of loss exposure based on probability and frequency of outages with a known or estimated cost. It is part of a business impact analysis and may be calculated at the enterprise or system level, but it is based on projections rather than on observed data.
The number of recorded or recognized incidents does not reveal impact or indicate organizational risk.
An unplanned business interruption will be the best indication of organizational risk as it provides a quantifiable measure of how much business may be lost due to the inability to acquire, process and produce results that affect customers.
The number of high-impact vulnerabilities provides an indication of weakness within the information network and/or systems but is not by itself an indicator of risk.
131
For risk management purposes, the value of a physical asset should be based on:
A.original cost.
B.net cash flow.
C.net present value.
D.replacement cost.
D is the correct answer.
Justification
Original cost may be significantly different from the current cost of replacing the asset.
Net cash flow does not accurately reflect the true value of the asset.
Net present value does not accurately reflect the true value of the asset.
The value of a physical asset should be based on its replacement cost because this is the amount that would be needed to replace the asset if it were to become damaged or destroyed.
132
Information security managers should use risk assessment techniques to:
A.justify selection of risk mitigation strategies.
B.maximize the return on investment.
C.provide documentation for auditors and regulators.
D.quantify risk that would otherwise be subjective.
A is the correct answer.
Justification
Information security managers should use risk assessment techniques as one of the main bases to justify and implement a risk mitigation strategy as efficiently as possible.
Risk assessment is only one part of determining return on investment.
Providing documentation for auditors and regulators is a secondary aspect of using risk assessment techniques.
If assessed risk is subjective, risk assessment techniques will not meaningfully quantify them.
133
Which of the following authentication methods is MOST the secure when users require remote access to production systems?
A.A one-time password
B.A virtual private network
C.Multifactor authentication
D.Complex passwords
C is the correct answer.
Justification
One-time passwords are more secure than static passwords, but alone, they are not the most secure method.
A virtual private network is an encryption connection from a device to a network; it is not an authentication method.
Multifactor authentication is the most secure way to authenticate users when remote access to production system is required. Multifactor authentication uses three common factors: something you know (e.g., passwords), something you have (e.g., tokens, smart cards) and something you are (e.g., biometric methods such as fingerprints or retina scans). A complex password includes two out of three common factors used for multifactor authentication.
Requiring complex passwords is a good practice, but it is not the most secure method.
134
Quantifying the level of acceptable risk can BEST be indicated by which of the following choices?
A.Surveying business process owners and senior managers
B.Determining the percentage of the IT budget allocated to security
C.Determining the ratio of business interruption insurance to its cost
D.Determining the number and severity of incidents impacting the enterprise
C is the correct answer.
Justification
Surveying management typically provides a widely varying perspective on acceptable risk.
The amount spent on security is an indicator but does not quantify acceptable levels of risk.
The amount of business interruption insurance carried and the cost specifies a directly quantifiable level of risk that the enterprise will accept, and at what cost.
The history of incidents will show what risk was not addressed and elicit comments about acceptability but will not indicate what the enterprise is willing to spend on mitigation.
135
A cost-benefit analysis is performed on any proposed control to:
A.define budget limitations.
B.demonstrate due diligence to the budget committee.
C.verify that the cost of implementing the control is within the security budget.
D.demonstrate the costs are justified by the reduction in risk.
D is the correct answer.
Justification
A cost-benefit analysis does not define budget constraints; the board of directors or senior management of the enterprise will do that based on a variety of factors.
The purpose of the analysis is not to show that due diligence was performed, but to establish a result that will show the cost of the control and the reduction in risk.
A cost-benefit analysis does not help verify that the cost of a control is within the security budget; it may, however, help identify controls that require additional expenses that exceed the established security budget.
Senior management can weigh the cost of the risk against the cost of the control and show that the control will reduce that risk by some measure.
136
Logging is an example of which type of defense against systems compromise?
A.Containment
B.Detection
C.Reaction
D.Recovery
B is the correct answer.
Justification
Examples of containment defenses are awareness, training and physical security defenses.
Detection defenses include logging, monitoring, measuring, auditing, detecting viruses and intrusion.
Examples of reaction defenses are incident response, policy and procedure change, and control enhancement.
Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.
137
Which of the following is the BEST quantitative indicator of an enterprise’s current risk appetite?
A.The number of incidents and the subsequent mitigation activities
B.The number, type and layering of deterrent control technologies
C.The extent of risk management requirements in policies and standards
D.The ratio of cost to insurance coverage for business interruption protection
D is the correct answer.
Justification
Incident history can provide only an approximation of the enterprise’s efforts to mitigate further occurrences after consequences have been determined. Incident history may also indicate a lack of risk awareness.
Controls deployment can provide a rough qualitative estimation of risk appetite as long as technologies are tested and effectiveness is determined.
Requirements set in policies and standards can only serve as a qualitative approximation of risk appetite.
The cost of a business interruption can be accurately determined. The comparison of this expense (added to any deductible) with the total cost of premiums paid for a specific amount of insurance can serve as an accurate indicator of how much the enterprise will spend to protect against a defined loss.
138
When considering the extent of protection requirements, which of the following choices would be the MOST important consideration affecting all the others?
A.Exposure
B.Threat
C.Vulnerability
D.Magnitude
A is the correct answer.
Justification
Exposure is the quantified potential for loss that may occur due to an adverse event, calculated as the product of probability and magnitude (impact). Because probability is itself a function of threat and vulnerability, exposure takes into account all three of the other factors and, if known, is the most important consideration.
A threat is anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Threats may cause harm only if they correspond to vulnerability, so the probability of an event can be calculated only when both are known.
Vulnerability is a weakness in the design, implementation, operation or internal control that could expose the system to adverse threats from threat events. Vulnerability may lead to harm only when acted on by a corresponding threat, so the probability of an event can be calculated if both are known.
Magnitude (or impact) measures the potential severity of loss from a realized event/scenario. Whether such an event will be realized depends on its probability (likelihood), which requires assessment of both threat and vulnerability.
139
Which of the following is the MOST supportable basis for prioritizing risk for treatment?
A.Cost and asset value
B.Frequency and impact
C.Frequency and scope
D.Cost and effort
B is the correct answer.
Justification
Cost to remediate is a major factor relative to the value of the applicable assets (i.e., is remediation appropriate for this asset versus another risk treatment option?). It is ineffective as a means of prioritization across different assets, because it does not take into account their business value.
The balance between impact and frequency captures the adjusted probability of loss to the enterprise associated with each risk. It provides an immediate and relevant basis for prioritization of treatment, with high-impact and high-frequency risk ranking highest on the list.
Breadth of scope is not necessarily equivalent to impact. Prioritizing a risk that affects a broad range of relatively unimportant systems over a risk that impacts a single critical system would not be beneficial to the enterprise.
Effort is a subset of overall cost representing time and expertise. Unto itself, cost is not a suitable basis for prioritization.
140
Inherent cybersecurity risk is treated via:
A.Internet firewalls.
B.security awareness.
C.risk assessment.
D.controls.
D is the correct answer.
Justification
Internet firewalls are only one kind of control and do not constitute a comprehensive approach to reducing risk in cybersecurity.
In the absence of controls that mitigate risk, cybersecurity risk will remain the same regardless of awareness efforts.
Risk assessments may be used to guide risk response, but on their own, they do not treat inherent risk.
A risk prior to mitigation is called inherent risk. The risk that remains after countermeasures and controls have been implemented is residual risk. Controls are most often used to treat the risk after the risk is analyzed.
141
What is the goal of risk aggregation?
A.To combine homogeneous elements to reduce overall risk
B.To influence the enterprise’s risk acceptance methodologies
C.To group individual acceptable risk events for simplified risk reporting
D.To identify significant overall risk from a single threat vector
D is the correct answer.
Justification
Combining homogeneous elements does not in itself reduce risk; it may actually increase risk.
Aggregation does not affect the methodology used for risk acceptance.
Risk reporting is not a primary consideration of risk aggregation.
Individual risk with minimal impact may constitute a significant overall risk if each risk can be exploited from the same threat vector. The threat vector is the method used to exploit the target.
142
Why might an enterprise rationally choose to mitigate a risk that is estimated to be at a level higher than its stated risk appetite but within its stated risk tolerance?
A.The board of directors may insist that all risk be mitigated if it exceeds the appetite.
B.Senior executives may prefer to transfer risk rather than formally accepting it.
C.There may be pressure from key stakeholders to avoid risk that exceeds the appetite.
D.Senior management may have concern that the stated impact is underestimated.
D is the correct answer.
Justification
The board of directors determines the risk appetite and tolerance, so there would be no tolerance in excess of the appetite if the board took this position.
The purpose of determining levels of risk appetite and tolerance is to have clear thresholds for accepting risk without mitigation or transfer.
Risk avoidance is the best choice for responding to a risk only when it exceeds both the appetite and the tolerance, despite all efforts at mitigation or transfer.
Risk that exceeds organizational appetite but lies within tolerable levels is not risk the enterprise wants to accept. When there is concern that the impact has been underestimated, senior management may prefer to mitigate the risk to acceptable levels rather than unintentionally accept risk whose impact ends up exceeding the tolerance.
143
After residual risk has been determined, the enterprise should NEXT:
A.transfer the remaining risk to a third party.
B.acquire insurance against the effects of the residual risk.
C.validate that the residual risk is acceptable.
D.formally document and accept the residual risk.
C is the correct answer.
Justification
Transfer of the risk is a step that might be taken after initial validation occurs.
Acquiring insurance is a step taken after initial validation occurs.
After residual risk has been determined, the next step should be to validate that the risk is acceptable (or not) and within the enterprise’s risk tolerance.
Formally documenting and accepting the residual risk is a step taken after initial validation occurs.
144
After a thorough analysis of a low-impact security issue, a security analyst has identified similar, historical issues that were undetected and did not cause any disruptions to business operations. What information would BEST help effectively document the next steps for senior management to make mitigation decisions?
A.Cost-benefit analysis
B.Incident metrics
C.Gap analysis
D.Vulnerability scan results
A is the correct answer.
Justification
A cost-benefit analysis will reveal whether a control is worth the cost to implement.
Incident metrics are useful, but a low-impact event is unlikely to help with decision-making.
Gap analysis is a part of the risk assessment and analysis process, not a part of the risk treatment process
Vulnerability scan results are a part of the risk monitoring process, not a part of the risk treatment process.
145
Control baselines are MOST directly related to the:
A.enterprise’s risk appetite.
B.external threat landscape.
C.effectiveness of mitigation options.
D.vulnerability assessment.
A is the correct answer.
Justification
Control baselines are designed to mitigate risk and will depend on the enterprise’s risk appetite.
The viability and existence of threats will have a direct bearing on control baselines, but only to the extent that they can exploit vulnerabilities and create a risk of potential impact.
In some cases, the effectiveness may modify the control objectives if it is not feasible to mitigate the risk, but generally that will not change the objectives.
Vulnerability assessments are conducted against a control baseline.
146
Risk acceptance is a component of which of the following?
A.Risk assessment
B.Risk mitigation
C.Risk identification
D.Risk monitoring
B is the correct answer.
Justification
Risk assessment includes identification and analysis to determine the likelihood and potential consequences of a compromise, which is not when risk is to be considered for acceptance or required mitigation.
If after risk evaluation a risk is unacceptable, acceptability is determined following risk mitigation efforts.
Risk identification is the assessment process that identifies viable risk through developing a series of potential risk scenarios.
Monitoring is unrelated to risk acceptance.
147
Which of the following measures would be MOST effective against insider threats to confidential information?
A.Role-based access control
B.Audit trail monitoring
C.Privacy policy
D.Defense in depth
A is the correct answer.
Justification
Role-based access control is a preventive control that provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability.
Audit trail monitoring is an after-the-fact detective control.
Privacy policy is not relevant to this risk.
Defense in depth primarily focuses on external threats and control layering.
148
The chief information security officer (CISO) has recommended several information security controls (such as antivirus) to protect the enterprise’s information systems. Which one of the following risk treatment options is the CISO recommending?
A.Risk transfer
B.Risk mitigation
C.Risk acceptance
D.Risk avoidance
B is the correct answer.
Justification
Risk transfer involves transferring the risk to another entity such as an insurance company.
By implementing security controls, the company is trying to decrease risk to an acceptable level, thereby mitigating risk.
Risk acceptance involves accepting the risk in the system and doing nothing further.
Risk avoidance stops the activity causing the risk.
149
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented?
A.Cost-benefit analysis
B.Penetration testing
C.Frequent risk assessment programs
D.Annual loss expectancy calculation
A is the correct answer.
Justification
In a cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This comparison can then be used to justify a specific control measure.
Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost-benefit of a control.
Frequent risk assessment programs will certainly establish what risk exists but will not determine the cost of controls.
Annual loss expectancy is a measure that will contribute to the potential cost associated with the risk but does not address the benefit of a control.
150
Reducing exposure of a critical asset is an effective mitigation measure because it reduces:
A.the impact of a compromise.
B.the likelihood of being exploited.
C.the vulnerability of the asset.
D.the time needed for recovery.
B is the correct answer.
Justification
The impact of a successful exploit will not change.
Reducing exposure reduces the likelihood of a vulnerability being exploited.
The vulnerabilities of the asset will not change because exposure is reduced.
The recovery time is not affected by a reduction in exposure.
151
Which of the following would be MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?
A.Annual loss expectancy of incidents
B.Frequency of incidents
C.Total cost of ownership
D.Approved budget for the project
C is the correct answer.
Justification
Annual loss expectancy could help measure the benefit but would not address the costs.
The potential reduction in the frequency of incidents could help measure the benefit but would not address cost.
The total cost of ownership would be the most relevant piece of information to determine both the total cost and the benefit.
The approved budget for the project is not relevant to the cost-benefit analysis.
152
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?
A.Implement countermeasures.
B.Eliminate the risk.
C.Transfer the risk.
D.Accept the risk.
C is the correct answer.
Justification
Implementing countermeasures may not be possible likely would not be the most cost-effective approach to security management.
Eliminating the risk may not be possible.
Risk is typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include hurricanes, tornadoes and earthquakes.
Accepting the risk would leave the enterprise vulnerable to a catastrophic disaster that might cripple or ruin the enterprise. It would be more cost-effective to pay recurring insurance costs than to be affected by a disaster from which the enterprise could not financially recover.
153
Under what circumstances is it MOST appropriate to reduce control strength?
A.Assessed risk is below acceptable levels.
B.Risk cannot be determined.
C.The control cost is high.
D.The control is not effective.
A is the correct answer.
Justification
It is appropriate to reduce control strength if it exceeds mitigation requirements set by acceptable risk levels.
An inability to determine risk is not a justification for reducing control strength.
Excessive control cost is not a reason to reduce strength, although it suggests that a redesign of the control is needed.
Control effectiveness does not change the control strength requirement.
154
The PRIMARY reason for classifying information resources according to sensitivity and criticality is to:
A.determine inclusion of the information resource in the information security program.
B.define the appropriate level of access controls.
C.justify the costs of each information resource.
D.determine the overall budget of the information security program.
B is the correct answer.
Justification
The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program.
The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place.
Classification is unrelated to the costs of the information resource.
The overall security budget is not directly related to classification.
155
Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices?
A.Regular review of access control lists
B.Security guard escort of visitors
C.Visitor registry log at the door
D.A biometric coupled with a personal identification number
A is the correct answer.
Justification
A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy.
Visitors accompanied by a guard will also provide assurance but that may not be cost-effective.
A visitor registry is the next most cost-effective control but not as secure.
A biometric coupled with a personal identification number will strengthen access control; however, compliance assurance logs will still have to be reviewed to ensure only authorized access.
156
What activity needs to be performed for previously accepted risk?
A.Risk should be reassessed periodically because risk changes over time.
B.Accepted risk should be flagged to avoid future reassessment efforts.
C.Risk should be avoided next time to optimize the risk profile.
D.Risk should be removed from the risk log after it is accepted.
A is the correct answer.
Justification
Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to changes, and risk therefore cannot be accepted permanently.
Even risk that has been accepted should be monitored for changing conditions that could alter the original decision.
Risk is an inherent part of business and avoiding it to improve the risk profile would be misleading and dangerous.
Even risk that has been accepted should be maintained in the risk log and monitored for changing conditions that could alter the original decision.
157
Which of the following items determines the acceptable level of residual risk in an enterprise?
A.Management discretion
B.Regulatory requirements
C.Inherent risk
D.Internal audit findings
A is the correct answer.
Justification
Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, organizational management may decide to accept risk. The target risk level for a control is ultimately subject to management discretion.
Failure to comply with regulatory requirements has consequences, but those consequences are considered in the context of organizational risk. In some cases, the cost of failure to comply may be lower than the cost of compliance; in this case, management may decide to accept the risk.
Inherent risk is the risk that exists before controls are applied.
The results of an internal audit are used to determine the actual level of residual risk, but whether this level is acceptable is fundamentally a function of management.
158
Which of the following is the MOST important factor to be considered in the loss of mobile equipment with unencrypted data?
A.Disclosure of personal information
B.Sufficient coverage of the insurance policy for accidental losses
C.Potential impact of the data loss
D.Replacement cost of the equipment
C is the correct answer.
Justification
Personal information is not defined in the question as the data that were lost.
If insurance is available, it is unlikely to compensate for all potential impact.
When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an enterprise must develop a clear policy as to what information should be kept on the equipment and for what purpose.
Cost of equipment would be a less important issue.
159
Which of the following would BEST address the risk of data leakage?
A.File backup procedures
B.Database integrity checks
C.Acceptable use policies
D.Incident response procedures
C is the correct answer.
Justification
File backup procedures ensure the availability of information in alignment with data retention requirements but do nothing to prevent leakage.
Database integrity checks verify the allocation and structural integrity of all the objects in the specified database but do nothing to prevent leakage.
An acceptable use policy establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet.
Incident response procedures provide detailed steps that help an enterprise minimize the impact of an adverse event but do not directly address data leakage.
160
The information security manager has determined that a risk exceeds risk appetite, yet the manager does not mitigate the risk. What is the MOST likely reason that management would consider this course of action appropriate?
A.The risk is the residual risk after controls are applied.
B.The risk is expensive to mitigate.
C.The risk falls within the risk tolerance level.
D.The risk is of relatively low frequency.
C is the correct answer.
Justification
Even if the risk is residual, if it exceeds the risk appetite, then it is acceptable only if it falls within the risk tolerance. The residual risk may or may not be considered appropriate depending on the level of acceptable risk and the tolerance for variation to that level.
If mitigation is too expensive compared to the benefit, the information security manager should consider other treatment options. Just knowing the expense is not enough.
Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.
Low frequency alone does not warrant ignoring a risk.
161
An effective risk management program should reduce risk to:
A.zero.
B.an acceptable level.
C.an acceptable percent of revenue.
D.an acceptable probability of occurrence.
B is the correct answer.
Justification
Reducing risk to zero is impossible, and the attempt would be cost-prohibitive.
An effective risk management program reduces the risk to an acceptable level; this is achieved by reducing the probability of a loss event through preventive measures and by reducing the impact of a loss event through corrective measures.
Tying risk to a percentage of revenue is inadvisable because there is no direct correlation between the two.
Reducing the probability of risk occurrence may not always be possible, as in the case of natural disasters.
162
The use of insurance is an example of which of the following?
A.Risk mitigation
B.Risk acceptance
C.Risk elimination
D.Risk transfer
D is the correct answer.
Justification
The effects of a potential event can be shared by procuring insurance, but the risk is not mitigated.
Acceptance of risk is a decision by the enterprise to assume the impact of the effects of an event.
Risk is never fully eliminated, unless the activity that causes the risk is stopped or avoided.
Insurance is a method of offsetting the financial loss that might be incurred as a result of an adverse event. Some, but not all, of the potential costs are transferred to the insurance company.
163
What is a reasonable expectation to have of a risk management program?
A.It removes all inherent risk.
B.It maintains residual risk at an acceptable level.
C.It implements preventive controls for every threat.
D.It reduces control risk to zero.
B is the correct answer.
Justification
Risk management is not intended to remove every identified risk because it may not be cost-effective.
The goal of risk management is to ensure that all residual risk is maintained at a level acceptable to the business.
Risk management is not intended to implement controls for every threat because not all threats pose a risk, and it would not be cost-effective.
Control risk is the risk that a control may not be effective; it is a component of the program but it is unlikely to be reduced to zero.
164
Risk management programs are designed to reduce risk to:
A.a level that is too small to be measurable.
B.the point at which the benefit exceeds the expense.
C.a level that the enterprise is willing to accept.
D.a rate of return that equals the current cost of capital.
C is the correct answer.
Justification
Reducing risk to a level too small to measure is impractical and is often cost-prohibitive.
Depending on the risk preference of an enterprise, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense.
Risk should be reduced to a level that an enterprise is willing to accept.
To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered.
165
An online banking institution is concerned that a breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to:
A.mitigate the impact by purchasing insurance.
B.implement a circuit-level firewall to protect the network.
C.increase the resiliency of security measures in place.
D.implement a real-time intrusion detection system.
A is the correct answer.
Justification
Residual risk is the remaining risk after management has implemented a risk response. Because residual risk will always be too high, the only practical solution is to mitigate the financial impact by purchasing insurance. Purchasing insurance is also known as risk transfer.
The enterprise has determined the residual risk will always be too high and chosen to transfer the risk, so there is no need to attempt further mitigation.
The enterprise has determined the residual risk will always be too high and chosen to transfer the risk, so there is no need to attempt further mitigation.
The enterprise has determined the residual risk will always be too high and chosen to transfer the risk, so there is no need to attempt further mitigation.
166
The ULTIMATE purpose of risk response is to:
A.reduce cost.
B.lower vulnerability.
C.minimize threat.
D.control impact.
D is the correct answer.
Justification
Reducing cost in the short term is rarely the purpose of risk response. Reducing the overall impact of loss associated with risk is only one approach that an enterprise may take; a level of risk that is already acceptable should generally be allowed regardless of whether it might be further reduced.
Lowering vulnerability is only one approach that an enterprise may take to respond to risk.
Risk response rarely seeks to reduce threat in the aggregate and is generally unable to minimize it.
Enterprises respond to risk in ways that control impact by keeping it within acceptable (or tolerable) levels.
167
Management decided that the enterprise will not achieve compliance with a recently issued set of regulations. Which of the following is the MOST likely reason for the decision?
A.The regulations are ambiguous and difficult to interpret.
B.Management has a low level of risk tolerance.
C.The cost of compliance exceeds the cost of possible sanctions.
D.The regulations are inconsistent with the organizational strategy.
C is the correct answer.
Justification
Management should address ambiguous regulations by requesting clarification from the issuer or the legal department.
Management decisions on compliance should be based on a cost-benefit analysis.
Management may decide it is less expensive to deal with possible sanctions than to attempt to comply.
The fact that the regulations are inconsistent with the organizational strategy is not a major factor in deciding not to comply.
168
Which of the following approaches would be BEST to address significant system vulnerabilities that were discovered during a network scan?
A.All significant vulnerabilities must be mitigated in a timely fashion.
B.Treatment should be based on threat, impact and cost considerations.
C.Compensating controls must be implemented for major vulnerabilities.
D.Mitigation options should be proposed for management approval.
B is the correct answer.
Justification
Some vulnerabilities may not have significant impact and may not require mitigation.
The treatment should consider the degree of exposure and potential impact and the costs of various treatment options.
Compensating controls are considered only when there is a viable threat and impact, and only if the primary control is inadequate.
Management approval may not be required in all cases.
169
How does knowledge of risk appetite help to increase security control effectiveness?
A.It helps to gain required support from senior management for information security strategy.
B.It provides a basis for redistributing resources to mitigate risk above the risk appetite.
C.It requires continuous monitoring because the entire risk environment is constantly changing.
D.It facilitates communication with management about the importance of security.
B is the correct answer.
Justification
Having knowledge of the enterprise's risk appetite is not the sole requirement for gaining senior management support.
Understanding risk appetite in key security control areas helps redirect resources from risk at or below acceptable levels to risk above the appetite. The result is improved control effectiveness at no additional cost.
This answer does not address the value of understanding risk appetite. The risk environment and control effectiveness do change, but continuous monitoring applies more to rapidly changing controls and to areas of greatest risk. Risk appetite changes are usually more stable.
Knowledge of risk appetite does help to facilitate communication with management but is only one small element of effective communication with senior management.
170
Which of the following choices is MOST likely to achieve cost-effective risk mitigation across the enterprise?
A.A chief risk officer
B.Consistent risk assessments
C.Assurance process integration
D.Defined acceptable risk levels
C is the correct answer.
Justification
A chief risk officer is usually helpful in identifying many types of risk faced by an enterprise, but remediation is a function of many organizational units, and unless their activities are integrated, there is the possibility of duplicated efforts or gaps in protection.
Risk assessments are helpful in exposing risk but by themselves do not serve to mitigate the identified risk.
Integrating the risk mitigation of the typical enterprise’s many risk management and assurance functions will best ensure that there are no gaps in protection efforts and a minimum of duplicated efforts, which is likely to result in the best coverage at the lowest cost.
Defining acceptable risk levels can provide guidance to the enterprise about the required levels of mitigation required but does not prevent duplication of efforts or gaps in protection.
171
What is the MOST effective way to ensure network users are aware of their responsibilities to comply with an enterprise’s security requirements?
A. Logon banners displayed at every logon
B.Periodic security-related email messages
C.An intranet website for information security
D.Circulating the information security policywith an enterprise’s security requirements?
A is the correct answer.
Justification
Logon banners would appear every time the user logged on, and the user would be required to read and agree to terms before using the resources. Because the message would be conveyed in writing and would appear consistently, it could be easily enforceable in any enterprise.
Security-related email messages are frequently considered spam by network users and would not, by themselves, ensure that the user agreed to comply with security requirements.
The existence of an Intranet website would not force users to access it and read the information.
Circulating the information security policy alone would not confirm that an individual user read, understood and agreed to comply with its requirements unless it was associated with a formal acknowledgment, such as a user’s signature of acceptance.
172
One of the MOST important internal critical factors that affects the information security strategy is:
A.a well-defined organizational structure.
B.widespread promoted IT security awareness.
C.the organizational security culture.
D.established enterprise risk appetite and tolerance levels.
D is the correct answer.
Justification
A well-defined organizational structure could be an enabler for an effective security strategy, but it is not the most important factor.
A lack of internal IT security awareness could be part of the threat landscape, but it is not as important as the risk appetite and tolerance.
Enterprise security culture may have an impact on the information security strategy; however, enterprise risk appetite still has the biggest impact.
The security strategy is primarily led by an established enterprise risk appetite and levels.
173
The decision whether an IT risk has been reduced to an acceptable level should be determined by:
A.organizational requirements.
B.information systems requirements.
C.information security requirements.
D.international standards.
A is the correct answer.
Justification
Organizational requirements should determine when a risk has been reduced to an acceptable level.
The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information systems requirements.
The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information security requirements.
Because each enterprise is unique, international standards may not represent the best solution for specific enterprises and are primarily a guideline.
174
Which of the following is the BEST indicator of the level of acceptable risk in an enterprise?
A.The proportion of identified risk that has been remediated
B.The ratio of business insurance coverage to its cost
C.The percentage of the IT budget allocated to security
D.The percentage of assets that have been classified
B is the correct answer.
Justification
The proportion of unremediated risk may be an indicator, but there are many other factors unrelated to acceptable risk such as treatment feasibility, availability of controls, etc.
The amount of business insurance coverage carried and the cost provide a directly quantifiable indication of the level of risk the enterprise will accept and at what cost.
The percentage of the IT budget allocated to security is an indicator but does not quantify acceptable levels of risk.
Classifying assets will indicate which assets are more important than others but does not quantify the acceptability of risk.
175
Why would an enterprise decide not to take any action on a denial-of-service vulnerability found by the risk assessment team?
A.There are sufficient safeguards in place to neutralize the risk.
B.The needed countermeasures are too complicated to deploy.
C.The cost of countermeasures outweighs the value of the asset and potential loss.
D.The likelihood of the risk occurring is unknown.
C is the correct answer.
Justification
The safeguards need to match the risk level. You can never be certain of having sufficient safeguards because threats are always evolving.
While countermeasures could be too complicated to deploy, this is not the most compelling reason.
An enterprise may decide to live with specific risk because it would cost more to protect the enterprise than to incur the potential loss.
It is unlikely that a global financial institution would not be exposed to such attacks, and the likelihood could not be predicted.
176
Which of the following actions should the information security manager take FIRST on finding that current controls are not sufficient to prevent a serious compromise?
A.Strengthen existing controls.
B.Reassess the risk.
C.Set new control objectives.
D.Modify security baselines.
B is the correct answer.
Justification
Unless a detailed assessment of the finding is completed, spending resources on strengthening the existing controls will not be an appropriate step.
Control decisions are driven by risk. Risk should be carefully reassessed and analyzed to correct potential misjudgment in the original assessment.
A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. Changes to control objectives should be made after risk has been reassessed.
Security baselines set by appropriate standards are the minimum security requirements for different trust domains across the enterprise. Baselines may need to be strengthened after risk has been reassessed.
177
Security risk assessments are MOST cost-effective to a software development enterprise when they are performed:
A.before system development begins.
B.at system deployment.
C.before developing a business case.
D.at each stage of the system development life cycle
D is the correct answer.
Justification
A risk assessment performed before system development will not find vulnerabilities introduced during development.
Performing a risk assessment at system deployment is generally not cost-effective and can miss a key risk.
If performed prior to business case development, a risk assessment will not discover risk introduced during the system development life cycle (SDLC).
Performing risk assessments at each stage of the SDLC is the most cost-effective method because it ensures that vulnerabilities are discovered as soon as possible.
178
Which of the following controls would BEST prevent accidental system shutdown from the console or operations area?
A.Redundant power supplies
B.Protective switch covers
C.Shutdown alarms
D.Biometric readers
B is the correct answer.
Justification
Redundant power supplies would not prevent an individual from powering down a device.
Protective switch covers would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device.
Shutdown alarms would take effect after the fact.
Biometric readers would be used to control access to the systems.
179
The information security manager realized that the proposed acquisition of a new IT application will change the risk levels for the business function. The FIRST course of action is to:
A.report the changes in risk levels to the business function head.
B.stop the acquisition until implementing mitigating controls.
C.proactively design and implement controls to mitigate risk.
D.Engage a third party to reassess the risk.
A is the correct answer.
Justification
An information security manager should report the risk of the new system to the business unit and recommend controls to mitigate the risk. Then the business can make the appropriate risk-based decision.
The decision to proceed with the acquisition or not would be outside the scope of the information security manager.
An information security manager may design the controls and the proposal but may not be able to enforce implementation. This is usually the responsibility of the system owner/business function head.
A security manager may engage a third party to reassess the risk to confirm earlier assessments but subsequently must report the possible changes in risk levels to decision makers.
180
A bank is undergoing a merger, and the IT infrastructure integration poses security challenges. The chief information security officer (CISO) discovers potential risk in data confidentiality and access controls. What is the recommended approach for risk and control ownership in this situation?
A. Delegate responsibility to the IT teams of the merging organizations.
B. Consult with legal counsel and external auditors to understand the regulatory implications.
C. Escalate the issue to the CEO for insight.
D. Assume control ownership and collaborate with the IT teams of both organizations.
D is the correct answer.
Justification
Delegating responsibility solely to the IT teams of the merging organizations may result in fragmented efforts and inconsistencies in addressing security risk. The chief information security officer (CISO) should provide leadership and coordination to ensure a cohesive approach to security across the merged entity.
While legal counsel and external auditors can provide valuable guidance on regulatory compliance and risk management, they may not have the technical expertise required to address specific security challenges related to IT infrastructure integration.
While the CEO should be kept informed of significant security concerns, escalating the issue to the CEO may not be necessary at this stage unless there are broader strategic implications, or the risk poses an imminent threat to the organization. The CISO should first work with relevant stakeholders, including both IT teams, to assess and address the identified risk before considering escalation to senior leadership.
The CISO should be responsible for owning and assessing the risk related to data confidentiality and access controls, as it falls within their domain of expertise and responsibility. Collaborating with the IT teams of both organizations is crucial because the merger involves integrating the IT infrastructures of both entities. By working together, they can assess the existing security measures, identify gaps or conflicts, and develop a unified approach to mitigate the risk effectively.
181
Control objectives are MOST closely aligned with:
A.risk tolerance.
B.criticality.
C.risk appetite.
D.sensitivity.
C is the correct answer.
Justification
Risk tolerance is the acceptable level of deviation from acceptable risk and is not directly affected by control objectives.
Criticality is the importance to the business and is one of the considerations when control objectives are set in addition to potential impact, exposure, cost and feasibility of possible controls. However, criticality plays a lesser role in relationships between risk and control. Criticality is more a need for the business than a control to reduce risk for the environment.
Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. Control objectives are set so that controls can be designed on that basis.
Sensitivity is the potential impact of unauthorized disclosure, which is one of the considerations in control objectives but is not a control itself. Sensitivity creates risk, which is weighed against the controls put in place to reduce that risk, but sensitivity is an identification marker or classification of data for a control and does not define acceptable risk.
182
An information security manager reviewing user access to a critical business application to ensure that users have rights aligned with their job responsibilities notes many instances of excessive access. Which of the following individuals would be the PRIMARY contact to inform regarding this risk?
A.Application owner
B.Users' manager
C.Security manager
D.Database administrator
A is the correct answer.
Justification
The application owner should be informed about any potential risk to make appropriate decisions.
The users' manager is responsible for access to the application; however, the application owner is the primary contact in this case.
Security would not be immediately informed of this risk unless determined by the application owner.
The database administrator is responsible for revoking access if determined by the application owner.
183
A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an enterprise. There is disagreement between the information security manager and the business department manager who will be responsible for evaluating the results and identified risk. Which of the following would be the BEST approach of the information security manager?
A.Acceptance of the business manager’s decision on the risk to the corporation
B.Acceptance of the information security manager’s decision on the risk to the corporation
C.Review of the risk assessment with executive management for final input
D.Create a new risk assessment and BIA to resolve the disagreement
C is the correct answer.
Justification
This is not the best approach, as the business manager is likely to be focused on getting the business done as opposed to managing the risk posed to the enterprise.
The typical information security manager is focused on risk and may overestimate risk by considering worst-case scenarios rather than the most probable events.
Executive management will be in the best position to consider the big picture and the trade-offs between security and functionality for the entire enterprise.
There is no indication that the assessments are inadequate or defective in some way; therefore, repeating the exercise is not warranted.
184
Which of the following factors would be MOST influential in assigning a risk owner to a specific risk?
A. Risk appetite and risk tolerance levels of the enterprise
B. The impact level of the risk on the assets in the custody of the individual
C. An individual’s authority level and the risk’s relevance to the individual’s role
D. Risk management and reporting capabilities of the individual monitoring the risk
C is the correct answer.
Justification
A risk owner is assigned for risk that exceeds the organization’s set risk appetite and risk tolerance levels. Considerations regarding risk appetite and risk tolerance do not influence the assignment of a specific owner to a risk.
Asset ownership and custody shows relevance of the risk to the individual’s job functions. The level of impact associated with the potential risk of asset loss does not influence the selection of a risk owner, but it does influence the risk rating.
A risk owner should be an individual whose job function is relevant to the risk and who has the authority to make decisions about the risk.
Managing and reporting risk are among the risk owner’s main responsibilities, but associated skills are not the main criteria for why an individual is selected as the risk owner.
185
The board of a healthcare company has a low risk appetite for compromises of confidential information. The information security manager notes that employees have been issued laptops to help them perform their duties. Which of the following device controls will BEST protect the data stored on it, if the device is lost or stolen?
A. Data loss prevention software
B. Full-disk encryption
C. Workstation firewall
D. Antivirus software
B is the correct answer.
Justification
Data loss prevention software ensures data is classified and confidential information cannot be leaked to unauthorized parties. It deals with data in transit and not data stored; therefore, it cannot protect the confidentiality of data in storage.
Full-disk encryption ensures that data stored in a laptop cannot be accessed by third parties even if they remove the hard disk and attempt to install it in another computer.
A workstation firewall can prevent malicious network connections to a device. It cannot protect the confidentiality of stored data.
Antivirus software can protect a laptop against viruses by scanning operating system files. It does not protect data stored on hard disks from being accessed by malicious third parties.
186
An organization is adopting a bring-your-own-device (BYOD) policy. The IT department is concerned about the increased risk of unauthorized access and data breaches. What is the BEST action to take regarding risk and control ownership?
A. Create a BYOD policy and update the acceptable use policy to include a reference to BYOD.
B. Determine the risk and transfer the risk to an external insurance provider.
C. Assess the risk and delegate control ownership to the IT department.
D. Collaborate with the chief risk officer (CRO) to assess and manage the risk.
D is the correct answer.
Justification
While the bring-your-own-device (BYOD) and acceptable use policies define the employees’ responsibilities concerning the device, the policy-based directive is not sufficient to minimize the risk of unauthorized access and data breaches.
While cyber insurance can provide financial protection in the event of a data breach or other security incident, it does not address the underlying risk or prevent it from occurring.
Delegating control ownership to the IT department alone may overlook the broader organizational implications of implementing a BYOD policy. While the IT department plays a crucial role in implementing technical controls and managing IT infrastructure, managing the risk associated with BYOD requires a multidisciplinary approach involving collaboration across different departments, including risk management, legal, HR, and compliance. Additionally, effective risk management requires involvement and oversight from senior leadership to ensure that risk is adequately addressed and aligned with organizational objectives.
Implementing a BYOD policy introduces new risk related to unauthorized access and data breaches, which requires a comprehensive risk assessment and management approach. Collaborating with the chief risk officer (CRO) ensures that the risk associated with BYOD is evaluated holistically and in alignment with the organization’s overall risk management strategy.
187
What is the BEST document that helps in resolving issues with roles and responsibilities of outsourced providers?
A. External audit report
B. Service level agreement
C. Security policy
D. Memorandum of understanding
B is the correct answer.
Justification
An external audit report is an attestation that an organization is conforming to certain requirements, but it does not address roles and responsibilities of third parties.
A service level agreement clearly states which party is responsible for each aspect of a service and states the penalties/incentives for performance.
A security policy is essential as it shows management’s intention with regard to outsourcing; however, it does not address roles and responsibilities.
A memorandum of understanding is only a letter of intent; it does not address roles and responsibilities.
188
An organization using an artificial intelligence (AI)-integrated application has implemented restricted access control mechanisms to protect against unauthorized modification or tampering with the learning data. Which of the following is the MOST appropriate role to designate as the owner of this control?
A. Business process manager
B. Information security manager
C. Board of directors
D. IT system manager
D is the correct answer.
Justification
In this case, the business process manager does not have the technical expertise to effectively implement, assess, monitor, manage, design, and modify (when needed) access control mechanisms.
An information security manager can be consulted by the control owner for the given control implementation, design, and modification but typically does not perform routine control effectiveness activities.
The board of directors can be risk owners of strategic risk, but they typically are not control owners.
A control owner is responsible for ensuring that the control is implemented and is operating effectively and efficiently. Only technically capable personnel, such as an IT system manager, can best implement, assess, monitor, manage, design, and modify (when needed) access control mechanisms.
189
In an environment where ownership of risk and related controls is assigned to different individuals, the MAIN responsibility of the risk owner is to:
A. analyze and evaluate identified risk with the help of the business entity.
B. oversee and measure the effectiveness of the associated controls.
C. determine risk appetite and tolerance levels for acceptable risk.
D. decide on a risk response option and select the appropriate controls.
D is the correct answer.
Justification
The risk owner’s primary role is not to assess and evaluate risk, although risk owners may be involved during the risk assessment process. The risk owner’s main responsibilities are more closely related to decision-making about the management of the risk.
The owner of a risk should also own any associated controls and be held accountable for ensuring the monitoring of their effectiveness. A risk owner’s main duty is not to oversee and measure the associated controls if there are individual control owners. The control owner is responsible for oversight and measurement of the controls to make sure they are effective. Control owners are responsible for adequacy of the control environment.
Risk appetite and tolerance levels are determined and approved by executive management and not necessarily by risk owners. Risk owners must ensure that these levels are determined in order to select the most appropriate risk response.
The risk owner is accountable for properly managing any given risk to an acceptable level. Therefore, the risk owner decides on which risk response options are selected, which controls are selected, and which resources are assigned. The risk owner also monitors risk and makes sure that it remains at an acceptable level.
190
The PRIMARY reason to consider information security during the first stage of a project life cycle is:
A.the cost of security is higher in later stages.
B.information security may affect project feasibility.
C.information security is essential to project approval.
D.it ensures proper project classification.
B is the correct answer.
Justification
Introducing security at later stages can cause projects to exceed budgets and can create issues with project schedules and delivery dates, but these outcomes are generally avoided if security issues are assessed in feasibility.
Project feasibility can be directly impacted by information security requirements and is the primary reason to introduce information security requirements at this stage. The cost of security must be factored into any business case that will support project feasibility, and sometimes the cost of doing something securely exceeds the benefits that the project is anticipated to produce.
Project approval is a business decision that may be influenced by information security considerations, but they are not essential.
Considering information security during the first stage will not ensure proper project classification.
191
An organization is scheduled to launch an interactive customer relationship management (CRM) system that uses artificial intelligence (AI) and machine learning (ML) features to enhance the customer experience. Who is the PRIMARY owner of the risk and controls in this scenario?
A. The information security manager
B. The risk and compliance function manager
C. The business process owner
D. The IT research manager
C is the correct answer.
Justification
The information security manager’s role is to ensure that adequate safeguards are in place before the launch of the customer relationship management (CRM) system and to continually monitor the operation of the controls. The information security manager acts as the subject matter expert for all related issues.
The risk and compliance function is the second line of defense; the manager’s role is to ensure that the business process owner is aware of the risk that exists before initial controls are put in place, that the residual risk is known after controls are put in place, and that the residual risk does not exceed the risk appetite set by the governing body of the organization.
The business process owner is the first line of defense and primarily owns all the risk and controls affecting CRM system.
The IT research team’s role is to develop feasible solutions; its members would not be appropriate owners of the risk associated with business solution implementations.
192
The research and development (R&D) department is considering integrating generative artificial intelligence (AI) models into the product development process to automate the generation of code snippets and enhance productivity. Which of the following would BEST address risk and control ownership of this AI implementation?
A. Designating the responsibility for overseeing generative AI models to the R&D department as its staff are the experts on the system
B. Outsourcing the development and management of generative AI models to a specialized AI vendor to transfer risk
C. Allocating additional budget to the R&D department for training programs on how to use generative AI effectively
D. Implementing a comprehensive review process for generated code snippets, involving both automated and manual code reviews
D is the correct answer.
Justification
Designating the responsibility solely to the research and development (R&D) department may lead to siloed decision-making and overlook other important aspects of risk management, such as security and compliance. Effective risk management requires involvement from multiple departments to ensure that all relevant risk is addressed.
While outsourcing the development of artificial intelligence (AI) models to a specialized vendor may alleviate some resource burdens, it does not absolve the company from ultimate responsibility for the performance and security of AI algorithms. Effective risk management entails active involvement and oversight by internal stakeholders.
While investing in training programs for software developers is important, effective risk management requires a holistic approach involving multiple departments. Allocating resources exclusively to R&D may neglect other critical aspects of risk management, such as compliance considerations.
The implementation of a comprehensive review process for generated code snippets, involving both automated tools and manual reviews by experienced developers, ensures that the code produced by generative AI models meets coding standards and is free from potential security vulnerabilities, thus demonstrating effective risk and control ownership.
193
Once the objective of performing a security review has been defined, the NEXT step for the information security manager is to determine:
A.constraints.
B.approach.
C.scope.
D.results.
C is the correct answer.
Justification
Constraints must be determined to understand the limits of the review, but this is not the next step
Approach must be defined after scope and constraints.
Scope is defined after objectives are determined.
Results are last after scope, constraints and approach.
194
When defining risk and control ownership within an organization’s governance structure, which of the following BEST describes the responsibility of control owners? Control owners are:
A. accountable for updating risk management policies based on outcomes of control monitoring.
B. tasked with monitoring and reporting on the effectiveness of risk management processes.
C. required to approve all risk treatment decisions made by the risk management team.
D. responsible for implementing and maintaining specific controls to mitigate identified risk.
D is the correct answer.
Justification
Control owners are not accountable for updating risk management policies.
While control owners may monitor control performance, they are typically not responsible for monitoring and reporting on risk management processes.
Approving risk treatment decisions is typically performed by other stakeholders within the risk management process, such as risk managers, risk analysts or executive management.
Control owners are responsible for implementing and maintaining specific controls designed to mitigate identified risk. This includes ensuring that controls are effectively designed, implemented, and operated. It also includes overseeing their effectiveness and making necessary adjustments.
195
An artificial intelligence (AI) startup is currently collaborating with a healthcare organization on a generative AI project. Sensitive health data is shared by the healthcare organization to generate therapeutic predictions. Which of the following PRIMARILY is responsible for deciding on the controls to remediate the project risk associated?
A. The head data scientist of the startup
B. The IT security manager of the healthcare organization
C. The owner of the health data shared for the project
D. The legal representative overseeing the collaboration
C is the correct answer.
Justification
While the head data scientist plays a pivotal role in the startup, especially concerning the effective use of data, risk evaluation and remediation decisions are more suited to the owner of the health data.
The IT security manager of the healthcare organization would be involved in securing the IT infrastructure and providing control options, but the responsibility of decision-making on control options should primarily rest with the data owner.
The owner of the sensitive health data used for this project is responsible for making the decisions on the controls used to remediate the associated risk.
While the legal representative oversees the legalities of the collaboration, the main responsibility for control decision-making rests with the data owner.
196
Which of the following positions is MOST appropriate to approve an exception to a control implemented to mitigate IT-related risk?
A. Head of IT
B. Risk owner
C. Control owner
D. Risk manager
B is the correct answer.
Justification
The head of IT may consult with the risk owner on exception approvals, but they would not approve the exception.
The risk owner is accountable for the loss due to risk and, therefore, would be the proper person to approve exceptions to the control.
The control owner is responsible for ensuring that the control is effective in managing risk at an acceptable level but may not be accountable for loss due to risk.
The risk manager helps the business and IT in identifying and assessing risk and deciding risk response options but may not be accountable for loss due to risk.
197
Which of the following BEST demonstrates effective risk and control ownership when adopting blockchain technology for secure financial transaction processing?
A. Establishing a dedicated blockchain governance committee comprised of representatives from various departments to oversee the initiative
B. Transferring the responsibility for blockchain security and compliance to the IT department to standardize security protocols and procedures across all blockchain applications.
C. Outsourcing the development and management of blockchain infrastructure to a third-party vendor specialist in blockchain technologies
D. Allocating additional budget resources exclusively to the IT department to invest in blockchain training programs for IT staff
A is the correct answer.
Justification
The establishment of a dedicated blockchain governance committee involving representatives from various departments ensures that different stakeholders are involved in decision-making processes related to blockchain adoption, thus promoting effective risk management and control ownership.
Transferring the responsibility solely to the IT department might lead to siloed thinking and to overlooking important aspects such as legal, compliance, and operational risk associated with blockchain implementation. This approach does not promote effective risk and control ownership.
While outsourcing blockchain infrastructure management to a third-party vendor may alleviate some operational risk, it doesn’t absolve the financial institution from ultimate responsibility for security and compliance. Effective risk management entails active involvement and oversight by internal stakeholders.
While investing in blockchain training programs for IT staff is important, effective risk management requires a holistic approach involving multiple departments. Allocating resources exclusively to IT may neglect other critical aspects of blockchain governance, such as legal and compliance considerations.
198
Who is MOST likely to be identified as a risk owner by senior management for the risk associated with Internet-facing application security?
A. The individual responsible for providing, developing, and maintaining the application
B. The risk manager with expertise in testing the Internet-facing application for vulnerabilities
C. The individual accountable for loss due to affected IT services in business functions
D. The independent expert identifying risk associated with Internet-facing applications
C is the correct answer.
Justification
Application development and maintenance staff may not be accountable for loss due to breaches of application security. They are responsible for supporting and closing the issues.
The risk manager is responsible for guiding risk owners in making risk-related decisions but despite having expertise in application testing may not be accountable for loss due to risk.
A risk owner is a senior individual with the authority and budget necessary to work with the business function that owns the application and assumes accountability for loss due to risk that might impact IT services provided by the application.
An independent expert is an external person and cannot be accountable for loss to the business.
199
What is the PRIMARY benefit for appointing the same individual as the owner of a risk and its associated controls?
A. To ensure that an appropriate individual is assigned to the risk
B. To assess controls more effectively
C. To ensure timely action is taken on control deficiencies
D. To report changes in the risk accurately
C is the correct answer.
Justification
Identifying new risk is part of the risk owner’s and risk practitioner’s responsibilities. Control ownership does not play a role in the early identification of new risk.
Effective assessment of controls depends on the control owner’s capabilities and the effectiveness of the control assessment tools and techniques. Having the same person as the control owner and the risk owner can improve assessment efficiency but not assessment effectiveness.
Risk owners need regular feedback and conduct ongoing evaluation of control results from control owners to make risk-related decisions. If the risk owner also owns the controls, the feedback loop is shorter, and deficiencies can be addressed more quickly.
Accurate reporting of risk changes depends on effective risk reporting channels, reporting techniques, and target audience requirements. Accurate reporting is not impacted by control ownership.
200
The information security policies of an enterprise require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should:
A.extend the information security awareness program to include employees of the regulatory authority.
B.send the report without encryption on the authority of the regulatory agency.
C.initiate an exception process for sending the report without encryption.
D.refuse to send the report without encryption.
C is the correct answer.
Justification
Although this choice may not be possible, the information security manager can discuss and understand the reason for insisting on an unencrypted report and try to convince the regulatory authority.
If the information security manager chooses to ignore the regulatory authority’s request (which may not be possible in many parts of the world), it is necessary that a comparative risk assessment be conducted.
The information security manager should first assess the risk in sending the report to the regulatory authority without encryption. The information security manager can consider alternate communication channels that will address the risk and provide for the exception.
The information security policy states that confidential information must be encrypted when sent to external entities. The information security manager’s role is to find a way within the policy to complete the task. The best way to do this is to initiate an exception.
201
Which of the following is the MOST appropriate to communicate to senior management to enable them to make ongoing, timely decisions on current information security risk?
A.Information security risk assessment results
B.Key risk indicators related to critical business assets
C.Internal and external loss historical data
D.Information security risk scenario analysis results
B is the correct answer.
Justification
Information risk assessments mostly focus on an enterprise’s future risk. Although the risk assessment compares current controls against future and current risk, risk assessments cannot be conducted continuously.
Key risk indicators (KRIs) focus on the current risk and serve as an early warning of a potential risk. Reporting KRIs to senior management would help them make decisions on current risk, such as adjusting or replacing the controls that are mitigating them. KRIs continuously alert senior management to make management risk decisions.
Internal and external loss data show past information risk but not current risk.
Risk scenario analysis data are based on future possibilities and do not accurately show the current state of risk.
202
Finding that a lack of adequate compliance with a set of standards poses a significant risk, an information security manager should FIRST:
A.review and modify policy to address the risk.
B.create a new set of guidelines to reduce the risk.
C.advise management of the risk and possible consequences.
D.determine whether the standards are consistent with policy.
C is the correct answer.
Justification
The extent of risk mitigation is a business decision, so any action taken to address or reduce risk must be based on input from the business.
The extent of risk mitigation is based on policy, which is defined with input from the business.
If a lack of compliance with standards creates a significant risk, the information security manager should assess possible consequences and advise appropriate managers to determine whether it is acceptable risk.
It is generally useful to determine whether standards reflect the intent of policy, but the main purpose of policies is to address risk that might not be included in standards.
203
An information security manager observed a high degree of noncompliance for a specific control. The business manager explained that noncompliance was necessary for operational efficiency. The information security manager should:
A.evaluate the risk due to noncompliance and suggest an alternative control.
B.ignore the issue of operational efficiency and insist on compliance for the control.
C.change the security policies to reduce the amount of noncompliance risk.
D.conduct an awareness session for the business manager to emphasize compliance.
A is the correct answer.
Justification
The information security manager must consider the business requirements of the control and assess the risk of noncompliance.
Information security cannot ignore issues related to operational efficiency. The business can decide to accept the risk.
Changing the information security policies may not reduce the risk.
Conducting an awareness session may be a good idea, but it may not resolve the issue in this situation.
204
The effectiveness of managing business risk is BEST measured by the number of:
A.significant IT-related incidents that were not identified during risk assessment.
B.security assessments compliant with organizational standards and guidelines.
C.vulnerabilities identified by risk assessment and not properly mitigated.
D.security incidents causing significant financial loss or business disruption.
D is the correct answer.
Justification
Identification of incidents is only one part of effective risk management. If impact is not limited to acceptable levels, the program is not effective. Merely identifying incidents through a risk assessment is insufficient to limit impact.
While compliance is important, it is only one aspect of risk management. If impact is not limited to acceptable levels, the program is not effective. Demonstrating that a program is compliant is not a measure of the effectiveness of limiting impact.
Identifying unmitigated vulnerabilities is insufficient without knowledge of potential threats, impacts and control measures to determine the potential effectiveness of the risk management program.
The goal of risk management is to limit impact and minimize business disruptions. Each instance of a security incident that causes significant financial loss or business disruption is an indication of inadequate risk management.
205
Which of the following would BEST provide insight into the potential for unauthorized access or malicious cybersecurity attacks on an enterprise?
A.Network scanning
B.Password management
C.Ethical hacking
D.Application database monitoring
C is the correct answer.
Justification
Network scanning only looks for open ports and services at the network level and not at a systems level.
Password management is focused on enforcing the password policy for minimum password criteria.
Ethical hacking is supervised hacking done to identify potential threats to a system or network. This helps to identify if unauthorized access or malicious attacks are possible.
Application database monitoring focuses primarily on performance of the specific application and would not provide insight into the entire enterprise.
205
Which of the following is the MOST important element to consider when planning what to report to senior management related to information security risk?
A.Business objectives
B.Program metrics
C.Risk tolerance
D.Control objectives
A is the correct answer.
Justification
The link of the risk to business objectives is the most important element that would be considered by senior management.
Information security program metrics should be provided in the context of impact to business objectives.
Risk tolerance is a baseline established by senior management, but the business objectives provide scope to risk management activities.
Control objectives are an input for assessing risk.
206
With which of the following business functions is integration of information security MOST likely to result in risk being addressed as a standard part of production processing?
A.Quality assurance
B.Procurement
C.Compliance
D.Project management
A is the correct answer.
Justification
Quality assurance uses metrics as indicators to identify systemic problems in processes that may result in unacceptable levels of output quality. Because this monitoring is intended to be effectively continuous as a matter of statistical sampling, integrating information security with quality assurance helps to ensure that risk is addressed as a standard part of production processing.
Procurement approves initial acquisitions, but it has no involvement in implementation or production monitoring.
Compliance focuses on legal and regulatory requirements, which represent a subset of overall risk.
The involvement of the project management office is typically limited to planning and implementation.
206
Addressing risk at various life cycle stages is BEST supported by:
A.change management.
B.release management.
C.incident management.
D.configuration management.
A is the correct answer.
Justification
Change management is the overall process to assess and control risk introduced by changes. It is involved in the greatest range of the system life cycle.
Release management is the specific process to manage risk of production system deployment.
Incident management is not directly relevant to life cycle stages.
Configuration management is the specific process to manage risk associated with systems configuration, but change management addresses a broader range of risk.
207
Which of the following is the PRIMARY reason for implementing a risk management program? A risk management program:
A.allows the enterprise to eliminate risk.
B.is a necessary part of management’s due diligence.
C.satisfies audit and regulatory requirements.
D.assists in increasing the return on investment.
B is the correct answer.
Justification
The elimination of risk is not possible.
The key reason for performing risk management is that it is an essential part of management’s due diligence.
Satisfying audit and regulatory requirements is of secondary importance.
A risk management program may or may not increase the return on investment.
208
Which of the following choices would be the BEST measure of the effectiveness of a risk assessment?
A.The time, frequency and cost of assessing risk
B.The scope and severity of new risk discovered
C.The collective potential impact of defined risk
D.The percentage of incidents from unknown risk
D is the correct answer.
Justification
The time and cost of performing a risk assessment is not an indicator of its effectiveness in discovering new risk.
The scope and severity of new risk discovered is a useful indicator, but it is not as good a measure of effectiveness as the risk that is not uncovered and leads to a security incident.
The potential impact of defined risk is a secondary measure that may be useful in determining the extent of remedial actions to consider.
Incidents that result from unidentified risk are the best indicators of how well the risk assessment served to discover risk, thereby indicating effectiveness.
209
Which of the following is the MOST important reason to include an effective threat and vulnerability assessment in the change management process?
A.To reduce the need for periodic full risk assessments.
B.To ensure that information security is aware of changes.
C.To ensure that policies are changed to address new threats.
D.To maintain regulatory compliance.
A is the correct answer.
Justification
By assessing threats and vulnerabilities during the change management process, changes in risk can be determined and a risk assessment can be updated incrementally. This keeps the risk assessment current without the need to complete a full reassessment.
Information security should have notification processes in place to ensure awareness of changes that might impact security other than threat and vulnerability assessments.
Policies should rarely require adjustment in response to changes in threats or vulnerabilities.
While including an effective threat and vulnerability assessment may assist in maintaining compliance, it is not the primary reason for the change management process.
209
Which of the following situations would be the PRIMARY candidate for a risk reassessment in an enterprise?
A.The antivirus management console has flagged two user laptops with outdated antivirus signatures.
B.The key software solution vendor has been bought by an unknown enterprise.
C.An incident of tailgating into the facility has been reported by an employee.
D.The enterprise’s email filters are picking up more spam in recent months.
B is the correct answer.
Justification
The existing control (antivirus management console) is working effectively to identify the gaps, and it is alerting the relevant people.
Given that not much is known about the enterprise acquiring the vendor, a risk reassessment is required to identify and manage any supply chain risk. Acquisition is considered a major change that would require risk reassessment.
The reported incident would have been managed in keeping with the enterprise’s incident management process.
The existing control (email filter) is working effectively to identify the gaps and alerting the relevant people.
209
Which of the following should be understood before defining risk management strategies?
A.Risk assessment criteria
B.Organizational objectives and risk appetite
C.IT architecture complexity
D.Enterprise disaster recovery plans
B is the correct answer.
Justification
The assessment criteria are not relevant to defining risk management strategies.
The risk management strategy must be designed to achieve organizational objectives and to provide adequate controls to limit risk to be consistent with the risk appetite.
IT architecture complexity may pose a challenge to the risk assessment process but should not affect the risk management strategy directly.
Disaster recovery plans are an element of the risk management strategy but are addressed by organizational objectives and risk appetite.
210
Which of the following BEST helps information security managers to report changes in risk levels based on compliance with controls implemented to mitigate risk?
A.Lead indicators
B.Predictive analysis
C.Lag indicators
D.Incident reports
C is the correct answer.
Justification
Lead indicators analyze the existing level of compliance and predict future compliance levels based on the findings. This helps in decision-making, but predictions may change.
Predictive analysis helps in determining lead indicators.
Lag indicators provide information about the performance of controls after control execution. Noncompliance of controls indicates elevation in risk levels. Timely reporting of noncompliance helps risk owners in decision-making.
Incident reports help in reporting noncompliance but they are useful only after risk has materialized.
211
After a risk assessment study, a bank with global operations decided to continue conducting business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to:
A.increase its customer awareness efforts in those regions.
B.implement monitoring techniques to detect and react to potential fraud.
C.outsource credit card processing to a third party.
D.make the customer liable for losses if they fail to follow the bank’s advice.
B is the correct answer.
Justification
While customer awareness helps mitigate risk, this is insufficient on its own to control fraud risk.
Implementing monitoring techniques, which will detect and deal with potential fraud cases, is the most effective way to deal with this risk.
If the bank outsources its processing, the bank still retains liability.
While it is an unlikely possibility to make the customer liable for losses, the bank needs to be proactive in managing risk.
212
An information security manager is performing a security review and determines that not all employees comply with the access control policy for the data center. The FIRST step to address this issue should be to:
A.assess the risk of noncompliance.
B.initiate security awareness training.
C.prepare a status report for management.
D.increase compliance enforcement.
A is the correct answer.
Justification
Assessing the risk of noncompliance will provide the information needed to determine the most effective remediation requirements.
If awareness is adequate, training may not help and increased compliance enforcement may be indicated.
A report may be warranted but will not directly address the issue that is normally a part of the information security manager’s responsibilities.
Increased enforcement is not warranted if the problem is a lack of effective communication about security policy.
213
An enterprise’s IT change management process requires that all change requests be approved by the asset owner and the information security manager. The PRIMARY objective of getting the information security manager’s approval is to ensure that:
A.changes comply with security policy.
B.risk from proposed changes is managed.
C.rollback to a current status has been considered.
D.changes are initiated by business managers.
B is the correct answer.
Justification
A change affecting a security policy is not handled by an IT change process.
Changes in the IT infrastructure may have an impact on existing risk. An information security manager must ensure that the proposed changes do not adversely affect the security posture.
Rollback to a current state may cause a security risk event and is normally part of change management, but it is not the primary reason that security is involved in the review.
The person who initiates a change has no effect on the person who reviews and authorizes an actual change.
214
Which of the following BEST describes the outcome of effective risk management?
A.Allows an enterprise to obtain a continuous overview of vulnerabilities
B.Measures the feasibility of systems compromise and evaluates any related consequences
C.Determines the gap between controls and controls objectives
D.Reduces the incidence of significant adverse impact on an enterprise
D is the correct answer.
Justification
Vulnerability management is a component of risk management. However, a risk management program that does not reduce significant adverse impacts is not effective.
Penetration testing, which is a technique for vulnerability assessment, measures the feasibility of systems compromise and evaluates any related consequences. However, unless significant adverse impact to the enterprise is reduced, a risk management program is ineffective.
Gap analysis determines the gap between controls and controls objectives. However, unless identified gaps are addressed in ways that result in reduced impact to the enterprise, the risk management program is ineffective.
Effective risk management serves to reduce the incidence of significant adverse impacts on an enterprise either by addressing threats, mitigating exposure, or reducing vulnerability or impact.
215
Which of the following BEST supports continuous improvement of the risk management process?
A.Regular review of risk treatment options
B.Classification of assets in order of criticality
C.Adoption of a maturity model
D.Integration of assurance functions
C is the correct answer.
Justification
Risk treatment is an element of the risk management process. Elements such as risk identification, risk communication and acceptance also need to be considered.
Classification of assets is important but is an element of the risk management process and is not sufficient to ensure continuous improvement.
A maturity model such as the capability maturity model (CMM) can be used to classify an enterprise as initial, repeatable, defined, managed or optimized. As a result, an enterprise can easily know where it falls and then start working to reach the optimized state.
There are many benefits from integrating assurance functions. However, this is not a holistic approach because the best of assurance functions will be reactive if risk management does not cascade through the entire enterprise. Measures must be taken to ensure that all staff members, rather than only the assurance functions, are risk conscious.
216
What is the MOST essential attribute of an effective key risk indicator (KRI)? The KRI:
A.is accurate and reliable.
B.provides quantitative metrics.
C.indicates required action.
D.is predictive of a risk event.
D is the correct answer.
Justification
Key risk indicators (KRIs) usually signal developing risk but do not indicate what the actual risk is. This option is not a most essential attribute since KRIs are neither accurate nor reliable.
KRIs typically do not provide quantitative metrics about risk.
KRIs will not indicate that any particular action is required other than to investigate further.
The most essential attribute is that a KRI should be predictive and indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.
217
During a third-party assessment of an information security system, the assessment team leader is informed that the vulnerability scanning team has not been providing information related to all critical and high vulnerabilities to system stakeholders. What is the FIRST action the assessment team leader should take?
A.Inform management of the finding
B.Request a full vulnerability scan report from the vulnerability scanning team
C.Inform the vulnerability scanning team leader of the finding
D.Inform the system owner of the finding
A is the correct answer.
Justification
Managers (i.e., risk manager, information security manager) need to be informed of this finding so they can take corrective actions related to missed critical and high vulnerabilities and inform senior management of the risk.
Requesting a full vulnerability scan of the system may uncover problems with the scanning software, weaknesses in team processes and procedures, and misunderstandings in roles and responsibilities. However, management needs to be aware of the issue and determine the next steps.
A meeting with the team leader may not be sufficient to address the risk as the problem may be with the manager, staff training, processes or other causes.
Informing the system owner should occur, but it would not be the first step.
218
Which of the following is the MOST cost-effective approach to test the security of a legacy application?
A.Identify a similar application and refer to its security weaknesses.
B.Recompile the application using the latest library and review the error codes.
C.Employ reverse engineering techniques to derive functionalities.
D.Conduct a vulnerability assessment to detect application weaknesses.
D is the correct answer.
Justification
Many applications that appear to be functionally similar may be remarkably dissimilar at the code implementation level. Even a newer version of the same software may have been entirely rewritten, and any software developed in-house is necessarily unique to the environment.
Recompiling a legacy application is possible only when source code is available. It may not function properly if underlying libraries or coding standards have changed.
Reverse engineering a legacy application is likely to cost significantly more than a vulnerability assessment and deriving the functionalities of the application is not the goal.
Identifying vulnerabilities will allow an enterprise to determine what compensating controls may be needed to continue operating a legacy application where replacement is not an option. Vulnerability assessments are not necessarily comprehensive in all cases, but they are generally effective when planned properly.
218
An information security manager is advised by contacts in law enforcement that there is evidence that the company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FIRST step that the security manager should take is to:
A.perform a comprehensive assessment of the enterprise’s exposure to the hackers’ techniques.
B.initiate awareness training to counter social engineering.
C.immediately advise senior management of the elevated risk.
D.increase monitoring activities to provide early detection of intrusion.
C is the correct answer.
Justification
The security manager should assess the risk, but senior management should be immediately advised.
It may be prudent to initiate an awareness campaign after sounding the alarm if awareness training is not current.
Information about possible significant new risk from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat.
Monitoring activities should be increased after notifying management.
219
Which of the following choices would be the MOST significant key risk indicator?
A.A deviation in employee turnover
B.The number of packets dropped by the firewall
C.The number of viruses detected
D.The reporting relationship of IT
A is the correct answer.
Justification
Significant changes in employee turnover indicate that something of consequence is impacting the workforce, which deserves the attention of the information security manager. If many senior developers are leaving the research and development group, for instance, it may indicate that a competitor is attempting to obtain the enterprise’s development plans or proprietary technology.
An increase in the number of packets being dropped may indicate a change in the threat environment, but there is no impact unless legitimate traffic is being impacted. Therefore, the number of packets dropped is not an effective key risk indicator (KRI).
An increase in the number of viruses detected may indicate a change in the threat environment, but the increase in detected viruses also indicates that the threat is adequately countered by existing controls.
Changes in reporting relationships come about as a result of intentional business decisions, so the reporting relationship of IT is not a KRI.
220
Monitoring has flagged a security noncompliance. What is the MOST appropriate action?
A.Validate the noncompliance.
B.Escalate the noncompliance to management.
C.Update the risk register.
D.Fine-tune the key risk indicator threshold.
A is the correct answer.
Justification
Before any other action is taken, the security manager should ensure that the noncompliance identified by monitoring is not a false positive.
The escalation to management should not occur until more is known about the situation, and even then only if it is outside the security manager’s scope to address the issue.
Updating the risk register is one possible response to validated noncompliance.
Key risk indicator threshold changes would occur only if subsequent investigation found them to be necessary.
221
Which of the following choices represents the BEST attribute of key risk indicators?
A.High flexibility and adaptability
B.Consistent methodologies and practices
C.Robustness and resilience
D.The cost-benefit ratio
B is the correct answer.
Justification
High flexibility and adaptability are commendable attributes but do not provide a consistent baseline for determination of significant deviations.
Effective key risk indicators are the result of deviation from baselines. Consistent methodologies and practices establish baselines that represent the best attribute as they provide a stable point of reference for reporting progress.
Robustness and resilience are commendable attributes, but they do not provide a consistent baseline for determination of significant deviations.
The cost-benefit ratio is not a risk indicator.
222
Which of the following BEST indicates a successful risk management practice?
A.Overall risk is quantified.
B.Inherent risk is eliminated.
C.Residual risk is acceptable.
D.Control risk is tied to business units.
C is the correct answer.
Justification
The fact that overall risk has been quantified does not necessarily indicate the existence of a successful risk management practice.
Eliminating inherent risk is virtually impossible.
A successful risk management practice reduces residual risk to acceptable levels.
Although the tying of control risk to business may improve accountability, it is not as desirable as achieving acceptable residual risk levels.
223
Which of the following is MOST likely to initiate a review of an information security standard? Changes in the:
A.effectiveness of security controls.
B.responsibilities of department heads.
C.information security procedures.
D.results of periodic risk assessments.
D is the correct answer.
Justification
Changes in the effectiveness of security controls will require a review of the controls, not necessarily the standards.
Changes in the roles and responsibilities of department heads will not require a change to security standards, which will be captured during risk review.
Standards set the requirements for procedures, so a change in procedures is not likely to affect the standard.
Security policies need to be reviewed regularly in order to ensure they appropriately address the enterprise’s security objectives. A review of a security standard is prompted by changes in external and internal risk factors that are captured during risk assessment.
224
Which of the following is the MOST usable deliverable of an information security risk analysis?
A.Business impact analysis report
B.List of action items to mitigate risk
C.Assignment of risk to process owners
D.Quantification of organizational risk
B is the correct answer.
Justification
The business impact analysis report is a useful report primarily for future incident response and business continuity purposes but does not mitigate current risk.
List of action items to mitigate risk is the most useful in presenting direct, actionable items to address organizational risk.
Assigning risk is useful but does not by itself result in risk mitigation activities.
Quantification of risk does not directly result in risk mitigation activities.
225
Ongoing tracking of remediation efforts to mitigate identified risk can BEST be accomplished through the use of which of the following approaches?
A.Tree diagrams
B.Venn diagrams
C.Heat maps
D.Bar charts
C is the correct answer.
Justification
Tree diagrams are useful for decision analysis.
Venn diagrams show the connection between sets but are not useful in indicating status.
Heat maps, sometimes referred to as stoplight charts, quickly and clearly show the current status of remediation efforts.
Bar charts show relative size but are a less direct presentation approach to tracking status of remediation efforts.
