Domain 4 - Risk and Control Monitoring and Reporting
R4-53. When would a risk professional ideally perform a complex enterprise wide threat analysis? A. On a yearly basis B. When malware is detected C. When regulatory requirements change D. Following a security incident
A. A complete threat analysis would be performed on a yearly basis, and it can be broken down into monthly or quarterly increments, if desired.
R4-75. What is the BEST approach to determine whether existing security control management meets the organizational needs? A. Perform a process maturity assessment. B. Perform a control self-assessment (CSA). C. Review security logs for trends or issues. D. Compare current and historical security test results.
A. A process maturity assessment can be used to determine the presence of the control as well as the reliable operation and maintenance of the control and determine any gaps between the desired and current state of the control.
R4-56. How can an enterprise determine the aggregated risk from several sources? A. Through a security information and event management (SIEM) system B. Through a fault tree analysis C. Through a failure modes and effects analysis D. Through a business impact analysis (BIA)
A. A security information and event management (SIEM) system will gather incident activity from several locations and prepare reports from risk trends and correlated events.
R4-4. Previously accepted risk should be: A. reassessed periodically because the risk can be escalated to an unacceptable level due to revised conditions. B. removed from the risk log once it is accepted. C. accepted permanently because management has already spent resources (time and labor) to conclude that the risk level is acceptable. D. avoided next time because risk avoidance provides the best protection to the enterprise.
A. Accepted risk should be reviewed regularly to ensure that the initial risk acceptance rationale is still valid within the current business context.
R4-35. Which of the following causes the GREATEST concern to a risk practitioner reviewing a corporate information security policy that is out of date? The policy: A. was not reviewed within the last three years. B. is missing newer technologies/platforms. C. was not updated to account for new locations. D. does not enforce control monitoring.
A. Not reviewing the policy for three years and updating it as necessary does not follow best practices and is the greatest concern.
R4-2. Which of the following is MOST essential for a risk management program to be effective? A. New risk detection B. A sound risk baseline C. Accurate risk reporting D. A flexible security budget
A. Without identifying new risk, other procedures will only be useful for a limited period.
R4-51. What is the MOST essential attribute of an effective key risk indicator (KRI)? A. The KRI is accurate and reliable. B. The KRI is predictive of a risk event. C. The KRI provides quantitative metrics. D. The KRI indicates required actions.
B. A KRI should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.
R4-34. An excessive number of standard workstation images can be categorized as a key risk indicator (KRI) for: A. change management. B. configuration management. C. IT operations management. D. data management.
B. An excessive number of unique workstation images is an indicator that poor configuration management processes are in place and that sufficient attention to actual business requirements has not been paid during the initial image definition.
R4-7. Which of the following MOST enables risk-aware business decisions? A. Robust information security policies B. An exchange of accurate and timely information C. Skilled risk management personnel D. Effective process controls
B. An exchange of information is a key area for management to be able to make risk-related decisions. Accuracy and timeliness of information are success factors.
R4-42. The MOST important reason for reporting control effectiveness as part of risk reporting is that it: A. enables audit reporting. B. affects the risk profile. C. requires mitigation. D. helps manage the control life cycle.
B. Changes may render a control ineffective and allow a vulnerability to be exploited. Changes in control may also strengthen the enterprise's risk profile (e.g., in cases where highly manual process are automated).
R4-45. Which of the following BEST helps the risk practitioner identify IS control deficiencies? A. An IT control framework B. Defined control objectives C. A countermeasure analysis D. A threat analysis
B. Controls are deployed to achieve the desired objectives based on risk assessment and to meet the business requirements.
R4-89. Which of the following choices is MOST important to ensure meaningful reporting of key risk indicators (KRIs)? Data are extracted from: A. a variety of control types. B. a representative sample. C. automated systems. D. direct sources.
B. Data extracted from a representative sample is going to provide the most meaningful reporting because multiple controls will be taken into consideration to derive the current level of risk.
R4-70. What is the MOST important factor in the success of an ongoing information security monitoring program? A. Logs that capture all network and application traffic for later analysis B. Staff who are qualified and trained to execute their responsibilities C. System components all have up-to-date patches D. A security incident and event management (SIEM) system is in place
B. Information security monitoring requires the gathering and analysis of data and reporting the results to management. This requires staff who are trained in using the tools , generating the data requests, performing the analysis and being able to communicate effectively. Not having staff with adequate training will result in a monitoring effort that may be inaccurate, incomplete or may miss critical trends.
R4-98. Which of the following activities is related to the use of key performance indicators (KPIs) for management of technology controls. A. Conducting a threat modeling exercise for technology used by a business line B. Measurement of control effectiveness to determine that business requirements are being met C. Implementation of controls to meet control objectives D. Monitoring the threat environment for changes in probability of key risk events
B. Key performance indicators (KPIs) can be used to determine whether a control is operating within management-specified requirements.
R4-13. Where are the key risk indicators (KRIs) MOST likely identified when initiating risk management across a range of projects? A. Risk governance B. Risk response C. Risk analysis D. Risk monitoring
B. Key risk indicators (KRIs) and risk definition and prioritization are both considered part of the risk response process. After having identified, quantified and prioritized the risk to the enterprise, relevant risk indicators need to be identified to help provide risk owners with meaningful information about a specific risk or a combination of types of risk.
R4-14. Which of the following can be expected when a key control is being maintained at an optimal level? A. The shortest lead time until the control breach comes to the surface B. Balance between control effectiveness and cost C. An adequate maturity level of the risk management process D. AN accurate estimation of operational risk amounts
B. Maintaining controls at an optimal level translates into a balance between control cost and derived benefit.
R4-44. A key objective when monitoring information systems control effectiveness against the enterprise's external requirements is to: A. design the applicable information security controls for external audits. B. create the enterprise's information security policy provisions for third parties. C. ensure that the enterprise's legal obligations have been satisfied. D. identify those legal obligations that apply to the enterprise's security practices.
C. Legal obligations are one of the principal external requirements to which compliance should be monitored.
R4-60. Which of the following choices is the MOST important critical success factor (CSF) of implementing a risk-based approach to the system development life cycle (SDLC)? A. Existence os a risk management framework B. Defined risk mitigation strategies C. Compliance with the change management process D. Adequate involvement of business representatives
D. A CSF for system development is the adequate involvement of business representatives, including management, users, quality assurance, IT, privacy, legal audit, regulatory affairs or compliance teams in high-risk regulatory situations.
R4-61. Monitoring has flagged a security exception. What is the MOST appropriate action? A. Escalate the exception. B. Update the risk register. C. Activate the risk response plan. D. Validate the exception.
D. Before any other action is taken, the security manager should ensure that the exception identified by monitoring is not a false positive.
R4-47. Which of the following considerations is MOST important when implementing key risk indicators (KRIs)? A. The metric is easy to measure. B. The metric is easy to aggregate. C. The metric is easy to interpret. D. The metric links to a specific risk.
D. Linking to a specific risk is the most important criterion when selecting a KRI.
R4-10. Which of the following reviews will provide the MOST insight into an enterprise's risk management capabilities? A. A capability maturity model (CMM) review B. A capability comparison with industry standards or regulations C. A self-assessment of capabilities D. An internal audit review of capabilities
A. Capability maturity modeling allows an enterprise to understand its level of maturity in its risk capabilities, which is an indicator of operational readiness and effectiveness.
R4-38. A risk practitioner has become aware of a potential merger with another enterprise. What actions should the risk practitioner take? A. Evaluate how the changes in the business operations and culture could affect the risk assessment. B. Monitor the situation to see if any new risk emerges due to the proposed changes. C. Continue to monitor and enforce the current risk program because it is already tailored appropriately for the enterprise. D. Implement changes to the risk program to prepare for the transition.
A. Changes to the business may impact risk calculations, and the risk practitioner should be proactive and be prepared to deal with any changes as they happen.
R4-97. Which of the following actions will BEST preserve availability of a service during a penetration test? A. Schedule testing of critical systems during maintenance windows. B. Automate the testing of critical applications and servers. C. Exclude noncritical systems from tests. D. Establish monitoring and help desk units to handle incidents.
A. Conducting the penetration tests during maintenance windows will give ample time to correct any fallout before business resumption.
R4-65. One way to determine control effectiveness is by determining: A. the test results of intended objectives. B. whether it is preventative, detective or compensatory. C. the capability of providing notification of failure. D. the evaluation and analysis reliability.
A. Control effectiveness requires a process to verify that the control process worked as intended. Examples such as dual-control or dual-entry bookkeeping provide verification and assurance that the process operated as intended.
R4-59. Which of the following activities should a risk professional perform to determine whether firewall deployments are deviating from the enterprise's information security policy? A. Review the firewall parameter settings. B. Review the firewall intrusion prevention system (IPS) logs. C. Review the firewall hardening procedures. D. Analyze the firewall log file for recent attacks.
A. Firewall parameter settings will tie the configuration which are linked to the governing security policy. So if the parameter settings are different that what the policy states/requires, then there is a deviation.
R4-22. Management wants to ensure that IT is successful in delivering against business requirements. Which of the following BEST supports that effort? A. An internal control system or framework B. A cost-benefit analysis C. A return on investment (ROI) analysis D. A benchmark process
A. For IT to be successful in delivering against business requirements, management should develop an internal control system that supports its business requirements.
R4-5. After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is widespread. To MOST effectively deal with the risk, the business should: A. implement monitoring techniques to detect and react to potential fraud. B. make the customer liable for losses if the customer fails to follow the bank's advice. C. increase its customer awareness efforts in this regions. D. outsource credit card processing to a third party.
A. Implementing monitoring techniques that will detect and deal with potential fraud cases is the most effective way to deal with this risk.
R4-87. A process associated with an established key performance indicator (KPI) requires attention when it is: A. outside of a threshold. B. higher than the average. C. lower than the average. D. fluctuating over time.
A. Key performance indicators (KPIs) are lead indicators meant to provide insight into whether associated goals will be reached, with sufficient advance notice such that corrective action can be taken if there is a problem. Values that are higher or lower that the average or that fluctuate over time may be entirely normal. What reveals that a process requires attention is when a KPI associated with it moves outside of a threshold, which may be established on the basis of upper or lower boundaries, degree of variance or any other measurement appropriate to the nature of the process.
R4-68. Which of the following MUST be included when developing metrics to identify and monitor the control life cycle? A. Thresholds that identify when controls no longer provide the intended value B. Customized reports of the metrics for key stakeholders C. A description of the methods and practices used to develop the metrics D. Identification of a repository where metrics will be maintained and stored
A. Metrics used to monitor the control life cycle require thresholds to identify when controls are no longer providing their intended value, which ensures that the enterprise is aware and can take appropriate action. Without this information, an enterprise may be under the impression that ineffective controls are still effective and do not need to be adjusted or retired.
R4-76. Which of the following practices BEST mitigates the risk associated with outsourcing a business function? A. Performing audits to verify compliance with contract requirements B. Requiring all vendor staff to attend annual awareness training sessions C. Retaining copies of all sensitive data on internal systems D. Reviewing the financial records of the vendor to verify financial soundness
A. Regular audits verify that the vendor is compliant with contract requirements.
R4-67. When the key risk indicator (KRI) for the IT change management process reaches its threshold a risk practitioner should FIRST report this to the: A. business owner. B. chief information security officer (CISO). C. help desk. D. incident response team.
A. Reporting to the business owners first is the most appropriate action because they own the risk and determine the risk response.
R4-18. Which of the following is the BEST indicator of high maturity of an enterprise's IT risk management process? A. People have appropriate awareness of risk and are comfortable talking about it. B. Top management is prepared to invest more money in IT security. C. Risk assessment is encouraged in all areas of IT and business management. D. Business and IT are aligned in risk assessment and risk ranking.
A. Some of the most important measures of a mature IT risk management process are those related to a risk-aware culture - an enterprise where people recognize the risk inherent to their activities, are able to discuss it and are willing to work together to resolve the risk.
R4-16. A database administrator notices that the externally hosted, web-based corporate address book application requires users to authenticate, but that the traffic between the application and users is not encrypted. The MOST appropriate course of action is to: A. notify the business owner and the security manager of the discovery and propose an addition to the risk register. B. contact the application administrators and request that they enable encryption of the application's web traffic. C. alert all staff about the vulnerability and advise them not to log on from public networks. D. accept the current controls are suitable for non sensitive business data.
A. The business owner and security manager should be notified and the risk should be documented on the operational or security risk register to enable appropriate risk treatment.
R4-31. The PRIMARY reason for developing an enterprise security architecture is to: A. align security strategies between the functional areas of an enterprise and external entities. B. build a barrier between the IT systems of an enterprise and the outside world. C. help with understanding of the enterprise's technologies and the interactions between them. D. protect the enterprise from external threats and proactively monitor the corporate network.
A. The enterprise security architecture must align with the strategies and objectives of the enterprise, taking into consideration the importance of the free flow of information within an enterprise as well as business with partners, customers and suppliers.
R4-92. The GREATEST benefit of performing a periodic disaster recovery site exercise is to: A. ensure the continued suitability of the contingency facilities. B. ensure the continued availability of data sent from the primary site. C. ensure that the correct equipment is at the contingency facilities. D. ensure that security measures at recovery sites are the same as the primary site.
A. The greatest benefit is continued suitability of the contingency facilities because if the facility itself is not proper, then even with data and personnel resources, the disaster recovery plan (DRP) will not work.
R4-33. There is an increase in help desk call levels because the vendor hosting the human resources (HR) self-service portal has reduced the password expiration from 90 to 30 days. The corporate password policy requires password expiration after 60 days and HR is unaware of the change. The risk practitioner should FIRST: A. formally investigate the cause of the unauthorized change. B. request the service provider reverse the password expiration period to 90 days. C. initiate a request to strengthen the corporate password expiration requirement to 30 days. D. notify employees of the change in password expiration period.
A. The key risk for the business process owner is that the external vendor is performing unauthorized changes to the configuration settings. All other actions are incorrect, because any change carries risk and requires a rigorous management approach.
R4-24. Which of the following metrics os the MOST useful in measuring the monitoring of violation logs? A. Penetration attempts investigated B. Violation log reports produced C. Violation log entries D. Frequency of corrective actions taken
A. The most useful metric is one that measures the degree to which complete follow-through has taken place.
R4-32. During an organizational risk assessment it is noted that many corporate IT standards have not been updated. The BEST course of action is to: A. review the standards against the current requirements and make a determination of adequacy. B. determine that the standards should be updated annually. C. report that IT standards are adequate and do not need to be updated. D. review the IT policy document and see how frequently IT standards should be updated.
A. The risk practitioner should verify that the standards are still adequate. If standards are lacking, then they should be updated
R4-82. A large organization recently implemented a key risk indicator (KRI) to alert top executives of security incidents. However, several security incidents were identified, but top executives were not notified. The MOST likely reason is that: A. the incidents did not meet the KRI sensitivity threshold. B. the KRI is not linked to a specific control. C. the cost of maintaining the KRI is too high to justify. D. the KRI provides results that cannot be compared over time.
A. The sensitivity of a key risk indicator (KRI) determines the threshold at which reporting occurs, and each KRI is related to the risk appetite and tolerance levels of the enterprise. Security incidents occur frequently in large organizations, but few of them reach the threshold at which it would make sense to alert top executives. Most likely, the KRI that has been established is designed to refrain from generating an alert unless and until a particular security incident has a potential for enterprise-level impact.
R4-69. The MOST important objective of regularly testing information system controls is to: A. identify design flaws, failures and redundancies. B. provide the necessary evidence to support management assertions. C. assess the control risk and formulate an opinion on the level of reliability. D. evaluate the need for a risk assessment and indicate the corrective action(s) to be taken, where applicable.
A. This choice is the best statement because it contains the necessary activities to ensure that the control is designed correctly and is operating effectively and efficiently during the production phase.
R4-49. An enterprise has just completed an information systems audit and a large number of findings have been generated. This list of finding is BEST addressed by: A. a risk mitigation plan. B. a business impact analysis (BIA). C. an incident management plan. D. revisions to information security procedures.
A. This is the proper tool to address the identified risk. A risk mitigation plan will put forward a schedule and strategy for addressing the audit findings.
R4-62. Which of the following criteria is MOST essential for the effectiveness of operational metrics? A. Relevance to the recipient B. Timeliness of the reporting C. Accuracy of the measurement D. Cost of obtaining the metrics
A. Unless the metric is relevant to the recipient and the recipient understands what the metric means and what action to take, if any, all other criteria are of little importance.
R4-77. A key risk indicator (KRI) is indicating alarms, which have been determined to be a false positive, for a network intrusion detection system (IDS). The alarms are related to volumes of malformed packets by the network engineer. Which of the following choices might a risk practitioner recommend that the risk owner adjust? A. Sensitivity B. Timing C. Frequency D. Reliability
A. When a risk practitioner notices a threshold bein exceeded on a key risk indicator (KRI), such as in 'tis situation, the first line of defense is to speak to the risk and/or control owner. It should be explained that the way an intrusion detection systems (IDS) is tuned can have an impact on whether the events have reached the threshold.
R4-66. Implementing continuous monitoring controls is the BEST option when: A. legislation requires strong information security controls. B. incidents may have a high impact and frequency. C. incidents may have a high impact, but low frequency. D. e-commerce is a primary business driver.
B. Because they are expensive, continuous monitoring control initiatives are used in areas where the risk is at its greatest level. These areas have a high impact and frequency of occurrence.
R4-37. Which of the following is the PRIMARY reason for conducting periodic risk assessments? A. Changes to the asset inventory B. Changes to the threat and vulnerability profile C. Changes in asset classification levels D. Changes in the risk appetite
B. Changes in threats and vulnerabilities, including new occurrences of either, are the primary reasons to conduct periodic risk assessments.
R4-41. An enterprise is expanding into new nearby domestic locations (office park). Which of the following is MOST important for a risk practitioner to report on? A. Competitor analysis B. Legal and regulatory requirements C. Political issues D. The potential of natural disasters
B. Legal and regulatory requirements are most likely to change when moving to a nearby location because each municipality may enforce significantly different regulations, including environmental requirements, taxation and others.
R4-21. Which of the following is the BEST way to ensure that contract programmers comply with organizational security policies? A. Have the contractors acknowledge the security policies in writing. B. Perform periodic security reviews of the contractors. C. Explicitly refer to contractors in the security standards. D. Create penalties for noncompliance in the contracting agreement.
B. Periodic reviews are the most effective way of obtaining compliance.
R4-95. When developing key risk indicators (KRIs), which of the following choices will BEST guide the risk practitioner? A. Data extraction tools B. Policies and regulations C. Nonperforming assets D. Summary reports
B. Policies and regulations oversee the business operations of the company, and these rules, established by management and the board, provide the baseline for defining measures against business goals and objectives.
R4-50. What is the PRIMARY reason for reporting significant changes in information risk to senior management? A. To revise the key risk indicators (KRIs) B. To enable educated decision making C. To gain support for new countermeasures D. To recalculate the value of existing information assets
B. The changes in information risk will impact critical business processes. The risk practitioner should report this to management so that management is able to make informed risk response decisions.
R4-57. What is the MOST important criterion when reviewing information security controls? A. To provide assurance to management of control monitoring B. To ensure that the controls are effectively addressing risk C. To review the impact of the controls on business operations and performance D. To establish a baseline as a benchmark for future tests
B. The primary purpose of a control is to ensure that it is effectively addressing the risk for which the control was selected and implemented.
R4-81. Which of the following choices is the GREATEST risk related to the review of log files? A. Logs are not backed up periodically. B. Unauthorized system actions are not identified. C. Routine events are recorded. D. Procedures for reviewing logs are not documented.
B. The review of log files is to detect system-related activities. However, if unauthorized system actions are not identified during the review of log files, it poses a risk to the business.
R4-83. The PRIMARY objective of risk reporting is to: A. keep stakeholders informed and reduce the level of enterprise risk. B. provide the risk owner with information to initiate risk response. C. control the threat environment by limiting the potential consequences. D. guarantee the open sharing of information related to enterprise risk.
B. The risk owner is accountable for properly managing any given risk to an acceptable level, which is based on the organization's risk appetite and tolerance. Risk reporting provides the risk owner with a summary of the risk assessment results (in accordance with regulatory requirements) and highlights areas that require attention by the risk owner; particularly those areas where corrective action is necessary, such as when the controls are not in line with the control objectives, control thresholds have been exceeded or the control is not adequate to meet current or emerging regulatory requirements.
R4-86. Capability models are used PRIMARILY to assess risk management processes by: A. benchmarking what other organizations are doing to mitigate risk. B. measuring the gap between actual and desired states. C. demonstrating the presence of vulnerabilities in existing business processes. D. quantifying the organizational changes needed to reach the highest maturity level.
B. Use of a process capability model helps determine the current risk management process capability level and allows management to determine whether it is in alignment with the desired state. The model helps determine how to close the gap between actual and desired states and tracks process performance over time.
R4-52. A company has set the unacceptable error level at 10 percent. Which of the following tools can be used to trigger a warning when the error level reaches eight percent? A. A fault tree analysis B. Statistical process control (SPC) C. A key performance indicator (KPI) D. A failure modes and effects analysis (FMEA)
C. A key performance indicator (KPI) is a tool that will show a performance change indication. A KPI is a measure that determines how well the process is performing in enabling the goal to be reached.
R4-36. Which of the following provides the BEST capability to identify whether controls that are in place remain effective in mitigating their intended risk? A. A key performance indicator (KPI) B. A risk assessment C. A key risk indicator (KRI) D. An audit
C. A key risk indicator (KRI) identifies whether a risk exists and has the potential to be realized in such way that it will have a negative impact on the enterprise. If controls that are in place to mitigate identified risk are working properly, then KRIs should not report a concern.
R4-3. A network vulnerability assessment is intended to identify: A. security design flaws. B. zero-day vulnerabilities. C. misconfiguration and missing updates. D. malicious software and spyware.
C. A network vulnerability assessment intends to identify known vulnerabilities that are based on common misconfiguration and missing updates.
R4-6. Which of the following BEST indicates a successful risk management practice? A. Control risk is tied to business units. B. Overall risk is quantified. C. Residual risk is minimized. D. Inherent risk is eliminated.
C. A successful risk management practice minimizes the residual risk to the enterprise.
R4-79. Which of the following threats associated with third-party management is BEST addressed through the establishment of a service level agreement (SLA)? A. Service interruption at the client home office B. Undetected degradations in service performance C. Financial loss resulting from service interruption D. Bankruptcy of the third-party organization
C. An SLA addresses immediate and measurable financial losses due to service levels not being met.
R4-19. As part of risk monitoring, the administrator of a two-factor authentication system identifies a trusted independent source indicating that the algorithm used for generating keys has been compromised. The vendor of the authentication system has not provided further information. Which of the following is the BEST initial course of action? A. Wait for the vendor to formally confirm the breach and provide a solution. B. Determine and implement suitable compensating controls. C. Identify all systems requiring two-factor authentication and notify their business owners. D. Disable the system and rely on the single-factor authentication until further information is received.
C. Business owners should be notified, even when some of the information may not be available. Business owners are responsible for responding to new risk.
R4-8. Which of the following should be of MOST concern to a risk practitioner? A. Failure to notify the public of an intrusion B. Failure to notify the police of an attempted intrusion C. Failure to internally report a successful attack D. Failure to examine access rights periodically
C. Failure t o report a successful intrusion is a serious concern to the risk practitioner and could - in some instances - be interpreted as abetting.
R4-30. Which of the following is MOST critical when system configuration files for a critical enterprise application system are being reviewed? A. Configuration files are frequently changed. B. Changes to configuration files are recorded. C. Access to configuration files is not restricted. D. Configuration values do not impact system efficiency.
C. If access to configuration files is not restricted, then the security of the overall system will be in question.
R4-55. Reliability of a key risk indicator (KRI) would indicate that the metric: A. performs within the appropriate thresholds. B. tests the target at predetermined intervals. C. flags exceptions every time they occur. D. initiates corrective action.
C. KRIs that are reporting on the data points that cannot be controlled by the enterprise, or are not alerting management at the correct time to an adverse condition, must be adjusted (optimized) to be more precise, more relevant or more accurate. Flagging exceptions every time they occur indicates the reliability of the KRI.
R4-91. A backward-looking key risk indicator (KRI) is intended to: A. provide early warning. B. serve as a predictor. C. improve risk responses. D. indicate risk variances.
C. KRIs that provide insight into events that have already occurred, enabling risk responses and management to be improved, are referred to as backward-looking indicators.
R4-80. The selection of key risk indicators (KRIs) for monitoring the risk management program should be based on selecting: A. indicators that drill down to the actual symptoms of events. B. indicators identified with the involvement of critical stakeholders. C. a balance between lead and lag indicators. D. automated systems that can provide the relevant data on indicators.
C. Lead and lag indicators should be in balance because any KRI should be a combination of risk events that have occurred and proactive monitoring of risk to initiate action. Lead indicators are forward looking and signal that a high risk is emerging, while lag indicators are backward looking and signal events that have occurred. Enabling risk response improvement requires both of these elements.
R4-90. Elements of IT infrastructure should be selected for monitoring on the basis of their criticality, which can be quantified on the basis of: A. audit logs. B. thresholds. C. dependencies. D. replacement cost.
C. One way to identify the criticality of a system, process or capability is to quantify the number and type of systems, process and capabilities that depend on its continued operations. In general, a system on which many other things depend is critical even if the individual importance of any one of the elements that it supports is relatively low.
R4-72. What is the MOST important reason for periodically testing controls? A. To meet regulatory requirements B. To meet due care requirements C. To ensure the control objectives are met D. To achieve compliance with standard policy
C. Periodically testing controls ensures that controls continue to meet control objectives.
R4-48. Which of the following data is MOST useful for communicating enterprise risk to management? A. Control self-assessment results B. A controls inventory C. Key risk indicators (KRIs) D. Independent audit reports
C. Reporting on key risk indicators (KRIs) is the most useful for informing management of the current state of enterprise risk.
R4-93. Which of the following information system (IS) control practices provides the BEST key performance indicator (KPI) of an organization's disaster recovery readiness? A. The approved disaster recover plan (DRP) B. The presence of a hot site C. The results of tests and drills D. An updated call tree and escalation mechanism
C. Results of tests and drills are the best evidence that the organization is prepared for disaster recovery because the organization can test what would occur in a simulated disaster scenario.
R4-73. Which of the following measures is MOST effective against insider threats to confidential information? A. Audit trail monitoring B. A privacy policy C. Role-based access control (RBAC) D. Defense in depth
C. Role-based access control (RBAC) provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability.
R4-17. Which of the following is the PRIMARY reason for periodically monitoring key risk indicators (KRIs)? A. The cost of risk response needs to be minimized. B. Errors in results of KRIs need to be minimized. C. The risk profile may have changed. D. Risk assessment needs to be continually improved.
C. The current set of risk impacting the enterprise can change over time and periodic monitoring of KRIs proactively identifies changes in the risk profile so that new risk can be addressed and changes in levels in existing risk can be better controlled.
R4-84. Which of the following types of control assessment offers the system owner the GREATEST level of assurance regarding the effectiveness of implemented security controls? A. Vulnerability assessment B. Third-party assurance C. Penetration test D. Self-assessment
C. The intent of a penetration test is to simulate a real-world attack situation with the goal of identifying how far an attacker would be able to penetrate into an environment. Penetration testing typically includes a vulnerability assessment, but it goes beyond identification of vulnerabilities to explore the extent to which these can be realistically attacked and the potential to exploit them for broader system access.
R4-26. When a significant vulnerability is discovered in the security of a critical web server, immediate notification should be made to the: A. development team to remediate. B. data owners to mitigate damage. C. system owner to take corrective action. D. incident response team to investigate.
C. To correct the vulnerabilities, the system owner needs to be notified quickly, before an incident can take place.
R4-29. Despite a comprehensive security awareness program annually undertaken and assessed for all staff and contractors, an enterprise has experienced a breach through a spear phishing attack. What is the MOST effective way to improve security awareness? A. Review the security awareness program and improve coverage of social engineering threats. B. Launch a disciplinary process against the people who leaked the information. C. Perform a periodic social engineering test against all staff and communicate summary results to the staff. D. Implement a data loss prevention system that automatically points users to corporate policies.
C. Users who are aware of security threats may need a reminder that these threats are real. Periodic social engineering tests help in maintaining a level of alertness.
R4-39. Which of the following BEST enables an enterprise to measure its risk management process against peers? A. Adoption of an enterprise architecture (EA) model B. Adoption of a balanced scorecard (BC) C. Adoption of a risk assessment methodology D. Adoption of a maturity model
D. A maturity model consists of various levels of competence that enterprises can use as benchmarks to assess how they compare to peers.
R4-88. Which of the following choices is MOST important when conducting a penetration test? A. Nondisclosure agreements (NDAs) signed by the testers B. Scope defined by business objectives C. Use of proprietary rather than open-source tools D. Senior management approval of exercise parameters
D. A penetration test has far-reaching consequences that can include denial of service, loss of confidentiality and even a threat to the going concern of the organization. Thus, it is important that senior management review and approve the testing parameters before the penetration test is executed.
R4-23. Which of the following is the MOST effective way to ensure that third-party providers comply with the enterprise's information security policy? A. Security awareness training B. Penetration testing C. Service level monitoring D. Periodic auditing
D. A regular audit exercise can spot any gap in the information security compliance.
R4-74. A well-known hacking group has publicly stated they will target a company. What is the risk professional's FIRST action? A. Advise IT management about the threat. B. Inform all employees about the threat. C. Contact law enforcement officials about the threat. D. Inform senior management about the threat.
D. All senior management needs to be aware of the threat so that they can be prepared if an incident takes place.
R4-43. Which of the following is MOST suitable for reporting IT-related business risk to senior management? A. Balanced scorecards (BSCs) B. Gantt charts/program evaluation and review technique (PERT) diagrams C. Technical vulnerability reports D. Dashboards
D. Dashboards are most suitable for reporting risk to senior management because they provide a high-level overview of risk levels that can be easily understood.
R4-58. Control objectives are useful to risk professionals because they provide the basis for understanding the: A. techniques for securing information for a given risk. B. information security policies, procedures and standards. C. control best practices relevant to a specific entity. D. desired outcomes of implementing specific control procedures.
D. IT control objectives define the main purpose or objective for an IT control and help implement specific control procedures.
R4-46. The BEST reason to implement a maturity model for risk management is to: A. permit alignment with business objectives. B. help improve governance and compliance. C. ensure that security controls are effective. D. enable continuous improvement.
D. Maturity models are designed to enable continuous improvement. This is achieved by first assessing the current maturity level of specific business processes and determining whether it is congruent with the desired maturity levels. Where gaps exist, maturity models implicitly provide steps to improve the process by defining requirements for each maturity level.
R4-25. Which of the following is MOST important for measuring the effectiveness of a security awareness program? A. Increased interest in focus groups on security issues B. A reduced number of security violation reports C. A quantitative evaluation to ensure user comprehension D. An increased number of security violation reports
D. Of the choices offered, an increase in the number of violation reports is the best indicator of a high level of security awareness. As with automated alerts, each security violation report needs to be assessed for validity.
R4-28. Which of the following MOST effectively ensures that service provider controls are within the guidelines set forth in the organization's information security policy? A. Service level monitoring B. Penetration testing C. Security awareness training D. Periodic auditing
D. Periodic audits help ensure compliance with the organization's information security policy.
R4-40. A risk practitioner has collected several IT-related key risk indicators (KRIs) related for the core financial application. These would MOST likely be reported to: A. stakeholders. B. the IT administrator group. C. the finance department. D. senior management.
D. Senior management is a key target group for sharing IT-related KRIs for the financial application because they make decisions related to risk response.
R4-64. Which of the following BEST assists is the proper design of an effective key risk indicator (KRI)? A. Generating the frequency of reporting cycles to report on the risk B. Preparing a business case that includes the measurement criteria for the risk C. Conducting a risk assessment to provide an overview of the key risk D. Documenting the operational flow of the business from beginning to end
D. Prior to starting to design the KRI, a risk manager must understand the end to-end operational flow of the respective business. This gives insight into the detailed processes, data flows, decision-making processes, acceptable levels of risk for the business, etc., which in turn give the risk manager the ability to apply top and bottom levels for the KRI.
R4-20. Which of the following is MOST useful in developing a series of recovery time objectives (RTOs)? A. Regression analysis B. Risk analysis C. Gap analysis D. Business impact analysis (BIA)
D. Recovery time objectives (RTOs) are a primary deliverable of a BIA. RTOs relate to the financial impact of a system not being available.
R4-1. Which of the following is the MOST important reason for conducting periodic risk assessments? A. Risk assessments are not always precise. B. Reviewers can optimize and reduce the cost of controls. C. Periodic risk assessments demonstrate the value of the risk management function to senior management. D. Business risk is subject to frequent change.
D. Risk is constantly changing, so a previously conducted risk assessment may not include measured risk that has been introduced since the last assessment.
R4-11. Which of the following practices is MOST closely associated with risk monitoring? A. Assessment B. Mitigation C. Analysis D. Reporting
D. Risk reporting is the only activity listed that is typically associated with risk monitoring.
R4-94. The PRIMARY purpose of system audit logs is to: A. verify that system changes are documented. B. improve operational efficiency. C. provide information to auditors. D. validate user activities.
D. System audit logs track which user has initiated which system event as part of his/her activities and other details that establish accountability for user activities.
R4-15. The PRIMARY reason to report significant changes in IT risk to management is to: A. update the information asset inventory on a periodic basis. B. update the values of probability and impact for the related risk. C. reconsider the degree of importance of existing information assets. D. initiate a risk impact analysis to determine if additional response is required
D. The changes in information risk will impact the business process of a department or multiple departments and the security manager should report this to department heads so that they are able to initiate a risk analysis to determine the impact and if there are changes needed.
R4-12. As part of an enterprise risk management (ERM) program, a risk practitioner BEST leverages the work performed by an internal audit function by having it: A. design, implement and maintain the ERM process. B. manage and assess the overall risk awareness. C. evaluate ongoing changes to organizational risk factors. D. assist in monitoring, evaluations, examining and reporting on controls.
D. The internal audit function is responsible for assisting management and the board of directors in monitoring, evaluating, examining and reporting on internal controls, regardless of whether an ERM function has been implemented.
R4-27. Which of the following is the BEST metric to manage the information security program? A. The number of systems that are subject to intrusion detection B. The amount of downtime caused by security incidents C. The time lag between detection, reporting and acting on security incidents D. The number of recorded exceptions from the minimum information security requirememts
D. The number of exceptions from set requirements is a direct correlation to the quality of the security program.
R4-63. Which of the following is the MOST appropriate metric to measure how well the information security function is managing the administration of user access? A. Elapsed time to suspend accounts of terminated users B. Elapsed time to suspend accounts of users transferring C. Ratio of actual accounts to actual end users D. Percent of accounts with configurations in compliance
D. The percent of accounts with configurations in compliance is the best measure of ho well the administration is being managed because this shows the overall impact.
R4-85. The purpose of system certification is to demonstrate that: A. security plans are created and aligned with organizational objectives. B. risk assessments are performed according to established test plans. C. approval to operate the system is provided by the business owner. D. security controls and processes are assessed for effectiveness.
D. The purpose of certification is to have an impartial third party review the security plans and risk assessments associated with the system and provide an objective recommendation to the business owner on whether he/she should approve the operation of the system.
R4-71. What role does the risk professional have in regard to the IS control monitoring process? The risk professional: A. maintains and operates IS controls. B. approves the policies for IS control monitoring. C. determines the frequency of control testing by internal audit. D. assists in planning, reporting and scheduling tests of IS controls.
D. The risk professional plays a key role in scheduling, supervising and reporting on risk. This includes the responsibility for working with the testing teams.
R4-78. Which of the following choices is the MOST important IT risk communication component when reporting IT risk status to management? A. Amendments to the risk register B. Lessons learned from loss events C. Technical details in the vulnerabilities D. Risk profile of the enterprise
D. The risk profile of the enterprise is the most important component compared to the other choices because it provides the overall portfolio of identified risk to which the enterprise is exposed. This is most important for management to know.
R4-54. Risk monitoring provides timely information on the actual status of the enterprise with regard to risk. Which of the following choices provides an overall risk status of the enterprise? A. Risk management B. Risk analysis C. Risk appetite D. Risk profile
D. The risk profile provides the current overall portfolio of the dentifrice do risk to which the enterprise is exposed. Because the profile is kept updated with evolving and new risk, it provides the enterprise's current risk status.
R4-9. Which of the following is the FIRST step when developing a risk monitoring program? A. Developing key indicators to monitor outcomes B. Gathering baseline data on indicators C. Analyzing and reporting findings D. Conducting a capability assessment
D. This step determines the capacity and readiness of the entity to develop a risk management program. This assessment identifies champions, barriers, owners and contributors to this program, including identifying the overall goal of the program. A capability assessment helps determine the enterprise's maturity in its risk management processes and the capacity and readiness of the entity to develop a risk management program. When the enterprise is more mature, more sophisticated responses can be implemented; when the enterprise is rather immature, some basic responses may be a better starting point.
R4-96. Which of the following choices is the INITIAL step in implementing continuous risk monitoring systems for a risk practitioner? A. Perform compliance testing on internal controls. B. Establish a risk and controls monitoring steering committee. C. Document the risk to existing internal controls. D. Identify high-risk areas within the organization.
D. When implementing continuous monitoring systems, a risk practitioner's first step is to identify high-risk areas within the organization.