CRISC Q&A Domain 2


Which of the following should be in place before a black box penetration test begins? A. A clearly stated definition of scope B. Previous test results C. Proper communication and awareness training D. An incident response plan

A is the correct answer. Justification: A. A clearly stated definition of scope ensures a proper understanding of risk and success criteria. B. Previous test results may help define the scope. C. Communication and awareness training are not a necessary requirement. D. An incident response plan is not a necessary requirement. In fact, a penetration test could help promote the creation and execution of the incident response plan.

Which of the following signifies the need to review an enterprise's risk practices? A. Business owners regularly challenge risk assessment findings. B. Manufacturing assigns its own internal risk management roles. C. The finance department finds exceptions during its yearly risk review. D. Sales department risk management procedures were last reviewed 11 months ago.

A is the correct answer. Justification: A. An enterprise's risk management practices must be clearly understood and supported by business stakeholders. This principle must be documented in the organization's risk management policy/framework/plan with senior management approval and direction. If business owners challenge the risk assessment findings, either they do not support the findings, or fail to understand them clearly. B. Assigning internal risk management roles to staff is what each department in the enterprise should do. C. It is common to find exceptions during a review that need to be addressed. This is a normal and expected result of a yearly review. D. Normally, a yearly review of risk management procedures is sufficient to keep them up to date.

Which of the following BEST helps identify information systems control deficiencies? A. Gap analysis B. The current IT risk profile C. The IT controls framework D. Countermeasure analysis

A is the correct answer. Justification: A. Controls are deployed to achieve control objectives based on risk assessments and business requirements. The gap between desired control objectives and actual control design and operational effectiveness identifies control deficiencies in information systems. B. Without knowing the gap between desired state and current state, one cannot identify control deficiencies relative to a desired state. The current IT risk profile does not expose this gap. C. The IT controls framework is a generic document with no information on the desired future state of IS controls or the current state of the enterprise; therefore, it will not help identify IS control deficiencies. D. Countermeasure analysis only helps in identifying deficiencies in countermeasures and not in the full set of primary controls.

Which of the following BEST ensures that identified risk remains at an acceptable level? A. Reviewing controls periodically, according to the risk action plan B. Listing each risk as a separate entry in the risk register C. Creating a separate risk register for every department D. Maintaining a key risk indicator for assets in the risk register

A is the correct answer. Justification: A. Controls deployed according to the risk action plan should provide the desired results because the risk action plan is based on management's acceptance of residual risk and management's approval of deployment steps in the plan. B. Listing each risk as a separate entry in the risk register may help in better evaluating the risk, but the register in itself does not ensure risk management of identified risk at a reasonable level. C. Creating a separate risk register for every department may help inform better risk assessment exercises, but separation of registers does not necessarily ensure risk management of identified risk at a reasonable level. D. Maintaining a key risk indicator for assets in the risk register may improve the overall risk management cycle, but the register in itself does not ensure that the management of identified risk has been performed according to the risk action plan.

A PRIMARY reason for initiating a policy-exception process is when: A. the risk is justified by the benefit. B. policy compliance is difficult to enforce. C. operations are too busy to comply. D. users may initially be inconvenienced.

A is the correct answer. Justification: A. Exceptions to policies are warranted in circumstances in which the benefits outweigh the costs of policy compliance; however, the enterprise needs to assess both the tangible and intangible risk and evaluate both in the context of existing risk. B. Difficulty in enforcement does not justify policy exceptions. C. Lack of resources to achieve compliance does not justify policy exceptions. D. User inconvenience does not warrant an automatic exception to a policy.

Information security procedures should: A. be updated frequently as new software is released. B. underline the importance of security governance. C. define the allowable limits of behavior. D. describe security baselines for each platform.

A is the correct answer. Justification: A. Often, security procedures have to change frequently to keep up with changes in software. Because a procedure is a how-to document, it must be kept current with frequent changes in software. B. High-level objectives of an enterprise, such as security governance, are normally addressed in a security policy. C. Security policies define behavioral limits and are generally not updated as frequently as procedures. D. Security standards define platform baselines; however, they do not provide the detail on how to apply the security baseline and are generally not updated as frequently as procedures.

Which of the following provides the MOST valuable input to incident-response efforts? A. Qualitative analysis of threats B. The annual loss expectancy C. A vulnerability assessment D. Penetration testing

A is the correct answer. Justification: A. Qualitative analysis of threats reflects an intuitive view of the outcome of various threat sources. Knowing the kinds of incidents that may occur in order of consequence will be of great benefit to incident-response efforts. B. The annual loss expectancy is the total cost associated with each source of risk and its probability of occurrence. This total may be of interest when preparing the budget, but cannot be directly linked to incident-response efforts. C. A vulnerability assessment is used to determine how easily security can be breached. This provides data about risk. D. Penetration testing is used to provide tangible evidence that existing vulnerabilities can be exploited and the degree of difficulty to exploit them.

Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as: A. quantitative risk analysis. B. risk scenario analysis. C. qualitative risk analysis. D. probabilistic risk assessment.

A is the correct answer. Justification: A. Quantitative risk analysis derives the probability and impact of risk scenarios from statistical methods and data. B. A risk scenario analysis generally includes several risk analysis methods, including quantitative, semiquantitative and qualitative. The question stem describes only the quantitative risk analysis method. C. A qualitative risk analysis would use nonquantitative measures to estimate the likelihood and impact of adverse events; these might include low, medium and high for likelihood and low, medium, high and catastrophic for the impact. D. Probabilistic risk assessments are mostly applied to risk associated with complex engineered technology (e.g., nuclear plants, airplanes). They rely on a systematic and comprehensive methodology and consider both quantitative and qualitative risk analysis. The question stem describes only the quantitative risk analysis method.

It is MOST important for a risk evaluation to: A. take into account the potential size and likelihood of a loss. B. consider inherent and control risk. C. include a benchmark of similar companies in its scope. D. assume an equal degree of protection for all assets.

A is the correct answer. Justification: A. Risk evaluation should consider the potential size and likelihood of a loss. B. Although inherent and control risk should be considered in the analysis, the impact of the risk (potential likelihood and impact of loss) should be the primary driver. C. Risk evaluation can include comparisons with a group of companies of similar size. D. Risk evaluation should not assume an equal degree of protection for all assets because assets may have different risk factors.

How often should risk be evaluated? A. Annually or when there is a significant change B. Once a year for each business process and subprocess C. Every three to six months for critical business processes D. Only after significant changes occur

A is the correct answer. Justification: A. Risk is constantly changing. Evaluating risk annually or when there is a significant change offers the best alternative; this approach considers reasonable frequency of review and allows flexibility to address significant intervening change. B. Evaluating risk once a year is insufficient if important changes take place. C. Evaluating risk every three to six months for critical processes may not be necessary; alternatively, it may not address important intervening changes in a timely manner. D. Evaluating risk only after significant changes occur may fail to consider less significant changes that collectively affect overall risk.

A third party is engaged to develop a business application. Which of the following BEST ensures detection of back doors? A. Security code reviews for the entire application B. System monitoring for traffic on network ports C. Reverse engineering the application binaries D. Running the application from a high-privileged account on a test system

A is the correct answer. Justification: A. Security code reviews for the entire application are the best method. The reviews examine source code comprehensively to detect all instances of back doors. B. System monitoring for traffic on network ports cannot detect all instances of back doors; is time consuming; and is resource intensive. C. Reverse engineering the application binaries may not provide definite clues. D. Back doors do not surface by running the application on high-privileged accounts because back doors are usually hidden accounts in the applications.

Of the following, which control would a risk practitioner recommend to mitigate the risk that personnel who have the ability to change system configuration settings also modify computer operational logs? A. Segregation of duties B. Authentication C. Authorization D. Shift rotation

A is the correct answer. Justification: A. Segregation of duties would ensure that authorization to change system configuration is separated from the ability to modify or delete logs. B. Authentication may still allow users to perform both functions. C. Authorization may still allow users to perform both functions. D. Shift rotation does not prevent the user from performing both functions.

Testing compliance of a response and recovery plan should begin by conducting a: A. tabletop exercise. B. review of archived logs. C. penetration test. D. business impact analysis.

A is the correct answer. Justification: A. Tabletop exercises simulate incidents to test the response capability of an enterprise. The exercise involves scenarios that require a coordinated response to realistic incidents developing in real time. Participants gather to formulate responses to each development. Tabletop exercises are used extensively by police, fire and emergency medical services to gather key personnel who practice response and recovery in the context of simulated incidents likely within a given jurisdiction. B. Logs provide a way to trace the activities performed during the vulnerability assessment. C. Penetration tests highlight specific weaknesses; but while these tests generally are very controlled, they do not provide the depth and breadth of a tabletop exercise. D. A business impact analysis provides input to the response and recovery plan as of a given point in time and reflects the viewpoint of business owners. It should be used as the basis for building test scripts to validate compliance, but in and of itself, it is not a testing tool.

Which of the following BEST assists a risk practitioner in measuring the existing level of development of risk management processes against their desired state? A. A capability maturity model B. Risk management audit reports C. A balanced scorecard D. Enterprise security architecture

A is the correct answer. Justification: A. The capability maturity model grades processes on a scale of 0 to 5, based on their maturity, and is commonly used by entities to measure their existing state and then to determine the desired one. B. Risk management audit reports offer a limited view of the current state of risk management. C. A balanced scorecard enables management to measure the implementation of strategy and assists in its translation into action. D. Enterprise security architecture explains the security architecture of an entity in terms of business strategy, objectives, relationships, risk, constraints and enablers and provides a business-driven and business-focused view of security architecture.

Which of the following is the BEST way to verify that critical production servers are using up-to-date antivirus signature files? A. Check a sample of servers. B. Verify the date that signature files were last pushed out. C. Use a recently identified benign virus to test whether it is quarantined. D. Research the most recent signature file, and compare it to the console.

A is the correct answer. Justification: A. The only effective way to verify currency of signature files is to look at a sample of servers. B. The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server. In conjunction with the sample testing, the process for updating the signature files should be verified. C. Personnel should never release a virus, no matter how benign. D. Comparing the vendor's most recent signature file to the management console will not indicate whether the file was properly loaded on the server.

When performing a risk assessment on the impact of losing a server, calculating the monetary value of the server should be based on the: A. cost to obtain a replacement. B. annual loss expectancy. C. cost of the software stored. D. original cost to acquire.

A is the correct answer. Justification: A. The value of the server should be based on its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise. B. The annual loss expectancy for all risk related to the server does not represent the server's value. C. The software can be restored from backup media. D. The original cost may be significantly different from the current cost and, therefore, not as relevant.

Which of the following factors should be included when assessing the impact of losing network connectivity for 18 to 24 hours? A. The hourly billing rate charged by the carrier B. Financial losses incurred by affected business units C. The value of the data transmitted over the network D. An aggregate compensation of all affected business users

B is the correct answer. Justification: A. The hourly billing rate charged by the carrier may be a factor that contributes to the overall financial impact; however, it reflects only a minor consequence of losing network connectivity. B. The impact of network unavailability reflects the cumulative costs incurred by the enterprise. C. The value of the data transmitted over the network reflects only a subset of financial losses incurred by affected business units. D. Aggregate compensation of all affected business users represents only a subset of financial losses incurred by affected business units.

In the risk management process, a cost-benefit analysis is MAINLY performed: A. as part of an initial risk assessment. B. as part of risk-response planning. C. during an information asset valuation. D. when insurance is calculated for risk transfer.

B is the correct answer. Justification: A. A cost-benefit analysis is not only performed once, but every time controls need to be selected to address new or changing risk. B. In risk response, a range of controls will be identified that can mitigate risk; however, a cost-benefit analysis in this process will help identify the right controls that will address the risk at acceptable levels within the budget. C. In information asset valuation, business owners determine the value based on business importance and there is no cost-benefit involved. D. Calculating insurance for the purpose of transferring risk is not the stage where a cost-benefit analysis is performed.

Which of the following will produce comprehensive results when performing a qualitative risk analysis? A. A vulnerability assessment B. Scenarios with threats and impacts C. The value of information assets D. Estimated productivity losses

B is the correct answer. Justification: A. A vulnerability assessment itself provides a one-sided view unless it is linked to specific risk scenarios that help determine likelihood and impact. B. Using a list of possible scenarios with threats and impacts will better frame the range of risk and facilitate a more informed discussion and decision. C. The value of information assets is an important starting point when performing a qualitative risk analysis. However, value without consideration of realistic threats and determination of likelihood and impact is not sufficient for a risk analysis. D. Estimated productivity losses may be necessary to project magnitude of impact. However, this choice is insufficient on its own.

Capability models are used PRIMARILY to assess risk management processes by: A. benchmarking what other organizations are doing to mitigate risk. B. measuring the gap between actual and desired states. C. demonstrating the presence of vulnerabilities in existing business processes. D. quantifying the organizational changes needed to reach the highest maturity level.

B is the correct answer. Justification: A. After the capability assessment is complete, organizations may use benchmarking to compare themselves against others in the industry. Benchmarking is not a means of mitigating risk. B. Capability models can help determine the current state of risk management process capability and whether it aligns with a given desired state. The model helps close the gap between actual and desired states and tracks process performance over time. C. A process capability model is not designed to detect vulnerabilities in existing business processes. This would be accomplished through a vulnerability or risk assessment. D. Capability models will assist in determining the current maturity level of a program; however, the model will not provide the ability to quantify the organizational changes needed to reach the highest maturity level. That should be determined by management at the beginning of the maturity assessment.

The goal of IT risk analysis is to: A. enable the alignment of IT risk management with enterprise risk management. B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets.

B is the correct answer. Justification: A. Aligning IT risk management with enterprise risk management is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment. B. Risk analysis estimates the likelihood and magnitude of IT risk scenarios. Risk analysis helps ensure that areas with greatest risk likelihood and impact are prioritized above those with lower likelihood and impact. Prioritization of IT risk helps maximize return on investment in risk responses. C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It considers regulatory risk as one of many types of risk. It is not specifically designed to satisfy legal and regulatory compliance requirements. D. Risk analysis occurs after risk identification and evaluation. Risk identification uncovers threats and vulnerabilities; risk evaluation assesses their risk and creates valid risk scenarios. Risk analysis quantifies risk along vectors of likelihood and impact to help prioritize risk responses.

The IT department wants to use a server for an enterprise database, but the hardware is not certified by its manufacturer for the intended operating system or database software. A risk practitioner determines that introducing the hardware presents: A. a minimal level of risk. B. an unknown level of risk. C. a medium level of risk. D. a high level of risk.

B is the correct answer. Justification: A. Although most personal computers and servers feature standard interfaces (e.g., universal serial bus [USB] ports, SATA and HDMI), the internal architecture and basic input/output system (BIOS) calls of all PCs and servers differ from vendor to vendor. Unless the hardware is certified to work with at least the operating system (OS), and ideally both the OS and the database, support can be very difficult to manage and will not represent a minimal level of risk. B. Because the hardware is not certified by its manufacturer to work without major issues using the OS or the database software, the risk is unknown. An enterprise database is a critical application and the unknown risk should not be approved. C. Using uncertified hardware for an enterprise database system is an unknown risk; it is usually such a high risk that no enterprise would deploy uncertified hardware. Costs for downtime and support are almost always higher in the long term than the purchase price of the hardware. D. The database vendor typically supports different OSs, while the OS vendor usually supports hardware and/or its vendor. Because database vendors do not support hardware directly, this answer is incorrect, and the risk level (strictly defined) remains unknown.

Which of the following is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision making? A. An internal audit review B. A peer review C. A compliance review D. A risk policy review

B is the correct answer. Justification: A. An internal audit review is not best suited for the review of IT risk analysis results. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an enterprise's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. B. It is effective, efficient and good practice to perform a peer review of IT risk analysis results before sending them to management. C. A compliance review is not best suited for the review of IT risk analysis results. Compliance reviews measure conformance with a specific, measurable standard. D. A review of the risk policy may change the content and methodology of the risk analysis eventually, but this is not a way of reviewing IT risk analysis results before sending them to management.

Which of the following is used to determine whether unauthorized modifications were made to production programs? A. An analytical review B. Compliance testing C. A system log analysis D. A forensic analysis

B is the correct answer. Justification: A. Analytical review assesses the general control environment of an enterprise. B. Compliance testing helps to verify that the change management process has been applied consistently. C. It is unlikely that system log analysis would provide information about the modification of programs. D. Forensic analysis is a specialized technique for criminal investigation.

Which of the following actions will MOST likely occur during an incident response plan activation? A. Enabling logging to track what resources have been accessed B. Shutting down a server to patch defects in the operating system C. Implementing virus scanning tools to scan attachments in incoming email D. Assisting in the migration to an alphanumeric password authorization policy

B is the correct answer. Justification: A. Enabling logging is not a function of the incident response plan but can provide information if it was enabled prior to the incident. B. An incident response plan defines actions to be taken in response to a threat, loss or vulnerability event. Shutting down servers to patch defects is a corrective action against identified events. Once installed, the upgraded version of the operating system might be able to mitigate further risk. C. Use of a virus scanner is a preventive and a detective action rather than correcting what has occurred. Use of a virus scanner in the response to an incident will mean scanning email that has already been received. D. Generally, an alphanumeric password authorization policy is a preventive rather than a corrective control.

Which of the following is the PRIMARY reason for subjecting the risk management process to review by independent risk auditors/assessors? A. To ensure that the risk results are consistent B. To ensure that the risk factors and risk profile are well defined C. To correct any mistakes in risk assessment D. To validate the control weaknesses for management reporting

B is the correct answer. Justification: A. Ensuring that risk results are consistent is very important to ensure that risk mitigation/management is effective; that is why risk management results are reviewed by independent risk auditors/assessors, who can be internal or external to the enterprise. B. Risk profile and risk factors are defined during the risk assessment process; an independent review helps ensure that the underlying process is effective and helps identify areas for future improvement. C. Risk assessment by an independent party is primarily performed to ensure and/or improve the quality of the risk assessment process, not to correct risk assessment mistakes. D. The primary purpose of independent review is not to validate control weaknesses for management reporting, although it may be an outcome of the process.

Which of the following BEST describes the role of management in implementing a risk management strategy? A. Ensure that the planning, budgeting and performance of information security components are appropriate. B. Assess and incorporate the results of risk management into the decision-making process. C. Identify, evaluate and minimize risk to IT systems that support the mission of the organization. D. Understand the risk management process so that appropriate training materials and programs can be developed.

B is the correct answer. Justification: A. Ensuring the planning, budgeting and performance of information security components is usually the responsibility of the chief information officer (CIO). Although the CIO is a member of senior management, this does not best describe the collective role of senior management in establishing and implementing the risk management strategy. B. Assessing and incorporating the results of risk management into the decision-making process best describes the role of senior management in establishing and implementing a risk management strategy. C. Identifying, evaluating and minimizing risk to IT systems supporting the corporate mission is done by IT security managers or an IT security function, but this does not best describe the role of senior management in creating the risk management strategy. D. Understanding the risk management process to develop appropriate training materials and programs is usually the role of corporate security trainers, not of senior management.

The PRIMARY goal of a postincident review is to: A. gather evidence for subsequent legal action. B. identify ways to improve the response process. C. identify individuals who failed to take appropriate action. D. make a determination as to the identity of the attacker.

B is the correct answer. Justification: A. Evidence should have been gathered earlier in the process, not during a postincident review. B. The goal of a postincident review is to identify ways to improve the incident response process. C. A postincident review should not focus on finding and punishing individuals who did not take appropriate action, but rather on improving the incident response process and reducing the likelihood of similar incidents in the future. D. Identifying attackers is not a goal of the postincident review process.

Which of the following activities is MOST important when evaluating and assessing the risk to an enterprise or business process? A. Identification of controls that are currently in place to mitigate identified risk B. Threat intelligence, including likelihood of identified threats C. Historical risk assessment data D. Control testing results

B is the correct answer. Justification: A. Identification of controls that are currently in place is an important part of the risk assessment process but is not as important as threat intelligence. B. One of the key requirements of effective risk assessment is its association and alignment with current intelligence that includes data on the likelihood of identified threats. The probability of risk being realized is one of the primary determinations of risk prioritization. C. Historical risk assessment data are useful in understanding previously identified risk but are not essential to the risk assessment process. D. Control testing results are a component of risk assessment that helps support conclusions. Threat intelligence will often drive the testing of specific controls based on the identification of risk scenarios during the evaluation and assessment activity. These data are valuable to the risk assessment process but are not as valuable as accurate threat intelligence.

A risk professional has been asked to determine which factors were responsible for a loss event. Which of the following methods should be used? A. Key risk indicators B. Cause-and-effect analysis C. Business process modeling D. Business impact analysis

B is the correct answer. Justification: A. Key risk indicators are a subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk. They are not used after a loss event occurs. B. Cause-and-effect analysis is a predictive or diagnostic analytical tool used to explore the root causes or factors that contribute to positive or negative effects or outcomes. It can also be used to identify potential risk. A typical form is the fishbone diagram. C. Business process modeling is used to model business processes and is not used for root cause analysis. D. Business impact analysis is a process to determine the impact of losing the support of any resource and is not used for root cause analysis.

Which of the following considerations is MOST applicable to risk assessments dealing with data management? A. Changing market conditions B. Changing configuration item data C. Lack of staff education D. Growing capabilities of attackers

B is the correct answer. Justification: A. Market conditions influence business objectives and may affect available resources, but these impacts tend to be distributed broadly and do not have any special applicability to risk assessment. B. Attributes and relationships for configuration items are subject to frequent change, and risk assessments must have accurate and up-to-date configuration item data in order to target correct information assets. C. Lack of staff education represents an increase in general organizational vulnerability and does not have any special applicability to risk assessment. D. The growing capabilities of attackers represent an increase in the general threat environment and do not have any special applicability to risk assessment.

IT risk is measured by its: A. level of damage to IT systems. B. impact on business operations. C. cost of countermeasures. D. annual loss expectancy.

B is the correct answer. Justification: A. Measurement by IT damage alone is not comprehensive; business risk must also be considered. B. IT risk includes information and communication technology risk but is primarily measured by its impact on the business. IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. C. The cost and benefit of countermeasures is concerned with risk response, not with risk assessment. D. Annual loss expectancy is a quantitative measure and must be used in conjunction with qualitative measures, such as loss of reputation.

Which of the following activities is MOST important in determining the risk mitigation strategy? A. Review vulnerability assessment results. B. Perform a cost-benefit analysis related to risk acceptance. C. Conduct a business impact analysis of affected areas. D. Align the strategy with the security controls framework.

B is the correct answer. Justification: A. Results from a vulnerability assessment are used in a risk assessment to determine the level of risk but not in the selection of a mitigation strategy. B. Risk mitigation ensures that residual risk is maintained at an acceptable level. Cost-benefit analysis ensures that the cost of mitigating risk does not exceed the cost that the enterprise would incur if an incident happens. C. Business impact analysis facilitates development of mitigation and recovery strategy because it documents processes, key deliverables and recovery time objectives. However, the cost of mitigation is the key criterion for the business. D. Understanding the enterprise's security controls framework assists with design and implementation of controls once the mitigation strategy is determined for a given risk.

The PRIMARY result of a risk assessment process is: A. a defined business plan. B. input for risk-aware decisions. C. data classification. D. minimized residual risk.

B is the correct answer. Justification: A. Risk assessment deliverables are not the primary input into the business plan as a business plan defines how a business goal will be achieved. B. Risk assessment identifies and prioritizes risk and relates the aggregated risk to the enterprise's risk appetite and risk tolerance levels to enable risk-aware decision making. C. Establishing classification levels is one of the outputs of risk assessment, but is not the primary result. D. Residual risk is reduced after taking the cost of the risk response and the related benefit into consideration; risk minimization itself is not a primary result of risk management because it may not optimize overall business results.

Which of the following factors should be assessed after the likelihood of a loss event has been determined? A. Risk tolerance B. Magnitude of impact C. Residual risk D. Compensating controls

B is the correct answer. Justification: A. Risk tolerance reflects acceptable deviation from acceptable risk. Risk tolerance requires quantification of risk, which in turn requires determining the magnitude of impact. B. Once likelihood has been determined, the next step is to determine magnitude of impact. C. Residual risk is the risk that remains after management implements a risk response. It cannot be calculated until controls are selected. D. Compensating controls are internal controls that reduce the risk of an existing or potential control weakness that can result in errors and omissions. They would not be assessed directly in conjunction with assessing the likelihood of a loss event.

Which of the following is the BEST method to analyze risk, incidents and related interdependencies to determine the impact on organizational goals? A. Security information and event management solutions B. A business impact analysis C. Enterprise risk management steering committee meetings D. Interviews with business leaders to develop a risk profile

B is the correct answer. Justification: A. Security information and event management solutions will primarily account for technical risk and typically do not evaluate the impact that business process objectives have on operational components. B. A business impact analysis should include the examination of risk, incidents and interdependencies to identify consequences for business objectives. C. Enterprise risk management steering committees are useful for reviewing analyses that have been completed, but not for conducting analysis. D. Interviews with business leaders will assist in identifying risk tolerance and key business objectives and activities, but will not yield risk or incident analysis.

Which of the following techniques BEST helps determine whether there have been unauthorized program changes since the last authorized program update? A. A test data run B. An automated code comparison C. A code review D. A review of code migration procedures

B is the correct answer. Justification: A. Test data runs help verify the processing of preselected transactions but provide no evidence about unexercised portions of a program. B. An automated code comparison involves programmatic comparison of two versions of the same program to determine their correspondence; one version must reflect the last authorized program update. It is an efficient technique because it is automated. C. A code review involves reading program source code to determine whether it contains potential errors or inefficient statements. A code review can facilitate code comparison, but not very efficiently, because human software developers execute the review. D. A review of code migration procedures would not detect program changes.

Once a risk assessment has been completed, the documented test results should be: A. destroyed. B. retained. C. summarized. D. published.

B is the correct answer. Justification: A. Test results should be stored in a secure manner for future reference and comparison and not destroyed. B. Test results should be retained in order to ensure that future tests can be compared with past results and ensure reporting consistency. C. Test results are summarized as part of the risk assessment process. D. Assessment results are not usually published due to vulnerability disclosure.

A substantive test to verify that tape library inventory records are accurate involves: A. determining whether bar code readers are installed. B. conducting a physical count of the tape inventory. C. checking whether receipts and issues of tapes are accurately recorded. D. determining whether the movement of tapes is authorized.

B is the correct answer. Justification: A. Testing the existence of bar code readers is a compliance test, not a substantive test. A substantive test involves gathering evidence to evaluate the integrity of individual transactions, data or other information. B. A substantive test involves gathering evidence to evaluate the integrity of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test. C. Confirming that receipts and issues of tapes are accurately recorded is a compliance test, not a substantive test. A substantive test involves gathering evidence to evaluate the integrity of individual transactions, data or other information. D. Testing the approval of tape movements is a compliance test, not a substantive test. A substantive test involves gathering evidence to evaluate the integrity of individual transactions, data or other information.

The board of directors wants to know the financial impact of specific, individual risk scenarios. What type of approach is BEST suited to fulfill this requirement? A. Delphi method B. Quantitative analysis C. Qualitative analysis D. Financial risk modeling

B is the correct answer. Justification: A. The Delphi method is a forecasting method based on expert opinions that are gathered over several iterations of anonymous surveys. B. A quantitative approach to risk evaluations would be the best approach because it is formula-based and puts a monetary amount on the potential loss resulting from a risk scenario. C. Qualitative analysis does not quantify the risk and loss in numbers and therefore is not the best option. D. Financial risk modeling determines aggregate risk in a financial portfolio. It is generally not used to provide the financial impact of individual risk scenarios.

When would an enterprise project management department PRIMARILY use risk analysis? A. During preparation for natural disasters B. During go/no-go decisions C. During workplace safety training development D. During regulation bulletin reviews

B is the correct answer. Justification: A. The business continuity department may use risk analysis results to assist in planning for natural disasters, but the enterprise project management department would not. B. The project management department can use results of risk analysis to assist in making go/no-go decisions at critical stages/phases of a project as well as during project planning to help account for potential threats and known vulnerabilities. C. The facilities/safety department may use risk analysis results to understand safety-related risk and may work with training to build safety training programs, but it is not the primary use. D. The compliance department would use risk analysis to gain understanding of the potential impact to the enterprise based on a newly communicated regulation bulletin.

Which of the following BEST describes the risk-related roles and responsibilities of an organizational business unit (BU)? The BU management team: A. owns the mitigation plan for the risk belonging to their BU, while board members are responsible for identifying and assessing risk as well as reporting on that risk to the appropriate support functions. B. owns the risk and is responsible for identifying, assessing and mitigating risk as well as reporting on that risk to the appropriate support functions and the board of directors. C. carries out the respective risk-related responsibilities, but ultimate accountability for the day-to-day work of risk management and goal achievement belongs to the board members. D. is ultimately accountable for the day-to-day work of risk management and goal achievement, and board members own the risk.

B is the correct answer. Justification: A. The business unit (BU) management team owns both the risk management activities (identifying, assessing and reporting the mitigation plan for the risk belonging to their BU) and the reporting activities. The board members do not perform the risk identification, assessment and risk reporting functions. B. The BU is responsible for owning the risk and its resulting actions. Risk owners have the responsibility of identifying, measuring, monitoring, controlling and reporting on risk to executive management as established by the corporate risk framework. C. The ultimate accountability for the day-to-day work also belongs to the BU, not the board of directors. D. The board members do not own the BU risk; the BU leader owns it and, along with the BU management team, is accountable for the remediation efforts.

Which of the following BEST demonstrates the organization's readiness for unexpected events? A. Change management plan B. Incident response plan C. Communication plan D. Disaster recovery plan

B is the correct answer. Justification: A. The change management plan defines activities and roles to manage and control change; however, it does not manage unexpected events. B. The incident response plan indicates the preparedness of the organization to handle unexpected events. C. The communication plan would ensure that all stakeholders are informed during an unexpected event; however, it does not help demonstrate readiness for unexpected events. D. The disaster recovery plan would define activities to restore operations to their state before a disaster; however, not all unexpected events are disasters.

Who is MOST likely responsible for data classification? A. The data user B. The data owner C. The data custodian D. The system administrator

B is the correct answer. Justification: A. The data user gains access based on justified business need and the approval of the data owner. B. The data owner is responsible for classifying data according to the enterprise's data classification scheme. The classification scheme then defines who is eligible to access the data and what controls are required. C. The data custodian is responsible for safe custody, transport and storage of data, including implementation of associated business rules. D. System administrators are considered data custodians because they ensure safe custody, transport and storage of data, including implementation of associated business rules.

Which of the following roles provides formal authorization on user access? A. Database administrator B. Data owner C. Process owner D. Data custodian

B is the correct answer. Justification: A. The database administrator is responsible for overall database maintenance, support and performance and may grant access to data within the database once the data owner has approved the access request. B. The data owner provides formal authorization to grant user access. C. The process owner is responsible for a specific business process. D. The data custodian is responsible for the safe custody, transport and storage of data and implementation of business rules, such as granting access to data, once the data owner has approved the access request.

Business continuity plans should be written and maintained by: A. the information security and information technology functions. B. representatives from all functional units. C. the risk management function. D. executive management.

B is the correct answer. Justification: A. The information security and information technology functions have primary responsibility for disaster recovery planning. However, business continuity plans represent business priorities that inform how IS/IT builds, tests and maintains disaster recovery plans. Therefore, business continuity plans should represent broader business objectives and stakeholders than those in IT/IS functions. B. Business continuity planning is an enterprisewide activity; it is only successful if all business owners collaborate in developing, testing and maintaining the plan. C. In many enterprises, risk management may oversee the business continuity program. However, risk management is not in the best position to write or maintain business portions of the plan. D. Executive management is responsible for assuring that appropriate planning is completed; the plan is viable; and that executive responsibility is understood, should the plan be executed.

An enterprise has outsourced personnel data processing to a supplier, and a regulatory violation occurs during processing. Who will be held legally responsible? A. The supplier, because it has the operational responsibility B. The enterprise, because it owns the data C. The enterprise and the supplier D. The supplier, because it did not comply with the contract

B is the correct answer. Justification: A. The supplier has operational responsibility pursuant to contractual terms, but the regulatory authority will hold the enterprise responsible. B. The enterprise retains responsibility for the management of, and adherence to, policies, procedures and regulatory requirements. If the supplier fails to provide appropriate controls and/or performance given contractual terms, the enterprise may have legal recourse. However, the regulatory authority will generally hold the enterprise responsible for failure to comply with regulations, including any penalties that may result. C. From the point of view of the regulatory authority the enterprise is legally responsible; in other words, the enterprise may face litigation and/or penalties for noncompliance with regulations. Supplier responsibilities are limited to the contractual terms with the enterprise. D. The supplier has operational responsibility pursuant to contractual terms, but the regulatory authority will hold the enterprise responsible.

The PRIMARY benefit of using a maturity model to assess the enterprise's data management process is that it: A. can be used for benchmarking. B. helps identify gaps. C. provides goals and objectives. D. enforces continuous improvement.

B is the correct answer. Justification: A. While maturity models can be used for benchmarking, the benchmarking is not a primary benefit. B. Maturity models can be used to help identify gaps between the current and the desired state to help enterprises determine necessary remediation efforts. C. While maturity models help determine goals and objectives, their primary value is to identify current as well as desired states. Understanding gaps between the two states can help define remedial action. D. Continuous improvement may not be the objective of an enterprise, particularly when the current maturity level meets its needs.

A procurement employee notices that new printer models offered by the vendor keep a copy of all printed documents on an internal hard disk. Considering the risk of unintentionally disclosing confidential data, the employee should: A. proceed with the order and configure printers to automatically wipe all data on disks after each print job. B. notify the security manager to conduct a risk assessment for the new equipment. C. seek another vendor that offers printers without built-in hard disk drives. D. procure printers with built-in hard disks and notify staff to wipe hard disks when decommissioning the printer.

B is the correct answer. Justification: A. Wiping hard disks after each job is not appropriate without a prior risk assessment. The data may be useful for forensic investigation; furthermore, the consumption of processing resources may affect printer performance. B. Risk assessment is most appropriate because it yields risk mitigation techniques that are appropriate for organizational risk context and appetite. C. Focusing solely on risk and ignoring opportunity are inappropriate. A risk associated with nonvolatile storage is not a sufficient reason for changing vendors. Default archiving of copies to the internal disk may be a general industry trend with printers; furthermore, it may bring business benefit in addition to the risk that should be evaluated. D. Notifying staff is not a sufficient control and does not mitigate risk associated with printers serviced by an external party.

Which of the following BEST enables a peer review of an enterprise's risk management process? A. A balanced scorecard B. An industry survey C. A capability maturity model D. A framework

C is the correct answer. Justification: A. A balanced scorecard is a coherent set of performance measures organized into four categories that include traditional financial measures, customer processes, internal business processes and learning and growth perspectives. B. An industry survey does provide a view of current practices. Because survey results are generally presented in an aggregated manner, they do not enable a peer review of an enterprise's risk management process. C. A capability maturity model describes essential elements and criteria for effective processes for one or more disciplines. It also outlines an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness. D. A framework is a set of concepts, assumptions and practices that define how a given discipline or function can be approached or understood; relationships among its various components; roles of those involved; and conceptual and organizational boundaries.

When assessing the capability of the risk management process, a regulatory body would place the GREATEST reliance on: A. a peer review. B. an internal review. C. an external review. D. a process capability review.

C is the correct answer. Justification: A. A peer review is a means to evaluate the work of another member of a team. The level of independence is not as high as that of an external review. B. An internal review may be subject to management influence and does not have the same level of independence as an external review. C. Regulatory entities generally use assessments performed by an objective and independent third party. Of the choices presented, an external review is the most objective and independent. D. A process capability review determines the capability of a process, such as the risk management process. However, the option does not indicate the level of independence and objectivity and is thus not the best option.

What is the FIRST step for a risk practitioner when an enterprise has decided to outsource all IT services and support to a third party? A. Validate that the internal systems of the service provider are secure. B. Enforce the regulations and standards associated with outsourcing data management for restrictions on transborder data flow. C. Ensure that security requirements are addressed in all contracts and agreements. D. Build a business case to perform an onsite audit of the third-party vendor.

C is the correct answer. Justification: A. A risk practitioner will rarely have access to validate the security of a third party, and must seek other assurances from an external audit or other standards. B. A risk practitioner can advise on risk associated with outsourcing and regulations but cannot enforce such rules. C. A contract only covers the topics listed in the contract. If security is not explicitly included in the contract terms, the enterprise may not be properly protected. D. Even though IT management has been outsourced, the enterprise that outsourced the service function remains responsible for protecting its data.

The MOST likely trigger for conducting a comprehensive risk assessment is changes to: A. the asset inventory. B. asset classification levels. C. the business environment. D. information security policies.

C is the correct answer. Justification: A. Adding and removing assets from the asset inventory is an ongoing process and will not generally trigger a risk assessment. B. Given the risk assessment, one can understand asset classification requirements, but the latter does not trigger comprehensive periodic risk assessment. C. Changes in the business environment, including new threats, vulnerabilities or changes to information asset deployment, will trigger comprehensive periodic risk assessment. Based on periodic risk assessment, policies may be modified. However, risk assessment is not necessarily performed because policy changes are made. D. Information security policies may change when a risk assessment indicates deficiencies at the level of security policies; however, changes to security policies do not trigger risk assessments.

Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the organization? A. An IT audit B. A security gap analysis C. A threat and vulnerability assessment D. An IT security assessment

C is the correct answer. Justification: A. An IT audit typically uses technical evaluation tools or assessment methodologies to enumerate risk. B. A security gap analysis typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios. C. A threat and vulnerability assessment typically evaluates all elements of a business process for threats and vulnerabilities and identifies the likelihood of occurrence and the business impact if the threats were realized. D. An IT security assessment typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios.

Which of the following should management use to allocate resources for risk response? A. Audit report findings B. Penetration test results C. Risk analysis results D. Vulnerability test results

C is the correct answer. Justification: A. An audit report provides recommendations and remediation areas. B. Penetration test results help identify vulnerabilities. C. Risk analysis results provide a basis for prioritizing risk responses and allocating resources. D. Vulnerability test results provide an enterprise with a list of known vulnerabilities for the systems that have been assessed. They do not take "control-in-depth" considerations into account and are not a meaningful tool for determining the allocation of risk response resources.

A lack of adequate controls represents: A. an impact. B. a risk indicator. C. a vulnerability. D. a threat.

C is the correct answer. Justification: A. Impact measures the financial loss posed by a threat. B. A risk indicator is a metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite. C. The lack of adequate controls represents a vulnerability, exposing sensitive processes and/or data to the possibility of malicious damage, attack or unauthorized access by hackers. Vulnerabilities can result in loss of sensitive information, financial loss, legal penalties, etc. D. A threat is a potential cause or actor behind an adverse incident.

Which of the following is the PRIMARY factor when deciding between conducting a quantitative or qualitative risk assessment? A. The corporate culture B. The amount of time available C. The availability of data D. The cost involved with risk assessment

C is the correct answer. Justification: A. Management will make decisions based on the risk assessment provided. If management makes decisions based only on financial values, then a quantitative risk analysis is appropriate. If the decision will be based on non-numerical values regarding conceptual elements, then a qualitative analysis is appropriate. B. The amount of time available may be a factor in deciding between a quantitative and qualitative analysis, but it is not the primary factor. C. The availability of data is the primary factor in deciding between a quantitative and qualitative risk analysis. Quantitative analysis provides benefit relative to the adequacy and availability of data. D. The cost involved with a risk assessment may be a factor in deciding between a quantitative and qualitative analysis, but it is not the primary factor.

Risk assessment techniques should be used by a risk practitioner to: A. maximize the return on investment. B. provide documentation for auditors and regulators. C. justify the selection of risk mitigation strategies. D. quantify the risk that would otherwise be subjective.

C is the correct answer. Justification: A. Maximizing the return on investment may be a key objective for implementing risk responses, but is not part of the risk assessment process. B. A risk assessment does not focus on auditors or regulators as primary recipients of the risk assessment documentation. However, risk assessment results may provide input into the audit process. C. A risk practitioner should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible. D. Risk assessment is generally high-level, whereas risk analysis can be either quantitative or qualitative, based on the needs of the organization.

When assessing the performance of a critical application server, the MOST reliable assessment results may be obtained from: A. activation of native database auditing. B. documentation of performance objectives. C. continuous monitoring. D. documentation of security modules.

C is the correct answer. Justification: A. Native database audit logs are a good detective control but do not provide information about the application server performance. B. Documentation of performance objectives is important but does not provide information about the application server performance. C. It is essential to obtain monitoring data in a consistent manner to achieve reliable results. Changing the monitoring methodology will likely yield discrepant data and defeat comparison of performance at discrete points in time. D. Documentation of associated security modules may be helpful but does not provide information about the application server performance.

Risk assessments should be repeated at regular intervals because: A. omissions in earlier assessments can be addressed. B. periodic assessments allow various methodologies. C. business threats are constantly changing. D. they help raise risk awareness among staff.

C is the correct answer. Justification: A. Omissions not found in earlier assessments do not necessarily justify regular reassessments. B. Unless the environment changes, risk assessments should be performed using the same methodologies. C. As business objectives and methods change, the nature and relevance of threats also change. D. There are better ways of raising security awareness than by performing a risk assessment, such as risk awareness training.

Risk assessments are MOST effective in a software development organization when they are performed: A. before system development begins. B. during system deployment. C. during each stage of the system development life cycle. D. before developing a business case.

C is the correct answer. Justification: A. Performing a risk assessment before system development does not reveal any of the vulnerabilities introduced during development. B. Performing a risk assessment at system deployment is not cost-effective. C. Performing risk assessments at each stage of the system development life cycle is most cost-effective because it tends to ensure that flaws are caught as soon as they become discoverable. D. Performing a risk assessment before developing a business case does not reveal any of the vulnerabilities found during the system development life cycle.

An internal assessment reveals that servers log only a couple dozen hardcoded individual transactions. The set of logged transactions does not meet regulatory requirements. The assessment also establishes that log entries are stored according to the first in, first out (FIFO) principle. Most files recycle in fewer than 24 hours. What is the MOST financially damaging vulnerability associated with the current logging practice? A. The log data stored recycles in fewer than 24 hours. B. The log files are stored on the originating servers. C. Transactions required by regulation may not be tracked. D. Transactions being logged are hardcoded.

C is the correct answer. Justification: A. Recycling logs in fewer than 24 hours can jeopardize root cause analysis but is generally not as damaging financially as failing to track regulation-related transactions properly. B. Backing up log files to the same server can have a significant impact. In the event of an incident, log files may be compromised. Additionally, privileged accounts can make changes and modify logged data. However, this practice is generally not as damaging financially as failing to track regulation-related transactions properly. C. The enterprise may be fined for failing to track regulation-related transactions properly. D. The scope of logged transactions is limited because only transactions explicitly defined for inclusion will be captured. Thus the majority of transactions are executed without leaving an audit trail.

Which of the following concepts of data validation is MOST likely to be of value to organizations reviewing transaction data for fraudulent activity? A. Reliability B. Duplicates C. Reasonableness D. Validity

C is the correct answer. Justification: A. Reliability considers the integrity of the data extracted from the system. While it is not impossible for criminal activity to result in changes to an IT system as a means of disguising activities, reviewing transactional data for reliability is not a primary means of fraud detection. Reliability is typically called into question only after fraudulent activity is discovered through other means. B. Duplicate transactions occur in IT systems and must be addressed. The presence of duplicates may be legitimate activity. Further checks are required to identify whether the duplicate transactions are a result of fraud. C. Reasonableness considers reliability, validity and duplicate transactions. It identifies values that are substantially different from the norm, and routes them for additional scrutiny. D. Validity involves matching data to definitions in a table layout. Extracted data that are invalid indicate a system problem but not necessarily fraud; nor is fraud generally correlated with invalid data. Further checks are required to identify whether invalid data is a result of fraud.

Senior management has defined the enterprise risk appetite as moderate. A business-critical application has been determined to pose a high risk. What is the NEXT action the risk practitioner should undertake? A. Remove the high-risk application and replace it with another system. B. Recommend management increases its acceptable risk level for the application. C. Assess the impact of planned controls to the application. D. Restrict access to the application only to trusted users.

C is the correct answer. Justification: A. Removing the application may lead to unacceptable downtime for a critical business function. B. Recommending an increase in acceptable risk level is not the task of the risk practitioner but the business owners and stakeholders. C. The risk practitioner should determine whether new controls to be implemented on the system may lower the risk from high to moderate or low before taking any further action. D. Restricting the access to trusted users may not mitigate the high risk that the application poses.

What is the ULTIMATE goal of risk aggregation? A. To prevent attacks from exploiting a combination of low-level types of risk that individually have not been properly mitigated B. To address the threat of an exploit that attacks a system through a series of individual attacks C. To ensure that the combined value of low-level risk is not overlooked in the risk management process D. To stop attackers from gaining low-level access and then escalating their attack through access aggregation

C is the correct answer. Justification: A. Risk aggregation is the process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise; it is not an assessment aimed specifically at exploit opportunities, even though a series or combination of types of low-level risk left unaddressed can provide an attacker a means to exploit one or more enterprise resources. B. An exploit using several different attacks in sequence to launch an attack is not an example of risk aggregation but of a chained exploit. C. Individual or singular, discrete, low-level incidents may have minimal impact, and considered independently, the risk remains relatively low. However, significant overall risk can accrue if several instances are aggregated to defeat risk controls. For example, one machine cannot flood a network, but many machines working together can. Likewise, illicit access to an individual record in a database is not generally considered a high risk; however, if multiple records are accessed and/or manipulated, an attacker may gather and/or compromise sufficient information to classify the incident at a higher level. D. Many attacks today start at a low level and then increase their capability as they move through the system. Such attacks are often facilitated through accounts with excessive levels of access. This is not an example of risk aggregation.

Which of the following risk management activities initially identifies critical business functions and key business risk? A. Risk monitoring B. Risk analysis C. Risk assessment D. Risk evaluation

C is the correct answer. Justification: A. Risk monitoring provides timely information on the actual status of risk in the enterprise. B. Risk analysis estimates the frequency and magnitude of IT risk scenarios. C. Risk assessment identifies and evaluates risk and its potential effects. It includes recognizing and assessing critical functions and processes necessary for an enterprise to continue operating, defines the controls in place to reduce exposure and evaluates the cost for such controls. D. Risk evaluation compares estimated risk against given risk criteria to determine the significance of the risk.

An enterprise is hiring a consultant to help determine the maturity level of the risk management program. The MOST important element of the request for proposal is the: A. sample deliverable. B. past experience of the engagement team. C. methodology used in the assessment. D. references from other organizations.

C is the correct answer. Justification: A. Sample deliverables only tell how the assessment is presented, not the process. B. Past experience of the engagement team is not as important as the methodology used. C. Methodology illustrates the consultant's process and offers a basis to align expectations with execution of the assessment. Methodology establishes requirements of all parties involved in the assessment. D. References from other organizations are important but not as important as the methodology used in the assessment.

Which of the following is MOST important during the quantitative risk analysis process? A. Statistical analysis B. Decision trees C. Expected monetary value D. Net present value

C is the correct answer. Justification: A. Statistical analysis may be used because it helps risk managers make better decisions under conditions of uncertainty. However, it is not the most important. B. Decision trees help determine the optimal course of action in complex situations with uncertain outcomes. C. Expected monetary value reflects the weighted average of probable outcomes. It represents the expected average payoff if you made a given decision, using the same payoffs and probabilities, an infinite number of times. D. Net present value is calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment.

Which of the following BEST describes the objective of a business impact analysis? A. The identification of threats, risk and vulnerabilities that can adversely affect the enterprise B. The development of procedures for initial response and stabilization during an emergency C. The identification of time-sensitive critical business functions and interdependencies D. The development of communication procedures in case of crisis

C is the correct answer. Justification: A. The identification of threats, risk and vulnerabilities is the objective of risk identification and analysis. B. The development of procedures for initial response and stabilization during an emergency is a key output of preparedness and response planning. C. Identification of time-sensitive critical business functions and interdependencies is a deliverable of the business impact analysis (BIA); the BIA includes metrics like recovery time objectives and recovery point objectives. D. Communication procedures are beneficial to every business process, including crisis management; however, they are not the main deliverable of the BIA and relate more closely to business continuity and disaster recovery planning.

How can a risk professional calculate the total impact to operations if hard drives supporting a critical financial system fail? A. Calculate the replacement cost for failed equipment and the time needed for service restoration. B. Gather the cost estimates from the finance department to determine the cost. C. Use quantitative and qualitative methods to measure the cumulative effects on all business areas. D. Review regulatory and contractual requirements to quantify liabilities.

C is the correct answer. Justification: A. The risk is not solely dependent on the IT-related costs of the failed equipment. The impact on the business must also be determined. B. Gathering cost estimates is a quantitative method of risk assessment and may not be a reflection of the total impact of the event if only the finance department's costs are taken into consideration. C. An event in one department may affect many areas of the enterprise, and the impact on all areas should be included in the risk calculation. Using quantitative and qualitative methods will provide the information required to assess the effects of the failure. D. The regulatory and contractual requirements must be included in the risk calculation, but they are not the only relevant factors.

Which automated monitoring technique in an application uses triggers to indicate a suspicious condition? A. Snapshots B. An integrated test facility C. Audit hooks D. Continuous and intermittent simulation

C is the correct answer. Justification: A. The snapshots technique takes a picture of system status to identify specific values or configuration settings. B. An integrated test facility feeds dummy transactions into the production flow and compares them to predetermined results. C. The audit hooks technique involves embedded hooks in the application that act as triggers if certain conditions are met. D. In continuous and intermittent simulation, data are monitored only if they meet certain criteria.

What is a PRIMARY advantage of performing a risk assessment on a consistent basis? A. It lowers the costs of assessing risk. B. It provides evidence of threats. C. It indicates trends in the risk profile. D. It eliminates the need for periodic audits.

C is the correct answer. Justification: A. There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not the main benefit. B. A risk assessment provides evidence of risk; however, it is not intended to provide evidence of threats. C. Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place. D. The performance of risk assessment on a consistent basis does not preclude the requirement to perform periodic independent audits.

The PRIMARY reason to have the risk management process reviewed by independent risk management professional(s) is to: A. validate cost-effective solutions for mitigating risk. B. validate control weaknesses detected by the internal team. C. assess the validity of the end-to-end process. D. assess that the risk profile and risk factors are properly defined.

C is the correct answer. Justification: A. This is not necessary because cost-effective solutions can be provided by the internal teams. B. The internal team can find weaknesses. It is not necessary to involve external risk professionals to validate the weaknesses as detected by the internal team. C. Because independent risk professionals are not affected by internal politics and other factors, they can provide an unbiased assessment on the validity of the end-to-end risk management process. D. The risk profile and risk factors are properly defined when the risk assessment process is performed correctly. An independent assessment may result in further improvements.

An asset's annual loss expectancy is calculated as the: A. exposure factor (EF) multiplied by the annualized rate of occurrence (ARO). B. single loss expectancy (SLE) multiplied by the EF. C. SLE multiplied by the ARO. D. asset value multiplied by the SLE.

C is the correct answer. Justification: A. This is not the correct formula to calculate annual loss expectancy (ALE). ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO), the number of times the enterprise expects the loss to occur. B. This is not the correct formula to calculate ALE. ALE is calculated by multiplying the SLE by the ARO, the number of times the enterprise expects the loss to occur. C. ALE is calculated by multiplying the SLE by the ARO (the number of times the enterprise expects the loss to occur). D. This is not the correct formula to calculate ALE. ALE is calculated by multiplying the SLE by the ARO (the number of times the enterprise expects the loss to occur).

Which of the following BEST estimates the likelihood of significant events affecting an enterprise? A. Threat analysis B. Cost-benefit analysis C. Scenario analysis D. Countermeasure analysis

C is the correct answer. Justification: A. Threat analysis does not provide sufficient information to estimate likelihood. While there may be a threat, many other factors, including existing controls, must be considered to determine the likelihood of a threat. B. Cost-benefit analysis is used in selecting controls and does not help estimate the likelihood of significant events. C. Scenario analysis along with vulnerability analysis best determines whether a particular risk is relevant to the enterprise and helps estimate the likelihood that significant events will affect the enterprise. D. Countermeasure analysis is used to assess controls that address specific attacks, sometimes while the attack is occurring. Countermeasure analysis does not help estimate the likelihood of significant events.

The use of a capability maturity model is based on: A. the training of staff to ensure consistent knowledge transfer. B. the development of new controls to replace aging or diminished controls. C. the application of standard, repeatable processes that can be measured. D. users developing new innovative solutions to problems.

C is the correct answer. Justification: A. Training staff involves the transfer of knowledge. Capability maturity models address the consistent application of procedures, not training. B. The use of a capability maturity model relies on consistently applied metrics, not the replacement of controls. C. The use of maturity models requires development, implementation and measuring of consistent procedures and activities. A maturity model contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness. D. Empowering users to develop new solutions applies to total quality management, while capability maturity models encourage the use of standard, repeatable procedures.

A process by which someone logs onto a web site, then receives a token via a short message service (SMS) message, is an example of what control type? A. Deterrent B. Directive C. Compensating D. Preventive

D is the correct answer. Justification: A. A deterrent control will discourage improper behavior but will not prevent it. B. A directive control guides behavior but will not prevent unauthorized access. C. A compensating control addresses a weakness in other controls, but the use of a token-based system will provide adequate control. D. The use of a token with a short message service (SMS) message will prevent unauthorized access to the system through two-factor authentication.

A risk assessment process that uses likelihood and impact in calculating the level of risk is a: A. qualitative process. B. failure modes and effects analysis. C. fault tree analysis. D. quantitative process.

D is the correct answer. Justification: A. A qualitative risk assessment process uses scenarios and ranking of risk levels in calculating the level of risk. B. A failure modes and effects analysis determines the extended impact of an adverse event on other systems or operational areas. C. A fault tree analysis risk assessment determines threats by considering all sources that threaten a business process. D. A quantitative risk assessment uses likelihood and impact to calculate the monetary value of risk.

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? A. Use an intrusion detection system. B. Establish minimum security baselines. C. Implement vendor recommended settings. D. Perform periodic penetration testing.

D is the correct answer. Justification: A. An intrusion detection system may detect an attempted attack, but it will not confirm whether the perimeter is secure. B. Minimum security baselines are beneficial, but they will not provide the level of assurance that is provided by penetration testing. C. Applying vendor recommended settings is beneficial, but it will not provide the level of assurance that is provided by penetration testing. D. Penetration testing is the best way to ensure that perimeter security is adequate.

Investments in risk management technologies should be based on: A. audit recommendations. B. vulnerability assessments. C. business climate. D. value analysis.

D is the correct answer. Justification: A. Basing decisions on audit recommendations is reactive in nature and may not comprehensively address the key business needs. B. Vulnerability assessments are useful, but they do not determine whether the cost is justified. C. Demonstrated value takes precedence over the current business climate because the climate is ever changing. D. Investments in risk management technologies should be based on a value analysis and sound business case.

Which of the following capability dimensions is MOST important when using a maturity model for assessing the risk management process? A. Effectiveness B. Efficiency C. Profitability D. Performance

D is the correct answer. Justification: A. Effectiveness is a subset of the performance capability criterion. B. Efficiency is a subset of the performance capability criterion. C. Profitability is generally not considered when using a capability maturity model for assessing the risk management process. D. The most important criterion when using a capability maturity model is performance. Performance is achieved when the implemented process fulfils its purpose; thus performance is the most important capability dimension when using a capability maturity model to assess the risk management process.

A company has been improving its organizational security and compliance program since the last security review was conducted one year ago. What should the company do to evaluate its current risk profile? A. Review previous findings and ensure that all issues have been resolved. B. Conduct follow-up audits in areas that were found deficient in the previous review. C. Monitor the results of the key risk indicators and use those to develop targeted assessments. D. Perform a new enterprise risk assessment using an independent expert.

D is the correct answer. Justification: A. Even though the findings of the previous test have been addressed, a new risk assessment would be the best way to indicate the effectiveness of the controls and uncover any new risk. B. Making changes in one area may cause inadvertent effects in other areas. Therefore, an enterprisewide risk assessment would be better than just testing the previous areas. C. Monitoring key risk indicators (KRIs) can indicate areas of emerging risk and unsatisfactory security levels, and this approach should drive individual tests during the year. However, KRIs are one of many tools used to determine the entire enterprise risk profile. One common mistake when implementing KRIs is selecting too many. D. The best way to ensure that an enterprise's security posture is still within compliance is to conduct another risk assessment. It has been a year, and a lot can change in a year. Using an independent expert can provide more objective results than using an internal person who would be testing his/her own work.

Because of its importance to the business, an enterprise wants to quickly implement a technical solution that deviates from the company's policies. The risk practitioner should: A. recommend against implementation because it violates the company's policies. B. recommend revision of the current policy. C. conduct a risk assessment and allow or disallow based on the outcome. D. recommend a risk assessment and subsequent implementation only if residual risk is accepted.

D is the correct answer. Justification: A. Every business decision is driven by cost and benefit considerations. A risk practitioner's contribution to the process is most likely a risk assessment, identifying both the risk and opportunities related to the proposed solution. B. A recommendation to revise the current policy should not be triggered by a single request without conducting a risk assessment. C. While a risk practitioner may conduct a risk assessment to enable a risk-aware business decision, it is management who will make the final decision. D. A risk assessment should be conducted to clarify the risk whenever the company's policies cannot be followed. The solution should only be implemented if the related risk is formally accepted by the business.

Which of the following BEST ensures the overall effectiveness of a risk management program? A. Obtaining feedback from all end users B. Assigning a dedicated risk manager to run the program C. Applying quantitative risk methodologies D. Participating relevant stakeholders

D is the correct answer. Justification: A. It is generally not feasible to obtain feedback from all end users even though theoretically such comprehensive feedback would give the most complete view of an enterprise's risk universe. Each employee has a unique perspective on a given subset of processes. Comprehensive employee feedback would therefore require extensive review and integration to produce a coherent assessment. B. Assigning a dedicated risk manager, such as a program manager, is a good option but is less effective without stakeholder involvement. C. Either methodology can be selected to create an effective risk management process. Selection of a quantitative or qualitative risk assessment methodology depends on the needs of the organization. D. Without participation from stakeholders of the enterprise, including active supervision and risk monitoring, the risk management program will be ineffective because stakeholders are the critical party responsible for risk-related decisions. Stakeholders directly or indirectly determine the risk response.

Which of the following is MOST beneficial to improvement of an enterprise's risk management process? A. Key risk indicators B. External benchmarking C. The latest risk assessment D. A maturity model

D is the correct answer. Justification: A. Key risk indicators are metrics that help monitor risk over time; they may be used to identify trends but do not help define the desired state of the enterprise like a maturity model and thus are not the best option. B. External benchmarking helps determine how other similar enterprises manage risk, but it does not help define the desired state of the enterprise in the way maturity models do. Thus it is not the best option. C. The latest risk assessment will be an input into the risk management process improvement effort. However, the risk assessment does not help define a desired state of the enterprise like a maturity model; thus it is not the best option. D. A maturity model helps identify the status quo as well as the desired state and, thus, is most helpful when an enterprise desires to improve a business process, such as risk management.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an IT manager. The manager should FIRST: A. meet with stakeholders to decide how to comply. B. analyze the key risk in the compliance process. C. update the existing security/privacy policy. D. assess whether existing controls meet the regulation.

D is the correct answer. Justification: A. Meeting with stakeholders is subsequent to understanding the impact and requirements and performing a gap assessment. B. Analyzing the key risk in the compliance process is subsequent to understanding the impact and requirements and performing a gap assessment. C. Updating the existing security/privacy policy is subsequent to understanding the impact and requirements and performing a gap assessment. D. The first step is to understand the impact and requirements of the new regulation, which includes assessing how the enterprise will comply with the regulation and to what extent existing controls support compliance. The risk practitioner should then assess any existing gaps.

Which of the following approaches BEST helps an enterprise achieve risk-based organizational objectives? A. Ensure that asset owners perform annual risk assessments. B. Review and update the risk register regularly. C. Assign a steering committee to the risk management process. D. Embed risk management activities into business processes.

D is the correct answer. Justification: A. Performing a risk assessment does not achieve risk-based organizational objectives. B. Maintaining a risk register may be good for identifying issues but does not achieve risk-based organizational objectives. C. Assigning a steering committee to the risk management process will aid in alignment; however, it will not be as effective as embedding risk management activities into business processes. D. The primary objective of embedding risk management activities into business processes is to achieve risk-based organizational objectives in the most effective manner possible.

Which of the following is the BEST reason to perform a risk assessment? A. To satisfy regulatory requirements B. To budget appropriately for needed controls C. To analyze the effect on the business D. To help determine the current state of risk

D is the correct answer. Justification: A. Performing a risk assessment may satisfy regulatory requirements but is not the reason to perform a risk assessment. B. Budgeting may improve but is not the reason to perform a risk assessment. C. Analyzing the effect on the business is part of the process, but understanding the current state of risk will better inform how those effects impact the business and what responses would be appropriate to take, if any. D. The risk assessment is used to identify and evaluate the impact of failure on critical business processes (and IT components supporting them) and to determine time frames, priorities, resources and interdependencies. It is part of the process to help determine the current state of risk and helps determine risk countermeasures in alignment with business objectives.

Which of the following BEST assists in the development of the risk profile? A. The presence of preventive and detective controls B. Inherent risk and detection risk C. Cost-benefit analysis of controls D. Likelihood and impact of risk

D is the correct answer. Justification: A. Preventive and detective controls by themselves do not help in the development of the risk profile. B. Inherent risk and detection risk are components of the total risk and by themselves do not help in developing the risk profile. Inherent risk reflects risk level or exposure without accounting for actions that management has taken or might take (e.g., implementing controls). Detection risk reflects risk that material errors or misstatements have occurred and will not be detected by the IS auditor. C. Cost-benefit analysis of controls helps in selecting controls for a given risk, but not in development of the risk profile itself. D. Likelihood and impact of risk help in the development of the risk profile.

Which type of risk assessment method involves conducting interviews and using anonymous questionnaires by subject matter experts? A. Quantitative B. Probabilistic C. Deterministic D. Qualitative

D is the correct answer. Justification: A. Quantitative risk assessments use a mathematical calculation based on security metrics on the asset (system or application). B. Probabilistic risk assessments use a mathematical model to construct the qualitative risk assessment approach while using the quantitative risk assessment techniques and principles. C. Deterministic methods use point estimates which are often (but not necessarily always) worst-case estimates. D. Qualitative risk assessment methods include interviewing and the Delphi method described in the question stem.

A MAJOR risk of single sign-on is that it: A. uses complex technologies for password management. B. may potentially bypass the enterprise firewall. C. is prone to distributed denial-of-service attacks. D. may be a potential single point of compromise.

D is the correct answer. Justification: A. Single sign-on (SSO) technologies have built-in routines for password management; once the application is configured, it is generally easy to manage by qualified personnel. B. SSO deployments do not bypass an enterprise firewall; they generally involve a server that talks to each user's system, and if the system is outside the network, specific firewall ports will be configured to allow inbound and outbound traffic. C. SSO in itself is not prone to distributed denial-of-service attacks; it enforces access to multiple applications and devices using a single username and password. If properly hardened, an SSO server will ensure that security attacks at the operating system or systemic level are controlled. D. Because SSO uses a single username and password for access to multiple systems, loss or disclosure of this single username and password may compromise a broad range of systems.

An enterprise's corporate policy specifies that servers log only access requests, including whether the request fails or succeeds. What is the PRIMARY risk to the enterprise? A. The source Internet Protocol (IP) address is not logged. B. The destination IP address is not logged. C. Login information can be lost if the data are not automatically moved to secondary storage. D. The details of what commands were executed are missing.

D is the correct answer. Justification: A. Source Internet Protocol (IP) addresses are logged for failed and successful access requests. B. The destination IP address is already known. C. While servers have limited storage, backups are generally stored according to the first in, first out (FIFO) principle. Therefore, unless secondary storage is available to house these data in a timely fashion, logging information can be lost. This is a risk, but not a primary one. D. Login statistics alone do not provide adequate forensic information. Logs need to record all executed commands and transactions. Otherwise, illicit activity cannot be tracked to the full extent, should a malicious party gain access successfully.

Which of the following is MOST useful when computing annual loss exposure? A. The cost of existing controls B. The number of vulnerabilities C. The net present value of the asset D. The business value of the asset

D is the correct answer. Justification: A. The cost of existing controls is not taken into consideration for calculation of the annual loss exposure. B. The number of vulnerabilities does not help determine the annual loss exposure. C. Net present value is based on asset depreciation value and is a difficult basis for annual loss exposure because it may not reflect the true risk associated with the asset. D. Annual loss exposure is a function of the value of the information asset and the impact if a given potential risk materializes. Annual loss exposure should be identified primarily to determine exposure associated with other answer choices in the question stem.

Which of the following roles is responsible for evaluating the effectiveness of existing internal information security controls within an enterprise? A. The data owner B. Senior management C. End users D. The system auditor

D is the correct answer. Justification: A. The data owner defines the business requirements for internal information security controls. B. Senior management is responsible for ensuring that existing internal information security controls are effective. C. End users are not responsible for evaluating the effectiveness of existing internal information security controls. D. The system auditor is responsible for providing continuous feedback to senior management about the effectiveness of internal controls within the enterprise. This is part of the system auditor's normal routine responsibilities.

Which of the following is the GREATEST challenge of performing a quantitative risk analysis? A. Obtaining accurate figures on the impact of a realized threat B. Obtaining accurate figures on the value of assets C. Calculating the annual loss expectancy of a specific threat D. Obtaining accurate figures on the frequency of specific threats

D is the correct answer. Justification: A. The impact of a threat can be determined based on the type of threat that occurs. B. The value of an asset should be easy to ascertain. C. Annual loss expectancy will not be difficult to calculate if you know the correct frequency of threat occurrence. D. It can be challenging to obtain an accurate figure representing the frequency of threat occurrence.

Which of the following objectives is the PRIMARY reason that risk professionals conduct risk assessments? A. To maintain the enterprise's risk register B. To enable management to choose the right risk response C. To provide assurance on the risk management process D. To identify risk with the highest business impact

D is the correct answer. Justification: A. The maintenance of the risk register is part of the ongoing risk assessment process. B. Management chooses the right risk response strategy based on risk analysis. A risk assessment itself is not sufficient to make educated risk response decisions. C. Assurance on risk management is not the main reason risk assessment is performed by the risk professional. D. A risk assessment is the process used to identify risk and develop risk scenarios to determine how specific threats may adversely affect the business.

The MOST effective method to conduct a risk assessment on an internal system in an organization is to start by understanding the: A. performance metrics and indicators. B. policies and standards. C. recent audit findings and recommendations. D. system and its subsystems.

D is the correct answer. Justification: A. The person performing the risk assessment should already understand the performance metrics and indicators. B. The person performing the risk assessment should already understand the policies and standards of the organization. C. Recent audit findings and recommendations could be useful but are not as important as understanding the system. D. To conduct a proper risk assessment, the risk practitioner must understand the system, subsystems and how they work. This knowledge provides the basis for understanding how policies and standards are applied within the system and subsystems, process-specific risk, existing interdependencies and performance indicators.

While prioritizing the risk for treatment, the IT risk practitioner should PRIMARILY consider the: A. risk impact. B. risk appetite. C. risk exposure. D. risk rating.

D is the correct answer. Justification: A. The risk impact is only one component of the risk assessment and prioritization process. A high-impact event may have a low likelihood, thus resulting in a low risk rating. B. The risk appetite is only one component of the risk assessment and prioritization process. Risk should be quantified to determine if it falls within the organization's risk appetite; therefore, the risk rating is needed. C. The risk exposure is only one component of the risk assessment and prioritization process. It may or may not be able to be quantified at the time of prioritization. D. The risk rating quantifies the risk by providing a ranking (for example, high, medium, low) that can be used to prioritize treatment.

During an internal risk assessment in a global enterprise, a risk manager notes that local management has proactively mitigated some of the high-level risk related to the global purchasing process. This means that: A. the local management is now responsible for the risk. B. the risk owner is the corporate chief risk officer. C. the risk owner is the local purchasing manager. D. corporate management remains responsible for the risk.

D is the correct answer. Justification: A. While the local management has mitigated the risk, corporate management remains responsible for the risk. B. The corporate chief risk officer is responsible for the corporate risk management program, yet does not own the risk related to the global purchasing process. C. The risk owner is the global purchasing manager. D. Corporate management remains responsible for the risk, even when the risk response is executed at a lower organizational level.

Question 47 has an image

check 47 in book

