Risk Identification

Question 1

What should be the first step in risk identification?

Answer 1

work with business process owners to understand the way in which the organisation operates that is broad enough to include not only the organisation itself, but also any external dependencies and assumptions. This includes understanding the goals, values, objectives and ethics of the organisation

Question 2

How is risk capacity typically defined?

Answer 2

the objectives amount of loss an enterprise can tolerate without its continued existence being called into question

Question 3

Who in the organisation typically sets the risk appetite?

Answer 3

The owners or board of directors

Question 4

How is risk appetite typically defined?

Answer 4

The amount of risk that an entity on a broad level is willing to accept in pursuit of its mission.

Question 5

How is risk tolerance typically defined?

Answer 5

The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Question 6

Why should risk appetite and risk tolerance levels be communicated across an organisation?

Answer 6

• consistent implementation across units
• effective monitoring and communication of risk and changes in risk appetite
• consistent understanding of risk appetite and related tolerances or each organisational unit
• consistency between risk appetite, objectives and relevant reward systems

Question 7

Willingness to embrace, cautiously accept or avoid are commonly levels of what?

Answer 7

Risk culture

Question 8

What are the 3 elements of risk culture?

Answer 8

• Behaviour towards taking risk
• Behaviour towards policy compliance
• Behaviour toward negative outcomes

Question 9

What are the benefits of open communication on risk?

Answer 9

• More informed risk decisions by executive management due to an improved understanding of actual exposure and potential business impact
• stakeholders integrating risk management into their daily duties
• transparency to external stakeholders regarding risk management processes in use and level of risk facing the organisation

Question 10

What are some of the consequences of poor risk communication?

Answer 10

• False sense of confidence and unintentional acceptance due to ignorance of risk that exceeds organisations appetite
• Lack of direction or strategic planning
• Unbalanced communication of risk to external stakeholders, potentially leading to incorrect or negative perceptions by third parties.
• Perception that the organisation is trying to hide risk from stakeholders

Question 11

What are the 3 main types of IT risk information that should be communicated to the business?

Answer 11

1. Expectation
2. Capability
3. Status

Question 12

What is the definition of an impact analysis?

Answer 12

A study to prioritise the criticality of information resources for the enterprise based on cost or consequences of adverse events. Threats to assets are identified and potential business losses determined for different time periods. Used to justify the extent of safeguards, recovery time frames and recovery strategy

Question 13

What is an impact assessment?

Answer 13

A review of the possible consequences of a risk

Question 14

What is the difference between a threat and threat vector?

Answer 14

A threat is something capable of acting against an asset that could cause harm whereas a threat vector is the path or route used by the adversary to gain access to the target.

Question 15

What are the 4 common risk factors that should be considered when protecting an organisations assets?

Answer 15

• External Context
• Internal Context
• Risk Management Capabilities
• IT-related capabilities

Question 16

When discussing Risk Factors, what does the acronym EDM refer to?

Answer 16

Evaluate, direct and monitor

Question 17

When discussing Risk Factors, what does the acronym APO refer to?

Answer 17

Align, plan and organise

Question 18

When discussing Risk Factors, what does the acronym BAI refer to?

Answer 18

Build, acquire and implement

Question 19

When discussing Risk Factors, what does the acronym DSS refer to?

Answer 19

Deliver, service and support

Question 20

When discussing Risk Factors, what does the acronym MEA refer to?

Answer 20

Monitor, evaluate and assess

Question 21

The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)

A sound, colour, logo, saying or other distinctive symbol that is closely associated with a certain product or company

Answer 21

Trademark

Question 22

The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)

Protection of any work that is captured in a tangible form (e.g. written works, recordings, images, software, music, sculpture, dance)

Answer 22

Copyright

Question 23

The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)

Protection of research and ideas that led to the development of a new, unique and useful product to prevent the unauthorised duplication of the idea

Answer 23

Patent

Question 24

The following statement describes which Intellectual Property Term? (Trademark, Copyright, Patent, Trade secret)

A formula, process, design, practice or other form of secret business information that provides a competitive advantage to the organisation that possesses the information

Answer 24

Trade secret

Question 25

What are highly skilled attackers who are determined (persistent) in their attempts to exploit systems commonly referred as?

Answer 25

Advanced Persistent Threat (APT)

Question 26

What type type of threat best describes a situation that includes unusual activity on a system, repeated alarms, slow system or network performance, or new or excessive activity in logs where the organisation had evidence of those issues, but it wasn't noticed or there wasn't effective enough monitoring in place?

Answer 26

Emerging threats

Question 27

The emergence of new technologies introduced into an organisation often fall into which threat category? - Internal threats - External threats - Emerging threats

Answer 27

Emerging threats

Question 28

What 3 categorised do threats typically fall under?

Answer 28

- Internal Threats - External Threats - Emerging Threats

Question 29

The capability to perform analysis of data from various sources of structured and unstructured data is generally called what?

Answer 29

Big Data

Question 30

What are 3 common risks to consider when leveraging Big Data services?

Answer 30

- Amplified technical impact - Privacy (Data collection) - Privacy (Re-identification)

Question 31

What is Amplified Technical Impact in relation to Big Data?

Answer 31

If an unauthorised user were to gain access to centralised repositories, it puts the entirety of that data in jeopardy rather than a subset

Question 32

What are two forms of impact that a risk practitioner should consider?

Answer 32

- Impact due to loss of compromise of information | - Impact due to loss of compromise of an information system

Question 33

What are the 2 typical principles of confidentiality that should be considered when assessing risk?

Answer 33

Need to know and least privilege

Question 34

What does RACI stand for in relation to risk management?

Answer 34

Responsible Accountable Consulted Informed

Question 35

Which role in a RACI model does the following sentence describe: Individuals tasked with getting the job done, performing the actual work effort to meet the stated objectives

Answer 35

Responsible

Question 36

Which role in a RACI model does the following sentence describe: The single person liable or answerable in the completion of the task, who oversees or manages the people responsible for the work effort

Answer 36

Accountable

Question 37

Which role in a RACI model does the following sentence describe: Individuals who provide input data, advice feedback or approvals

Answer 37

Consulted

Question 38

Which role in a RACI model does the following sentence describe: Individuals who are kept up to date on progress and deliverables but not necessarily involved in work effort

Answer 38

Informed