Risk Mgt.
When doing an IT risk assessment, such as the NIST 800-30, what is the first step? a. determination b. prioritization c. identification
C. Identification
Why do IT risk owners like the Minimum Viable approach to mitigating risk? a. It greatly increases the number of risk treatment options. b. It overcomes the inability to explain the impact of the risk using ordinary business language. c. It provides just enough capability to reduce the risk while minimizing implementation and operations costs.
It provides just enough capability to reduce the risk while minimizing implementation and operations costs.
Why is it difficult for an organization's risk tolerance to be quantified and managed using money as the primary measurement? a. No one knows how to quantify residual risk. b. This is actually very easy, but most people are just too lazy to do it. c. The currency fluctuations for large organizations makes it impractical. d. This requires significant effort and specialized skills, which makes the risk management seem unaffordable or impractical to many senior decision makers.
This requires significant effort and specialized skills, which makes the risk management seem unaffordable or impractical to many senior decision makers.
After implementing mitigations to reduce natural or inherent risks to an asset, what remains? a. residual risk b. operational risk c. risk threshold d. liquidity risk
a. residual risk
Which option is not an example of a general IT threat? a. spear phishing b. natural disasters c. power loss d. human error
a. spear phishing
What are components of an IT risk? a. threat and vulnerability b. cost and access c. revenue and mitigation d. integrity and maintenance
a. threat and vulnerability
Why do most people start automating their IT risk management work with good, old fashioned spreadsheets? a. A spreadsheet-based approach provides workflow automation by default. b. A spreadsheet-based approach gives you the freedom to rapidly prototype different workflows, reports, and data visualizations c. People actually don't do this, because dedicated GRC tools are inexpensive. d. People actually don't do this, because learning how to use a dedicated GRC tool is easy.
b. A spreadsheet-based approach gives you the freedom to rapidly prototype different workflows, reports, and data visualizations
Why is it important to understand that there will always be some IT risk in the big things that you do at work? a. Most IT risks can't be controlled. b. Only by taking risk will you have enough opportunity to earn profits or to make the world a better place. c. It is not important, because you can make all IT risks trivial with just a little effort. d. IT risk management techniques are too sophisticated and complex to be useful in reducing IT risk.
b. Only by taking risk will you have enough opportunity to earn profits or to make the world a better place.
If risks are not avoided, controlled, or transferred, what happens to the risks by default? a. They are not considered risks. b. They are accepted. c. They are outsourced
b. They are accepted.
The term "IT risk management market" is more commonly referred to as _____. a. the Electronics, Industry, and Alliance (EIA) tools b. the Governance, Risk, and Compliance (GRC) tools c. the Confidentiality, Integrity, and Availability (CIA) tools
b. the Governance, Risk, and Compliance (GRC) tools
Who usually decides how to treat an IT risk once the treatment options are determined? a. the internal audit team b. the asset's owners c. the compliance team d. the control operator
b. the asset's owners
Which is not one of the four basic IT risk management techniques as described by the acronym ACAT? a. Control b. Accept c. Confirm d. Transfer
c. Confirm
If you suggest that your customer should control the risk as their risk treatment option, what will you also need to suggest? a. operation costs b. one or more mitigations c. one or more aggravating factors
c. one or more aggravating factors
Which term means "knowing how much risk the organization is comfortable assuming"? a. IT risk b. insurance c. risk appetite d. unexpected damage
c. risk appetite
The risk register is not a useful tool for which purpose? a. to stimulate cross-functional debate and cooperation b. to have a single place to write down all of the IT risks that you find c. to ensure that no one forgets what IT risks have been discovered d. to help prove that you're meeting your organization's legal standard of due care
c. to ensure that no one forgets what IT risks have been discovered
According to the NIST SP 800-39, what is the second step in the four-step risk management process? a. Respond to the risk. b. Monitor your risk. c. Understand your risk context. d. Assess your risk.
d. Assess your risk.
Why is it important to measure IT risk early in the systems development lifecycle, or SDLC? a. It's not. You'll have more success by measuring later in the SDLC. b. It will help you know in which region to locate your redundant servers. c. It will help you know in which region to locate your redundant servers. d. IT risks are almost always cheaper to mitigate before you begin developing the system or enhancement, rather than once the system goes live.
d. IT risks are almost always cheaper to mitigate before you begin developing the system or enhancement, rather than once the system goes live.
Why can it be difficult for small and medium-sized organizations to use the standard risk assessment technique? a. Small and medium-sized organizations lack cybersecurity requirements in their outsourcing contracts. b. Groupthink affects the technique. c. The overconfidence bias affects the technique. d. The technique was designed assuming you'd have the resources of a very large organization.
d. The technique was designed assuming you'd have the resources of a very large organization.
An organization is willing to be eager and innovative, and also take greater risks to achieve higher rewards. Which type of IT risk appetite does the organization most likely have? a. minimal b. Cautious c. open d. hungry
d. hungry
In the world of IT risk management, the first line of defense is Asset Owners. What is their main duty? a. to follow the procedures every time the control needs to be used b. to know the laws, regulations, and best practices for dealing with well-known risks c. to decide how to treat an IT risk once the treatment options are determined d. to periodically test controls to make sure they are operating effectively
to decide how to treat an IT risk once the treatment options are determined
