CISM - Risk management & Response
B is the correct answer. Justification Upgrading the system is likely to be a costly option and is a management issue. It is a business decision how management wants to deal with the problem, not directly a security issue. Conflicts of this nature are best addressed by management. Given that management has set the requirement, it is unlikely that going back to a manual entry control system will be acceptable. Increasing compliance efforts does not address the underlying issue. Regardless, such a choice should be made by management.
A company has installed biometric fingerprint scanners at all entrances in response to a management requirement for better access control. Due to the large number of employees coupled with a slow system response, it takes a substantial amount of time for all workers to gain access to the building and workers are increasingly piggybacking. What is the BEST course of action for the information security manager to address this issue? Replace the system for better response time. Escalate the issue to management. Revert to manual entry control procedures. Increase compliance enforcement.
D is the correct answer. Justification A cost-benefit analysis does not define budget constraints; the board of directors or senior management of the organization will do that based on a variety of factors. The purpose of the analysis is not to show that due diligence was performed, but to establish a result that will show the cost of the control and the reduction in risk. A cost-benefit analysis does not help verify that the cost of a control is within the security budget; it may, however, help identify controls that require additional expenses that exceed the established security budget. Senior management can weigh the cost of the risk against the cost of the control and show that the control will reduce that risk by some measure.
A cost-benefit analysis is performed on any proposed control to: define budget limitations. demonstrate due diligence to the budget committee. verify that the cost of implementing the control is within the security budget. demonstrate the costs are justified by the reduction in risk.
D is the correct answer. Justification Performing a risk assessment does not ensure mitigation as a part of the business process. Maintaining a risk register may be good for identifying issues, but does not mitigate risk. Centralizing risk management under a steering committee is less effective than integrating it into each business process. The primary objective of the risk management process is that risk is identified, assessed, communicated and addressed. This objective is most effective by embedding risk management activities in business processes, e.g., change management, incident response, new product design, sales campaign, etc.
A risk management process is MOST effective in achieving organizational objectives if: asset owners perform risk assessments. the risk register is updated regularly. the process is overseen by a steering committee. risk activities are embedded in business processes.
B is the correct answer. Justification While customer awareness helps mitigate risk, this is insufficient on its own to control fraud risk. Implementing monitoring techniques, which will detect and deal with potential fraud cases, is the most effective way to deal with this risk. If the bank outsources its processing, the bank still retains liability. While it is an unlikely possibility to make the customer liable for losses, the bank needs to be proactive in managing risk.
After a risk assessment study, a bank with global operations decided to continue conducting business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to: increase its customer awareness efforts in those regions. implement monitoring techniques to detect and react to potential fraud. outsource credit card processing to a third party. make the customer liable for losses if they fail to follow the bank's advice.
B is the correct answer. Justification Senior management will have to ensure that the business manager has a clear understanding of the risk assessed, but it will not be in a position to decide on specific controls. The business manager will be in the best position, based on the risk assessment and mitigation proposals, to decide which controls should/could be implemented, in line with the business strategy and with budget. The IT audit manager will take part in the process to identify threats and vulnerabilities and make recommendations for mitigations. The information security officer could make some decisions regarding implementation of controls. However, the business manager will have a broader business view and better understanding of control impact on the business goals and, therefore, will be in a better position to make strategic decisions.
After completing a full IT risk assessment, who is in the BEST position to decide which mitigating controls should be implemented? Senior management The business manager The IT audit manager The information security officer
C is the correct answer. Justification While minimizing risk is generally preferable, doing so beyond what is acceptable is likely too costly and counterproductive. The risk tolerance triggers the risk response; however, it does not define the actual treatment method. Control objectives will have been determined based on acceptable risk, and the least costly or most efficient approach to achieving them will be the most appropriate. Mitigation is just one treatment option and may not be the most appropriate.
An appropriate risk treatment method is: the method that minimizes risk to the greatest extent. based on the organization's risk tolerance. an efficient approach to achieve control objectives. the method that maximizes risk mitigation.
B is the correct answer. Justification Reducing risk to zero is impossible, and the attempt would be cost prohibitive. An effective risk management program reduces the risk to an acceptable level; this is achieved by reducing the probability of a loss event through preventive measures as well as reducing the impact of a loss event through corrective measures. Tying risk to a percentage of revenue is inadvisable because there is no direct correlation between the two. Reducing the probability of risk occurrence may not always be possible, as in the case of natural disasters.
An effective risk management program should reduce risk to: zero. an acceptable level. an acceptable percent of revenue. an acceptable probability of occurrence.
C is the correct answer. Justification Unimportant information may require less protection, but it is unlikely that it should be totally unprotected because it may provide an avenue into the rest of the network. It is unlikely that hardening a server will render it incapable of performing required tasks. If the second server has no exposure, there is no probability that a compromise can occur. Monitoring may indicate when an attack occurs, but will not preclude an attack.
An information security manager has two identical servers in the network subject to a viable threat, but decides to harden only one of them. The MOST likely reason for this choice is that the second server: handles only unimportant information. will be unable to perform required tasks. is placed such that it has no exposure. has constant monitoring that precludes attack.
A is the correct answer. Justification Residual risk is the remaining risk after management has implemented a risk response. Because residual risk will always be too high, the only practical solution is to mitigate the financial impact by purchasing insurance. Purchasing insurance is also known as risk transfer. For each of the other options, the organization has determined the residual risk will always be too high and chosen to transfer the risk, so there is no need to attempt further mitigation.
An online banking institution is concerned that the breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to: mitigate the impact by purchasing insurance. implement a circuit-level firewall to protect the network. increase the resiliency of security measures in place. implement a real-time intrusion detection system.
A is the correct answer. Justification If the compartmentalization of the vulnerability results in the organization having no exposure, then there is no risk. Prevention is a more prudent approach to dealing with major threats than even the most capable incident response. Compensating controls are a less desirable approach to addressing a major threat than preventive remediation of its corresponding vulnerability. Distance is an inadequate barrier to compromise in the context of information systems.
An organization has identified a major threat to which it is vulnerable. Which of the following choices is the BEST reason why information security management would not be concerned with preventive remediation under these circumstances? The vulnerability is compartmentalized. Incident response procedures are in place. Compensating controls exist if there is any impact. The identified threat has only been found on another continent.
B is the correct answer. Justification The risk acceptance level is the level of risk the organization is willing to accept. This does not measure the effectiveness of the controls. Risk controls are adequate once the residual risk is less than or equal to acceptable risk. Risk avoidance is ceasing the activity associated with the risk, not the implementation of controls. Annual loss expectancy justifies the amount that can be spent on risk mitigation but does not indicate whether the controls are adequate.
An organization has implemented several risk mitigation strategies to reduce an identified risk. The risk control measures are sufficient when: the risk acceptance level is less than or equal to the total risk level. the residual risk is less than or equal to the risk acceptance level. risk avoidance is justified by cost-benefit analysis. risk mitigation is equal to annual loss expectancy.
B is the correct answer. Justification The indemnity clause would not reduce the likelihood of an incident. An indemnity clause is a compensating control that serves to reduce impact if the provider causes financial loss. An indemnity clause is generally not a regulatory requirement. An indemnity clause may provide an incentive to perform, but will not ensure it.
An organization is MOST likely to include an indemnity clause in a service level agreement because an indemnity clause: reduces the likelihood of an incident. limits impact to the organization. is a regulatory requirement. ensures performance.
C is the correct answer. Justification Analyses are predictive, so differences between the organizations will not affect adequacy in the event of recovery. Organizations must collaborate on frequency of testing to ensure that each meets its needs. However, such agreements are generally established when arranging reciprocity and do not constitute ongoing risk. If organizations have dissimilar infrastructure or lack capacity, it may be difficult to implement recovery. Differences in security policies and procedures are generally addressed when establishing reciprocity and can be managed over time through monitoring and reporting.
An organization is considering a reciprocal arrangement with a similar organization as a recovery option. Which of the following is the GREATEST risk associated with a reciprocal arrangement? Variations between the risk and impact assessments Frequency of testing of the recovery and continuity plans Similarities in infrastructure and capacity Differences in security policies and procedures
C is the correct answer. Justification Even if the threat of compromise is high, the impact may be low; the best basis to determine where to implement the most protection is the risk to the specific element. While it may seem that availability is the most important, if the system is down, there is no access to the data; there are many cases in which the standard business processes can continue, even if the system is down, but stringent controls must be maintained around confidentiality and integrity of information. The level of control should be based on the risk to the specific element. The probability of compromise and the impact on the organization are combined to determine which element requires the greatest protection with emphasis on impact. It is very unlikely that all elements of the confidentiality, integrity or availability triad require equal levels of protection.
As part of system development, how should an organization determine which element of the confidentiality, integrity and availability triad requires the MOST protection? It should be based on the threat to each of the elements. Availability is most important. It should be based on the risk to each of the elements. All elements are equally important.
B is the correct answer. Justification Even the most effective incident response plan is unlikely to reduce exposure as effectively as reducing the attack surface. The attack surface determines the extent of exposure. Reducing the attack surface by limiting entry points, ports and protocols and taking other precautions reduces the exposure. Compartmentalization may limit the degree to which impact sustained by one customer results in increased vulnerability or impact for another customer, but the per-customer exposure would not be affected. Compensating controls are appropriate in cases where existing controls are incapable of reducing risk to acceptable levels, but reducing the attack surface will be more effective under circumstances where it is technically feasible.
Assuming all options are technically feasible, which of the following would be the MOST effective approach for the information security manager to address excessive exposure of a critical customer-facing server? Develop an incident response plan Reduce the attack surface Initiate compartmentalization Implement compensating controls
A is the correct answer. Justification Risk should be addressed as early in the development of a new application system as possible. The projected risk associated with a new system may make it not feasible. In some cases, identified risk could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design phase is not the best solution. The development phase is too late in the system development life cycle (SDLC) for effective risk mitigation. Waiting to assess risk until testing can result in having to start over on the project.
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system? Feasibility Design Development Testing
B is the correct answer. Justification Threats and vulnerabilities are the measure of risk, but without knowing potential impact, the most cost-effective treatment options will not be clear. Probability of compromise coupled with the likely impact will be the most important considerations for selecting treatment options. Vulnerabilities and the cost to remediate without considering impact do not provide enough information to make the best treatment selection. Exposure of assets will modify the effective risk by affecting the likelihood that a vulnerability will be exploited, but is also insufficient information to choose the best treatment option. Operational risk is only one part of overall risk.
Faced with numerous risk scenarios, the prioritization of treatment options will be MOST effective if based on the: existence of identified threats and vulnerabilities. likelihood of compromise and subsequent impact. results of vulnerability scans and remediation cost. exposure of corporate assets and operational risk.
D is the correct answer. Justification The level of uncertainty is not directly related to the degree of homogeneity. Without proper consideration of a possible collective impact, actual consequences of compromise may not be apparent. Single points of failure are always a consideration, but are not related to the degree of homogeneity. Cascading risk is not a function of homogeneity, but of how closely systems are coupled. A homogenous network of the same devices is subject to compromise from a common threat vector that, while possibly acceptable in a single device, can create an unacceptable or catastrophic impact in the aggregate (collectively).
From an information security perspective, which of the following poses the MOST important impact concern in a homogenous network? Increased uncertainty Single points of failure Cascading risk Aggregated risk
B is the correct answer. Justification Using a deterrent control will have only a limited effect on the possibility of compromise. Reducing exposure reduces the probability that a risk can be exploited. Using a compensating control will serve to limit impact, but do nothing to prevent exploitation. Reassessing risk may provide a clearer picture of the risk, but does nothing to reduce exploitation.
If a defined threat needs to be addressed and a preventive control is not feasible, the next BEST option is to do which of the following activities? Use a deterrent control. Reduce exposure. Use a compensating control. Reassess the risk.
C is the correct answer. Justification Only after data are determined critical to the organization can a data leak prevention program be properly implemented. User awareness training can be helpful but only after data have been classified. Information classification must be conducted first. Network intrusion detection is a technology that can support the data leak prevention program, but it is not a primary consideration.
In controlling information leakage, management should FIRST establish: a data leak prevention program. user awareness training. an information classification process. a network intrusion detection system.
B is the correct answer. Justification Platform security is usually the responsibility of the information security manager. Data owners are responsible for assigning user entitlements and approving access to the systems for which they are responsible. Intrusion detection is the responsibility of the information security manager. Antivirus controls are the responsibility of the information security manager.
In which of the following areas are data owners PRIMARILY responsible for establishing risk mitigation? Platform security Entitlement changes Intrusion detection Antivirus controls
D is the correct answer. Justification Assessment would not be relevant in the programming phase. Risk should also be considered in the specification phase, where the controls are designed, but this would still be based on the assessment carried out in the feasibility study. Assessment would not be relevant in the user testing phase. Risk should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds.
In which phase of the development process should risk assessment be FIRST introduced? Programming Specification User testing Feasibility
C is the correct answer. Justification Transfer of the risk is a step that might be taken after initial validation occurs. Acquiring insurance is a step taken after initial validation occurs. After residual risk has been determined, the next step should be to validate that the risk is acceptable (or not) and within the enterprise's risk tolerance. Formally documenting and accepting the residual risk is a step taken after initial validation occurs.
Once residual risk has been determined, the enterprise should NEXT: transfer the remaining risk to a third party. acquire insurance against the effects of the residual risk. validate that the residual risk is acceptable. formally document and accept the residual risk.
D is the correct answer. Justification Although indemnification clauses are intended to deflect liability, the legal consequences associated with compromises in information security cannot be fully transferred. The cost-effectiveness of various forms of risk transfer depends on many factors, such as the scope of operations, limits of liability, specialized knowledge that may be required for implementation and criteria for indemnification. Clients deal directly with the organization, not its supply chain. Outsourcing generally has no effect on reputational risk, which remains associated with the organization's own brand regardless of outsourcing arrangements or indemnification clauses. Indemnification clauses can transfer operational risk and financial impacts associated with that risk; however, legal responsibility for the consequences of compromise generally remains with the original entity.
Outsourcing combined with indemnification: reduces legal responsibility but leaves financial risk relatively unchanged. is more cost-effective as a means of risk transfer than purchasing insurance. eliminates the reputational risk present when operations remain in-house. reduces financial risk but leaves legal responsibility generally unchanged.
D is the correct answer. Justification Security monitoring software is generally incapable of detecting a phishing attack. Encryption would not mitigate this threat. Two-factor authentication would not mitigate this threat. Phishing is a type of email attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. It can best be mitigated by appropriate user awareness.
Phishing is BEST mitigated by which of the following? Security monitoring software Encryption Two-factor authentication User awareness
C is the correct answer. Justification Surveying management typically yields widely varying perspectives on acceptable risk. The amount spent on security is an indicator, but does not quantify acceptable levels of risk. The amount of business interruption insurance carried, compared with its cost, provides a directly quantifiable level of risk that the organization will accept and at what cost. The history of incidents will show what risk was not addressed and elicit comments about acceptability, but will not indicate what the organization is willing to spend on mitigation.
Quantifying the level of acceptable risk can BEST be indicated by which of the following choices? Surveying business process owners and senior managers Determining the percentage of the IT budget allocated to security Determining the ratio of business interruption insurance to its cost Determining the number and severity of incidents impacting the organization
B is the correct answer. Justification The impact of a successful exploit will not change. Reducing exposure reduces the likelihood of a vulnerability being exploited. The vulnerabilities of the asset will not change because exposure is reduced. The recovery time is not affected by a reduction in exposure.
Reducing exposure of a critical asset is an effective mitigation measure because it reduces: the impact of a compromise. the likelihood of being exploited. the vulnerability of the asset. the time needed for recovery.
B is the correct answer. Justification Risk assessment includes identification and analysis to determine the likelihood and potential consequences of a compromise; it is not the stage at which risk is considered for acceptance or selected for mitigation. Acceptance belongs to risk treatment: if a risk is found unacceptable after evaluation, its acceptability is determined again after mitigation efforts. Risk identification is the part of assessment in which viable risk is identified by developing a series of potential risk scenarios. Monitoring is unrelated to risk acceptance.
Risk acceptance is a component of which of the following? Risk assessment Risk treatment Risk identification Risk monitoring
D is the correct answer. Justification A risk assessment performed before system development will not find vulnerabilities introduced during development. Performing a risk assessment at system deployment is generally not cost-effective and can miss a key risk. If performed prior to business case development, a risk assessment will not discover risk introduced during the SDLC. Performing risk assessments at each stage of the SDLC is the most cost-effective method because it ensures that vulnerabilities are discovered as soon as possible.
Security risk assessments are MOST cost-effective to a software development organization when they are performed: before system development begins. at system deployment. before developing a business case. at each stage of the software development life cycle.
B is the correct answer. Justification An impact analysis is used to determine potential impact in the event of the loss of a resource. A security review is used to determine the current state of security for various program components. While vulnerability assessments help identify and classify weaknesses in the design, implementation, operation or internal control of a process, they are only one aspect of a security review. A threat analysis is not normally a part of a security review. Threat assessments evaluate the type, scope and nature of events or actions that can result in adverse consequences; identification is made of the threats that exist against organization assets.
The BEST process for assessing an existing risk level is a(n): impact analysis. security review. vulnerability assessment. threat analysis.
C is the correct answer. Justification The residual risk may or may not be considered appropriate depending on the level of acceptable risk and the tolerance for variation to that level. If mitigation is too expensive, management should consider other treatment options and not simply choose not to address it. Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. Even if a risk occurs infrequently, the information security manager should address the risk if the magnitude is substantial.
The MOST likely reason that management would choose not to mitigate a risk that exceeds the risk appetite is that it: is the residual risk after controls are applied. is a risk that is expensive to mitigate. falls within the risk tolerance level. is a risk of relatively low frequency.
A is the correct answer. Justification Risk evaluation provides management with the extent that the risk meets the acceptability criteria and options for response. Response to risk may come in the form of acceptance, transfer (sharing), mitigation or avoidance. Mitigation is only one possible response to risk. Risk evaluation is the final stage of an assessment activity. Control objectives align with the risk management strategy, which determines risk response.
The PRIMARY purpose of risk evaluation is to: provide a basis on which to select risk responses. ensure that controls are deployed to mitigate risk. provide a means of targeting assessment activities. ensure that risk responses align with control objectives.
B is the correct answer. Justification Introducing security at later stages can cause projects to exceed budgets and can also create issues with project schedules and delivery dates, but this is generally avoided if security issues are assessed in feasibility. Project feasibility can be directly impacted by information security requirements and is the primary reason to introduce information security requirements at this stage. The cost of security must be factored into any business case that will support project feasibility, and sometimes the cost of doing something securely exceeds the benefits that the project is anticipated to produce. Project approval is a business decision that may be influenced by information security considerations but is not essential. Considering information security during the first stage will not ensure proper project classification.
The PRIMARY reason to consider information security during the first stage of a project life cycle is: the cost of security is higher in later stages. information security may affect project feasibility. information security is essential to project approval. it ensures proper project classification.
D is the correct answer. Justification Reducing cost in the short term is rarely the purpose of risk response. Reducing the overall impact of loss associated with risk is only one approach that an organization may take; a level of risk that is already acceptable should generally be accepted regardless of whether it might be further reduced. Lowering vulnerability is only one approach that an organization may take to respond to risk. Risk response rarely seeks to reduce threat in the aggregate and is generally unable to minimize it. Organizations respond to risk in ways that control impact by keeping it within acceptable (or tolerable) levels.
The ULTIMATE purpose of risk response is to: reduce cost. lower vulnerability. minimize threat. control impact.
D is the correct answer. Justification Acceptance of identified risk associated with particular technologies is the responsibility of the business process owner, and possibly of senior management, but would happen after the risk was identified during the procurement process. Auditors may identify risk but are not responsible for managing it. Senior management will typically be involved in IT acquisitions only from a budgetary perspective. Appropriate procurement processes will include processes to initially identify the risk that may be introduced by the new system.
The acquisition of new IT systems that are critical to an organization's core business can create significant risk. To effectively manage the risk, the information security manager should FIRST: ensure that the IT manager accepts the risk of the technology choices. require the approval of auditors prior to deployment. obtain senior management approval for IT purchases. ensure that appropriate procurement processes are employed.
B is the correct answer. Justification Risk transfer involves transferring the risk to another entity such as an insurance company. By implementing security controls, the company is trying to decrease risk to an acceptable level, thereby mitigating risk. Risk acceptance involves accepting the risk in the system and doing nothing further. Risk avoidance stops the activity causing the risk.
The chief information security officer (CISO) has recommended several information security controls (such as antivirus) to protect the organization's information systems. Which one of the following risk treatment options is the CISO recommending? Risk transference Risk mitigation Risk acceptance Risk avoidance
A is the correct answer. Justification Organizational requirements should determine when a risk has been reduced to an acceptable level. The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information systems requirements. The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information security requirements. Because each organization is unique, international standards may not represent the best solution for specific organizations and are primarily a guideline.
The decision as to whether an IT risk has been reduced to an acceptable level should be determined by: organizational requirements. information systems requirements. information security requirements. international standards.
D is the correct answer. Justification Identification of incidents is only one part of effective risk management. If impact is not limited to acceptable levels, the program is not effective. Merely identifying incidents through a risk assessment is insufficient to limit impact. While compliance is important, it is only one aspect of risk management. If impact is not limited to acceptable levels, the program is not effective. Demonstrating that a program is compliant is not a measure of the effectiveness of limiting impact. Identifying unmitigated vulnerabilities is insufficient without knowledge of potential threats, impacts and control measures to determine the potential effectiveness of the risk management program. The goal of risk management is to limit impact and minimize business disruptions. Each instance of a security incident that causes significant financial loss or business disruption is an indication of inadequate risk management.
The effectiveness of managing business risk is BEST measured by the number of: significant IT-related incidents that were not identified during risk assessment. security assessments compliant with organizational standards and guidelines. vulnerabilities identified by risk assessment and not properly mitigated. security incidents causing significant financial loss or business disruption.
C is the correct answer. Justification Even if the risk is residual, if it exceeds the risk appetite, then it is acceptable only if it falls within the risk tolerance. The residual risk may or may not be considered appropriate depending on the level of acceptable risk and the tolerance for variation to that level. If mitigation is too expensive compared to the benefit, the information security manager should consider other treatment options. Just knowing the expense is not enough. Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. Low frequency alone does not warrant ignoring a risk.
The information security manager has determined that a risk exceeds risk appetite, yet the manager does not mitigate the risk. What is the MOST likely reason that management would consider this course of action appropriate? The risk is the residual risk after controls are applied. The risk is expensive to mitigate. The risk falls within the risk tolerance level. The risk is of relatively low frequency.
C is the correct answer. Justification Business plans are an output of management translating strategic aspirations into attainable business goals. Business plans provide background, goal statements and plans for reaching those goals. Audit charters are documents describing the purpose, rights and responsibilities of the audit function. They do not rely on the risk assessment process. The risk management process is about making specific, security-related decisions such as the selection of specific risk responses. Software design decisions are based on stakeholder needs, not the risk management process.
The output of the risk management process is an input for making: business plans. audit charters. security policy decisions. software design decisions.
D is the correct answer. Justification The effects from a potential event can be shared by procuring assurance, but the risk is not mitigated. Acceptance of risk is a decision by the enterprise to assume the impact of the effects of an event. Risk is never fully eliminated, unless the activity that causes the risk is stopped or avoided. Insurance is a method of offsetting the financial loss that might be incurred as a result of an adverse event. Some, but not all, of the potential costs are transferred to the insurance company.
The use of insurance is an example of which of the following? Risk mitigation Risk acceptance Risk elimination Risk transfer
A is the correct answer. Justification While not all organizational activities will pose an unacceptable risk, the practice of risk management is still applied to determine which risk requires treatment. Risk assessment is part of the risk management function. Risk assessment does not precede inclusion of the activity in the risk management program. Whether a risk level is acceptable can be determined only when the risk is known. Potential impact can be evaluated only when the risk is known and the value of the asset is determined.
To be effective, risk management should be applied to: all organizational activities. those elements identified by a risk assessment. any area that exceeds acceptable risk levels. only those areas that have potential impact.
C is the correct answer. Justification Vulnerability without threat is not risk (no probability of compromise) and, therefore, not a good basis for prioritization. Exposure is not by itself a risk and so is not a basis for prioritization. Frequency and magnitude are the primary basis for prioritizing treatment with high frequency (or likelihood) and magnitude (or impact) being at the top of the list. Mitigation cost and effectiveness will be a consideration after frequency and magnitude have been determined.
Treatment of risk should be prioritized PRIMARILY based on: vulnerability and impact. exposure and frequency. frequency and impact. mitigation cost and effectiveness.
B is the correct answer. Justification Threat is an element of risk only in combination with vulnerability. Risk is the combination of the probability of an event and its consequence (ISO/IEC 73). The probability of an event is a threat exploiting a vulnerability. Threat and exposure are insufficient to determine risk. Sensitivity is a measure of consequence, but does not take into account probability. Exposure moderates risk, but is not in itself a component of risk.
What are the essential elements of risk? Impact and threat Likelihood and consequence Threat and exposure Sensitivity and exposure
D is the correct answer. Justification Where there is a high cost of protection paired with a low likelihood, organizations generally find it more cost effective to transfer risk. A detective control alone does nothing to limit the impact. The fact that the likelihood is low suggests that exposure is already minimal. Additional reductions to exposure would do nothing to limit impact. High-impact, low-likelihood situations are typically most cost effectively covered by transferring the risk to a third party, e.g., insurance.
What is the BEST risk response for risk scenarios where the likelihood of a disruptive event for an asset is very low, but the potential financial impact is very high? Accept the high cost of protection. Implement detective controls. Ensure that asset exposure is low. Transfer the risk to a third party.
C is the correct answer. Justification Risk analysis quantifies risk to prioritize risk responses. The annual loss expectancy is the monetary loss that can be expected for an asset due to a risk over a one-year period but does nothing to prioritize controls. Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its benefit and that the best safeguard is provided for the cost of implementation. An impact analysis is a study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.
What is the BEST technique to determine which security controls to implement with a limited budget? Risk analysis Annualized loss expectancy calculations Cost-benefit analysis Impact analysis
A is the correct answer. Justification External vulnerability sources are the most cost-effective method of identifying these vulnerabilities. The cost involved in periodic vulnerability assessments would be much higher. Intrusion prevention software would not identify new vendor vulnerabilities. Honeypots may or may not identify vulnerabilities and may create their own security risk.
What is the MOST cost-effective method of identifying new vendor vulnerabilities? External vulnerability reporting sources Periodic vulnerability assessments performed by consultants Intrusion prevention software Honeypots located in the demilitarized zone (DMZ)
B is the correct answer. Justification The focus must include procedural, operational and other risk—not just IT risk. The balance between cost and benefits should direct controls selection. Resource management is not directly related to controls. The implementation of controls is based on the impact and risk, not on the number of assets.
What is the PRIMARY basis for the selection of controls and countermeasures? Eliminating IT risk Cost-benefit balance Resource management The number of assets protected
D is the correct answer. Justification Inherent risk may already be acceptable and require no remediation. Minimizing below the acceptable level is not the objective and usually raises costs. Elimination of business risk is not possible. Effective controls are naturally a clear objective of a risk management program, but only to the extent that they serve the primary goal of achieving acceptable risk across the organization. The goal of a risk management program is to ensure that acceptable risk levels are achieved and maintained.
What is the PRIMARY objective of a risk management program? Minimize inherent risk. Eliminate business risk. Implement effective controls. Achieve acceptable risk.
D is the correct answer. Justification The threat may remain constant, but each segment may represent a different vector against which it must be directed. Criticality of data is not affected by the manner in which it is segmented. Sensitivity of data is not affected by the manner in which it is segmented. Segmenting data reduces the quantity of data exposed as a result of a particular event.
What is the result of segmenting a highly sensitive database? It reduces threat. It reduces criticality. It reduces sensitivity. It reduces exposure.
D is the correct answer. Justification Vulnerability management is a component of risk management. However, a risk management program that does not reduce significant adverse impact is not effective. Penetration testing, which is a technique for vulnerability assessment, measures the feasibility of systems compromise and evaluates any related consequences. However, unless significant adverse impact to the organization is reduced, a risk management program is ineffective. Gap analysis determines the gap between controls and controls objectives. However, unless identified gaps are addressed in ways that result in reduced impact to the organization, the risk management program is ineffective. Effective risk management serves to reduce the incidence of significant adverse impacts on an organization either by addressing threats, mitigating exposure and/or by reducing vulnerability or impact.
Which of the following BEST describes the outcome of effective risk management? Allows an organization to obtain a continuous overview of vulnerabilities Measures the feasibility of systems compromise and evaluates any related consequences Determines the gap between controls and controls objectives Reduces the incidence of significant adverse impact on an organization
C is the correct answer. Justification The fact that overall risk has been quantified does not necessarily indicate the existence of a successful risk management practice. Eliminating inherent risk is virtually impossible. A successful risk management practice reduces residual risk to acceptable levels. Although the tying of control risk to business may improve accountability, this is not as desirable as achieving acceptable residual risk levels.
Which of the following BEST indicates a successful risk management practice? Overall risk is quantified. Inherent risk is eliminated. Residual risk is minimized. Control risk is tied to business units.
B is the correct answer. Justification Some vulnerabilities may not have significant impact and may not require mitigation. The treatment should consider the degree of exposure and potential impact and the costs of various treatment options. Compensating controls are considered only when there is a viable threat and impact, and only if the primary control is inadequate. Management approval may not be required in all cases.
Which of the following approaches would be BEST to address significant system vulnerabilities that were discovered during a network scan? All significant vulnerabilities must be mitigated in a timely fashion. Treatment should be based on threat, impact and cost considerations. Compensating controls must be implemented for major vulnerabilities. Mitigation options should be proposed for management approval.
D is the correct answer. Justification An information/data dictionary is a useful management tool, but is only one aspect of holistic information asset management. A data classification program helps to prioritize asset protection based on business value, but management of information assets goes beyond asset protection. The security culture of an organization does not drive the effectiveness or efficiency of information assets. A risk policy that is oriented to business needs promotes the achievement of organizational objectives. The holistic risk-based approach to the management of information assets includes and addresses a broad range of factors such as data linkages, privacy, business orientation and risk relevance, which in turn help the assets to be managed in an effective and efficient manner.
Which of the following choices is MOST strongly supported by effective management of information assets? An information/data dictionary A data classification program An information-based security culture A business-oriented risk policy
A is the correct answer. Justification Disaster recovery is driven by risk, which is a combination of likelihood and consequences. Once likelihood has been determined, the next step is to determine the magnitude of impact. Risk tolerance is the acceptable deviation from acceptable risk. This is taken into account once risk has been quantified, which is dependent on determining the magnitude of impact. Replacement cost is needed only when replacement is required. Book value does not represent actual asset value and cannot be used to measure magnitude of impact.
Which of the following choices should be assessed after the likelihood of a loss event has been determined? The magnitude of impact Risk tolerance The replacement cost of assets The book value of assets
D is the correct answer. Justification Although an important component in the development of any managed program, obtaining management acceptance and support ideally occurs well before the development of the program, in the plan and organize phase according to the COBIT framework. Information security policies and standards are a component of the risk management program, but do not belong to the initial stages of its development. Information security policies and standards are formed by the decisions made in the planning phase of the program and are developed based on the outcomes and business objectives established by the business. Management and oversight of the risk management program is a monitoring control that is developed to ensure that the program is satisfying the outcomes and business objectives established by the business. This process is designed at the latter stages of development once the purpose of the program and the mechanics of its deployment have been established. This oversight process could be integrated with internal audit activities or other compliance program processes. An initial requirement is to determine the organization's purpose for creating an information security risk management program, determine the desired outcomes and define objectives.
Which of the following components is established during the INITIAL steps of developing a risk management program? Management acceptance and support Information security policies and standards A management committee to provide oversight for the program The context and purpose of the program
C is the correct answer. Justification Prioritizing information security activities is always useful, but eliminating even low-priority security services is a last resort. If budgets are seriously constrained, management is already addressing increases in other risk and is likely to be aware of the issue. A proactive approach to doing more with less will be well received. Outsourcing of some information security activities can cut costs and increase resources for other security activities in a proactive manner, as can automation of some security procedures. Reducing monitoring activities may unnecessarily increase risk when lower cost options to perform those functions may be available.
Which of the following is the BEST approach to deal with inadequate funding of the information security program? Eliminate low-priority security services. Require management to accept the increased risk. Use third-party providers for low-risk activities. Reduce monitoring and compliance enforcement activities.
D is the correct answer. Justification User assessments are most likely focused on their convenience and ease of use rather than effectiveness of the program. Comparing results with industry standards is a meaningless gauge; however, comparing results to program objectives would be very useful. Assigning ownership of risk is a good first step in improving accountability and, therefore, probably effectiveness. Effective risk management requires participation, support and acceptance by all applicable members of the organization, beginning with the executive levels. Personnel must understand their responsibilities and be trained on how to fulfill their roles.
Which of the following is the BEST method to ensure the overall effectiveness of a risk management program? User assessments of changes Comparison of the program results with industry standards Assignment of risk within the organization Participation by all members of the organization
D is the correct answer. Justification Incident history can provide only an approximation of the organization's efforts to mitigate further occurrences after consequences have been determined. Incident history may also indicate a lack of risk awareness. Controls deployment can provide a rough qualitative estimation of risk appetite as long as technologies are tested and effectiveness is determined. Requirements set in policies and standards can only serve as a qualitative approximation of risk appetite. The cost of a business interruption can be accurately determined. The comparison of this expense (added to any deductible) with the total cost of premiums paid for a specific amount of insurance can serve as an accurate indicator of how much the organization will spend to protect against a defined loss.
Which of the following is the BEST quantitative indicator of an organization's current risk appetite? The number of incidents and the subsequent mitigation activities The number, type and layering of deterrent control technologies The extent of risk management requirements in policies and standards The ratio of cost to insurance coverage for business interruption protection
D is the correct answer. Justification A gap analysis is not as appropriate for evaluating a business impact analysis. A gap analysis is not as appropriate for developing a business balanced scorecard. A gap analysis is not as appropriate for demonstrating the relationship between controls. A gap analysis is most useful in addressing the differences between the current state and the desired future state.
Which of the following is the MOST appropriate use of gap analysis? Evaluating a business impact analysis Developing a balanced business scorecard Demonstrating the relationship between controls Measuring current state versus desired future state
C is the correct answer. Justification Implementing countermeasures may not be possible or the most cost-effective approach to security management. Eliminating the risk may not be possible. Risk is typically transferred to insurance companies when the probability of an incident is low but the impact is high. Examples include hurricanes, tornadoes and earthquakes. Accepting the risk would leave the organization vulnerable to a catastrophic disaster that may cripple or ruin the organization. It would be more cost-effective to pay recurring insurance costs than to be affected by a disaster from which the organization cannot financially recover.
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? Implement countermeasures. Eliminate the risk. Transfer the risk. Accept the risk.
B is the correct answer. Justification Cost to remediate is a major factor only relative to the value of the assets to which remediation applies (i.e., is remediation appropriate for this asset versus another risk treatment option?). It is ineffective as a means of prioritization across different assets, because it does not take into account their business value. The balance between impact and frequency captures the adjusted probability of loss to the organization associated with each risk. Therefore, this provides an immediate and relevant basis for prioritization of treatment, with risks that are high-impact and high-frequency ranking the highest on the list. Breadth of scope is not necessarily equivalent to impact. Prioritizing a risk that affects a broad range of relatively unimportant systems over a risk that impacts a single critical system would not be beneficial to the organization. Effort is a subset of overall cost representing time and expertise. In and of itself, cost is not a suitable basis for prioritization.
Which of the following is the MOST supportable basis for prioritizing risk for treatment? Cost and asset value Frequency and impact Frequency and scope Cost and effort
A is the correct answer. Justification Because organizations rarely have adequate resources to address all concerns, a risk-based information security program is typically implemented to provide a basis for efficient allocation of limited resources. Motivation is useful in getting the job done, but is not necessarily a result of implementing a risk-based information security program. Optimization is a long-term benefit associated with a mature risk-based program. It does not present itself during initial implementation. Standardization is a technique that offers numerous benefits and may support risk management activities. It is not the result of a focus on risk.
Which of the following is the PRIMARY driver for initial implementation of a risk-based information security program? Prioritization Motivation Optimization Standardization
A is the correct answer. Justification Deciding what level of risk is acceptable to an organization is fundamentally a function of management. At its discretion, organizational management may decide to accept risk. The target risk level for a control is therefore ultimately subject to management discretion. Failure to comply with regulatory requirements has consequences, but those consequences are considered in the context of organizational risk. In some cases, the cost of failure to comply may be lower than the cost of compliance; in this case, management may decide to accept the risk. Inherent risk is the risk that exists before controls are applied. The results of an internal audit are used to determine the actual level of residual risk, but whether this level is acceptable is fundamentally a function of management.
Which of the following items determines the acceptable level of residual risk in an organization? Management discretion Regulatory requirements Inherent risk Internal audit findings
A is the correct answer. Justification Role-based access control is a preventive control that provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability. Audit trail monitoring is a detective control, which is "after the fact." Privacy policy is not relevant to this risk. Defense in depth primarily focuses on external threats and control layering.
Which of the following measures would be MOST effective against insider threats to confidential information? Role-based access control Audit trail monitoring Privacy policy Defense in depth
A is the correct answer. Justification The business impact analysis (BIA) is the critical process for deciding prioritization of restoration of the information system/business processes in case of a security incident. Risk assessment provides information on the likelihood of occurrence of a security incident and assists in the selection of countermeasures, but not in prioritization of restoration. A vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process. Business process mapping assists in conducting a BIA, but additional information obtained during a BIA is needed to determine restoration prioritization.
Which of the following processes is CRITICAL for deciding prioritization of actions in a business continuity plan? Business impact analysis Risk assessment Vulnerability assessment Business process mapping
A is the correct answer. Justification In a cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This can then be used to justify a specific control measure. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost-benefit of a control. Frequent risk assessment programs will certainly establish what risk exists but will not determine the cost of controls. Annual loss expectancy is a measure that will contribute to the potential cost associated with the risk but does not address the benefit of a control.
Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented? Cost-benefit analysis Penetration testing Frequent risk assessment programs Annual loss expectancy calculation
C is the correct answer. Justification File backup procedures ensure the availability of information in alignment with data retention requirements but do nothing to prevent leakage. Database integrity checks verify the allocation and structural integrity of all the objects in the specified database but do nothing to prevent leakage. An acceptable use policy establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet. Incident response procedures provide detailed steps that help an organization minimize the impact of an adverse event and do not directly address data leakage.
Which of the following would BEST address the risk of data leakage? File backup procedures Database integrity checks Acceptable use policies Incident response procedures
A is the correct answer. Justification Analyzing the workflow will be essential to understanding process vulnerabilities and where risk may exist in integrating risk management into business processes. A business impact analysis will be important once the workflow and processes are understood in order to understand unit inputs, outputs and dependencies and the potential consequences of compromise. Threat and vulnerability assessments are properly conducted after the relationship between risk management and business processes has been determined through workflow analysis. The governance structure may be one of the vulnerabilities that pose a potential risk but should be analyzed after the workflow analysis. Ideally, the governance structure should reflect the workflow.
Which of the following would be the FIRST step in effectively integrating risk management into business processes? Workflow analysis Business impact analysis Threat and vulnerability assessment Analysis of the governance structure
D is the correct answer. Justification The board of directors determines the risk appetite and tolerance, so there would be no tolerance in excess of the appetite if the board took this position. The purpose of determining levels of risk appetite and tolerance is to have clear thresholds of when risk can be accepted without mitigation or transfer. Risk avoidance is the best choice for responding to a risk only when it exceeds both the appetite and the tolerance despite all efforts at mitigation or transfer. Risk that exceeds organizational appetite but lies within tolerable levels is not risk that the organization wants to accept. When there is concern that the impact has been underestimated, senior management may prefer to mitigate the risk to acceptable levels rather than unintentionally accept risk whose impact ends up exceeding the tolerance.
Why might an organization rationally choose to mitigate a risk that is estimated to be at a level higher than its stated risk appetite but within its stated risk tolerance? The board of directors may insist that all risk be mitigated if it exceeds the appetite. Senior executives may prefer to transfer risk rather than formally accepting it. There may be pressure from key stakeholders to avoid risk that exceeds the appetite. Senior management may have concern that the stated impact is underestimated.