CRISC

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Why was COBIT designed?

Was designed to help businesses take advantage of IT assets, increase compliance levels, and manage risk through an integrated framework.

What are the outputs of the SDLC Disposal/Retirement phase?

1) Logs of hardware and media sanitization/destruction 2) Transition plan

What are the 4 main types of controls (Policies vs Firewalls, etc)?

1) Managerial 2) Technical 3) Operational 4) Preparedness

Name some Control Frameworks

1) NIST 2) COBIT 3) VAL IT 4) SANS 5) PCI-DSS 6) ISO/IEC

What attributes should KPIs include?

1) Objective 2) Descriptive 3) Data Source 4) Metric Owner 5) Reporting Period 6) Reporting Frequency 7) Present Value 8) Previous Value 9) Baseline 10) Trend 11) Thresholds

Which of the the following provide the most valuable input to incident response efforts?

Qualitative analysis of threats

Risk tolerance

Quantifies risk appetite

Risk Analysis Methodologies

Quantitative Risk Assessment Qualitative Risk Assessment Semiquantitative Risk Assessment

What is Delphi risk assessment method?

Questionnaire and then secondary questionnaire consolidaiton

What are the three areas of the Risk Evaluation portion of the ISACA Risk IT Framework, and what is a key component of the last one?

RE1: Collect Data RE2: Analyze Risk RE3: Maintain Risk Profile Should develop KRI's in RE3

The Risk Evaluation (RE) domain of the Risk IT framework is comprised of what 3 processes?

RE1: Collect Data RE2: Analyze Risk RE3: Maintain risk profile

Risk IT Framework Risk Evaluation components

RE1: Collect data RE2: Analyze risk RE3: Maintain risk profile

NIST 800-115

Technical Guide to Information Security Testing and Assessment

Technology Infrastructure

Technology, human resources and facilities that enable the processing and use of applications

The installations of many insecure devices on the internet

The most important external factors that should be considered in a risk assessment are?

Business impact

The net effect, positive or negative, on the achievement of business objectives

Business continuity

The new application should be able to continue with newer records as added (or appended) and help in ensuring seamless business continuity.

Which of the following is the best metric to manage the information security program?

The number of recorded exceptions from the minimum information security requirements.

Information

The primary objective for any enterprise is to protect their mission-critical information based on a risk assessment

What are the layers of COBIT?

Governance and Management

KRI or KPI? Network availability

KPI

ERM

enterprise risk management

expected loss

BPM

business process modeling

Risk practioners primary role is to:

consult and recommend risk responses

OCTAVE

operationally critical threat and vulnerability evaluation

5 KRI components

•Impact—Indicators of risk with high business impact are more likely to be KRIs. •Effort—For different indicators that are equivalent in sensitivity, the one that is easier to measure and maintain is preferred. •Reliability—The indicator must possess a high correlation with the risk and be a good predictor or outcome measure. •Sensitivity—The indicator must be representative of risk and capable of accurately indicating risk variances. •Repeatable—A KRI must be repeatable and able to be measured on a regular basis to show trends and patterns in activity and results.

Public cloud

•Made available to the general public or a large industry group •Owned by an organization selling cloud services

Private cloud

•Operated solely for an enterprise •May be managed by the enterprise or a third party •May exist on- or off-premise

Types of threat categories

•Physical •Natural events •Loss of essential services •Disturbance due to radiation •Compromise of information •Technical failures •Unauthorized actions •Compromise of functions

Community cloud

•Shared by several enterprises •Supports a specific community that has a shared mission or interest •May be managed by the enterprises or a third party •May reside on- or off-premise

To avoid being seen as obstructionist, the risk practitioner should seek to:

•Understand the business •Listen to the strategy •Proactively seek out ways to secure new technologies and business processes •Build relationships and communication infrastructure to weave risk management into each business process and new project •Be aware of and mitigate the risk of change •Work to create a culture that encourages integration of risk management into business processes •Identify realistic ways that would make "yes" align with the risk appetite instead of saying "no"

factors that can affect likelihood

•Volatility—Unpredictability, also referred to as dynamic range; the degree to which conditions vary from one moment to another, making projections difficult •Velocity—Speed of onset, a measure of how much prior warning and preparation time an organization may have between the event's occurrence and impact, which itself can be split into speed of reaction and speed of recovery •Proximity—The time from the event occurring and the impact on the organization •Interdependency—The degree to which materialization of two or more types of risk might impact the organization differently, depending on whether the events occur simultaneously or consecutively •Motivation—In cases involving an active/sentient threat, the extent to which the perpetrator of the threat wants to succeed, which may result in a higher chance of success •Skill—The ability brought to bear by the perpetrator of an active/sentient threat relative to other perpetrators •Visibility—The extent to which a vulnerability is known, which can make it a more likely target of attack

Which of the following causes the GREATEST concern to a risk practitioner reviewing a corporate information security policy that is out of date? The policy: A. was not reviewed within the last three years. B. is missing newer technologies/platforms. C. was not updated to account for new locations. D. does not enforce control monitoring.

(A) A. Not reviewing the policy for three years and updating it as necessary does not follow best practices and is the greatest concern. B. Corporate information security policies are generally written at a level that does not require modification for specific, newer technologies and should not cause the greatest concern to the risk practitioner. C. Corporate information security policies are generally written at a level that incorporates multiple locations. Even if the new facilities are in different geographic locations, with potentially different legislatures, a well-written corporate information security policy should accommodate such changes in the enterprise's operating environment. D. Lack of control monitoring is a concern; however, the fact that the corporate information security policy itself was not reviewed on a regular basis is the greatest concern, particularly because policy reviews can be considered a part of continuous control monitoring at the highest level.

Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of: A. potential threats to assets. B. residual risk on individual assets. C. accepted risk. D. security incidents.

(A) A. Potential threats that may impact the various business assets will help in developing scenarios on how these threats can exploit vulnerabilities and cause a risk and therefore help in developing proper risk scenarios. B. Residual risk on individual assets does not help in developing a proper risk scenario. C. Accepted risk is generally a small subset of entries within the risk register. Accepted risk should be included in the risk register to ensure that events that may affect the current decision of the enterprise to accept the risk are monitored. D. Previous security incidents of the enterprise itself or entities with a similar profile may inspire similar risk scenarios to be included in the risk register. However, the best approach to create a meaningful risk register is to capture potential threats on tangible and intangible asset

Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the risk of a social engineering attack B. Training personnel in security incident response C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance

(A) A. Social engineering is the act of manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to get access to sensitive information and/or systems. People are often considered the weakest link in security implementations and security awareness would help reduce the risk of successful social engineering attacks by informing and sensitizing employees about various security policies and security topics, thus ensuring compliance from each individual. B. Training individuals in security incident response targets is a corrective control action and not as important as proactively preventing an incident. C. Informing business units about the security strategy is best done through steering committee meetings or other forums. D. Maintaining evidence of training records to ensure compliance is an administrative, documentary task, but should not be the objective of training.

When leveraging a third party for the procurement of IT equipment, which of the following control practices is MOST closely associated with delivering value over time? A. Compare the cost and performance of current and alternate suppliers periodically. Incorrect B. Assign a relationship owner to the supplier and make him/her accountable. C. Monitor and review delivery to verify that the quality of service is acceptable. D. Establish service level agreements (SLAs) with clear financial penalties.

(A) A. Value is a function of cost and performance. Even if the current supplier is rigorously held to the standard established in an original contract and never raises prices, the value delivered by the contract over time will decline if competitors deliver better performance at lower prices over the same time frame. The only way to be sure that a current supplier continues to deliver value is to periodically compare its cost and performance to the cost and performance of alternate suppliers. B. Having a relationship owner who is accountable for performance is an excellent practice for holding the quality of performance in line with the agreed-on contract, but it cannot guarantee that the terms of that contract will deliver value over time. C. Monitoring and reviewing delivery to verify that the quality of service is acceptable is important to identify whether any penalties may be due under the terms of an established service level agreement (SLA), as well as to push for immediate corrective action. However, it cannot guarantee that the terms of the contract will deliver value over time. D. SLAs with clear financial penalties provide a mechanism for reimbursement of financial losses in the event that degraded performance has a financial cost, but this cannot guarantee that the terms of the contract will deliver value over time.

It is MOST important that risk appetite be aligned with business objectives to ensure that: A. resources are directed toward areas of low risk tolerance. B. major risk is identified and eliminated. C. IT and business goals are aligned. D. the risk strategy is adequately communicated.

(A) A. Risk appetite is the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where the risk tolerance (for loss) is low. B. There is no link between aligning risk appetite with business objectives and identification and elimination of major risk. Moreover, risk cannot be eliminated; it can be reduced to an acceptable level using various risk response options. C. Alignment of risk appetite with business objectives does converge IT and business goals to a point, but alignment is not limited to these two areas. Other areas include organizational, strategic and financial objectives, among other objectives. D. Communication of the risk strategy does not depend on aligning risk appetite with business objectives.

Which of the following examples of risk should be addressed during application design? A. A lack of skilled resources B. The risk of migration to a new system C. Incomplete technical specifications D. Third-party supplier risk

(A) A. A lack of skilled resources implies that the project is beyond the skills of the personnel involved and is associated with the design phase. B. Migration risk is typically associated with the implementation phase. C. Technical risk is introduced when the technical requirements may be beyond the scope of the project. D. Risk that a third-party supplier would not be able to deliver on time or to requirements is associated with the implementation phase.

Which of the following BEST describes the information needed for each risk on a risk register? A. Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner B. Various risk scenarios with their date, description, risk score, cost to remediate, communication plan and owner C. Various risk scenarios with their date, description, impact, cost to remediate and owner D. Various activities leading to risk management planning

(A) A. This choice is the best answer because it contains the necessary elements of the risk register that are needed to make informed decisions. B. This choice contains some elements of a risk register, but misses some important and key elements of a risk register (impact, probability, mitigation action) that are needed to make informed decisions and this choice lists some items that should not be included in the register (communication plan). C. This choice misses some important and key elements of a risk register (probability, risk score, mitigation action) needed to make informed decisions. D. A risk register is a result of risk management planning, not the other way around.

A lack of adequate controls represents: A. a vulnerability. B. an impact. C. an asset. D. a threat.

(A) Vulnerability A. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc. B. Impact is the measure of the financial loss that a threat event may have. C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation. D. A threat is a potential cause of an unwanted incident.

When assessing strategic IT risk, the FIRST step is: A. summarizing IT project risk. B. understanding organizational strategy from senior executives. C. establishing enterprise architecture (EA) strategy. D. reviewing IT incident reports from service delivery.

(B) A. Summarizing project risk does not necessarily lead to an understanding of all risk, e.g., not realizing the benefits or impact of project risk on programs and portfolios or business or strategic objectives. Unintended consequences, reputation and brand risk, and strategic objectives need to be considered in order to assess strategic IT risk. B. Strategic IT risk is related to the strategy and strategic objectives of the organization. Once this is understood, a conversation with senior executives will provide an enterprise view of the dependencies and expectations for IT, which leads to an understanding of the potential risk. C. Enterprise architecture (EA) is fundamentally about producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there (preferably by optimizing resource risk while realizing benefits). This view of IT should demonstrate the linkage of IT to organizational objectives and produce a view of current risk, but the development of EA takes significant effort, resources and time. Enterprise architectures also benefit from being informed by an understanding of organizational strategy and the views of the senior executives, which change rapidly in the current business environment and, therefore, need to be regularly reviewed. D. Developing an understanding of current incidents will not directly provide a strategic view of the objectives of the organization and how the organization is dependent on IT to achieve those objectives.

Which of the following items is MOST important to consider in relation to a risk profile? A. A summary of regional loss events B. Aggregated risk to the enterprise C. A description of critical risk D. An analysis of historical loss events

(B) A. The risk profile will consider regional events that could impact the enterprise, and will also consider systemic and other risk. B. The risk profile is based on the aggregated risk to the enterprise, including historical risk, critical risk and emerging risk. C. The risk profile will consider all risk, not just critical risk. D. Analysis of historical loss events can assist in business continuity planning and risk assessment, but is incomplete for a risk profile.

Which of the following is the BEST indicator of an effective information risk management program? A. The security policy is made widely available. B. Risk is considered before all decisions. C. Security procedures are updated annually. D. Risk assessments occur on an annual basis.

(B) A. Making the security policy widely available will assist in ensuring the success, but is not as critical as making risk-based business decisions. B. Ensuring that risk is considered and determined before business decisions are made best ensures that risk tolerance is kept at the level approved by the organization. C. Updating security procedures annually is only necessary if policy changes. D. Ensuring that risk assessments occur annually will assist in ensuring success, but is not as critical as making risk-based business decisions.

Which of the following controls can be used to reduce the potential scope of impact associated with a malicious hacker gaining access to an administrator account? A. Multifactor authentication B. Audit logging C. Least privilege D. Password policy

(C) A. Multifactor authentication safeguards against an account being accessed without authorization. If a malicious hacker has gained access to the account, this control has already been bypassed. B. Audit logging may be useful in identifying activities undertaken using an administrator account, but it is a lagging indicator unlikely to be effective in time to limit the scope of impact associated with a compromise. C. Privileged accounts, such as those used by administrators, are typically sought after by malicious hackers because of the perception that they will be exempt from most controls and have permission to do everything. However, except in the smallest organizations, administrators tend to be specialized in particular areas (e.g., specific servers, specific databases, firewalls, etc.). Although employing least privilege will not reduce the potential impact of a compromised account within the scope of its intended use, having specialized administrator accounts can greatly limit the impact to the organization as a whole. Even in small organizations where one person holds all roles, establishing specialized administrator accounts subject to least-privilege restrictions limits the potential impact of loss associated with an account compromise. D. A password policy requiring frequent changes can limit the reuse value of a compromised account, but it is unlikely that changes will be sufficiently restrictive to affect an account before it has been used by a malicious hacker who controls it.

The FIRST step in identifying and assessing IT risk is to: A. confirm the risk tolerance level of the enterprise. B. identify threats and vulnerabilities. C. gather information on the current and future environment. D. review past incident reports and response activity.

(C) A. A risk practitioner must understand the risk appetite of senior management and the associated risk tolerance level. This is not the first step because risk tolerance becomes relevant during risk response. B. Identification of relevant threats and vulnerabilities is important, but is limited in its view. C. The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise's environment (scope, technology, incidents, modifications, etc.). D. While the review of past incident reports may be an input for the identification and assessment of IT risk, focusing on these factors is not prudent.

When a start-up company becomes popular, it suddenly is the target of hackers. This is considered: A. an emerging vulnerability. B. a vulnerability event. C. an emerging threat. D. an environmental risk factor.

(C) A. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that can expose the system to adverse threats from threat events, which is not described in the question stem. B. A vulnerability event is any event from which a material increase in vulnerability results from changes in control conditions or from changes in threat capability/force. C. A threat is any event in which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm. The stem describes the emerging threat of hackers attacking the start-up company. D. Environmental risk factors can be split into internal and external environmental risk factors. Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change. External environmental

What is a PRIMARY advantage of performing a risk assessment on a consistent basis? A. It lowers the costs of assessing risk. B. It provides evidence of threats. C. It indicates trends in the risk profile. D. It eliminates the need for periodic audits.

(C) A. There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not the main benefit. B. A risk assessment provides evidence of risk; however, it is not intended to provide evidence of threats. C. Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place. D. The performance of risk assessment on a consistent basis does not preclude the requirement to perform periodic independent audits.

At the end of which phase of risk management would information about newly discovered risk be communicated to decision makers and relevant stakeholders? A. Risk identification B. Risk response and mitigation C. Risk assessment D. Risk and control monitoring and reporting

(C) A. The risk identification phase determines what could happen to cause a potential loss and to gain insight into how, where and why the loss might happen. Until the risk has been analyzed, the likelihood and impact are unknown. Risk analysis occurs after risk identification and prior to risk communication. B. In the risk response and mitigation phase, controls to reduce, retain, avoid or transfer risk should be selected, and a risk treatment plan should be defined. The risk analysis must be communicated to the risk owners for them to select the proper risk response. C. During the risk assessment phase, identified risk is being analyzed and evaluated for likelihood and impact. Risk-based decision making is enabled through communication of the results of the risk assessment. D. In the risk and control monitoring and reporting phase, risk should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.

Which of the following is true about IT risk? A. IT risk cannot be assessed and measured quantitatively. B. IT risk should be calculated separately from business risk. C. IT risk management is the responsibility of the IT department. D. IT risk exists whether or not it is detected or recognized by an enterprise

(D) A. IT risk, like any business risk, can be assessed both quantitatively and qualitatively. It is very difficult and incomplete to measure risk quantitatively. B. IT risk is one type of business risk. C. IT risk is the responsibility of senior management, not just the IT department. D. The enterprise must identify, acknowledge and respond to risk; ignorance of risk is not acceptable.

Investments in risk management technologies should be based on:

(D) A. Basing decisions on audit recommendations is reactive in nature and may not comprehensively address the key business needs. B. Vulnerability assessments are useful, but they do not determine whether the cost is justified. C. Demonstrated value takes precedence over the current business climate because the climate is ever changing. D. Investments in risk management technologies should be based on a value analysis and sound business case.

When developing risk scenarios for an enterprise, which of the following is the BEST approach? A. The top-down approach for capital-intensive enterprises B. The top-down approach because it achieves automatic buy-in C. The bottom-up approach for unionized enterprises D. The top-down and the bottom-up approach because they are complementary

(D) A. Both risk scenario development approaches should be considered simultaneously, regardless of the industry. B. Both risk scenario development approaches should be considered simultaneously, regardless of the risk appetite. C. Both risk scenario development approaches should be considered simultaneously, regardless of the industry. D. The top-down and bottom-up risk scenario development approaches are complementary and should be used simultaneously. In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios impacting the business objectives. In a bottom-down approach, a list of generic risk scenarios is used to define a set of more concrete and customized scenarios, applied to the individual enterprise's situation.

What is the formula to determine how many key pairs are need for a given number of people?

(N x (N-1) / 2 N = # of people

what are the 4 main types of roles with risk management?

(RACI) •The individuals responsible for managing the risk •The individuals accountable for the risk management effort •The individuals who are consulted and provide support and assistance to the risk management effort •The individuals who are informed of the risk management effort but may not necessarily be involved in its execution

Recovery time objective

(The amount of time allowed for the recovery of a business function or resource after a disaster occurs

What are some of the concerns that should be considered in relation to the risk of using an outsource supplier?

* Hiring and training practices of the supplier * Reporting and liaison between the outsourcing organization and supplier * Time to respond to any incident * Liability for non-compliance with terms of the contract * Non-Disclosure of data or business practices * Responding to requests from law enforcement * Length of contract and terms for dissolution/termination of contract * Location of data storage including backup * Separation between data and management of data of competing firms * Existence and regular testing of resiliency plans (e.g. business continuity and disaster recovery)

risk assessment report should include:

- identified gaps - in gaps are in acceptable levels - basis of the severity of these issues

What are the different DR strategies?

-Split processing -Data mirroring -Hot site -Warm Site -Cold site -Freezing site -Mobile site -Reciprocal agreement

What is a secure socket layer?

-aka TLS (transport layer security) -when http changes to https and shows a lock -purpose is to authenticate the server When you click on login, browser generated a random # (session key), browser then encrypted random number with banks public key and sent to the bank, if the website really belongs to bank, bank uses private key to find out what random # is. That random number becomes a symmetric key between you and bank and all communications use the random number (symmetric key) to encrypt transmissions. This is what Heart Bleed and Freak found vulnerabilities with.

What are characteristics of a Symmetric key?

-each key known to two people only -key management is the biggest issue -key distribution is also an issue -very fast compared to Asymmetric cryptography -each pair of 2 people need a key so you need an enormous number of keys for an organization - formula: if 2 people - they need 1 key if 3 people - they need 3 keys if 4 people - they need 6 keys if 100 people - they need 4,950 # of key pairs needed (N x (N-1) / 2 N = # of people

What are characteristics of a Symmetric key?

What are characteristics of Asymmetric Key cryptography?

-large prime #s (divisible by itself or 1) -slow -RSA -CA -RA -CRL

Symmetric key cryptography characteristics

-two people know the key -same key for encrypt and decrypt -need to change key frequently -secure distribution (alternate channel -based on publically known algorithm -only thing that is secret is the key -fast (10k X faster than Asymmetric) -no authentication -no non-repudiation -DES (oldest)

The Risk Response domain covers...

...the risk response definition, risk response prioritization, the Key Risk Indicators (KRIs)

5 Levels of CMM

0. Incomplete 1. Performed 2. Managed 3. Established 4. Predictable 5. Optimized

What are the levels of SDLC?

1) Initiation 2) Requirements 3) Design 4) Development/Acquisition 5) Implementation 6) Operations/Maintenance 7) Disposal/Retirement

What are a few business cases for controls?

1) Liability 2) Governance 3) Economy and Efficiency of Use

What are the elements of NIST 800-55?

1) Access Control 2) Awareness Training 3) Audit and Accountability 4) Certification, Accreditation, and Security Assessments 5) Configuration Management 6) Contingency Planning 7) Identification and Authentication 8) Incident Response 9) Maintenance 10) Media Protection 11) Physical and Environmental Protection 12) Planning 13) Personnel Security 14) Risk Assessment 15) System and Services Acquisition 16) System and Communications Protection 17) System and Information Integrity

Business-related IT risk types

1) Access risk 2) Availability risk 3) Infrastructure risk 4) Integrity risk 5) Investment or expense risk 6) Project ownership risk 7) Relevance risk 8) Schedule risk

What are the outputs of the SDLC Implementation phase?

1) Accreditation package 2) System authorization 3) System security plan

What are the three classifications for controls?

1) Administrative 2) Technical/Logical 3) Physical/Operational

What are the Management layers of COBIT?

1) Align, Plan, and Organize 2) Build, Acquire, and Implement 3) Deliver, Service, and Support 4) Monitor, Evaluate, and Assess

What are the 5 components of Governance?

1) Alignment 2) Value Delivery 3) Risk Management 4) Performance Measurement 5) Resource Management

What components of risk do Risk Scenarios include?

1) Asset 2)Threat 3) Threat Agent 4) Vulnerability 5) Time/Location They leave off likelihood and impact

List the KPI types

1) Availability 2) Configuration Management 3) System and Services Acquisition 4) Contingency Planning 5) Access Control 6) Awareness and Training 7) Audit and Accountability 8) Certification, Accreditation, and Security Assessments 9) Identification and Authentication 10) Incident Response 11) Maintenance 12) Media Protection 13) Physical and Environmental Protection 14) Planning 15) Personnel Security 16) Risk Assessment 17) System and Communications Protection 18) System and Information Integrity

Risk Assessment Techniques

1) Bayesian statistics and Bayes net 2) Bow tie analysis 3) Brainstorming/Structured or semi-structured interviews 4) BIAs 5) Cause and consequence analysis 6) Cause and effect analysis 7) Checklists 8) Delphi method 9) Environmental risk assessment 10) Event tree analysis 11) Fault tree analysis 12) Hazard analysis and critical control points (HACCP) 13) Hazard and operability study (HAZOP) 14) Human reliability analysis (HRA) 15) Layers of protection analysis (LOPA) 16) Markov analysis 17) Monte Carlo simulation 18) Preliminary hazard analysis 19) Reliability-centered maintenance 20) Root cause analysis (pre-mortems) 21) Scenario analysis 22) Sneak circuit analysis 23) Structured "what if" technique (SWIFT)

What are the PCI-DSS Control Objectives?

1) Build and Maintain a Secure Network and Systems 2) Protect Cardholder Data 3) Maintain a Vulnerability Management Program 4) Implement Strong Access Control Measures 5) Regularly Monitor and Test Networks 6) Maintain an Information Security Policy

Name some Cross-Boundary Functions

1) Business partner extranet 2) Customer support website (with connections to internal connections) 3) Third-party data exchange 4) VPN

Name steps of the NIST RMF

1) Categorize Info Systems 2) Select Security Controls 3) Implement Security Controls 4) Assess Security Controls 5) Authorize Info Systems 6) Monitor Security Controls

What are 6 types of controls (Improving vs Fixing vs Avoiding)

1) Compensating 2) Corrective 3) Detective 4) Deterrent 5) Directive 6) Preventative

Requirements for the IT Risk Management program

1) Comprehensive 2) Complete 3) Auditable 4) Justifiable 5) Compliant 6) Monitored 7) Enforced 8) Up to date 9) Managed

What are a few methods of data collection?

1) Conducting Interviews 2) Documentation Reviews 3) System Observation and Verification 4) System Testing

What is the order of Information Security Risk Management Process steps?

1) Context Establishment 2) Risk Identification 3) Risk Analysis 4) Risk Evaluation 5) Risk Treatment

What are some Risk Response Parameters?

1) Cost 2) Capability/Ability 3) Effectiveness/Efficiency

Name components of the Initiation phase of SDLC

1) Documentation of security roles and responsibilities 2) Documentation of controls required by regulation, law, or other guidance 3) Schedule of control activities or decisions throughout the project timeline

Four phases of OCTAVE Allegro

1) Establish Drivers 2) Profile Assets 3) Identify Threats 4) Identify and Mitigate Risks

What are the 3 objectives of Risk Governance?

1) Establish a common risk view 2) Integrate risk management into the enterprise 3) Make risk-aware business decisions

Methods of risk identification

1) Historical or evidence based reports (audits, public media, annual reports, etc.) 2) Systemic approaches (expert opinion) including vulnerability assessments, review of BC/DR plans, and interviews of key staff 3) Inductive methods such as penetration testing

What are the Four CRISC domains? (which also represent the cyclic process of IT Risk Management)

1) IT Risk Identification 2) IT Risk Assessment 3) Risk Response and Mitigation 4) Risk and Control Monitoring and Reporting

What does the Risk Identification Process involve?

1) Identify Assets 2) Identify Threats 3) Identify Existing Controls 4) Identify Vulnerabilities 5) Identify Consequences 6) Risk Estimation

What are the required components of a control analysis?

1) Identify controls 2) Determine their required function 3) Determine effectiveness 4) Determine gaps

What are the required criteria for selecting KRIs according to the ISACA Risk IT Framework?

1) Impact 2) Effort to Implement, Measure, and Report 3) Reliability 4) Sensitivity

Process Maturity

1) Initial (adhoc) 2) Repeatable (procedures) 3) Defined (policy) 4) Managed (manage policy compliance) 5) Optimized (continuous improvement)

What are the steps of project management according to PMBOK?

1) Initiating 2) Planning 3) Executing 4) Monitoring and Controlling 5) Closing

Typical risk assessment report components

1) Objectives of the assessment 2) Scope of the assessment 3) External factors affecting the risk 4) Internal factors affecting the risk 5) Risk assessment criteria 6) Resources and references used 7) Identification of risk, vulnerabilities, and threats 8) Assumptions used in the assessment 9) Potential of unknown factors affecting the risk assessment 10) Results of risk assessment 11) Recommendations and conclusions.

What are the 6 types of controls?

1) Policy 2) Standard 3) Procedure 4) Process 5) Org structure 6) Physical entity (e.g. security guard) (80% of controls are Procedures / Processes)

What are the distinctive processes of the NIST RMF?

1) Prepare for assessment 2) Conduct assessment 3) Communicate results 4) Maintain assessment

Three types of risk response

1) Quick Win 2) Business Case 3) Deferral

What are the layers of ISACA Risk IT Framework?

1) Risk Governance 2) Risk Evaluation 3) Risk Response

Give a verbal overview of each of the three domains of the ISACA Risk IT Framework

1) Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return 2) Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analyzed, and presented in business terms 3) Risk Response: Ensure that IT-related risk issues, opportunities, and events are addressed in a cost-effective manner and in line with business priorities

What are some types of risk mitigation?

1) Risk Sharing 2) Risk Acceptance 3) Risk Avoidance

What elements should a Risk Register include?

1) Risk factors 2) Threat agents, threats, and vulnerabilities 3) Risk scenarios 4) Criticality, severity, or priority of risk 5) Asset information 6) Impact of the risk on an asset 7) Likelihood of the threat exploiting the vulnerability 8) Current status of risk response actions 9) Resources that may be committed to respond to risk 10) Risk ownership information 11) Planned milestones toward risk response

What are the 5 components of a risk scenario?

1) Threat agent 2) Threat 3) Asset 4) Vulnerability 5) Time/location

What are the necessities when suggesting new or modified controls?

1) Try to leverage existing controls 2) Look for quick wins 3) Prioritize control recommendations with risk 4) Be realistic in your recommendations 5) Provide alternatives

What are the outputs of the SDLC Operations/Maintenance phase?

1) Updated plans of actions and milestones 2) Change control board documentation 3) Renewed accreditation and authorization documentation

Three Val IT domains

1) Value Governance 2) Portfolio Management 3) Investment Management

Specific factors that affect likelihood

1) Volatility 2) Velocity 3) Proximity 4) Interdependency 5) Motivation 6) Skill 7) Visibility

What are the 4 ways to deal with a risk?

1) avoid 2) mitigate 3) accept 4) transfer

Risk portfolio view

1. A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk 2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk

Risk analysis

1. A process by which frequency and magnitude of IT risk scenarios are estimated. 2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats Scope Note: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

IT risk issue

1. An instance of IT risk 2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

Governance answers what four Questions

1. Are we doing the right thing? 2. Are we doing them the right way? 3. Are we going them well? 4. Are we getting the benefits?

Governance answers 4 questions

1. Are we doing the right things? 2. Are we doing them the right way? 3. Are we getting them done well 4. Are we getting the benefits?

Options to lower risk

1. Avoidance 2. Mitigation 3. Sharing 4. Acceptance

What are the SIX NIST Risk Management Framework Steps?

1. Categorize Information Systems 2. Select Security Controls 3. Implement Security Controls 4. Assess Security Controls 5. Authorize Information Systems 6. Monitor Security Control

Name the 6 steps of the NIST Risk Management Framework (RMF)

1. Categorize Information Systems 2. Select Security Controls 3. Implement Security Controls 4. Assess Security Controls 5. Authorize Information Systems 6. Monitor Security Controls

NIST 800-37 Guide for applying RMF to Federal Information Systems (6 steps)

1. Categorize information systems 2. Select security controls 3. Implement security controls 4. Assess security controls 5. Authorize information systems 6. Monitor security controls

Control Categories by Function

1. Compensating Controls 2. Corrective Controls 3. Detective Controls 4. Deterrent Controls 5. Directive Controls 6. Preventative Controls

What are the ELEMENTS of RISK?

1. Consequences associated with specific assets. 2. A threat to those assets, requiring both intent(motivation) and capability. 3. Vulnerability specify to the threat.

NIST Control Catalog is broken into how many security control families? Privacy families?

18 security, 8 privacy. They look like AC-6(10) etc.

Capability Maturity Model (CMM)

1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness. 2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes. Scope Note: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives A collection of instructions that an enterprise can follow to gain better control over its software development process. Compensating control An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

4 main objectives of Risk Governance

1. Establish and maintain a common risk view 2. Integrate Risk Management into the enterprise 3. Make risk-aware business decisions 4. Ensure that risk management controls are implemented and operating correctly

What are the 4 phases of OCTAVE Allegro?

1. Establish drivers 2. Profile assets 3. Identify threats 4. Identify and mitigate risks

What are the 4 steps in the IT risk management life cycle?

1. IT Risk Identification 2. IT Risk Assessment 3. Risk Response and Mitigation 4. Risk and Control Monitoring and Reporting

The IT risk Management Life Cycle

1. Identification 2. Assessment 3. Response and Mitigation 4. Monitoring and Reporting

NIST's 5 key security functions

1. Identify 2. Protect 3. Detect 4. Respond 5. Recover

What are two forms of Likelihood?

1. Impact due to the loss or compromise of information. 2. Impact due to the loss or compromise of an information system.

Evidence

1. Information that proves or disproves a stated issue 2. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support Scope Note: Audit perspective

PMI 5 phases

1. Initiating 2. Planning 3. Executing 4. Monitoring and Controlling 5. Closing

SDLC 5 phases

1. Initiation 2. Acquisition/Development 3. Implementation/Assessment 4. Operations/Maintenance 5. Sunset(Disposition)

Four main types of controls

1. Managerial 2. Technical 3. Operational 4. Preparedness

What are the two principles of Confidentiality?

1. Need-to-Know 2. Least Privilege

Ways to determine IT project failure

1. Over budget 2. over time allotted 3. failure to meet customer needs and expectations

Risk response prioritization options

1. Quick wins 2. Business case 3. Deferral

Risk Assessment Steps

1. Risk Identification 2. Evaluation 3. Analysis

the 4 CRISC domains

1. Risk Identification 2. Risk Assessment 3. Risk Response 4. Risk and Control Monitoring/Reporting

Authentication

1. The act of verifying identity (i.e., user, system) Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data 2. The act of verifying the identity of a user and the user's eligibility to access computerized information. Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Inherent risk

1. The risk level or exposure without taking into account the actions that management has taken or might take (e.g.,implementing controls) 2. The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Scope Note: Audit perspective; also see Control risk

What are the three lines of defense companies should have with risk?

1. risk being managed by the front line 2. it is guided, directed, influenced and/or assessed by the second line 3. there is independent oversight, review and monitoring by the third line.

6 steps of Monitoring controls

1.Identify and confirm risk control owners and stakeholders. 2.Engage with stakeholders and communicate the risk and information security requirements and objectives for monitoring and reporting. 3.Align and continually maintain the information security monitoring and evaluation approach with the IT and enterprise approaches. 4.Establish the information security monitoring process and procedure. 5.Agree on a life cycle management and change control process for information security monitoring and reporting. 6.Request, prioritize and allocate resources for monitoring information security.

two forms of impact that the risk practitioner should consider

1.Impact due to the loss or compromise of information 2.Impact due to the loss or compromise of an information system

Which principles should a risk practitioner look at when examining confidentiality?

1.Need to know. 2.Least privilege.

How many symmetric key pairs are required for 6 people?

15 (N x (N-1)) / 2

Which line of defense is a CIO?

1st line

Asymmetric Key Cryptography

2 keys: 1) private key 2) public key Private key only known by you; public key is known to the world If you encrypt with one key you can only decrypt with the other key (i.e. if you encrypt with private then you need to decrypt with public and vice versa)

What is the best authentication?

2-factor (from IAAA model)

Which line of defense is a CRISC?

2nd line

How many steps in NIST RMF?

What is the NIST Business Continuity Document?

800-34 "Contingency Planning Guide for Federal Information Systems"

Which publication contains the NIST RMF?

800-37

A PRIMARY reason for initiating a policy exception process is when: A. the risk is justified by the benefit. B. policy compliance is difficult to enforce. C. operations are too busy to comply. D. users may initially be inconvenienced.

A database administrator notices that the externally hosted, web-based corporate address book application requires users to authenticate, but that the traffic between the application and users is not encrypted. The MOST appropriate course of action is to: A. notify the business owner and the security manager of the discovery and propose an addition to the risk register. B. contact the application administrators and request that they enable encryption of the application's web traffic. C. alert all staff about the vulnerability and advise them not to log on from public networks. D. accept that current controls are suitable for nonsensitive business data.

A lack of adequate controls represents: A. a vulnerability. B. an impact. C. an asset. D. a threat.

A risk practitioner has become aware of a potential merger with another enterprise. What action should the risk practitioner take? A. Evaluate how the changes in the business operations and culture could affect the risk assessment. B. Monitor the situation to see if any new risk emerges due to the proposed changes. C. Continue to monitor and enforce the current risk program because it is already tailored appropriately for the enterprise. D. Implement changes to the risk program to prepare for the transition.

A risk response report includes recommendations for: A. acceptance. B. assessment. C. evaluation. D. quantification.

A third party is engaged to develop a business application. Which of the following BEST measures for the existence of back doors? A. Security code reviews for the entire application B. System monitoring for traffic on network ports C. Reverse engineering the application binaries D. Running the application from a high-privileged account on a test system

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is widespread. To MOST effectively deal with the risk, the business should: A. implement monitoring techniques to detect and react to potential fraud. B. make the customer liable for losses if the customer fails to follow the bank's advice. C. increase its customer awareness efforts in those regions. D. outsource credit card processing to a third party.

An enterprise has just completed an information systems audit and a large number of findings have been generated. This list of findings is BEST addressed by: A. a risk mitigation plan. B. a business impact analysis (BIA). C. an incident management plan. D. revisions to information security procedures.

An enterprise has learned of a security breach at another entity that utilizes similar technology. The MOST important action a risk practitioner should take is to: A. assess the likelihood of the incident occurring at the risk practitioner's enterprise. B. discontinue the use of the vulnerable technology. C. report to senior management that the enterprise is not affected. D. remind staff that no similar security breaches have taken place.

An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise? A. The data classification policy B. The acceptable use policy C. Encryption standards D. The access control policy

An operations manager assigns monitoring responsibility ofkey risk indicators (KRIs) to line staff. Which of the following is MOST effective in validating the effort? A. Reported results should be independently reviewed. B. Line staff should complete risk management training. C. The threshold should be determined by risk management. D. Indicators should have benefits that exceed their costs

Assuming that the CIO is unable to address all of the findings, how should the CIO deal with any findings that remain after available funds have been spent? A. Create a plan of actions and milestones for open vulnerabilities. B. Shut down the information systems with the open vulnerabilities. C. Reject the risk on the open vulnerabilities. D. Implement compensating controls on the systems with open vulnerabilities.

Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as: A. quantitative risk analysis. B. risk scenario analysis. C. qualitative risk analysis. D. probabilistic risk assessment.

Due to changes in the IT environment, the disaster recovery plan of a large enterprise has been modified. What is the GREATEST benefit of testing the new plan? A. To ensure that the plan is complete 8. To ensure that the team is trained C. To ensure that all assets have been identified D. To ensure that the risk assessment was validated

During a risk management exercise, an analysis was conducted on the identified risk and mitigations were identified. Which choice BEST reflects residual risk? A. Risk left after the implementation of new or enhanced controls B. Risk mitigated as a result of the implementation of new or enhanced controls C. Risk identified prior to implementation of new or enhanced controls D. Risk classified as high after the implementation of new or enhanced controls

During an organizational risk assessment it is noted that many corporate IT standards have not been updated. The BEST course of action is to: A. review the standards against current requirements and make a determination of adequacy. B. determine that the standards should be updated annually. c. report that IT standards are adequate and do not need to be updated. D. review the IT policy document and see how frequently IT standards should be updated.

During the initial phase of the system development life cycle (SDLC), the risk professional provided input on how to secure the proposed system. The project team prepared a list of requirements that will be used to design the system. Which of the following tasks MUST be performed before moving on to the system design phase? A. The risk associated with the proposed system and controls is accepted by management. B. Various test scenarios that will be used to test the controls are documented. C. The project budget is increased to include additional costs for security. D. Equipment and software are procured to meet the security requirements.

How can an enterprise determine the aggregated risk from several sources? A. Through a security information and event management (SIEM) system B. Through a fault tree analysis C. Through a failure modes and effects analysis D. Through a business impact analysis (BIA)

How often should risk be evaluated? A. Annually or when there is a significant change B. Once a year for each business process and subprocess C. Every three to six months for critical business processes D. Only after significant changes occur

In a large enterprise, system administrators may release critical patches into production without testing. Which of the following would BEST mitigate the risk of interoperability issues? A. Ensure that a reliable system rollback plan is in place. B. Test the patch on the least critical systems first. C. Only allow updates to occur after hours. D. Ensure that patches are approved by the chief information security officer (CISO).

In which phase of the system development life cycle (SDLC) should the process to amend the deliverables be defined to prevent the risk of scope creep? A. Feasibility B. Development C. User acceptance D. Design

Information security procedures should: A. be updated frequently as new software is released. B. underline the importance of security governance. C. define the allowable limits of behavior. D. describe security baselines for each platform.

Information that is no longer required to support the main purpose of the business from an information security perspective should be: A. analyzed under the retention policy. B. protected under the information classification policy. C. analyzed under the backup policy. D. protected under the business impact analysis (BIA).

It is MOST important for a risk evaluation to: A. take into account the potential size and likelihood of a loss. B. consider inherent and control risk. C. include a benchmark of similar companies in its scope. D. assume an equal degree of protection for all assets.

Management wants to ensure that IT is successful in delivering against business requirements. Which of the following BEST supports that effort? A. An internal control system or framework B. A cost-benefit analysis c. A return on investment (ROI) analysis D. A benchmark process

One way to determine control effectiveness is by determining: A. the test results of intended objectives. B. whether it is preventive, detective or compensatory. C. the capability of providing notification of failure. D. the evaluation and analysis of reliability.

Previously accepted risk should be: A. reassessed periodically because the risk can be escalated to an unacceptable level due to revised conditions. B. removed from the risk log once it is accepted. C. accepted permanently because management has already spent resources (time and labor) to conclude that the risk level is acceptable. D. avoided next time because risk avoidance provides the best protection to the enterprise.

Risk management strategic plans are MOST effective when developed for: A. the enterprise as a whole. B. each individual system based on technology utilized. C. every location based on geographic threats. D. end-to-end business processes.

Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A. analyze what systems and technology-related processes may be impacted. B. ensure necessary adjustments are implemented during the next review cycle. C. initiate an ad hoc revision of the corporate policy. D. notify the system custodian to implement changes.

Testing the compliance of a response and recovery plan should begin with conducting a: A. tabletop exercise. B. review of archived logs. C. penetration test. D. business impact analysis (BIA).

The MOST important objective of regularly testing information system controls is to: A. identify design flaws, failures and redundancies. B. provide the necessary evidence to support management assertions. C. assess the control risk and formulate an opinion on the level of reliability. D. evaluate the need for a risk assessment and indicate the corrective action(s) to be taken, where applicable

The PRIMARY advantage of creating and maintaining a risk register is to: A. ensure that an inventory of potential risk is maintained. B. record all risk scenarios considered during the risk identification process. C. collect similar data on all risk identified within the organization. D. run reports based on various risk scenarios.

The PRIMARY focus of managing IT-related business risk is to protect: A. information. B. hardware. C. applications. D. databases.

The PRIMARY reason for developing an enterprise security architecture is to: A. align security strategies between the functional areas of an enterprise and external entities. B. build a barrier between the IT systems of an enterprise and the outside world. C. help with understanding of the enterprise's technologies and the interactions between them. D. protect the enterprise from external threats and proactively monitor the corporate network.

The aggregated results of continuous monitoring activities are BEST communicated to: A. the risk owner. 8. technical staff. C. the audit department. D. the information security manager

The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures. Which of the following should the CIO create FIRST? A. The strategic IT plan B. The data classification scheme C. The information architecture document D. The technology infrastructure plan

The cost of mitigating a risk should not exceed the: A. expected benefit to be derived. B. annual loss expectancy (ALE). C. value of the physical asset. D. cost to exploit the weakness.

The likelihood of an attack being launched against an enterprise is MOST dependent on: A. the skill and motivation of the potential attacker. B. the frequency that monitoring systems are reviewed. C. the ability to respond quickly to any incident. D. the effectiveness of the controls.

The risk action plan MUST include an appropriate resolution, a date for completion and: A. responsible personnel. B. mitigating factors. C. likelihood of occurrence. D. cost of completion.

The sales manager of a home improvement enterprise wants to expand the services available on the enterprise's web page to include sending free promotional samples of their products to prospective clients. What is the GREATEST concern the risk professional would have? A. Are there any data privacy concerns about storing client data? B. Are there any concerns about protecting credit card or payment data? C. Can the system be misused by a person to obtain multiple samples? D. Will the web site be able to handle the expected volume of traffic?

There is an increase in help desk call levels because the vendor hosting the human resources (RR) self-service portal has reduced the password expiration from 90 to 30 days. The corporate password policy requires password expiration after 60 days and RR is unaware of the change. The risk practitioner should FIRST: A. formally investigate the cause of the unauthorized change. B. request the service provider reverse the password expiration period to 90 days. c. initiate a request to strengthen the corporate password expiration requirement to 30 days. D. notify employees of the change in password expiration period.

What do different risk scenarios on the same bands/curve on a risk map indicate? A. All risk scenarios on the same curve of a risk map have the same level of risk. B. All risk scenarios on the same curve of a risk map have the same magnitude of impact. C. All risk scenarios on the same curve of a risk map require the same risk response. D. All risk scenarios on the same curve of a risk map are of the same type.

What is the BEST approach to determine whether existing security control management meets the organizational needs? A. Perform a process maturity assessment. B. Perform a control self-assessment (CSA). C. Review security logs for trends or issues. D. Compare current and historical security test results

What is the BEST risk response for risk scenarios where the likelihood is low and financial impact is high? A. Transfer the risk to a third party. B. Accept the high cost of protection. C. Implement detective controls. D. Implement compensating controls.

What is the MAIN objective of risk identification? A. To detect possible threats that may affect the business B. To ensure that risk factors and root causes are managed C. To enable the review of the key performance indicators (KPIs) D. To provide qualitative impact values to stakeholders

What is the purpose of system accreditation? A. To ensure that risk associated with implementation has been identified and explicitly accepted by a senior manager 8. To review all technical and nontechnical controls to ensure that the security risk has been reduced to acceptable levels C. To ensure that changes to the security controls are properly authorized, tested and documented D. To require the training and certification of staff that will be responsible for working on a system

What is the purpose of system accreditation? A. To ensure that risk associated with implementation has been identified and explicitly accepted by a senior manager B. To review all technical and nontechnical controls to ensure that the security risk has been reduced to acceptable levels C. To ensure that changes to the security controls are properly authorized, tested and documented D. To require the training and certification of staff that will be responsible for working on a system

When performing a risk assessment on the impact of losing a server, calculating the monetary value of the server should be based on the: A. cost to obtain a replacement. B. annual loss expectancy (ALE). C. cost of the software stored. D. original cost to acquire.

When the key risk indicator (KRI) for the IT change management process reaches its threshold, a risk practitioner should FIRST report this to the: A. business owner. B. chief information security officer (CISO). C. help desk. D. incident response team

When would a risk professional ideally perform a complete enterprisewide threat analysis? A. On a yearly basis B. When malware is detected C. When regulatory requirements change D. Following a security incident

Which of the folJowing activities should a risk professional perform to determine whether firewall deployments are deviating from the enterprise's information security policy? A. Review the firewall parameter settings. B. Review the firewall intrusion prevention system (IPS) logs. C. Review the firewall hardening procedures. D. Analyze the firewall log file for recent attacks.

Which of the following BEST assists a risk practitioner in measuring the existing level of development of risk management processes against their desired state? A. A capability maturity model (CMM) B. Risk management audit reports C. A balanced scorecard (BSC) D. Enterprise security architecture

Which of the following BEST ensures that identified risk is kept at an acceptable level? A. Reviewing of the controls periodically, according to the risk action plan B. Listing each risk as a separate entry in the risk register C. Creating a separate risk register for every department D. Maintaining a key risk indicator (KRI) for assets in the risk register

Which of the following BEST ensures that information systems control deficiencies are appropriately remediated? A. A risk mitigation plan B. Risk reassessment C. Control risk reevaluation D. Countermeasure analysis

Which of the following BEST helps identify information systems control deficiencies? A. Gap analysis B. The current IT risk profile C. The IT controls framework D. Countermeasure analysis

Which of the following BEST helps to respond to risk in a cost-effective manner? A. Prioritizing and addressing risk according to the risk management strategy B. Mitigating risk on the basis of risk likelihood and magnitude of impact C. Performing countermeasure analysis for each of the controls deployed D. Selecting controls that are at zero or near-zero costs

Which of the following BEST identifies changes in an enterprise's risk profile? A. The risk register B. Risk classification C. Changes in risk indicator thresholds D. Updates to the control inventory

Which of the following BEST identifies controls addressing risk related to cloud computing? A. Data encryption, tenant isolation, controlled change management B. Data encryption, customizing the application template, creating and importing custom widgets C. Selecting an open standards-based technology, data encryption, tenant isolation D. Tenant isolation, controlled change management, creating and importing custom widgets

Which of the following BEST improves decision making related to risk? A. Maintaining a documented risk register of all possible risk B. Risk awareness training in line with the risk culture C. Maintaining updated security policies and procedures D. Allocating accountability of risk to the department as a whole

Which of the following BEST mitigates control risk? A. Continuous monitoring B. An effective security awareness program C. Effective change management procedures D. Senior management support for control implementation

Which of the following BEST protects the confidentiality of data being transmitted over a network? A. Data are encapsulated in data packets with authentication headers. B. A digital hash is appended to all messages sent over the network. C. Network devices are hardened in compliance with corporate standards. D. Fiber-optic cables are used instead of copper cables.

Which of the following MUST be included when developing metrics to identify and monitor the control life cycle? A. Thresholds that identify when controls no longer provide the intended value B. Customized reports of the metrics for key stakeholders C. A description of the methods and practices used to develop the metrics D. Identification of a repository where metrics will be maintained and stored

Which of the following MUST be included when developing metrics to identify and monitor the controllife cycle? A. Thresholds that identify when controls no longer provide the intended value B. Customized reports of the metrics for key stakeholders C. A description of the methods and practices used to develop the metrics D. Identification of a repository where metrics will be maintained and stored

Which of the following approaches is the BEST approach to exception management? A. Escalation processes are defined. B. Process deviations are not allowed. C. Decisions are based on business impact. D. Senior management judgment is required

Which of the following choices will BEST protect the enterprise from financial risk? A. Insuring against the risk B. Updating the IT risk registry C. Improving staff training in the risk area D. Outsourcing the process to a third party

Which of the following combinations of factors help quantify risk? A. Probability and consequence B. Impact and threat C. Threat and exposure D. Sensitivity and exposure

Which of the following combinations of factors helps quantify risk? A. Probability and consequence B. Impact and threat C. Threat and exposure D. Sensitivity and exposure

Which of the following combinations of factors is the MOST important consideration when prioritizing the development of controls and countermeasures? A. Likelihood and impact B. Impact and exposure C. Criticality and sensitivity D. Value and classification

Which of the following criteria is MOST essential for the effectiveness of operational metrics? A. Relevance to the recipient B. Timeliness of the reporting C. Accuracy of the measurement D. Cost of obtaining the metrics

Which of the following factors determines the acceptable level of residual risk in an enterprise? A. Management discretion B. Regulatory requirements C. Risk assessment results D. Internal audit findings

Which of the following groups would be the MOST effective in managing and executing an organization's risk program? A. Midlevel management B. Senior management C. Frontline employees D. The incident response team

Which of the following information systems controls is the BEST way to detect malware? A. Reviewing changes to file size B. Reviewing administrative-level changes C. Reviewing audit logs D. Reviewing incident logs

Which of the following is BEST performed for business continuity management to meet external stakeholder expectations? A. Prioritize applications based on business criticality. B. Ensure that backup data are available to be restored. C. Disclose the crisis management strategy statement. D. Obtain risk assessment by an independent party.

Which of the following is MOST essential for a risk management program to be effective? A. New risk detection B. A sound risk baseline C. Accurate risk reporting D. A flexible security budget

Which of the following is MOST important for effective risk management? A. Assignment of risk owners to identified risk B. Ensuring compliance with regulatory requirements C. Integration of risk management into operational processes D. Implementation of a risk avoidance strategy

Which of the following is MOST important when selecting an appropriate risk management methodology? A. Risk culture B. Countermeasure analysis C. Cost-benefit analysis D. Risk transfer strategy

Which of the following is the BEST indicator of high maturity of an enterprise's IT risk management process? A. People have appropriate awareness of risk and are comfortable talking about it. B. Top management is prepared to invest more money in IT security. C. Risk assessment is encouraged in all areas of IT and business management. D. Business and IT are aligned in risk assessment and risk ranking.

Which of the following is the BEST option to ensure that corrective actions are taken after a risk assessment is performed? A. Conduct a follow-up review. B. Interview staffmember(s) responsible for implementing the corrective action. C. Ensure that an organizational executive documents that the corrective action was taken. D. Run a monthly report and verify that the corrective action was taken.

Which of the following is the BEST risk identification technique for an enterprise that allows employees to identify risk anonymously? A. The Delphi technique B. Isolated pilot groups C. A strengths, weaknesses, opportunities and threats (SWOT) analysis D. A root cause analysis

Which of the following is the BEST way to verify that critical production servers are utilizing up-to-date antivirus signature files? A. Check a sample of servers. B. Verify the date that signature files were last pushed out. C. Use a recently identified benign virus to test whether it is quarantined. D. Research the most recent signature file, and compare it to the console.

Which of the following is the BIGGEST concern for a CISO regarding interconnections with systems outside of the enterprise? A. Requirements to comply with each other's contractual security requirements B. Uncertainty that the other system will be available as needed C. The ability to perform risk assessments on the other system D. Ensuring that communication between the two systems is encrypted through a VPN

Which of the following is the BIGGEST concern for a chief information security officer (CISO) regarding interconnections with systems outside of the enterprise? A. Requirements to comply with each other's contractual security requirements B. Uncertainty that the other system will be available as needed C. The ability to perform risk assessments on the other system D. Ensuring that communication between the two systems is encrypted through a virtual private network (VPN) tunnel

Which of the following is the GREATEST benefit ofa risk-aware culture? A. Issues are escalated when suspicious activity is noticed. B. Controls are double-checked to anticipate any issues. C. Individuals communicate with peers for knowledge sharing. D. Employees are self-motivated to learn about costs and benefits.

Which of the following is the MOST desirable strategy when developing risk mitigation options associated with the unavailability of IT services due to a natural disaster? A. Assume the worst-case incident scenarios. B. Target low-cost locations for alternate sites. C. Develop awareness focused on natural disasters. D. Enact multiple tiers of authority delegation.

Which of the following is the PRIMARY objective of a risk management program? A. Maintain residual risk at an acceptable level B. Implement preventive controls for every threat C. Remove all inherent risk D. Reduce inherent risk to zero

Which of the following metrics is the MOST useful in measuring the monitoring of violation logs? A. Penetration attempts investigated B. Violation log reports produced C. Violation log entries D. Frequency of corrective actions taken

Which of the following provides the BEST view of risk management? A. An interdisciplinary team B. A third-party risk assessment service provider C. The enterprise's IT department D. The enterprise's internal compliance department

Which of the following provides the MOST valuable input to incident response efforts? A. Qualitative analysis of threats B. The annual loss expectancy (ALE) total C. A vulnerability assessment D. Penetration testing

Which of the following reviews will provide the MOST insight into an enterprise's risk management capabilities? A. A capability maturity model (CMM) review B. A capability comparison with industry standards or regulations C. A self-assessment of capabilities D. An internal audit review of capabilities

Which of the following risk response options is MOST likely to increase the liability of the enterprise? A. Risk acceptance B. Risk reduction C. Risk transfer D. Risk avoidance

Which of the following should be in place before a black box penetration test begins? A. A clearly stated definition of scope B. Previous test results C. Proper communication and awareness training D. An incident response plan

Which of the following tools aids management in determining whether a project should continue based on scope, schedule and cost? Analysis of: A. earned value management. 8. the function point. C. the Gantt chart. D. the program evaluation and review technique (PERT).

Which of the following vulnerabilities is the MOST serious and allows attackers access to data through a web application? A. Validation checks are missing in data input fields. B. Password rules do not enforce sufficient complexity. C. Application transaction log management is weak. D. The application and database share a single access ID.

Which of the following would PRIMARILY help an enterprise select and prioritize risk responses? A. A cost-benefit analysis of available risk mitigation options B. The level of acceptable risk per risk appetite C. The potential to transfer or eliminate the risk D. The number of controls necessary to reduce the risk

Which ofthe following practices BEST mitigates the risk associated with outsourcing a business function? A. Performing audits to verify compliance with contract requirements B. Requiring all vendor staff to attend annual awareness training sessions C. Retaining copies of all sensitive data on internal systems D. Reviewing the financial records of the vendor to verify financial soundness

Which type of cost incurred is used when leveraging existing network cabling for an IT project? A. Indirect cost B. Infrastructure cost C. Project cost D. Maintenance cost

3-1 When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk? A.Insuring against the risk B.Updating the IT risk register C.Improving staff training in the risk area D.Outsourcing the related business process to a third party

A A.An insurance policy can compensate the enterprise monetarily for the impact of the risk by transferring the risk to the insurance company. B.Updating the risk register (with lower values for impact and probability) will not actually change the risk, only management's perception of it. C.Staff capacity to detect or mitigate the risk may potentially reduce the financial impact, but insurance allows for the risk to be completely mitigated. D.Outsourcing the process containing the risk does not necessarily remove or change the risk.

1-3 Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A.analyze in detail how the law may affect the enterprise. B.ensure that necessary adjustments are implemented during the next review cycle. C.initiate an ad hoc revision of the corporate policy. D.notify the system custodian to implement changes.

A A.Assessing how the law may affect the enterprise is the best course of action. The analysis must also determine whether existing controls already address the new requirements. B.Ensuring that necessary adjustments are implemented during the next review cycle is not the best answer, particularly when the law does affect the enterprise. While an annual review cycle may be sufficient in general, significant changes in the internal or external environment should trigger an ad hoc reassessment. C.Corporate policy should be developed in a systematic and deliberate manner. An ad hoc amendment to the corporate policy is not warranted and may create risk rather than reducing it. D.Notifying the system custodian to implement changes is inappropriate. Changes to the system should be implemented only after approval by the process owner.

2-6 Which of the following choices BEST helps identify information systems control deficiencies? A.Gap analysis B.The current IT risk profile C.The IT controls framework D.Countermeasure analysis

A A.Controls are deployed to achieve the desired control objectives based on risk assessments and business requirements. The gap between desired control objectives and actual IS control design and operational effectiveness identifies IS control deficiencies. B.Without knowing the gap between desired state and current state, one cannot identify the control deficiencies. C.The IT controls framework is a generic document with no information such as desired state of IS controls and current state of the enterprise; therefore, it will not help in identifying IS control deficiencies. D.Countermeasure analysis only helps in identifying deficiencies in countermeasures, not in the full set of primary controls.

1-5 Which of the following choices provides the BEST view of risk management? A.An interdisciplinary team B.A third-party risk assessment service provider C.The enterprise's IT department D.The enterprise's internal compliance department

A A.Having an interdisciplinary team contribute to risk management ensures that all areas are adequately considered and included in the risk assessment processes to support an enterprise view of risk. B.Engaging a third party to perform a risk assessment may provide additional expertise to conduct the risk assessment; but without internal knowledge, it will be difficult to assess the adequacy of the risk assessment performed. C.A risk assessment performed by the enterprise's IT department is unlikely to reflect the view of the entire enterprise. D.The internal compliance department ensures the implementation of risk responses based on the requirement of management. It generally does not take an active part in implementing risk responses for items that do not have regulatory implications.

4-2 Which of the following choices is the BEST measure of the operational effectiveness of risk management process capabilities? A.Key performance indicators (KPIs) B.Key risk indicators (KRIs) C.Base practices D.Metric thresholds

A A.Key performance indicators (KPIs) are assessment indicators that support judgment regarding the performance of a specific process. B.Key risk indicators (KRIs) only provide insights into potential risk that may exist or be realized within a concept or capability that they monitor, not necessarily at the process level. C.Base practices are activities that, when consistently performed, contribute to achieving a specific process purpose. However, base practices need to be complemented by work products to provide reliable evidence about the performance of a specific process. D.Metric thresholds are decision or action points that are enacted when a KPI or KRI reports a specific value or set of values.

4-8 Which of the following methods is the MOST effective way to ensure that outsourced service providers comply with the enterprise's information security policy? A.Periodic audits B.Security awareness training C.Penetration testing D.Service level monitoring

A A.Regular audits can identify gaps in information security compliance. B.Training can increase user awareness of the information security policy but is not more effective than auditing. C.Penetration testing can identify security vulnerability but cannot ensure information compliance. D.Service level monitoring can only identify operational issues in the enterprise's operational environment.

3-7 Which of the following choices should be considered FIRST when designing information system controls? A.The organizational strategic plan B.The existing IT environment C.The present IT budget D.The IT strategic plan

A A.Review of the enterprise's strategic plan is the first step in designing effective IS controls that would fit the enterprise's long-term plans. B.Review of the existing IT environment, although useful and necessary, is not the first task that needs to be undertaken. C.The present IT budget is one of the components of the strategic plan. D.The IT strategic plan exists to support the enterprise's strategic plan.

What is the most important attribute of an effective key risk indicator?

A KRI should be linked to a specific risk

1-7 It is MOST important that risk appetite is aligned with business objectives to ensure that: A.resources are directed toward areas of low risk tolerance. B.major risk is identified and eliminated. C.IT and business goals are aligned. D.the risk strategy is adequately communicated.

A A.Risk appetite is the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where the risk tolerance (for loss) is low. B.There is no link between aligning risk appetite with business objectives and identification and elimination of major risk, and although risk can typically be reduced to an acceptable level using various risk response options, its elimination is rarely cost-effective even when it is possible. C.Alignment of risk appetite with business objectives does converge IT and business goals to a point, but alignment is not limited to these two areas. Other areas include organizational, strategic and financial objectives, among other objectives. D.Communication of the risk strategy does not depend on aligning risk appetite with business objectives.

2-5 Which of the following choices BEST assists a risk practitioner in measuring the existing level of development of risk management processes against their desired state? A. A capability maturity model (CMM) B. Risk management audit reports C. A balanced scorecard (BSC) D. Enterprise security architectu

A A.The capability maturity model (CMM) grades processes on a scale of 0 to 5, based on their maturity. It is commonly used by entities to measure their existing state and then to determine the desired one. B.Risk management audit reports offer a limited view of the current state of risk management. C.A balanced scorecard (BSC) enables management to measure the implementation of strategy and assists in its translation into action. D.Enterprise security architecture explains the security architecture of an entity in terms of business strategy, objectives, relationships, risk, constraints and enablers and provides a business-driven and business-focused view of security architecture.

3-2 To be effective, risk mitigation MUST reduce the: A.residual risk. B.inherent risk. C.frequency of a threat. D.impact of a threat.

A A.The objective of risk reduction is to reduce the residual risk to levels below the enterprise's risk tolerance level. B.Reduction of inherent risk is not the goal of typical risk reduction/mitigation efforts. C.Risk reduction efforts can focus on reducing either frequency or impact. D.Risk reduction efforts can focus on reducing either frequency or impact.

4-7 Tools that correlate information from multiple systems to improve trend analysis are MOST likely to be applied to: A.transaction data. B.configuration settings. C.system changes. D.process integrity.

A A.Transaction data tends to be difficult to analyze at a personal level for trends across multiple systems because of sheer volume and level of detail. Therefore, correlation engines are often used to analyze the data to see trends that otherwise might not be apparent. B.Configuration settings are generally compared against predefined values rather than between systems, and trends in configuration are rarely of value. C.System changes are compared from a previous state to the current state, and only in certain limited circumstances would it be reasonable to subject system changes to trend analysis. D.Process integrity depends on system integrity and is not typically associated with trend analysis.

1-8 Weak passwords and transmission over unprotected communication lines are examples of: A.vulnerabilities. B.threats. C.probabilities. D.impacts.

A A.Vulnerabilities represent characteristics of information resources that may be exploited by a threat. B.Threats are circumstances or events with the potential to cause harm to information resources. C.Probabilities represent the likelihood of the occurrence of a threat. D.Impacts represent the outcome or result of a threat exploiting a vulnerability.

Risk map

A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude

Black-box test

A blind penetration test with no prior knowledge of the system design and architecture.

Event tree analysis

A bottom up model that uses deductive reasoning to assess the probability of different events resulting in possible outcomes

Assessment

A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative

Which of the following can best be used as a basis for recommending a (DLP) device as a security control?

A business case for DLP to protect data

Evaluate the impact of disruption on enterprises ability to operate overtime. Recovery times objectives and recovery point objective.

A business impact analysis is primarily used to:

Which of the following reviews will provide the most insight into an enterprise's risk management capabilities/

A capability maturity model review

Vulnerability Assessment

A careful examination of a target environment to discover any potential points of compromise or weakness.

Risk Profile

A collection of detailed data on identified IT risks, single system or enterprise wide.

What is risk factor?

A combination of several factors that interact to cause damage to assets of the organization

Risk factor

A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios

What is a Corrective control?

A control for correcting after detection occurs (e.g. incident response)

Review

A critical evaluation of a process, project or work effort

Delphi Technique

A decision-making technique. Group members do not meet face-to-face but respond in writing to questions posed by the group leader. polling or information gathering is done either anonymously or privately between the interviewer and interviewee.

IT risk profile

A description of the overall (identified) IT risk to which the enterprise is exposed

Procedure

A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards

What is a digital signature?

A encrypted hash of message used to verify msg integrity / authenticity

Enterprise Resource Planning (ERP)

A enterprise to automate and integrate the majority of its planning. System packaged business software system that allows an business processes, share common data and practices across the entire enterprise, and produce and access information in a real-time environment. Scope Note: Examples of ERP include SAP, Oracle Financials and J.D. Edwards.

Business objective

A further development of the business goals into tactical targets and desired results and outcomes

Framework

A generally accepted business-process-oriented structure that established a common language and enables repeatable business processes.

Computer emergency response team (CERT)

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

Semiquantitative Risk Assessment

A hybrid approach has the realistic input of a qualitative assessment combined with the numerical scale used to determine the impact of a quantitative risk assessment. combines the value of qualitative and quantitative risk assessment.

Assurance

A number of related activities designed to provide the reader or user of a report with a level of assurance or comfort over the subject matter

Disaster recovery plan (DRP)

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster

Risk indicator

A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite

Risk indicators

A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite

A vulnerability

A small software company has been flooded an insurance does not pay out because premium has lapsed. In relation to risk management, the lapsed premium is considered:

The implementation of unjustified controls is most likely to result in:

A smaller return on IT investment

Risk indicator

A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite Risk management 1. The coordinated activities to direct and control an enterprise with regard to risk Scope Note: In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002) 2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite. Scope Note: COBIT 5 perspective

Which of the following provides the best capability to identify whether controls that are in place remain effective in mitigating their intended risk?

A key risk indicator

Vulnerability

A lack of adequate controls

Preliminary Hazard Analysis

A list of potential risks

Risk Register

A listing of all risks identified for the enterprise

Risk register

A listing of all risks identified for the enterprise

After a risk has been identified, who must be identified and why?

A manager or senior official in the organization must be identified as its owner.

Cryptography

A mathematical means of altering data from a readable plaintext (clear text) from that is easily readable into an unreadable format (cipher text) in a manner that can be reversed by someone who has access to the appropriate key.

Which of the following is most beneficial to improvement of an enterprise risk management process?

A maturity model

Magnitude

A measure of the potential severity of loss or the potential gain from realized events/scenarios

Frequency

A measure of the rate by which events occur over a certain period of time

Frequency

A measure of the rate by which events, occur over a certain period of time

Key performance indicator (KPI)

A measure that determines how well the process is performing in enabling the goal to be reached. Scope Note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.

Key performance indicator (KPI)

A measure that determines how well the process is performing in enabling the sought-after goal; measures an activity goal, which is an action that the process owner must take to achieve effective process performance

Control risk self-assessment

A method/process by which management and staff of all levels collectively identify and evaluate risk and controls with their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.

Feasibility study

A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

Technology Infrastructure Plan

A plan for the technology, human resources and facilities that enable the current and future processing and use of applications

Fallback procedures

A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended Scope Note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.

Business continuity plan (BCP)

A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

What is the best example of a Directive control?

A policy

Acceptable Use Policy

A policy that establishes an agreement between users and the enterprise and defines for all parties' the ranges of use that are approved before gaining access to a network or the internet

Non-repudiation

A positive guarantee that a give action was carried out by a given individual or process and is an important part of tracing responsibility and enforcing accountability.

Threat

A potential cause of an unwanted incident

data analysis: cause and effect

A predictive or diagnostic analytical tool that is used to Explore the root causes & identify potential risks

Business risk

A probable situation with uncertain frequency and magnitude of loss (or gain)

Risk Analysis

A process by which the frequency and magnitude of risk scenarios are estimated

Root Cause Analysis

A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems

Vulnerability Analysis

A process of identifying and classifying vulnerabilities.

Risk Assessment

A process used to identify and evaluate risk and its potential effects.

Which of the following project management tools if most appropriate when managing a system development project of uncertain duration?

A project evaluation review technique (PERT)

Protocol Analyzer

A sniffer that collects network traffic for examination

IT risk register

A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition.

Impact Assessment

A review of the possible consequences of a risk.

Layers of protection analysis (LOPA)

A semi-quantatative risk analysis that uses aspects of HAZOP to determine risk associated with risk events. It also looks at controls and their effectiveness.

Security incident

A series of unexpected events involving an attack or series of attacks (compromise and/or breach of security) at one or more sites

Control framework

A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an enterprise

Database Management System

A software system that controls the organization, storage and retrieval of data in a database

What is Enterprise Risk Management (ERM)?

A standard approach that can be applied across the enterprise

1.1.7 Which of the following describes a set of mandatory procedures or processes used by an organization? A. Standard B. Framework C. Practice D. Policy

A standard is a set of mandatory procedures or processes used by an organization.

Structured "What If" Technique (SWIFT)

A structured brainstorming activity to identify risks

Project Risk

A structured set of activities concerned with delivering a defined capability (that is necessary, but not sufficient, to achieve a required business outcome) to the enterprise, based on agreed-on schedule and budget.

Impact Analysis

A study to prioritize the costs to the organization based on costs of adverse events. M

Impact Analysis

A study to prioritize the criticality of information resources for enterprise based on cost (or consequences) of adverse events. In an impact analysis, threats are identified and potential business losses determined for different periods. This assessment us used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

Impact analysis

A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

Key Risk Indicator

A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk

Key risk indicator (KRI)

A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk. Scope Note: See also Risk Indicator.

Tape Management System

A system software tool that logs, monitors and directs computer tape usage

Which of the following activities is the most important related to testing the IT continuity plan?

A test based on defined recovering priorities

INTEGRATED TEST FACILITIES (ITF)

A testing methodology in which test data are processed in production systems Scope Note: The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the...

1.1.3 Which of the following terms DESCRIBES a weakness in a system? A. Threat B. Vulnerability C. Risk D. Threat Agent

A vulnerability is a weakness in a system

Vulnerability

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Vulnerability

A weakness in the design, implementation, operation or internal control of the process that could expose the system to adverse threats from threat events.

2.2.7 Which of the following is a vulnerability that affects the business processes that deal with third-party providers? A. Lack of well-written service level agreement B. Failure to test new technologies as they are integrated into the existing infrastructure C. Lack of common data formats between internal systems d. Failure to conduct a business impact analysis

A. A lack of a well-written, comprehensive service level agreement is a vulnerability that affects the business processes that deal with third-party providers

2.2.3 Which of the following terms describes an entity that initiates a threat? A. Threat Agent B. Vulnerability C. Risk D. Risk Factor

A. A threat agent is an entity that initiates a threat

2.2.2 Which of the following collects information about different actors and negative events that could exploit the vulnerabilities in a system? A. Threat Assessment B. Vulnerability Assessment C. Compliance Assessment D. Penetration Test

A. A threat assessment collects information about different actors and negative events that could exploit the vulnerabilities in a system

3.1 When a risk cannot be sufficiently mitigated though manual or automatic controls, which of the following options will BEST protect the enterprise from the prtential financial impact of the risk? A. Insuring against the risk B. Updating the IT risk register C. Improving staff training in the risk area D. Outsourcing the related business process to a third party

A. An insurance policy can compensate the enterprise monetarily for the impact of the risk by transferring the risk to the insurance company.

Are specific security controls mandated in the outsourcing contract/agreement

An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting, and support. What is the most important question a risk professional will ask in relation to the outsourcing arrangements?

1.3 Shortly after preforming the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A. analyze in detail how the law may affect the enterprise. B. ensure that necessary adjustments are implemented during the next review cycle. C. initiate the AD-HOC revision f the corporate policy. D. notify the system custodian to implement changes.

A. Assessing how the law may affect the enterprise is the best course of action. the analysis must also determine whether existing controls already address the new requirements.

Data Classification Scheme

An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership

management control

An enterprise security policy is an example of which control?

What are the PCI Data Security Standard 12 requirements?

A. Build & Maintain a Secure Network & System 1. Install & maintain a firewall configuration to protect cardholder data 2. Do NOT use vendor -supplied defaults for system passwords & other security parameters B. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks C. Maintain a Vulnerability Management Program 5. Protect all systems against malware & regularly update anti-virus software or programs 6. Develop & maintain secure systems & applications D. Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify & authenticate access to system components 9. Restrict physical access to cardholder data E. Regularly Maintain & test Networks 10. Track & monitor all access to network resources & cardholder data 11. Regularly test security systems & processes F. Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel

Threat Analysis

An evaluation of the Type, Scope and Nature of event or actions that can result in adverse consequences, identification of the threat that exists against enterprise assets.

2.6 Which of the following choices BEST helps identify information system control deficiencies? A. gap analysis B. the current IT risk profile C. the IT controls framework D. countermeasure analysis

A. Controls are deployed to achieve desired control objectives based on risk assessments and business requirements. The gap between desired control objectives and actual IS control design and operational effectiveness identifies IS control deficiencies.

A. Data classification policy describes the data classification categories; levels of protection to be provided for each category of data; and roles and responsibilities of potential users, including data owners

1.5 Which of the following choices provides the BEST view of risk management? A. and interdisciplinary team B. a third-party risk assessment service provider C. The enterprise's IT department D. The enterprise's internal compliance department

A. Having an interdisciplinary team contributes to risk management ensures that all areas are adequately considered and included in the risk assessment process to support an enterprise view of risk.

What are the four common accepted options for risk response?

Acceptance Mitigation Sharing(transfer) Avoidance

4.2 Which of he following choices is the BEST measure of the operational effectiveness of risk management process capabilities? A. Key performance indicators (KPI) B. Key risk indicators (KRI) C. Base practice D. Metric thresholds

A. Key performance indicators (KPIs) are assessment indicators that support judgment regarding the performance of a specific process.

The PRIMARY advantage of creating and maintaining a risk register is to: A. ensure than an inventory of potential risk is maintained B. record all risk scenarios considered during the risk identification process C. collect similar data on all risk identified within the organization D. run reports based on various risk scenarios

A. Once important assets and the risk that may impact these assets are identified, the risk register is used as an inventory of that risk. The risk register can help enterprises accelerate their risk decision making and establish accountability for specific risk

3.7 Which of the following choices should be considered FIRST when designing information system controls? A. The organizational strategic plan B. The existing IT environment C. The present IT budget D. The IT strategic plan

A. Review of the enterprise's strategic plan is the first step in designing effective IS controls that would fit the enterprise's long-term plans.

1.7 It is MOST important that risk appetite is aligned with business objectives to ensure that: A. resources are directed toward areas of low risk tolerance. B. major risk is identified and eliminated. C. IT and business goals are aligned. D. the risk strategy is adequately communicated.

A. Risk appetite is the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where the risk tolerance (for loss) is low.

A risk owner is accountable for what?

Accepting risk based on the organizational risk appetite and should be someone with the budget, authority, and mandate to select the appropriate risk response based on analyses and guidance provided by the risk practitioner.

Threat analysis

An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets Scope Note: The threat analysis usually defines the level of threat and the likelihood of it materializing.

Which indicators ensures that the organization's risk is effectively treated?

An indicator used to defined the control environment and measure towards tolerance.

2.5 Which of the following choices BEST assist a risk practitioner in measuring the existing level of development of risk management processes against their desired state? A. a capability maturity model (CMM) B. risk management audit reports C. a balanced scorecard (BSC) D. enterprise security architecture

A. The capability maturity model (CMM) grades processes on a scale of 0 to 5, based on their maturity. It is commonly used by entities to measure their existing state and them to determine the desired one.

3.2 To be effective, risk mitigation MUST reduce the: A. residual risk. B. inherent risk. C. frequency of a threat. D. impact of a threat.

A. The objective of risk reduction is to reduce the residual risk to levels below the enterprise's risk tolerance level.

The Types of IT-related Risk

Access Risk Availability Risk Infrastructure Risk Integrity Risk Investment/Expense Risk Project Ownership Risk Relevance Risk Schedule Risk

The board of directors of a one-year-old start-up company has asked their CIO to create all of the enterprise's IT policies and procedures. Which of the following should the CIO create FIRST? A. The strategic IT plan B. The data classification scheme C. The information architecture document D. The technology infrastructure plan

A. The strategic IT plan is the first policy to be created when setting up an enterprise's governance model

1.8 Weak passwords and transmission over unprotected communication likes are examples of: A. vulnerabilities. B. threats. C. probabilities. D. impacts.

A. Vulnerabilities represent characteristics of information resources that may be exploited by a threat.

Annual loss expectancy calculation (ALE)

ALE = Single loss expectancy (SLE) x Annual rate of occurrence (ARO)

Name and define the types of risks

Access risk - The risk that information may be divulged or made available to recipients without authorized access by the information owner, reflecting a loss of confidentiality Availability risk- The risk that service may be lost or data are not accessible when needed Infrastructure risk- The risk that the IT infrastructure and systems may be unable to effectively support the current and future needs of the business in an efficient, cost-effective and well-controlled fashion (includes hardware, networks, software, people and processes) Integrity risk- The risk that data may be unreliable due to incompleteness or inaccuracy Investment or expense risk- The risk that the IT investment fails to provide value commensurate with its cost or is otherwise excessive or wasteful, including the overall IT investment portfolio Project ownership risk- The risk of IT projects failing to meet objectives through lack of accountability and commitment Relevance risk- The risk that the right information may not get to the right recipients at the right time to allow the right action to be taken or the right decisions to be made Schedule risk- The risk of IT projects taking longer than expected

Which of the following is most critical when system configuration files for critical enterprise system application are being reviewed?

Access to configuration files are not restricted

What SDLC phase contains the bulk of control development?

Acquisition/Development phase

Components of risk scenario include

Actors threat type event asset timing dimension

Governance

Addresses the oversight of the business risk management strategy of the enterprise. The domain of senior management and the shareholders of the enterprise. They establish the enterprise's risk culture and determine the acceptable level's of risk; set up the management framework, and ensure that the risk management function is operating effectively to identify, manage, monitor, and report on current and a potential risk facing the enterprise.

Which of the following best enables an enterprise to measure its risk management process against peers?

Adoption of a maturity model

The most important reason for reporting control effectiveness as part of risk reporting is that it:

Affects the risk profile

What are some of the affect risk factors related to Technology?

Age of equipment Expertise available for maintenance Variety of vendors/suppliers (are they still in business) Documentation of systems Availability of replacement parts ability to test systems or equipment Operating environment and user expertise Ability to patch/mitigate vulnerabilities

What do different risk scenarios on the same bands/curve on a risk map indicate?

All risk scenarios on the same curve of a risk map have the same level of risk.

The CIO should respond to the findings identified in the IT Security audit report by mitigating:

All vulnerabilities on business critical systems first

What is a protocol analyzer?

Also called a sniffer - A dedicated hardware or software that collects network traffic for the purposes of examination

Handbook may violate local laws/regulations

An enterprise expanded its operations into Europe, Asia, Latin America. Enterprise has employee handbook that was updated 3 years ago. What is the biggest concern?

What types of risk are there with Big Data?

Amplified Technical Impact Privacy (Data Collection) Privacy (Re-Identification)

NIST Special Publication 800-66

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act

Managerial control

An acceptable use policy or a risk management program

Control category: Compensating

An alternate form of a control that corrects a deficiency or weakness in the control structure of the enterprise. (like network segmentation)

Capability

An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value

People

An asset that an organization considers as vulnerable to the loss of knowledge in a certain area or has has specific expertise.

Data

An asset that associates with the reputation and goodwill of the organization, that hold secrets, patents, trademarks and copyrights.

Technology

An asset that changes rapidly with new development and is vulnerable to the upgrades that are pushed.

Which of the following techniques best helps determine whether there have been authorized program changes since the last authorized program update?

An automated code comparison

Vulnerability Scanning

An automated process to proactively identify security weakness in a network or individual system.

Which of the following provide the best perspective of risk management to an enterprises employees and stockholders?

An interdisciplinary team within the enterprise helps provide enterprise wide perspective.

Management wants to ensure the IT is successful in delivering against business requirements. Which of the following best supports that effort?

An internal control system or framework

Preventive control

An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product

Accreditation

An official, formal decision by a senior manager to approve or authorize the operation of an information system. Senior leader who authorizes the operation of a system.

Private Cloud

An organization is considering a cloud computing and accepts the risk of confidential info in the cloud. Which os the best cloud deployment model that offers the most safeguards for this information?

Fault-tree analysis

Analyst starts with a risk event and looks for all possible causes, diagrammed as a tree with the risk event at the root and causes at the branches in a top-down approach.

The organizational structure, policies, standards, technology architecture and controls criteria are used to:

Analyze risk scenarios

Reliability-centered maintenance

Analyzes the functions and potential failures of a device

Quantitative RA formula?

Annual Loss Expectancy ($) = Single Loss Expectancy ($) X Annual Risk Occurrence (Cost of controls should not exceed the ALE)

ALE

Annual Loss Expectancy (SLE x ARO)

ARO

Annualized Rate of Occurence

What is exception management?

Another way to say a gap in controls. Need to document a plan to deal with it.

The best way to treat internal security threats is to have regular:

Awareness training

The primary reason to have the risk management process review by an independent risk management professional is to:

Assess the validity of the end-to-end process

Risk and control analysis results are reviewed to:

Assessment the gap between current and desired states

Asset Value

As part of an ERM program a risk practitioner best leverages the work performed by an internal audit by having it:

Assist in monitoring, evaluating, examining and reporting on controls.

Vulnerability event

Any event during which a material increase in vulnerability results. Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force.

Threat event

Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

Loss event

Any event during which a threat event results in loss. Scope Note: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008

Stakeholder

Anyone who has a responsibility for, an expectation from or some other interest in the enterprise; examples include shareholders, users, government, suppliers, customers and the public

Threat

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.

Threat

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Scope Note: A potential cause of an unwanted incident (ISO/IEC 13335)

What are the four AREs?

Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?

Risk governance

Are we doing the right things? Comes from executive management and directors Align strategy with organization goals

Which characteristic of a key performance indicator demonstrates that it is realist and based on important goals and values?

Attainable

Examples of continuous monitoring?

Audit Hook & IPS

Which automated monitoring technique provides in an application used to trigger to indicate a suspicious condition?

Audit hooks embedded hooks that act as triggers if certain conditions are met.

Examples of internal DATA SOURCES used for monitoring and reporting

Audit reports Incident reports User feedback Observation Interviews with management Security reports Logs

A BIA is primarily used to: A. estimate the resources required to resume and return to normal operations after a disruption B. evaluate the impact of a disruption to an enterprise's ability to operate over time C. calculate the likelihood and impact of known threats on specific functions D. evaluate high-level business requirements

A business impact analysis (BIA) is PRIMARILY used to: A. estimate the resources required to resume and return to normal operations after a disruption. B. evaluate the impact of a disruption to an enterprise's ability to operate over time. C. calculate the likelihood and impact of known threats on specific functions. D. evaluate high-level business requirements.

A chief information security officer (CISO) has recommended several controls such as anti-malware to protect the enterprise's information systems. Which approach to handling risk is the CIsa recommending? A. Risk transference B. Risk mitigation C. Risk acceptance D. Risk avoidance

A procurement employee notices that new printer models offered by the vendor keep a copy of all printed documents on a built-in hard disk. Considering the risk of unintentionally disclosing confidential data, the employee should: A. proceed with the order and configure printers to automatically wipe all the data on disks after each print job. B. notify the security manager to conduct a risk assessment for the new equipment. C. seek another vendor that offers printers without built-in hard disk drives. D. procure printers with built-in hard disks and notify staff to wipe hard disks when decommissioning the printer.

A review of an enterprise's IT projects find that projects frequently go over time or budget by nearly 10 percent. On review, management advises the risk practitioner that a deviation of 15 percent is acceptable. This is an example of: A. risk avoidance B. risk tolerance C. risk acceptance D. risk mitigation

A review of an enterprise's IT projects finds that projects frequently go over time or budget by nearly 10 percent. On review, management advises the risk practitioner that a deviation of 15 percent is acceptable. This is an example of: A. risk avoidance. B. risk tolerance. C. risk acceptance. D. risk mitigation.

A risk assessment indicates a risk to the enterprise that exceeds the risk acceptance level set by senior management. What is the BEST way to address this risk? A. Ensure that the risk is quickly brought within acceptable limits, regardless of cost. S. Recommend mitigating controls if the cost and/or benefit would justify the controls. C. Recommend that senior management revise the risk acceptance level. D. Ensure that risk calculations are performed to revalidate the controls.

A risk professional has been asked to determine which factors were responsible for a loss event. Which of the following methods should be used? A. Key risk indicators (KRJs) B. Cause-and-effect analysis C. Business process modeling (BPM) D. Business impact analysis (BIA)

A small start-up software development company has been flooded and the insurance does not payout because the premium has lapsed. In relation to risk management, the lapsed premium is considered a: A. risk. B. vulnerability. C. threat. D. negligence.

A substantive test to verify that tape library inventory records are accurate is: A. determining whether bar code readers are installed. B. conducting a physical count of the tape inventory. C. checking whether receipts and issues of tapes are accurately recorded. D. determining whether the movement of tapes is authorized.

An enterprise has outsourced personnel data processing to a supplier, and a regulatory violation occurs during processing. Who will be held legally responsible? A. The supplier, because it has the operational responsibility B. The enterprise, because it owns the data C. The enterprise and the supplier D. The supplier, because it did not comply with the contract

An enterprise has recently implemented a corporate bring your own device (BYOD) policy to reduce the risk of data leakage. Which of the following approaches MOST enables the policy to be effective? A. Obtaining signed acceptance from users on the BYOD policy B. Educating users on acceptable and unacceptable practices C. Requiring users to read the BYOD policy and any future updates D. Clearly stating disciplinary action for noncompliance

An enterprise is applying controls to protect its product price list from being exposed to unauthorized staff. These internal controls will include: A. identification and authentication. B. authentication and authorization. C. segregation of duties (SoD) and authorization. D. availability and confidentiality.

An enterprise is expanding into new nearby domestic locations (office park). Which of the following is MOST important for a risk practitioner to report on? A. Competitor analysis B. Legal and regulatory requirements C. Political issues D. The potential of natural disasters

An enterprise security policy is an example of which control? A. Operational control B. Management control C. Technical control D. Corrective control

An excessive number of standard workstation images can be categorized as a key risk indicator (KRI) for: A. change management. B. configuration management. C. IT operations management. D. data management.

Business continuity plans (BCPs) should be written and maintained by: A. the information security and information technology functions. 8. representatives from all functional units. C. the risk management function. D. executive management.

During a risk assessment of a start-up company with a bring your own device (BYOD) practice, a risk practitioner notes that the database administrator (DBA) minimizes a social media web site on hislher personal device before running a query of credit card account numbers on a third-party cloud application. The risk practitioner should recommend that the enterprise: A. develop and deploy an acceptable use policy for BYOD. B. place a virtualized desktop on each mobile device. C. blacklist social media web sites for devices inside the demilitarized zone (DMZ). D. provide the DBA with user awareness training.

Faced with numerous risk, the prioritization of treatment options will be MOST effective when based on: A. the existence of identified threats and vulnerabilities. B. the likelihood of compromise and subsequent impact. C. the results of vulnerability scans and exposure. D. the exposure of corporate assets and operational risk.

How does an enterprise BEST ensure that developers do not have access to implement changes to production applications? A. The enterprise must ensure that development staff does not have access to executable code. B. The enterprise must have segregation of duties between application development and operations. C. The enterprise system development life cycle (SDLC) must be enforced to require segregation of duties. D. The enterprise's change management process must be enforced for all but emergency changes.

IT risk is measured by its: A. level of damage to IT systems. B. impact on business operations. C. cost of countermeasures. D. annual loss expectancy (ALE).

Implementing continuous monitoring controls is the BEST option when: A. legislation requires strong information security controls. B. incidents may have a high impact and frequency. C. incidents may have a high impact, but low frequency. D. e-commerce is a primary business driver.

In a situation where the cost of anti-malware exceeds the loss expectancy of malware threats, what is the MOST viable risk response? A. Risk elimination B. Risk acceptance C. Risk transfer D. Risk mitigation

In the risk management process, a cost-benefit analysis is MAINLY performed: A. as part of an initial risk assessment. B. as part of risk response planning. C. during an information asset valuation. D. when insurance is calculated for risk transfer

Once a risk assessment has been completed, the documented test results should be: A. destroyed. B. retained. C. summarized. D. published.

Risk response should focus on which of the following? A. Destruction of obsolete computer equipment B. Theft of a smart phone from an office C. Sanitization and reuse of a flash drive D. Employee deletion of a file

Strong authentication is: A. an authentication technique formally approved by a standardization organization. B. the simultaneous use of several authentication techniques, e.g., password and badge. C. an authentication system that makes use of cryptography. D. an authentication system that uses biometric data to identify a person, e.g., a fingerprint

The BEST way to ensure that an information systems control is appropriate and effective is to verify: A. that the control is operating as designed. B. that the risk associated with the control is being mitigated. C. that the control has not been bypassed. D. the frequency at which the control logs are reviewed

The CIO should respond to the findings identified in the IT security audit report by mitigating: A. the most critical findings on both the business-critical and nonbusiness-critical systems. B. all vulnerabilities on business-critical information systems first. C. the findings that are the least expensive to mitigate first to save funds. D. the findings that are the most expensive to mitigate first and leave all others until more funds become available.

The GREATEST advantage of performing a business impact analysis (BIA) is that it: A. does not have to be updated because the impact will not change. B. promotes continuity awareness in the enterprise. C. can be performed using only qualitative estimates. D. eliminates the need to perform a risk analysis.

The GREATEST risk to token administration is: A. the ability to easily tamper with or steal a token. B. the loss of network connectivity to the authentication system. C. the inability to secure unassigned tokens. D. the ability to generate temporary codes to log in without a token

The IT department wants to use a server for an enterprise database, but the server hardware is not certified by the operating system (OS) or the database vendor. A risk practitioner determines that the use of the database presents: A. a minimal level of risk. B. an unknown level of risk. C. a medium level of risk. D. a high level of risk.

The MOST important reason for reporting control effectiveness as part of risk reporting is that it: A. enables audit reporting. B. affects the risk profile. C. requires mitigation. D. helps manage the control life cycle.

The PRIMARY benefit of using a maturity model to assess the enterprise's data management process is that it: A. can be used for benchmarking. B. helps identify gaps. C. provides goals and objectives. D. enforces continuous improvement.

The PRIMARY goal of a postincident review is to: A. gather evidence for subsequent legal action. B. identify ways to improve the response process. C. identify individuals who failed to take appropriate action. D. make a determination as to the identity of the attacker

The PRIMARY result of a risk management process is: A. a defined business plan. B. input for risk-aware decisions. C. data classification. D. minimized residual risk.

The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all of the IT decisions for the enterprise, including those related to the technology budget. Which type of IT organizational structure does the enterprise have? A. Project-based B. Centralized C. Decentralized D. Divisional

The board of directors wants to know the financial impact of specific, individual risk scenarios. What type of approach is BEST suited to fulfill this requirement? A. Delphi method B. Quantitative analysis C. Qualitative analysis D. Financial risk modeling

The goal of IT risk analysis is to: A. enable the alignment of IT risk management with enterprise risk management (ERM). B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets.

What indicates that an enterprise's risk practices need to be reviewed? A. The IT department has its own methodology of risk management. B. Manufacturing assigns its own internal risk management roles. C. The finance department finds exceptions during its yearly risk review. D. Sales department risk management procedures were last reviewed 11 months ago.

What is the MOST essential attribute of an effective key risk indicator (KRI)? A. The KRI is accurate and reliable. B. The KRI is predictive of a risk event. C. The KRI provides quantitative metrics. D. The KRI indicates required action.

What is the MOST important criterion when reviewing information security controls? A. To provide assurance to management of control monitoring B. To ensure that the controls are effectively addressing risk C. To review the impact of the controls on business operations and performance D. To establish a baseline as a benchmark for future tests

What is the MOST important factor in the success of an ongoing information security monitoring program? A. Logs that capture all network and application traffic for later analysis B. Staff who are qualified and trained to execute their responsibilities c. System components all have up-to-date patches D. A security incident and event management (SIEM) system is in place

What is the PRIMARY reason for reporting significant changes in information risk to senior management? A. To revise the key risk indicators (KRls) B. To enable educated decision making C. To gain support for new countermeasures D. To recalculate the value of existing information assets

Which of the following is used to determine whether unauthorized modifications were made to production programs? A. An analytical review B. Compliance testing C. A system log analysis D. A forensic analysis

When developing IT-related risk scenarios with a top-down approach, it is MOST important to identify the: A. information system environment. B. business objectives. C. hypothetical risk scenarios. D. external risk scenarios.

When proposing the implementation of a specific risk mitigation activity, a risk practitioner PRIMARILY utilizes a: A. technical evaluation report. B. business case. C. vulnerability assessment report. D. budgetary requirements.

When requesting information for an e-discovery, an enterprise learned that their email cloud provider was never contracted to back up the messages even though the company's email retention policy explicitly states that all emails are to be saved for three years. Which of the following would have BEST safeguarded the company from this outcome? A. Providing the contractor with the record retention policy up front B. Validating the company policies to the provider's contract C. Providing the contractor with the email retention policy up front D. Backing up the data on the company's internal network nightly

When would an enterprise project management department PRIMARILY use risk analysis? A. During preparation for natural disasters B. During go/no go decisions C. During workplace safety training development D. During regulation bulletin reviews

Where are key risk indicators (KRIs) MOST likely identified when initiating risk management across a range of projects? A. Risk governance B. Risk response C. Risk analysis D. Risk monitoring

Which of the following BEST describes the risk-related roles and responsibilities of an organizational business unit (BD)? The BD management team: A. owns the mitigation plan for the risk belonging to their BU, while board members are responsible for identifying and assessing risk as well as reporting on that risk to the appropriate support functions. B. owns the risk and is responsible for identifying, assessing and mitigating risk as well as reporting on that risk to the appropriate support functions and the board of directors. C. carries out the respective risk-related responsibilities, but ultimate accountability for the day-to-day work of risk management and goal achievement belongs to the board members. D. is ultimately accountable for the day-to-day work of risk management and goal achievement, and board members own the risk

Which of the following BEST describes the role of management in implementing a risk management strategy? A. Ensure that the planning, budgeting and performance of information security components are appropriate. B. Assess and incorporate the results of the risk management activity into the decision-making process. C. Identify, evaluate and minimize risk to IT systems that support the mission of the organization. D. Understand the risk management process so that appropriate training materials and programs can be developed.

Which of the following BEST helps the risk practitioner identify IS control deficiencies? A. An IT control framework B. Defined control objectives c. A countermeasure analysis D. A threat analysis

Which of the following MOST enables risk-aware business decisions? A. Robust information security policies B. An exchange of accurate and timely information C. Skilled risk management personnel D. Effective process controls

Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation? A. The telecommunications costs may be much higher in the first year. B. Privacy laws may prevent a cross-border flow of information. C. Time zone differences may impede communications between IT teams. D. Software development may require more detailed specifications.

Which of the following actions will an incident response plan activation MOST likely involve? A. Enabling logging to track what resources have been accessed B. Shutting down a server to patch defects in the operating system C. Implementing virus scanning tools to scan attachments in incoming email D. Assisting in the migration to an alphanumeric password authorization policy

Which of the following activities provides the BEST basis for establishing risk ownership? A. Documenting interdependencies between departments B. Mapping identified risk to a specific business process C. Referring to available RACI charts D. Distributing risk equally among all asset owners

Which of the following approaches BEST helps address significant system vulnerabilities that were discovered during a network scan? A. All significant vulnerabilities must be mitigated in a timely fashion. B. Treatment should be based on threat, impact and cost considerations. C. Compensating controls must be implemented for major vulnerabilities. D. Mitigation options should be proposed for management approval.

Which of the following approaches to corporate policy BEST supports an enterprise's expansion to other regions, where different local laws apply? A. A global policy that does not contain content that might be disputed at a local level B. A global policy that is locally amended to comply with local laws C. A global policy that complies with law at corporate headquarters and that all employees must follow D. Local policies to accommodate laws within each region

Which of the following can BEST be used as a basis for recommending a data leak prevention (DLP) device as a security control? A. Benchmarking with peers on DLP deployment S. A business case for DLP to protect data C. Evaluation report of popular DLP solutions D. DLP scenario in risk register

Which of the following can be expected when a key control is being maintained at an optimal level? A. The shortest lead time until the control breach comes to the surface B. Balance between control effectiveness and cost C. An adequate maturity level of the risk management process D. An accurate estimation of operational risk amounts

Which of the following choices is the MOST important part of any outsourcing contract? A. The right to audit the outsourcing provider B. Provisions to assess the compliance of the provider C. Procedures for dealing with incident notification D. Requirements to encrypt hosted data

Which of the following choices is the MOST important part of any outsourcing contract? A. The right to audit the outsourcing provider 8. Provisions to assess the compliance of the provider C. Procedures for dealing with incident notification D. Requirements to encrypt hosted data

Which of the following controls within the user provision process BEST enhances the removal of system access for contractors and other temporary users when it is no longer required? A. Log all account usage and send it to their manager. S. Establish predetermined, automatic expiration dates. C. Ensure that each individual has signed a security acknowledgement. D. Require managers to email security when the user leaves.

Which of the following devices should be placed within a demilitarized zone (DMZ)? A. An authentication server B. A mail relay C. A firewall D. A router

Which of the following documents BEST identifies an enterprise's compliance risk and the corrective actions in progress to meet these regulatory requirements? A. An internal audit report B. A risk register C. An external audit report D. A risk assessment report

Which of the following factors should be assessed after the likelihood of a loss event has been determined? A. Magnitude of impact B. Risk tolerance C. Residual risk D. Compensating controls

Which of the following factors should be included when assessing the impact of losing network connectivity for 18 to 24 hours? A. The hourly billing rate charged by the carrier B. Financial losses incurred by affected business units C. The value of the data transmitted over the network D. An aggregate compensation of all affected business users

Which of the following helps ensure that the cost is justifiable when selecting an IT control? A. The investment is within budget. B. The risk likelihood and its impact are reflected. C. The net present value (NPV) is high. D. Open source technology is used.

Which of the following is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision making? A. An internal audit review B. A peer review C. A compliance review D. A risk policy review

Which of the following is MOST important for determining what security measures to put in place for a critical information system? A. The number of threats to the system B. The level of acceptable risk to the enterprise C. The number of vulnerabilities in the system D. The existing security budget

Which of the following is MOST important in determining the risk mitigation strategy? A. Review vulnerability assessment results. B. Conduct a likelihood and impact ranking. C. Perform a business impact analysis (BIA). D. Align it with the security controls framework.

Which of the following is MOST important when evaluating and assessing risk to an enterprise or business process? A. Identification of controls that are currently in place to mitigate identified risk B. Threat intelligence, including likelihood of identified threats C. Historical risk assessment data D. Control testing results

Which of the following is MOST useful in managing increasingly complex deployments? A. Policy development B. A security architecture C. Senior management support D. A standards-based approach

Which of the following is a PRIMARY consideration when developing an IT risk awareness program? A. Why technology risk is owned by IT B. How technology risk can impact each attendee's area of business C. How business process owners can transfer technology risk D. Why technology risk is more difficult to manage compared to other risk

Which of the following is a PRIMARY role of the system owner during the accreditation process? The system owner; A. reviews and approves the security plan supporting the system. B. selects and documents the security controls for the system. C. assesses the security controls in accordance with the assessment procedures. D. determines whether the risk to the business is acceptable.

Which of the following is an example of postincident response activity? A. Performing a cost-benefit analysis of corrective controls deployed for the incident B. Reassessing the risk to make necessary amendments to procedures and guidelines C. Removing the relevant security policies that resulted in increased incidents D. Inviting the internal audit department to review the corrective controls

NIST 800-39

Managing Information Security Risk. The basis of risk response.

Which of the following is the BEST approach when conducting an IT risk awareness campaign? A. Provide technical details on exploits. B. Provide common messages tailored for different groups. C. Target system administrators and help desk staff. D. Target senior managers and business process owners.

Which of the following is the BEST indicator of an effective information risk management program? A. The security policy is made widely available B. Risk is considered before all decisions C. Security procedures are updated annually D. Risk assessments occur on an annual basis

Which of the following is the BEST indicator that incident response training is effective? A. Decreased reporting of security incidents to the incident response team B. Increased reporting of security incidents to the incident response team C. Decreased number of password resets D. Increased number of identified system vulnerabilities

Which of the following is the BEST method to analyze risk, incidents and related interdependencies to determine the impact on organizational goals? A. Security information and event management (SIEM) solutions B. A business impact analysis (BIA) C. Enterprise risk management (ERM) steering committee meetings D. Interviews with business leaders to develop a risk profile

Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor key risk indicators (KRJs), and record the findings in the risk register. B. Publish the risk register centrally with workflow features that periodically poll risk assessors. C. Distribute the risk register to business process owners for review and updating. D. Utilize audit personnel to perform regular audits and to maintain the risk register.

Which of the following is the BEST way to ensure that contract programmers comply with organizational security policies? A. Have the contractors acknowledge the security policies in writing. B. Perform periodic security reviews of the contractors. C. Explicitly refer to contractors in the security standards. D. Create penalties for noncompliance in the contracting agreement

Which of the following is the GREATEST risk of a policy that inadequately defines data and system ownership? A. Audit recommendations may not be implemented. B. Users may have unauthorized access to originate, modify or delete data. C. User management coordination does not exist. D. Specific user accountability cannot be established.

Which of the following is the MAIN outcome of a business impact analysis (BIA)? A. Project prioritization B. Criticality of business processes C. The root cause of IT risk D. Third-party vendor risk

Which of the following is the MOST effective measure to protect data held on mobile computing devices? A. Protection of data being transmitted B. Encryption of stored data C. Power-on passwords D. Biometric access control

Which of the following is the MOST important consideration when developing a record retention policy? A. Delete, as quickly as practical, all data that are not required. B. Retain data only as long as necessary for business or regulatory requirements. C. Keep data to ensure future availability. D. Archive old data without encryption as quickly as practical

Which of the following is the PRIMARY reason for conducting periodic risk assessments? A. Changes to the asset inventory B. Changes to the threat and vulnerability profile C. Changes in asset classification levels D. Changes in the risk appetite

Which of the following is the PRIMARY reason for having the risk management process reviewed by independent risk auditors/assessors? A. To ensure that the risk results are consistent B. To ensure that the risk factors and risk profile are well defined C. To correct any mistakes in risk assessment D. To validate the control weaknesses for management reporting

Which of the following is the PRIMARY reason that a risk practitioner determines the security boundary prior to conducting a risk assessment? A. To determine which laws and regulations apply B. To determine the scope of the risk assessment C. To determine the business owner(s) of the system D. To decide between conducting a quantitative or qualitative analysis

Which of the following leads to the BEST optimal return on security investment? A. Deploying maximum security protection across all of the information assets B. Focusing on the most important information assets and then determining their protection C. Deploying minimum protection across all the information assets D. Investing only after a major security incident is reported to justify investment

Which of the following provides the formal authorization on user access? A. Database administrator B. Data owner C. Process owner D. Data custodian

Which of the following resources has the GREATEST risk of failure while implementing any security solution? A. Security hardware B. Security staff C. Security processes D. Security software

Which of the following statements BEST describes the value of a risk register? A. It captures the risk inventory. B. It drives the risk response plan. C. It is a risk reporting tool. D. It lists internal risk and external risk.

Which of the following techniques BEST helps determine whether there have been unauthorized program changes since the last authorized program update? A. A test data run B. An automated code comparison C. A code review D. A review of code migration procedures

Which of the following types of risk is high for projects that affect multiple business areas? A. Control risk B. Inherent risk C. Compliance risk D. Residual risk

Which of the following will BEST prevent external security attacks? A. Securing and analyzing system access logs B. Network address translation C. Background checks for temporary employees D. Static Internet protocol (IP) addressing

Which of the following will produce comprehensive results when performing a qualitative risk analysis? A. A vulnerability assessment B. Scenarios with threats and impacts C. The value of information assets D. Estimated productivity losses

Which ofthe following resources has the GREATEST risk of failure while implementing any security solution? A. Security hardware B. Security staff C. Security processes D. Security software

Who is MOST likely responsible for data classification? A. The data user B. The data owner C. The data custodian D. The system administrator

Who should be accountable for the risk to an IT system that supports a critical business process? A. IT management B. Senior management C. The risk management department D. System users

risk professional has been asked to determine which factors were responsible for a loss event. Which of the following methods should be used? A. Key risk indicators (KRJs) B. Cause-and-effect analysis C. Business process modeling (BPM) D. Business impact analysis (BIA

1-2 Which of the following statements BEST describes the value of a risk register? A.It captures the risk inventory. B.It drives the risk response plan. C.It is a risk reporting tool. D.It lists internal risk and external risk.

B A.A risk register is used to provide detailed information on each identified risk such as risk owner, details of the scenario and assumptions, affected stakeholders, causes/indicators, information on the detailed scores (i.e., risk ratings) on the risk analysis, and detailed information on the risk response (e.g., action owner and the risk response status, time frame for action, related projects, and risk tolerance level). These components can also be defined as the risk universe. B.Risk registers serve as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization. C.Risk register data are utilized to generate management reports, but are not in themselves a risk reporting tool. D.The risk register tracks all internal and external risk, the quality and quantity of the controls, and the likelihood and impact of the risk

3-8 Residual risk can be accurately calculated on the basis of: A.Threats and vulnerabilities B.Inherent risk and control risk C.Compliance risk and reputation D.Risk governance and risk response

B A.Although threat and vulnerability are elements of inherent risk, which is one factor needed to calculate residual risk, the risk practitioner does not necessarily need to have the components of inherent risk in order to know the inherent risk. B.Inherent risk multiplied by control risk is the formula to calculate residual risk. C.Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk can lead to reputational damage, but having these factors does not provide a basis for calculating residual risk. D.Risk governance and risk response are risk domains, not risk elements.

2-8 Which of the following reviews is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision making? A.An internal audit review B.A peer review C.A compliance review D.A risk policy review

B A.An internal audit review is not best suited for the review of IT risk analysis results. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an enterprise's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. B.It is effective, efficient and good practice to perform a peer review of IT risk analysis results before sending them to management. C.A compliance review is not best suited for the review of IT risk analysis results. Compliance reviews measure the conformance with a specific, measurable standard. D.A review of the risk policy will change the contents and methods of the risk analysis eventually, but this is not a way of reviewing IT risk analysis results before sending them to management.

1-6 Which of the following choices is a PRIMARY consideration when developing an IT risk awareness program? A.Why technology risk is owned by IT B.How technology risk can impact each attendee's area of business C.How business process owners can transfer technology risk D.Why technology risk is more difficult to manage compared to other risk

B A.IT does not own technology risk. An appropriate topic of IT risk awareness training may be the fact that many types of IT risk are owned by the business. One example may be the risk of employees exploiting insufficient segregation of duties (SoD) within an enterprise resource planning (ERP) system. B.Stakeholders must understand how the IT-related risk impacts the overall business. C.Transferring risk is not of primary consideration in developing a risk awareness program. It is a part of the risk response process. D.Technology risk may or may not be more difficult to manage than other types of risk. Although this is important from an awareness point of view, it is not as primary as understanding the impact in the area of business.

4-4 The BEST test for confirming the effectiveness of the system access management process is to map: A.access requests to user accounts. B.user accounts to access requests. C.user accounts to human resources (HR) records. D.the vendor database to user accounts.

B A.Mapping access requests to user accounts confirms that all access requests have been processed; however, the test does not consider user accounts that have been established without the supporting access request. B.Mapping user accounts to access requests confirms that all existing accounts have been approved. C.Mapping user accounts to human resources (HR) records confirms whether user accounts are uniquely tied to employees. D.Mapping vendor records to user accounts may confirm valid accounts on an e-commerce application but is flawed because it does not consider user accounts that have been established without the supporting access request.

2-3 The risk to an information system that supports a critical business process is owned by: A.the IT director. B.senior management. C.the risk management department. D.the system users.

B A.The IT director manages the IT systems on behalf of the business owners. B.Senior management is responsible for the acceptance and mitigation of all risk. C.The risk management department determines and reports on level of risk but does not own the risk. D.The system users are responsible for utilizing the system properly and following procedures, but they do not own the risk.

2-2 Risk scenarios are analyzed to determine: A.strength of controls. B.likelihood and impact. C.current risk profile. D.scenario root cause.

B A.The strength of controls is determined after the controls are in place to ensure they are adequate in addressing the risk. B.Risk scenarios are descriptions of events that can lead to a business impact and are evaluated to determine the likelihood and impact should the event occur. C.The current risk profile is the identification of risk currently of concern by the organization. D.The risk scenario process is used to identify plausible scenarios and from there determine likelihood and impact. Determining a root cause is not a part of the risk scenario process.

4-1 The MOST important reason to maintain key risk indicators (KRIs) is that: A.complex metrics require fine-tuning. B.threats and vulnerabilities change over time. C.risk reports need to be timely. D.they help to avoid risk.

B A.While most key risk indicator (KRI) metrics need to be optimized in respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time. B.Threats and vulnerabilities change over time, and KRI maintenance ensures that KRIs continue to effectively capture these changes. C.Risk reporting timeliness is a business requirement but is not a driver for KRI maintenance. D.Risk avoidance is one possible risk response. Risk responses are based on KRI reporting.

2.2.9 As a risk practitioner in a large organization, you have been asked to review the company's SDLC model for potential risk areas. The model includes the Requirements, Design, Development, Implementation, and Disposal phases. Software and systems are moved from the development environment immediate into the production environment and implementation. Which SDLC phase would you recommend tat the business add to reduce risk of integration or functionality issues as the system is implemented? A. Initiation B. Test C. Sustainment D. Maintenance

B. A test phase introduction in this model would reduce risk by ensuring that a system or software application meets performance and functionality standards before it is introduced into the production environment, potentially eliminating costly issues before they occure

Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor KRIs and record findings in the risk register B. Publish the risk register centrally with workflow features that periodically poll risk assessors C. Distribute the risk register to business process owners for review and updating D. Utilize audit personnel to perform regular audits and to maintain the risk register

B. Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow features will ensure accuracy of content. A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register

2.2.1 For a negative event or action to materialize and cause risk to an organization or system, what other factor must be present? A. Risk Factor B. Vulnerability C. Threat Agent D. Threat

B. For a negative event or action (threat) to materialize and cause risk to an organization or system, a vulnerability must also be present

B. Increased reporting of incidents is a good indicator of user awareness, but increased reporting of valid incidents is the best indicator because it is a sign that users are aware of the security rules and know how to report incidents. It is the responsibility of the IT function to assess the information provided, identify false-positives, educate end users, and respond to potential problems.

3.8 Residual risk can be accurately calculated on the basis of: A. Threats and vulnerabilities B. Inherent risk and control risk C. Compliance risk and reputation D. Risk governance and risk response

B. Inherent risk multiplied by the control risk is the formula to calculate residual risk. Inherent × Control = Residual

2.8 Which of the following reivew is BEST suted for the reivew of IT risk analysis results before the results are sent to management for approval and use in decision making? A. an internal audit review B. a peer review C. a compliance review D. a risk policy review

B. It is effective, efficient and good practice to preform a per review of IT risk analysis results before sending them to management

4.4 The BEST test for confirming the effectiveness of the system access management process is to map: A. access request to users accounts. B. user accounts to access requests. C. user accounts to human resources (HR) records. D. The vendor database to user accounts.

B. Mapping user accounts to access requests confirms that all existing accounts have been approved.

1.2 Which of the following Statements BEST describes the value of a risk register? A. It captures the Risk inventory. B. It drives the risk response plan. C. It is a risk reporting tool. D. It lists internal and external risk

B. Risk registers serve as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization.

2.2 Risk scenarios are analyzes to determine: A. strength of control B. likelihood and impact C. current risk profile D. scenario root cause

B. Risk scenarios are descriptions of events that can lead to a business impact and are evaluated to determine the likelihood and impact should the risk occur.

2.3 The risk to an information system that supports a critical business process is owned by: A. the IT director B. senior management C. the risk management department D. the system user

B. Senior Management is responsible for the acceptance and mitigation of all risk.

1.6 Which of the following choices is a PRIMARY consideration when developing an IO risk awareness program? A. Why Technology risk is owned by IT B. How technology risk can impact each attendee's area of business C. How business process owners can transfer Technology risk D., Why technology risk is more difficult to manage compared to other risk

B. Stakeholders must understand how the IT-related risk impacts overall business.

B. The primary reason for determining the security boundary is to establish what systems and components are included in the risk assessment

4.1 The MOST important reason to maintain key risk indicators (KRIs) is that: A. complex metrics require fine -tuning B. threats and vulnerabilities change over time C. risk reports need to be timely D. they help to avoid risk.

B. Threats and vulnerabilities change over time, the KRI maintenance ensures that KRIs continue to effectively capture these changes.

What is the best technique to measure IT performance?

Balanced Score Card

What is Quantum Cryptography?

Based on physics

What is Monte Carlo risk assessment?

Basel oriented computer testing

What are some of the risk assessment techniques?

Bayesian statistics and Bayes nets Bow tie analysis Brainstorming/Structured or semistructured interviews Business impact analysis (BIA) Cause and consequence analysis Cause-and-effect analysis Checklists Delphi method Environmental risk assessment Event tree analysis Fault tree analysis Hazard analysis and critical control points (HACCP) Hazard and operability study (HAZOP) Human reliability analysis (HRA) Layers of protection analysis (LOPA) Markov analysis Monte Carlo simulation Preliminary hazard analysis Reliability-centered maintenance Root cause analysis (pre-mortems) Scenario analysis Sneak circuit analysis Structured "what if" technique (SWIFT) -- Adapted from IEC 31010:2009 Risk management—Risk assessment techniques, Switzerland, 2009

Bow-Tie Analysis

Begins with an event and branches one direction to causes, and the other direction to consequences

Fault tree analysis

Begins with the event and uses a top down approach to determining results

Value creation, the main objective of risk governance consists of

Benefits realization Risk optimization Resource optimization

Back office

Book keeping

The CISO wants to provide a view of risk assessment results to the Board that highlights links between possible causes, controls, and consequences. Which risk assessment would provide the desired view?

Bow Tie Analysis

Brainstorming/Structured Interview

Brainstorming on potential risks

BSI

British Standards Institution

Why is it important to have Senor Management Support?

Budget, Authority, Personnel Access and Information, and Legitimacy that will provide successful results.

Who is responsible for application controls?

Business

BPR

Business Process Reengineering

Which of the following signifies the need to review an enterprise's risk practices?

Business owner regularly challenge risk assessment findings

How should IT risk be measured?

By its impact on IT services but also by the impact of risk on business operations

A company has set the unacceptable error level at 10 percent. Which of the following tools can be used to trigger a warning when the error level reaches eight percent? A. A fault tree analysis B. Statistical process control (SPC) C. A key performance indicator (KPI) D. A failure modes and effects analysis (FMEA)

A key objective when monitoring information systems control effectiveness against the enterprise's external requirements is to: A. design the applicable information security controls for external audits. B. create the enterprise's information security policy provisions for third parties. C. ensure that the enterprise's legal obligations have been satisfied. D. identify those legal obligations that apply to the enterprise's security practices.

A lack of adequate controls represents: A. an impact. B. a risk indicator. C. a vulnerability. D. a threat.

A network vulnerability assessment is intended to identify: A. security design flaws. B. zero-day vulnerabilities. C. misconfigurations and missing updates. D. malicious software and spyware.

After the completion of a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. A risk practitioner should recommend to business management that the risk be: A. treated. B. terminated. C. accepted. D. transferred.

An enterprise is hiring a consultant to help determine the maturity level of the risk management program. The MOST important element of the request for proposal (RFP) is the: A. sample deliverable. B. past experience of the engagement team. C. methodology used in the assessment. D. references from other organizations

As part of risk monitoring, the administrator of a two-factor authentication system identifies a trusted independent source indicating that the algorithm used for generating keys has been compromised. The vendor of the authentication system has not provided further information. Which of the following is the BEST initial course of action? A. Wait for the vendor to formally confirm the breach and provide a solution. B. Determine and implement suitable compensating controls. c. Identify all systems requiring two-factor authentication and notify their business owners. D. Disable the system and rely on the single-factor authentication until further information is received

What are considered as a risk factor?

External context Internal context Risk management capability IT-related capability

Assessing information systems risk is BEST achieved by: A. using the enterprise's past actual loss experience to determine current exposure. B. reviewing published loss statistics from comparable organizations. C. evaluating threats associated with existing information systems assets and information systems projects. D. reviewing information systems control weaknesses identified in audit reports.

Business stakeholders and decision makers reviewing the effectiveness of IT risk responses would PRlMARlL Y validate whether: A. IT controls eliminate the risk in question. B. IT controls are continuously monitored. C. IT controls achieve the desired objectives. D. IT risk indicators are formally documented.

Corporate information security policy development should PRIMARILY be based on: A. vulnerabilities B. threats C. assets D. impacts

Corporate information security policy development should PRIMARILY be based on: A. vulnerabilities. B. threats. C. assets. D. impacts.

Despite a comprehensive security awareness program annually undertaken and assessed for all staff and contractors, an enterprise has experienced a breach through a spear phishing attack. What is the MOST effective way to improve security awareness? A. Review the security awareness program and improve coverage of social engineering threats. B. Launch a disciplinary process against the people who leaked the information. c. Perform a periodic social engineering test against all staff and communicate summary results to the staff. D. Implement a data loss prevention system that automatically points users to corporate policies.

During a root cause analysis review of a recent incident it is discovered that the IT department is not tracking any metrics. A risk practitioner should recommend to management that they implement which of the following to reduce the risk? A. A new help desk system B. Change management C. Problem management D. New reports to track issues

During an internal assessment, an enterprise notes that only a couple dozen hard-coded individual transactions are being logged, which does not encompass what should be logged to meet regulatory requirements. The individual server log files use first in, first out (FIFO). Most files recycle in less than 24 hours. What is the MOST financially damaging vulnerability associated with the current logging practice? A. The log data stored recycles in less than 24 hours. B. The log files are stored on the originating servers. C. Regulation-related transactions may not be tracked. D. Transactions being logged are hard coded.

How can a risk professional calculate the total impact to operations if hard drives supporting a critical financial system fail? A. Calculate the replacement cost for failed equipment and the time needed for service restoration. B. Gather the cost estimates from the finance department to determine the cost. C. Use quantitative and qualitative methods to examine the effect on all affected business areas. D. Review regulatory and contractual requirements to quantify liabilities.

How can an enterprise prevent duplicate processing of a transaction? A. By encrypting the transaction to prevent copying B. By comparing hash values of each transaction C. By not allowing two identical transactions within a set time period D. By not allowing more than one transaction per account per login

What is the Deming Cycle?

Plan-Do-Check-Act ... Part of the risk response action plan

If risk has been identified, but not yet mitigated, the enterprise would: A. record and mitigate serious risk and disregard low-level risk B. obtain management commitment to mitigate all identified risk within a reasonable time frame C. document all risk in the risk register and maintain the status of the remediation D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias

If risk has been identified, but not yet mitigated, the enterprise would: A. record and mitigate serious risk and disregard low-level risk. B. obtain management commitment to mitigate all identified risk within a reasonable time frame. C. document all risk in the risk register and maintain the status of the remediation. D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.

It is MOST important for risk mitigation to: A. eliminate threats and vulnerabilities. B. reduce the likelihood of risk occurrence. C. reduce risk within acceptable cost. D. reduce inherent risk to zero.

Cyber attacks occurring what provides management with information necessary to address and understand underlying issues?

External pen. testing results

Malware has been detected that redirects users' computers to web sites crafted specifically for the purpose of fraud. The malware changes domain name system (DNS) server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a:

Overall business risk for a particular threat can be expressed as the: A. magnitude of the impact should a threat source successfully exploit the vulnerability. B. likelihood of a given threat source exploiting a given vulnerability. C. product of the probability and magnitude of the impact if a threat exploits a vulnerability. D. collective judgment of the risk assessment team.

Prior to releasing an operating system security patch into production, a leading practice is to have the patch: A. applied simultaneously to all systems. S. procured from an approved vendor. C. tested in a preproduction test environment. D. approved by business stakeholders.

Reliability of a key risk indicator (KRI) would indicate that the metric: A. performs within the appropriate thresholds. B. tests the target at predetermined intervals. c. flags exceptions every time they occur. D. initiates corrective action.

Risk assessment techniques should be used by a risk practitioner to: A. maximize the return on investment (ROI). B. provide documentation for auditors and regulators. C. justify the selection of risk mitigation strategies. D. quantify the risk that would otherwise be subjective.

Risk assessments are MOST effective in a software development organization when they are performed: A. before system development begins. B. during system deployment. C. during each stage of the system development life cycle (SDLC). D. before developing a business case.

Risk assessments should be repeated at regular intervals because: A. omissions in earlier assessments can be addressed. B. periodic assessments allow various methodologies. C. business threats are constantly changing. D. they help raise risk awareness among staff.

Risk scenarios should be created PRIMARILY based on which of the following? A. Input from senior management B. Previous security incidents C. Threats that the enterprise faces D. Results of the risk analysis

Risk scenarios should be created primarily based on which of the following: A. Input from senior management B. Previous security incidents C. Threats that the enterprise faces D. Results of the risk analysis

Security technologies should be selected PRIMARILY on the basis of their: A. evaluation in security publications. B. compliance with industry standards. C. ability to mitigate risk to organizational objectives. D. cost compared to the enterprise's IT budget.

Senior management has defined the enterprise risk appetite as moderate. A business critical application has been determined to pose a high risk. What is the BEST next course of action? A. Remove the high-risk application and replace it with another system. B. Request that senior management increase the level of risk they are willing to accept. C. Determine whether new controls to be implemented on the system will mitigate the high risk. D. Restrict access to the application to trusted users

System backup and restore procedures can BEST be classified as: A. Technical controls B. Detective controls C. Corrective controls D. Deterrent controls

The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize: A. firewalls. B. bastion hosts. C. honeypots. D. screened subnets.

The BEST time to perform a penetration test is after: A. a high turnover in systems staff. B. an attempted penetration has occurred. C. various infrastructure changes are made. D. an audit has reported control weaknesses

The MAIN purpose for creating and maintaining a risk register is to: A. ensure that all assets have low residual risk. B. define the risk assessment methodology. C. document all identified risk. D. study various risk scenarios in the threat landscape.

The MOST effective starting point to determine whether an IT system continues to meet the enterprise's business objectives is to conduct interviews with: A. executive management. B. IT management. C. business process owners. D. external auditors.

The MOST important task in system control verification is: A. monitoring password resets. B. detecting malware. C. managing alerts. D. performing log reviews.

The MOST likely trigger for conducting a comprehensive risk assessment is changes to: A. the asset inventory. B. asset classification levels. C. the business environment. D. information security policies.

The PRIMARY purpose of adopting an enterprisewide risk management framework is to: A. allow the flexibility to adjust the risk response strategy throughout the enterprise. B. centralize the responsibility for the maintenance of the risk response program. C. enable a consistent approach to risk response throughout the enterprise. D. avoid higher costs for risk reduction and audit strategies throughout the enterprise.

The PRIMARY reason an external risk assessment team reviews documentation before starting the actual risk assessment is to gain a thorough understanding of: A. the technologies utilized. B. gaps in the documentation. C. the enterprise's business processes. D. the risk assessment plan.

The PRIMARY reason to have the risk management process reviewed by independent risk management professional(s) is to: A. validate cost-effective solutions for mitigating risk. B. validate control weaknesses detected by the internal team. C. assess the validity of the end-to-end process. D. assess that the risk profile and risk factors are properly defined.

The annual expected loss of an asset-the annual loss expectancy (ALE)-is calculated as the: A. exposure factor (EF) multiplied by the annualized rate of occurrence (ARO). B. single loss expectancy (SLE) multiplied by the exposure factor (EF). C. single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). D. asset value (AV) multiplied by the single loss expectancy (SLE).

The capability maturity model (CMM) is based on: A. the training of staff to ensure consistent knowledge transfer. B. the development of new controls to replace aging or diminished controls. C. the application of standard, repeatable processes that can be measured. D. users developing new innovative solutions to problems.

The database administrator has decided to disable certain normalization controls in the database to provide users with increased query performance. This will MOST likely increase the risk of: A. loss of audit trails. B. duplicate indexes. C. data redundancy. D. unauthorized access to data.

The person responsible for ensuring that information is classified is the: A. security manager. B. technology group. C. data owner. D. senior management.

To be effective, risk management should be applied to: A. those elements identified by a risk assessment. B. any area that exceeds acceptable risk levels. C. all organizational activities. D. only those areas that have potential impact.

To determine the level of protection required for securing personally identifiable information, a risk practitioner should PRIMARILY consider the information: A. source. B. cost. C. sensitivity. D. validity.

When assessing the capability of the risk management process, a regulatory body would place the GREATEST reliance on: A. a peer review. B. an internal review. C. an external review. D. a process capability review.

What is the BEST action to take once a new control has been implemented to mitigate a previously identified risk? A. Update the risk register to show that the risk has been mitigated. B. Schedule a new risk review to ensure that no new risk is present. C. Test the control to ensure that the risk has been adequately mitigated. D. Validate the tests conducted by the implementation team and close out the risk.

What is the FIRST step for a risk practitioner when an enterprise has decided to outsource all IT services and support to a third party? A. Validate that the internal systems of the service provider are secure. B. Enforce the regulations and standards associated with outsourcing data management for restrictions on transborder data flow. C. Ensure that security requirements are addressed in all contracts and agreements. D. Build a business case to perform an onsite audit of the third-party vendor.

What is the MOST important reason for periodically testing controls? A. To meet regulatory requirements B. To meet due care requirements C. To ensure that control objectives are met D. To achieve compliance with standard policy

What is the ULTIMATE goal of risk aggregation? A. To prevent attacks from exploiting a combination of low-level types of risk that individually have not been properly mitigated B. To address the threat of an exploit that attacks a system through a series of individual attacks C. To ensure that the combined value oflow-level risk is not overlooked in the risk management process D. To stop attackers from gaining low-level access and then escalating their attack through access aggregation

When a significant vulnerability is discovered in the security of a critical web server, immediate notification should be made to the: A. development team to remediate. B. data owners to mitigate damage. C. system owner to take corrective action. D. incident response team to investigate.

When assessing the performance of a critical application server, the MOST reliable assessment results may be obtained from: A. activation of native database auditing. B. documentation of performance objectives. C. continuous monitoring. D. documentation of security modules.

When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set to: A. a lower equal error rate (EER). B. a higher false acceptance rate (FAR). C. a higher false reject rate (FRR). D. the crossover error rate exactly.

When transmitting personal information across networks, there MUST be adequate controls over: A. encrypting the personal information. B. obtaining consent to transfer personal information. C. ensuring the privacy of the personal information. D. change management.

When using a formal approach to respond to a security-related incident, which of the following provides the GREATEST benefit from a legal perspective? A. Proving adherence to statutory audit requirements 8. Proving adherence to corporate data protection requirements C. Demonstrating due care D. Working with law enforcement agencies

Which automated monitoring technique in an application uses triggers to indicate a suspicious condition? A. Snapshots B. An integrated test facility C. Monitor hooks D. Continuous and intermittent simulation

Which of the following BEST addresses the risk of data leakage? A. Incident response procedures B. File backup procedures C. Acceptable use policies (AUPs) D. Database integrity checks

Which of the following BEST describes the objective of a business impact analysis (BIA)? A. The identification of threats, risk and vulnerabilities that can adversely affect the enterprise B. The development of procedures for initial response and stabilization of situations during an emergency C. The identification of time-sensitive critical business functions and interdependencies D. The development of communication procedures in the case of a crisis impacting the business

Which of the following BEST determines compliance with the risk appetite of an enterprise? A. Balance between preventive and detective controls B. Inherent risk and acceptable risk level C. Residual risk level and acceptable risk level D. Balance between countermeasures and preventive controls

Which of the following BEST determines compliance with the risk appetite of an enterprise? A. Balance between preventive and detective controls B. Inherent risk and acceptable risk level C. Residual risk and acceptable risk level D. Balance between countermeasures and preventive controls

Which of the following BEST enables a peer review of an enterprise's risk management process? A. A balanced scorecard (BSC) B. An industry survey C. A capability maturity model (CMM) D. A framework

Which of the following BEST estimates the likelihood of significant events impacting an enterprise? A. Threat analysis B. Cost-benefit analysis C. Scenario analysis D. Countermeasure analysis

Which of the following BEST indicates a successful risk management practice? A. Control risk is tied to business units. B. Overall risk is quantified. C. Residual risk is minimized. D. Inherent risk is eliminated

Which of the following actions is the BEST when a critical risk has been identified and the resources to mitigate are not immediately available? A. Log the risk in the risk register and review it with senior management on a regular basis. B. Capture the risk in the risk register once resources are available to address the risk. C. Escalate the risk report to senior management to obtain the resources to mitigate the risk. D. Review the risk level with senior management and determine whether the risk calculations are correct.

Which of the following areas is MOST susceptible to the introduction of an information-security-related vulnerability? A. Tape backup management B. Database management C. Configuration management D. Incident response management

Which of the following assessments of an enterprise's risk monitoring process will provide the BEST information about its alignment with industry-leading practices? A. A capability assessment by an outside firm B. A self-assessment of capabilities C. An independent benchmark of capabilities D. An internal audit review of capabilities

Which of the following compensating controls should management implement when a segregation of duties conflict exists because an enterprise has a small IT department? A. Independent analysis of IT incidents B. Entitlement reviews C. Independent review of audit logs D. Tighter controls over user provisioning

Which of the following data is MOST useful for communicating enterprise risk to management? A. Control self-assessment results B. A controls inventory C. Key risk indicators (KRIs) D. Independent audit reports

Which of the following factors should be analyzed to help management select an appropriate risk response? A. The impact on the control environment B. The likelihood of a given threat C. The costs and benefits of the controls D. The severity of the vulnerabilities

Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts? A. The number of employees B. The enterprise's budget C. The organizational structure D. The type of technology that the enterprise uses

Which of the following is MOST critical when system configuration files for a critical enterprise application system are being reviewed? A. Configuration files are frequently changed. B. Changes to configuration files are recorded. C. Access to configuration files is not restricted. D. Configuration values do not impact system efficien

Which of the following is MOST effective in assessing business risk? A. A use case analysis B. A business case analysis C. Risk scenarios D. A risk plan

Which of the following is MOST important during the quantitative risk analysis process? A. Statistical analysis B. Decision trees C. Expected monetary value (EMV) D. Net present value (NPV)

Which of the following is MOST important when mitigating or managing risk? A. Vulnerability assessment results B. A business impact analysis (BIA) C. The risk tolerance level D. A security controls framework

Which of the following is a MAJOR risk associated with the use of governance, risk and compliance (GRC) tools? A. Misinterpretation of the dashboard's output B. Poor authentication mechanism C. Obsolescence of content D. Complex integration of the diverse requirements

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? A. Eliminate the risk. B. Accept the risk. C. Transfer the risk. D. Implement countermeasures.

Which of the following is minimized when acceptable risk is achieved? A. Transferred risk B. Control risk C. Residual risk D. Inherent risk

Which of the following is the BEST approach when malicious code from a spear phishing attack resides on the network and the finance department is concerned that scanning the network will slow down work and delay quarter-end reporting? A. Instruct finance to finalize quarter-end reporting, and then perform a scan of the entire network. B. Block all outgoing traffic to avoid outbound communication to the expecting command host. C. Scan network devices that are not supporting financial reporting, and then scan the critical finance drives at night. D. Perform a staff survey and ask staff to report if they are aware of the enterprise being a target of a spear phishing attack.

Which of the following is the BEST control for securing data on mobile universal serial bus (USB) drives? A. Requiring authentication when using USB devices B. Prohibiting employees from copying data to USB devices C. Encrypting USB devices D. Limiting the use of USB devices

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program? A. Assignment of risk within the enterprise B. Comparison of the program results with industry standards C. Participation by applicable members of the enterprise D. User assessment of changes in risk

Which of the following is the BEST reason an enterprise would decide not to reduce an identified risk? A. There is no regulatory requirement to reduce the risk. S. The inherent risk of the related business process is low. C. The potential gain outweighs the risk. D. The cost of reducing the risk exceeds the budget.

Which of the following is the MAIN concern when two or more staff members are allowed to use the same generic account? A. Segregation of duties B. Inability to change the password C. Repudiation D. Inability to trace account activities

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a business impact analysis (BIA) B. Considering personal devices as part of the security policy C. Basing the information security infrastructure on a risk assessment D. Initiating IT security training and familiarization

Which of the following is the MOST significant risk associated with handling credit card data through a web application? A. Displaying both the first six and last four digits of the credit card, thus exposing sensitive information B. Allowing the transmission of credit card data over the Internet using an insecure channel such as Secure Sockets Layer (SSL) protocol or Transport Layer Security (TLS) protocol C. Failure to store credit card data in a secure area segregated from the demilitarized zone (DMZ) D. Installation of network devices with default access settings disabled or inoperable

Which of the following is the PRIMARY factor when deciding between conducting a quantitative or qualitative risk assessment? A. The corporate culture B. The amount of time available C. The availability of data D. The cost involved with risk assessment

Which of the following is the PRIMARY reason for periodically monitoring key risk indicators (KRTs)? A. The cost of risk response needs to be minimized. B. Errors in results of KRIs need to be minimized. c. The risk profile may have changed. D. Risk assessment needs to be continually improved.

Which of the following processes is CRITICAL for deciding prioritization of actions in a business continuity plan (BCP)? A. Risk assessment B. Vulnerability assessment C. A business impact analysis (BlA) D. Business process mapping

Which of the following provides the BEST capability to identify whether controls that are in place remain effective in mitigating their intended risk? A. A key performance indicator (KPI) B. A risk assessment C. A key risk indicator (KRI) D. An audit

Which of the following provides the GREATEST level of information security awareness? A. Job descriptions B. A security manual C. Security training D. An organizational diagram

Which of the following provides the GREATEST support to a risk practitioner recommending encryption of corporate laptops and removable media as a risk mitigation measure? A. Benchmarking with peers B. Evaluating public reports on encryption algorithm in the public domain C. Developing a business case D. Scanning unencrypted systems for vulnerabilities

Which of the following risk management activities initially identifies critical business functions and key business risk? A. Risk monitoring B. Risk analysis C. Risk assessment D. Risk evaluation

Which of the following risk response selection parameters results in a decrease in magnitude of an event? A. Efficiency of response B. Cost of response C. Effectiveness of response D. Capability to implement response

Which of the following should be of MOST concern to a risk practitioner? A. Failure to notify the public of an intrusion B. Failure to notify the police of an attempted intrusion C. Failure to internally report a successful attack D. Failure to examine access rights periodically

Which of the following should management use to allocate resources for risk response? A. Audit report findings S. Penetration test results C. Risk analysis results D. Vulnerability test results

Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the organization? A. An IT audit B. A security gap analysis C. A threat and vulnerability assessment D. An IT security assessment

Which of the following will have the MOST significant impact on standard information security governance models? A. Number of employees B. Cultural differences between physical locations C. Complexity of the organizational structure D. Evolving legislative requirements

Which of the following would data owners be PRIMARILY responsible for? A. Intrusion detection B. Antivirus controls C. User entitlement changes D. Platform security

Which organizational function is accountable for risk policies, guidelines and standards? A. Operations B. IT C. Management D. Legal

Who MUST give the final sign-off on the IT risk management plan? A. IT auditors performing the risk assessment B. Business process owners C. Senior management D. IT security administrators

Administrative Controls

Policies or procedures serving to protect an asset.

Who grants formal authorization for user access to a protected file? A. The process owner B. The system administrator C. The data owner D. The security manager

Who is accountable for business risk related to IT? A. The chief information officer (CIO) B. The chief financial officer (CFO) C. Users of IT services-the business D. The chief architect

2-7 Deriving the likelihood and impact of risk scenarios through statistical methods is MOST LIKELY to be associated with which type of risk analysis? A.risk scenario B.qualitative C.quantitative D.semiquantitative

C A.A risk scenario analysis might include any of several risk analysis methods, including quantitative, semi-quantitative and qualitative; it is not reflective of a particular approach. B.A qualitative risk analysis uses experiential and subjective measures to estimate the likelihood and impact of adverse events according to ranges; these might include low, medium and high ratings for both likelihood and impact. C.The essence of quantitative risk assessment is to derive the likelihood and impact of risk scenarios based on statistical methods and data. D.Semi-quantitative analysis typically applies to a wider, numerically delineated range of values to a qualitative rating mechanism—for example, assigning values from 0 to 100. The assignment remains qualitative, and it is not associated with statistical analysis.

3-5 Which of the following defenses is BEST to use against phishing attacks? A.An intrusion detection system (IDS) B.Spam filters C.End-user awareness D.Application hardening

C A.An intrusion detection system (IDS) does not protect against phishing attacks because phishing attacks usually do not have the same patterns or unique signatures. B.While certain highly specialized spam filters can reduce the number of phishing emails that reach their addressees' inboxes, they are not as effective in addressing phishing attacks as end-user awareness. C.Phishing attacks are a type of social engineering attack and are best defended by end-user awareness training. D.Application hardening does not protect against phishing attacks because phishing attacks generally use email as the attack vector, with the end user, not the application, as the vulnerable point.

1-4 An information system that processes weather forecasts for public consumption is MOST likely to place its highest priority on: A.nonrepudiation. B.confidentiality. C.integrity. D.availability.

C A.Nonrepudiation refers to the ability to verifiably prove the originator of data, which is unlikely to be of importance for weather forecasts that are rendered accurately. B.Keeping data confidential would be at odds with the business purpose of a system designed to provide data for public use. C.A system that delivers weather forecasts is likely to place its highest priority on the integrity of the data. The risk practitioner should keep in mind that whether a forecast turns out to be accurate in its prediction is distinct from whether the data was accurately represented. D.Availability of data is likely to be a lower priority for a weather-forecasting system than the accuracy with which the data is presented.

2-4 The PRIMARY reason risk assessments should be repeated at regular intervals is: A.omissions in earlier assessments can be addressed. B.periodic assessments allow various methodologies. C.business threats are constantly changing. D.they help raise risk awareness among staff.

C A.Performing risk assessments on a periodic basis can find omissions in earlier assessments, but this is not the primary reason forconducting regular reassessments. B.Organizations strive to improve their risk management process to more quickly and accurately assess and address risk, and this may involve changing the methodology. However, it is not the primary reason for conducting regular assessments. C.As business objectives and methods change, the nature and relevance of threats also change. This is the primary reason to conduct periodic risk assessments. D.Risk assessments are conducted on a periodic basis to address new threats and changes in the business. Creating more risk awareness is a minor benefit of conducting periodic risk assessments.

4-5 Which of the following choices provides the BEST assurance that a firewall is configured in compliance with an enterprise's security policy? A.Review the actual procedures. B.Interview the firewall administrator. C.Review the parameter settings. D.Review the device's log file for recent attacks.

C A.While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy. B.While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy. C.A review of the parameter settings provides a good basis for comparison of the actual configuration to the security policy and reliable audit evidence documentation. D.While reviewing the device's log file for recent attacks may provide indirect evidence about the fact that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.

Senior management will MOST likely have the highest tolerance for moving which of the following to a public cloud? A. Credit card processing B. Research and development C. The legacy financial system D. The corporate email system

diagrams to use to identify risk

Process flowchart Ishikawa diagram Influence diagram

Which of the following capability dimensions is MOST important when using a maturity model for assessing the risk management process? A. Effectiveness B. Efficiency C. Profitability D. Performance

4.5 Which of the following choices provides the BEST assurance that a firewall is configured in compliance with an enterprise's security policy? A. Review the actual procedure. B. Interview the firewall administrator. C. Review the parameter settings. D. Review the device's log file for recent attacks.

C. A review of the parameter settings provides a good basis for comparison of the actual configuration to the security policy and reliable audit evidence documentation.

1.4 An information system that processes weather forecasts for public consumption is MOST likely to place its highest priority on: A. non-repudiation B. confidentiality C. integrity D. availability

C. A system tat delivers weather forecasts is likely to place its highest priority on the integrity of the data. The risk practitioner should keep in mind that whether the forecast is turns out to be accurate in its prediction is distinct from whether the data is accurately represented.

2.4 Then PRIMARY reason risk assessments should be repeated are regular intervals is: A. omissions on earlier assessments cam be addressed B. periodic assessments allow various methodologies C. business threats are constantly changing D. they help raise risk awareness among staff

C. As business objectives and methods changes, the nature and relevance of threats also change. This is the primary reason to conduct periodic risk assessments.

2.2.5 All of the following are considered external risk factors affecting business processes, except which one? A. Economy B. Market Segment C. Organizational Structure D. Law and Regulation

C. The organization's structure would be considered an internal risk factor affecting its business processes

2.2.6 You are managing a project that involves the installation of a all new set of systems for the accounting division of your organization. You have just been told that there have been budget cuts and the project will not be able to purchase additional equipment needed for the installation. You now have to find other areas to cut in order to fund the extra equipment. Which element of project management is the most affected by this threat? A. Schedule B. Scope C. Cost D. Quality

C. Cost is the element of project management most affected by the threat of not enough funding

2.2.10 Lack of a will-written work breakdown structure document can contribute to a vulnerability that affects which aspect of project management? A. Cost B. Schedule C. Scope D. Quality

C. Lack of will-written work breakdown structure document can contribute to a vulnerability that affects a project's scope

3.5 Which of the following defenses is BEST to use against phishing atacks? A. An intrusion detection system (IDS) B. Spam filters C. End-user awareness D. Application hardening

C. Phishing attacks are a type of social engineering attack and are best defended by end-user awareness training.

C. The product of the probability and magnitude of the impact provides the best measure of the risk to an asset.

Which of the following is MOST effective in assessing business risk? A. A use case analysis B. A business case analysis C. Risk scenarios D. A risk plan

C. Risk scenarios are the most effective technique in assessing business risk.

2.7 Deriving the likelihood and impact of risk scenarios through statistical methods is MOST LIKELY to be associated with which type of risk analysis? A. risk scenario B. qualitative C. quantitative D. semiquantitative

C. The essence of quantitative risk assessment is to derive the likelihood and impact of risk scenarios based on statistical methods and data.

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a BIA B. Considering personal devices as part of the security policy C. Basing the information security infrastructure on a risk assessment D. Initiating IT security training and familiarization

C. The information security infrastructure should be based on a risk assessment

C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is ideally applied to all organizational activities.

COBIT vs. NIST

COBIT originally released as an IT process and control framework linking IT to business requirements and later became a full IT Governance Framework. NIST represents the current state-of-the practice safeguards and countermeasures for US federal information systems. The 18 areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting US federal information and information systems.

What is the framework that SOX controls are based on?

COSO 2013

Which of the following best enables a peer review of an enterprise risk management process?

Capability Maturity Model

CMMI 5 levels

Capability Maturity Model Integration, a standard for improving processes within organizations 1. Initial 2. Repeatable 3. Defined 4. Quantitatively Managed 5. Optimizing

CMU

Carnegie Mellon University

Who developed the OCTAVE Methodology?

Carnegie Mellon University

A risk professional has been asked to determine which factors were responsible for a loss event, which method should be used?

Cause and effect analysis

Risk Register

Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow features will ensure accuracy of content. A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register

Two common methods to ensure consistent and secure enterprise-wide controls

Change control Certification and accreditation (C and A)

Which of the following is the primary reason for conducting periodic risk assessments?

Changes to threat/vulnerability profile

Recovery testing

Checks the system's ability to recover after a software or hardware failure

The IT risk action plan is an output communication from?

Chief Risk Officer and the Enterprise Risk Management Committee

Cause and Consequence Analysis

Combines fault tree analysis with event tree analysis and allows for time delays

Name a way to identify availability risk.

Compare current levels of availability with required levels; where there is a gap, there is a risk

When leveraging a third party for the procurement of IT equipment, which of the following control practices is most closely associated with delivering value over time?

Compare the cost and performance of current suppliers periodically

Performance testing

Compares the system's performance to other equivalent systems using well-defined benchmar

Which of the following is used to determine whether unauthorized modifications were made for production program?

Compliance testing

What is Quality Assurance (QA) testing?

Compliance testing against organizational standards

Application

Computer program or a set of programs that performs the processing of records for a specific function

IEC 31010:2009

Concrete overview of risk assessment process detail detailing risk identification, analysis, and evaluation.

What does Digital Envelope support?

Confidentiality Only Not Integrity Not Authenticity Not Non-repudiation

Most important consideration for an organization structuring a contract with a 3rd party?

Confidentiality clause

An excessive number of standard workstation images can be categorized as a key risk indicator for:

Configuration management

Which of the following BEST assists in the development of the risk profile? A. The presence of preventive and detective controls S. Inherent risk and detection risk C. Cost-benefit analysis of controls D. Likelihood and impact of risk

Secure state

Consistent protection of a process to ensure that there is no time during a process in which data or a system are vulnerable

What is the Control Effectiveness formula?

Control Effectiveness = Design Effectiveness X Operational Effectiveness

Which of the following is the best way for a risk practitioner to ensure that controls are in place and effectively addressing the risk?

Control Monitoring

COBIT

Control Objectives for Information and Related Technology

Company has put anti malware system to reduce risk. Describe how control reduces risk?

Control eliminates the ability of malware files to execute or propagate outside of protected systems, thus reducing impact. System does not mitigate the sources of these files.

Which of the following options best ensures that an identified risk is mitigated?

Control testing

Technical controls

Controls that are implemented through the use of a technology, equipment or device.

Physical controls

Controls that are installed to physically restrict access to a facility or hardware.

Managerial or administrative controls

Controls that are related to the oversight, reporting or operations of a process.

Proactive controls

Controls that attempt to prevent an event; these are referred to as "safeguards."

Reactive controls

Controls that respond to an event that has occurred; these are referred to as "countermeasures."

Which of the following actions will most likely occur during an incident response plan activation?

Corrective control

COST-BENEFIT ANALYSIS considerations

Cost of acquisition and implementation Ongoing cost of maintenance Cost to remove or replace control

2 Common Risk Analysis Techniques

Cost-benefit Analysis Return on Investment

Risk Evaluation

Covers likelihood and impact calculations, resulting in risk values.

Ongoing evaluation should include:

Criteria used for monitoring Thresholds used for KPIs and KRIs Policies and strategies of risk The reporting schedule Key stakeholders (RACI)

CSF stands for

Critical Success Factor, such as the relationship between the Business Unit and Information Technology

factors that influence the choice of controls

Current risk level Regulations Strategic plans Budget, personnel and time constraints Public pressure Actions of competitors

factors that influence the choice of controls

Current risk level Regulations Strategic plans Budget, personnel and time constraints Public pressure Actions of competitors Not just if control is effective, how much disruption does the control cause? Effectiveness and even efficiency

A MAJOR risk of using single sign-on (SSO) is that it: A. uses complex technologies for password management. B. may potentially bypass the enterprise firewall. C. is prone to distributed denial-of-service (DDoS) attacks. D. may be a potential single point of compromise.

A business case developed to support risk mitigation efforts for a complex application development project should be retained until: A. the project is approved. B. user acceptance of the application. C. the application is deployed. D. the application's end of life

A company is confident about the state of its organizational security and compliance program. Many improvements have been made since the last security review was conducted one year ago. What should the company do to evaluate its current risk profile? A. Review previous findings and ensure that all issues have been resolved. B. Conduct follow-up audits in areas that were found deficient in the previous review. C. Monitor the results of the key risk indicators (KRJs) and use those to develop targeted assessments. D. Perform a new enterprise risk assessment using an independent expert.

A global enterprise that is subject to regulation by multiple governmental jurisdictions with differing requirements should: A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions. B. bring all locations into conformity with a generally accepted set of industry best practices. C. establish a baseline standard incorporating those requirements that all jurisdictions have in common. D. establish baseline standards for all locations and add supplemental standards as required.

A global financial institution has decided not to take any further action on a denial-of-service (DoS) vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that: A. the needed countermeasure is too complicated to deploy. B. there are sufficient safeguards in place to prevent this risk from happening. C. the likelihood of the risk occurring is unknown. D. the cost of countermeasure outweighs the value of the asset and potential loss.

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an IT manager. The manager should FIRST: A. meet with stakeholders to decide how to comply. B. analyze the key risk in the compliance process. C. update the existing security/privacy policy. D. assess whether existing controls meet the regulation

A process by which someone logs onto a web site, then receives a token via a short message service (SMS) message, is an example of what control type? A. Deterrent B. Directive C. Compensating D. Preventive

A risk assessment process that uses likelihood and impact in calculating the level of risk is a: A. qualitative process. B. failure modes and effects analysis (FMEA). C. fault tree analysis. D. quantitative process.

A risk practitioner has collected several IT-related key risk indicators (KRls) related for the core financial application. These would MOST likely be reported to: A. stakeholders. B. the IT administrator group. C. the finance department. D. senior management.

A risk practitioner receives a message late at night that critical IT equipment will be delivered several days late due to flooding. Fortunately, a reciprocal agreement exists with another company for a replacement until the equipment arrives. This is an example of risk: A. transfer. B. avoidance. C. acceptance. D. mitigation.

A well-known hacking group has publicly stated they will target a company. What is the risk professional's FIRST action? A. Advise IT management about the threat. B. Inform all employees about the threat. C. Contact law enforcement officials about the threat. D. Inform senior management about the threat.

Acceptable risk for an enterprise is achieved when: A. transferred risk is minimized. B. control risk is minimized. C. inherent risk is minimized. D. residual risk is within tolerance levels.

Accountability for risk ultimately belongs to the: A. chief risk officer (CRO). B. compliance officer. C. chieffinancial officer (CFO). D. board of directors.

An enterprise decides to address risk associated with an IT project by outsourcing part of the IT activities to a third party with a specialized skill set. In relation to the project itself, this is an example of: A. risk transfer. S. risk avoidance. C. risk acceptance. D. risk mitigation.

An enterprise expanded operations into Europe, Asia and Latin America. The enterprise has a single-version, multiple-language employee handbook last updated three years ago. Which of the following is of MOST concern? A. The handbook may not have been correctly translated into all languages. B. Newer policies may not be included in the handbook. C. Expired policies may be included in the handbook. D. The handbook may violate local laws and regulations.

An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting and support. What is the MOST important consideration the risk professional will examine in relation to the outsourcing arrangements? A. Are policies and procedures in place to handle security exceptions? B. Is the outsourcing supplier meeting the terms of the service level agreements (SLAs)? C. Is the security program of the outsourcing provider based on an international standard? D. Are specific security controls mandated in the outsourcing contract/agreement?

An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration? A. A security breach notification may get delayed due to the time difference. B. Additional network intrusion detection sensors should be installed, resulting in additional cost. C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines. D. Laws and regulations of the country of origin may not be enforceable in the foreign country.

An enterprise is implementing controls to protect its product price list from being exposed to unauthorized individuals. The internal control requirements will come from: A. the risk management team. B. internal audit. C. IT management. D. process owners.

An enterprise's corporate policy specifies that only failed and successful access attempts are logged. What is the PRIMARY risk to the enterprise? A. The source IP address is not logged. B. The destination IP address is not logged. C. Login information can be lost if the data are not automatically moved to secondary storage. D. The details of what commands were executed is missing.

As part of an enterprise risk management (ERM) program, a risk practitioner BEST leverages the work performed by an internal audit function by having it: A. design, implement and maintain the ERM process. B. manage and assess the overall risk awareness. C. evaluate ongoing changes to organizational risk factors. D. assist in monitoring, evaluating, examining and reporting on controls

As part of fire driIJ testing, designated doors swing open, as planned, to allow employees to leave the building faster. An observer notices that this practice allows unauthorized personnel to enter the premises unnoticed. The BEST way to alter the process is to: A. stop the designated doors from opening automatically in case of a fire. B. include the local police force to guard the doors in case of fire. C. instruct the facilities department to guard the doors and have staff show their badge when exiting the building. D. assign designated personnel to guard the doors once the alarm sounds

Because of its importance-to the business, an enterprise wants to quickly implement a technical solution that deviates from the company's policies. The risk practitioner should: A. recommend against implementation because it violates the company's policies. B. recommend revision of the current policy. C. conduct a risk assessment and allow or disallow based on the outcome. D. recommend a risk assessment and subsequent implementation only if residual risk is accepted.

Control objectives are useful to risk professionals because they provide the basis for understanding the: A. techniques for securing information for a given risk. B. information security policies, procedures and standards. C. control best practices relevant to a specific entity. D. desired outcome of implementing specific control procedures.

Controls are most effective when they are designed to reduce: A. threats. B. likelihood. C. uncertainty. D. vulnerabilities.

During a quarterly interdepartmental risk assessment, the IT operations center indicates a heavy increase of malware attacks. Which of the following recommendations to the business is MOST appropriate? A. Contract with a new anti-malware software vendor because the current solution seems ineffective. B. Close down the Internet connection to prevent employees from visiting infected web sites. C. Make the number of malware attacks part of each employee's performance metrics. D. Increase employee awareness training, including end-user roles and responsibilities.

During an internal risk assessment in a global enterprise, a risk manager notes that local management has proactively mitigated some of the high-level risk related to the global purchasing process. This means that: A. the local management is now responsible for the risk. B. the risk owner is the corporate chief risk officer (CRO). C. the risk owner is the local purchasing manager. D. corporate management remains responsible for the risk.

During what stage of the overall risk management process is the cost-benefit analysis PRIMARILY performed? A. During the initial risk assessment B. During the information asset classification C. During the definition of the risk profile D. During the risk response selection

Investments in risk management technologies should be based on: A. audit recommendations. B. vulnerability assessments. C. business climate. D. value analysis.

Monitoring has flagged a security exception. What is the MOST appropriate action? A. Escalate the exception. B. Update the risk register. C. Activate the risk response plan. D. Validate the exception.

Obtaining senior management commitment and support for information security investments can BEST be accomplished by a business case that: A. explains the technical risk to the enterprise. B. includes industry best practices as they relate to information security. C. details successful attacks against a competitor. D. ties security risk to organizational business objectives

Purchasing insurance is a form of: A. risk avoidance. S. risk mitigation. C. risk acceptance. D. risk transfer.

Risk management programs are designed to reduce risk to: A. the point at which the benefit exceeds the expense. B. a level that is too small to be measurable. C. a rate of return that equals the current cost of capital. D. a level that the enterprise is willing to accept.

Risk monitoring provides timely information on the actual status of the enterprise with regard to risk. Which of the following choices provides an overall risk status of the enterprise? A. Risk management B. Risk analysis C. Risk appetite D. Risk profile

Risk scenarios enable the risk assessment process because they: A. cover a wide range of potential risk. B. minimize the need for quantitative risk analysis techniques. C. segregate IT risk from business risk for easier risk analysis. D. help estimate the frequency and impact of risk.

Security administration efforts are BEST reduced through the deployment of: A. access control lists (ACLs). B. discretionary access controls (OACs). C. mandatory access controls (MACs). D. role-based access controls (RBACs).

The BEST reason to implement a maturity model for risk management is to: A. permit alignment with business objectives. B. help improve governance and compliance. C. ensure that security controls are effective. D. enable continuous improvement.

The MAIN benefit of information classification is that it helps: A. determine how information can be further labeled. B. establish the access control matrices. C. determine the risk tolerance level. D. select security measures that are proportional to risk.

The MAIN objective of IT risk management is to: A. prevent loss of IT assets. B. provide timely management reports. C. ensure regulatory compliance. D. enable risk-aware business decisions.

The MOST effective method to conduct a risk assessment on an internal system in an organization is to start by understanding the: A. performance metrics and indicators. B. policies and standards. C. recent audit findings and recommendations. D. system and its subsystems.

The MOST important external factors that should be considered in a risk assessment effort are: A. proposed new security tools and technologies. B. the number of viruses and other mal ware being developed. C. international crime statistics and political unrest. D. supply chain and market conditions.

The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is: A. storage availability. B. applicable organizational standards. C. generally accepted industry best practices. D. business requirements.

The PRIMARY goal of certifying a system prior to implementation is to: A. protect the enterprise from liability for releasing a substandard system. B. review the system controls to ensure that the controls are configured correctly. C. test the integrated system to detect any upstream or downstream liabilities. D. ensure that the system meets its specified security requirements at the time of testing.

The PRIMARY purpose of providing built-in audit trails in applications is to: A. support e-discovery. B. collect information for auditors. C. enable troubleshooting. D. establish accountability

The PRIMARY reason to report significant changes in IT risk to management is to: A. update the information asset inventory on a periodic basis. B. update the values of probability and impact for the related risk. C. reconsider the degree of importance of existing information assets. D. initiate a risk impact analysis to determine if additional response is required.

Which of the following capability dimensions is MOST important when using a maturity model for assessing the risk management process? A. Effectiveness B. Efficiency C. Profitability D. Performance

The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all of the IT decisions for the enterprise, including those related to the technology budget. The IT steering committee will be BEST represented by: A. members of the executive board. B. high-level members of the IT department. C. IT experts from outside of the enterprise. D. key members from each department.

The preparation of a risk register begins in which risk management process? A. Risk response planning B. Risk monitoring and control C. Risk management planning D. Risk identification

What control focuses directly on preventing the risk of collusion? A. Mandatory access control B. Principle of least privilege C. Discretionary access control D. Mandatory job rotation

What is the BEST tool for documenting the status of risk mitigation and risk ownership? A. Risk action plans B. Risk scenarios C. Business impact analysis (BIA) documents D. A risk register

What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives? A. A compliance-oriented gap analysis B. Interviews with business process stakeholders C. A mapping of compliance requirements to policies and procedures D. A compliance-oriented business impact analysis (BIA)

What is the PRIMARY objective of conducting a peer review prior to implementing any changes to the firewall configuration? A. To assist in the detection of fraudulent or inappropriate activity B. To reduce the need for more technical testing since the changes have already been examined C. To facilitate ongoing knowledgeable transfer staff to learn by examining the work of senior staff D. To help detect errors in the proposed change prior to implementation

What role does the risk professional have in regard to the IS control monitoring process? The risk professional: A. maintains and operates IS controls. B. approves the policies for IS control monitoring. C. determines the frequency of control testing by internal audit. D. assists in planning, reporting and scheduling tests of IS controls.

When the risk related to a specific business process is greater than the potential opportunity, the BEST risk response is: A. transfer. B. acceptance. C. mitigation. D. avoidance.

Whether a risk has been reduced to an acceptable level should be determined by: A. IS requirements. B. information security requirements. C. international standards. D. organizational requirements.

Which of the following BEST assists in the proper design of an effective key risk indicator (KRI)? A. Generating the frequency of reporting cycles to report on the risk B. Preparing a business case that includes the measurement criteria for the risk C. Conducting a risk assessment to provide an overview of the key risk D. Documenting the operational flow of the business from beginning to end

Which of the following BEST enables an enterprise to measure its risk management process against peers? A. Adoption of an enterprise architecture (EA) model B. Adoption of a balanced scorecard (BSC) C. Adoption of a risk assessment methodology D. Adoption of a maturity model

Which of the following BEST ensures that appropriate mitigation occurs on identified information systems vulnerabilities? A. Presenting root cause analysis to the management of the organization B. Implementing software to input the action points C. Incorporating the findings into the annual report to shareholders D. Assigning action plans with deadlines to responsible personnel

Which of the following BEST ensures the overall effectiveness of a risk management program? A. Obtaining feedback from all end users B. Assigning a dedicated risk manager to run the program C. Applying quantitative risk methodologies D. Participating relevant stakeholders

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation? A. Symmetric cryptography B. Message hashing C. Message authentication code D. Public key infrastructure (PKl)

Which of the following MOST effectively ensures that service provider controls are within the guidelines set forth in the organization's information security policy? A. Service level monitoring B. Penetration testing C. Security awareness training D. Periodic auditing

Which of the following activities is an example of risk sharing? A. Moving a function to another department B. Selling a product or service to another company C. Deploying redundant firewalls D. Contracting with a third party

Which of the following approaches BEST helps an enterprise achieve risk-based organizational objectives? A. Ensure that asset owners perform annual risk assessments. B. Review and update the risk register regularly. C. Assign a steering committee to the risk management process. D. Embed risk management activities into business processes

Which of the following causes an internal ad hoc risk assessment to be performed before the annual occurrence? A. A new chief information officer (CIO) is hired. B. Senior management adjusts risk appetite. C. Risk changes on a frequent basis. D. A new system is introduced into the environment.

Which of the following choices is the MOST important critical success factor (CSF) of implementing a risk-based approach to the system development life cycle (SDLC)? A. Existence of a risk management framework B. Defined risk mitigation strategies C. Compliance with the change management process D. Adequate involvement of business representatives

Which of the following considerations is MOST important when implementing key risk indicators (KRIs)? A. The metric is easy to measure. B. The metric is easy to aggregate. C. The metric is easy to interpret. D. The metric links to a specific risk.

Which of the following environments typically represents the GREATEST risk to organizational security? A. An enterprise data warehouse B. A load-balanced, web server cluster C. A centrally managed data switch D. A locally managed file server

Which of the following is MOST beneficial to the improvement of an enterprise's risk management process? A. Key risk indicators (KRls) B. External benchmarking C. The latest risk assessment D. A maturity model

Which of the following is MOST important for measuring the effectiveness of a security awareness program? A. Increased interest in focus groups on security issues B. A reduced number of security violation reports C. A quantitative evaluation to ensure user comprehension D. An increased number of security violation reports

Which of the following is MOST important to determine when defining risk management strategies? A. Risk assessment criteria B. IT architecture complexity C. An enterprise disaster recovery plan (DRP) D. Organizational objectives

Which of the following is MOST important when considering the risk appetite of an enterprise? A. The capacity of the enterprise to absorb loss B. The definition of responsibilities for risk management C. The line of business and the typical risk of the industry D. The culture and predisposition toward risk taking

Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system? A. The approved budget of the project B. The frequency of incidents C. The annual loss expectancy (ALE) of incidents D. The total cost of ownership (TCO)

Which of the following is MOST suitable for reporting IT-related business risk to senior management? A. Balanced scorecards (BSCs) B. Gantt charts/PERT diagrams C. Technical vulnerability reports D. Dashboards

Which of the following is MOST useful in developing a series of recovery time objectives (RTOs)? A. Regression analysis B. Risk analysis C. Gap analysis D. Business impact analysis (BIA)

Which of the following is MOST useful when computing annual loss exposure? A. The cost of existing controls B. The number of vulnerabilities C. The net present value (NPV) of the asset D. The business value of the asset

Which of the following is a behavior of risk avoidance? A. Take no action against the risk. B. Outsource the related process. C. Insure against a specific event. D. Exit the process that gives rise to risk.

Which of the following is a control designed to prevent segregation of duties (SoD) violations? A. Enabling IT audit trails B. Implementing two-way authentication C. Reporting access log violations D. Implementing role-based access

Which of the following is of MOST concern in a review of a virtual private network (VPN) implementation? Computers on the network are located: A. al the enterprise's remote offices. B. on the enterprise's internal network. C. at the backup site. D. in employees' homes.

Which of the following is responsible for evaluating the effectiveness of existing internal information security (IS) controls within an enterprise? A. The data owner B. Senior management C. End users D. The system auditor

Which of the following is the BEST metric to manage the information security program? A. The number of systems that are subject to intrusion detection B. The amount of downtime caused by security incidents C. The time lag between detection, reporting and acting on security incidents D. The number of recorded exceptions from the minimum information security requirements

Which of the following is the BEST reason to perform a risk assessment? A. To satisfy regulatory requirements B. To budget appropriately for needed controls C. To analyze the effect on the business D. To help determine the current state of risk

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? A. Utilize an intrusion detection system (IDS). B. Establish minimum security baselines. C. Implement vendor recommended settings. D. Perform periodic penetration testing.

Which of the following is the FIRST step when developing a risk monitoring program? A. Developing key indicators to monitor outcomes B. Gathering baseline data on indicators C. Analyzing and reporting findings D. Conducting a capability assessment

Which of the following is the GREATEST challenge of performing a quantitative risk analysis? A. Obtaining accurate figures on the impact of a realized threat B. Obtaining accurate figures on the value of assets C. Calculating the annual loss expectancy (ALE) of a specific threat D. Obtaining accurate figures on the frequency of specific threats

Which of the following is the MOST appropriate metric to measure how well the information security function is managing the administration of user access? A. Elapsed time to suspend accounts of terminated users B. Elapsed time to suspend accounts of users transferring C. Ratio of actual accounts to actual end users D. Percent of accounts with configurations in compliance

Which of the following is the MOST effective way to ensure that third-party providers comply with the enterprise's information security policy? A. Security awareness training B. Penetration testing c. Service level monitoring D. Periodic auditing

Which of the following is the MOST important factor when designing IS controls in a complex environment? A. Development methodologies B. Scalability of the solution C. Technical platform interfaces D. Stakeholder requirements

Which of the following is the MOST important information to include in a risk management strategic plan? A. Risk management staffing requirements B. The risk management mission statement C. Risk mitigation investment plans D. The current state and desired future state

Which of the following is the MOST important reason for conducting periodic risk assessments? A. Risk assessments are not always precise. B. Reviewers can optimize and reduce the cost of controls. C. Periodic risk assessments demonstrate the value of the risk management function to senior management. D. Business risk is subject to frequent change.

Which of the following is the MOST prevalent risk in the development of end-user computing (EUC) applications? A. Increased development and maintenance costs B. Increased application development time C. Impaired decision making due to diminished responsiveness to requests for information D. Applications not subjected to testing and IT general controls

Which of the following objectives is the PRIMARY reason risk professionals conduct risk assessments? A. To maintain the enterprise's risk register B. To enable management to choose the right risk response C. To provide assurance on the risk management process D. To identify risk with the highest business impact

Which of the following outcomes of an outsourcing contract for non-core processes is of GREATEST concern to the management of an enterprise? A. Total cost of ownership (TCO) exceeds projections. B. Internal information systems experience has been lost. C. Employees of the vendor were disloyal to the client enterprise. D. Processing of critical data was subcontracted by the vendor.

Which of the following practices is MOST closely associated with risk monitoring? A. Assessment B. Mitigation c. Analysis D. Reporting

Which of the following requirements MUST be met during the initial stages of developing a risk management program? A. Management acceptance and support have been obtained. B. Information security policies and standards are established. C. A management committee to provide program oversight exists. D. The context and purpose of the program is defined.

Which of the following risk assessment outputs is MOST suitable to help justify an organizational information security program? A. An inventory of risk that may impact the enterprise B. Documented threats to the enterprise C. Evaluation of the consequences D. A list of appropriate controls for addressing risk

Which of the following situations is BEST addressed by transferring risk? A. An antiquated fire suppression system in the computer room B. The threat of disgruntled employee sabotage C. The possibility of the loss of a universal serial bus (USB) removable media drive D. A building located in a l Ou-year flood plain

Which of the following system development life cycle (SDLC) stages is MOST suitable for incorporating internal controls? A. Development B. Testing C. Implementation D. Design

Which of the following would BEST help an enterprise select an appropriate risk response? A. The degree of change in the risk environment B. An analysis of risk that can be transferred were it not eliminated C. The likelihood and impact of various risk scenarios D. An analysis of control costs and benefits

Which ofthe following is the FIRST step when developing a risk monitoring program? A. Developing key indicators to monitor outcomes B. Gathering baseline data on indicators C. Analyzing and reporting findings D. Conducting a capability assessment

Which type of risk assessment methods involves conducting interviews and using anonymous questionnaires by subject matter experts? A. Quantitative B. Probabilistic C. Monte Carlo D. Qualitative

3-6 When responding to an identified risk event, the MOST important stakeholders involved in reviewing risk response options to an IT risk are the: A.information security managers. B.internal auditors. C.incident response team members. D.business managers.

D A.Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others, which may include collaboration with and support from IT security managers. B.Risk response is not a function of internal audit. C.The incident response team must ensure open communication to management and stakeholders to ensure that business managers/leaders understand the associated risk and are provided enough information to make informed risk-based decisions. D.Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others.

1-1 Which of the following business requirements BEST relates to the need for resilient business and information systems processes? A.Effectiveness B.Confidentiality C.Integrity D.Availability

D A.Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. While the lack of system resilience can in some cases affect effectiveness, resilience is more closely linked to the business information requirement of availability. B.Confidentiality deals with the protection of sensitive information from unauthorized disclosure. While the lack of system resilience can in some cases affect data confidentiality, resilience is more closely linked to the business information requirement of availability. C.Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. While the lack of system resilience can in some cases affect data integrity, resilience is more closely linked to the business information requirement of availability. D.Availability relates to information being available when required by the business process—now and in the future. Resilience is the ability to provide and maintain an acceptable level of service during disasters or when facing operational challenges.

2-1 The MOST significant drawback of using quantitative risk analysis instead of qualitative risk analysis is the: A.lower objectivity. B.greater reliance on expertise. C.less management buy-in. D.higher cost.

D A.Neither of the two risk analysis methods is fully objective. While the qualitative method subjectively assigns high, medium and low frequency and impact categories to a specific risk, subjectivity within the quantitative method is often expressed in mathematical "weights." B.To be effective, both processes require personnel who have a good understanding of the business. C.Quantitative analysis generally has a better buy-in than qualitative analysis to the point where it can cause overreliance on the results. D.Quantitative risk analysis is generally more complex and, therefore, more costly than qualitative risk analysis.

4-6 One way to verify control effectiveness is by determining: A.its reliability. B.whether it is preventive or detective. C.the capability of providing notification of failure. D.the test results of intended objectives.

D A.Reliability is not an indication of control strength; weak controls can be highly reliable, even if they do not meet the control objective. B.The type of control (preventive or detective) does not help determine control effectiveness. C.Notification of failure does not determine control strength. D.Control effectiveness requires a process to verify that the control process worked as intended and meets the intended control objectives.

4-3 During a data extraction process, the total number of transactions per year was forecasted by multiplying the monthly average by twelve. This is considered: A.a controls total. B.simplistic and ineffective. C.a duplicates test. D.a reasonableness test.

D A.The described test does not ensure that all transactions have been extracted. B.While simplistic, the reasonableness test is a valid foundation for more elaborate data validation tests. C.The described test does not identify duplicate transactions. D.Reasonableness tests make certain assumptions about the information as the basis for more elaborate data validation tests.

3-3 The BEST control to prevent unauthorized access to an enterprise's information is user: A.accountability. B.authentication. C.identification. D.access rules.

D A.User accountability does not prevent unauthorized access; it maps a given activity or event back to the responsible party. B.Authentication verifies the user's identity and the right to access information according to the access rules. C.User identification without authentication does not grant access. D.Access rules without identification and authentication do not grant access.

3-4 Which of the following controls BEST protects an enterprise from unauthorized individuals gaining access to sensitive information? A.Using a challenge response system B.Forcing periodic password changes C.Monitoring and recording unsuccessful logon attempts D.Providing access on a need-to-know basis

D A.Verifying the user's identification through a challenge response does not completely address the issue of access risk if access was not appropriately designed in the first place. B.Forcing users to change their passwords does not guarantee that access control is appropriately assigned. C.Monitoring unsuccessful access logon attempts does not address the risk of appropriate access rights. D.Physical or logical system access should be assigned on a need-to-know basis (legitimate business requirements) and in ways that incorporate least privilege and segregation of duties (SoD).

used during the quantitative risk analysis

Decision tree diagram

What is Risk Aggregation?

SIEM / aggregation of different risks / event correlation

3.6 When responding to an identified risk event, the MOST important stakeholders involved in reviewing risk response options to an IT risk are: A. information security manager B. internal auditors C. incident response team members D. business managers

D. Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others.

The MOST important external factors that should be considered in a risk assessment effort are: A. proposed new security tools and technologies. B. the number of viruses and other malware being developed. C. international crime statistics and political unrest. D. supply chain and market conditions.

D. A. It is always good to watch for new technologies and tools that can help the enterprise, especially ones that staff may want to bring into the office. But a risk assessment should not be based on proposed new products. B. The number of new malware types being developed is something worth watching, but it is not a factor that the risk professional can use in the calculation of risk for a risk assessment report. C. International crime statistics and political unrest may cause problems, but these are not the most important factors to be considered in a risk assessment effort. D. Risk assessment should consider both internal and external factors, including supply chain and market conditions. Supply chain problems (e.g., lack of raw material, strikes at a transportation company or supplier) can severely interrupt operations. A new competitor in the market or even a new company opening up in the area may affect availability of trained staff or pose a risk to growth and profitability.

1.1 Which of the following business requirements BEST relates to the need for resilient business and information system processes? A. Effectiveness B. Confidentiality C. Integrity D. Availability

D. AVAILABILITY relates to information being available when required by the business process - now and in the future. Resilience is the ability to provide and maintain an acceptable level of service during disasters or when casing operational challenges.

3.3 The BEST control to prevent unauthorized access to an enterprise's information is user: A. accountability B. authentication C. identification D. access rules

D. Access rules without identification and authentication do not grant access

IT architecture

Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

2.2.8 Failure to determine exactly what standards or needs a system must meet in terms of functionality, performance, and security is a vulnerability of which of the following phases of the system development life cycle? A. Implementation B. Development C. Design D. Requirements

D. Failure to determine accurate functional, performance, and security requirements for a system is a vulnerability inherent to the Requirements phase of the SDLC

The MAIN objective of IT risk management is to: A. prevent loss of IT assets B. provide timely management reports C. ensure regulatory compliance D. enable risk-aware business decisions

D. IT risk management should be conducted as part of enterprise risk management (ERM), the ultimate objective of which is to enable risk-aware business decisions

3.4 Which of the following controls BEST protect an enterprise from unauthorized individuals gaining access to sensitive information? A. Using a challenge response system B. Forcing periodic password changes C. Monitoring and recording unsuccessful logon attempts D. Providing access on a need-to-know basis

D. Physical or logical system access should be assigned ton a need-to-know basis (legitimate business requirements) and in ways that incorporated least privilege and segregation of duties (SoD).

2.1 The MOST significant drawback of using quantitative risk analysis instead of qualitative risk analysis is the: A. Lower objectivity B. Greater reliance on expertise C. Less management buy-in D. Higher cost

D. Quantitative risk analysis is generally more complex and , there fore, more costly than qualitative risk analysis

4.3 During a data extraction process, the total number of transactions per year was forecasted by multiplying the monthly average by twelve. This is considered: A. a controls total. B. simplistic and ineffective. C. a duplicates test. D. a reasonableness test.

D. Reasonableness tests make certain assumptions about the information as the basis for more elaborate data validation tests.

2.2.4 _____________ are elements that could influence the likelihood or impact of a threat exploiting a vulnerability or even influence the ability of the organization to withstand the effect of risk. A. Risk Agents B. Risk Indicators C. Threat Agents D. Risk Factors

D. Risk factors are elements that could influence the likelihood or impact of a threat exploiting a vulnerability or even influence the ability of the organization to withstand the effects of risk

Who grants formal authorization for user access to a protected file?

The data owner

What is the difference between Disaster Recovery (DR) and High Availability (HA)

DR is for after a disaster, HA is for without a disaster

Storage and security of data under conversion

Data are backed up before conversion for future reference or any emergency that may arise out of data conversion program management.

Which of the following best protects the confidentiality of data being transferred over a network?

Data is encapsulated in data-packets with authentication headers

Which of the following provides the formal authorization on user access?

Data owner

Which of the following role provides formal authorization on user access?

Data owner

Balance Score Card

Education - Innovation Improved - Processes Customer Satisfaction Financial Results eg gym membership to keep someone to stay

Data Classification Policy

Describes the data classification categories: (1) Level of protection to be provided for each category of data; (2) roles and responsibilities of potential users, including data owners

IT Architecture

Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

Which of the following system development lifecycle stages is most suitable for incorporating internal controls?

Design- as early as possible

What is special about OCTAVE?

Designed for big businesses

What sets OCTAVE-S apart?

Designed for smaller organizations

What is the purpose of Post Implementation review?

Determine: 1) Have user expectations been met? 2) Has ROI been achieved?

What is the purpose of Post Implementation review?

Determine: 1) Have user expectations been met? 2) Has ROI been achieved?

Recovery point objective (RPO)

Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Describe the top-down approach to risk scenario generation

Develop risk scenarios from a specific business objective perspective

Capability Maturity Model Integration (CMMI)

Developed by Carnegie Mellon. Used to gauge the maturity level of organizations with regards to processes. Related to Lean and Agile.

Balanced scorecard (BSC)

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives.

Exposure Factor (Percentage loss of an asset with a given risk event)

Describe SDLC Phase 2

Development or Acquisition The IT system is designed, purchased, programmed, developed or otherwise constructed.

Bow-Tie Analysis

Diagrams relationships between elements of risk from causes to events and then to impacts, but looks at the pathway that the threat led to the consequence.

Can you do all 4 components of encryption?

Digital envelope and digital signature in same communication

Bow Tie Analysis

Displays links between possible causes, controls and consequences

Describe SDLC Phase 5

Disposal This phase may involve the disposition of information, hardware and software. Activities may include moving, archiving, discarding or destroying information and sanitizing the hardware and software.

Risk action plan

Documentation of decisions regarding the controls used in response to risk. a consideration of the chosen controls and their implementation.

Business Case

Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic cycle

Business case

Which of the following best assist in the proper design of an effective key risk indicator?

Documenting the operational flow of business from beginning to end

One way to determine control effectiveness is by determining the test results of intended objectives

Dual control

During which part of the overall risk management process is the cost-benefit analysis primarily performed?

During the risk response selection

What is leading indicator of Balance Scorecard?

Education lagging indicator is customer satisfaction

IS auditor objectives

Emphasizing the need for control enhancement Bringing risk to the attention of management

The goal of IT Risk analyst is to:

Enable the prioritization of risk response

What is Cyphertext?

Encrypted plaintext which you need the key for to read

After a laptop has been identified as lost of stolen, which of the following best mitigates the risk of unauthorized access to the info on the device?

Encryption

Which of the following is the best control for security data on mobile universal serial bus (USB) drives?

Encryption USB devices

A key objective when monitoring information systems control effectiveness against enterprise's external environment is to:

Ensure that the legal obligations have been satisfied

Governance

Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Scope Note: Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, sub-contracting portions of the enterprise to third-parties, selecting a product mix from many available choices, etc.

Availability

Ensuring timely and reliable access to and use of information. Balanced scorecard (BSC) Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives

What are the risk factors for internal context?

Enterprise goals and objectives strategic importance of IT for the business Complexity of IT Complexity of the entity and degree of change Change management capability Operation model Strategic priorities Culture of the enterprise Financial capacity

Who is responsible for the control of risk?

Enterprise management (senior leaders), not the IT risk practitioner.

Common Controls Provider

Entity responsible for controls that span the enterprise

Common controls provider

Entity responsible for controls used across several different assets and systems.

What are some of the forms of External Threats?

Espionage Theft Sabotage Terrorism Criminal acts Software errors Hardware flaws Mechanical failures Loss of assets Data corruption Facility Flaws (freezing pipes/pipe burst) Fire Supply Chain interruption Industry accidents Disease (epidemic) Seismic activity Flooding Power surge/Utility failure Server storms

Root Cause Analysis

Establishes the origins of events

Business impact analysis/assessment (BIA)

Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system. Scope Note: This process also includes addressing: - Income loss - Unexpected expense - Legal issues (regulatory compliance or contractual) - Interdependent processes - Loss of public reputation or public confidence

Business Impact Analysis (BIA)

Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, established the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system

Business impact analysis/assessment (BIA)

Assessing an organization's context (environment) includes

Evaluating the intent and capability of threats The relative value of, and trust required in, assets (or resources) The respective relationship of vulnerabilities and threats could exploit to intercept, interrupt, modify, or fabricate data in information assets. The dependency on a supply chain financing debt partners vulnerability to changes in economic or political data Changes to market trends and patterns Emergence of new competition impact of new legislation existence of potential natural disaster constraints caused by legacy systems and antiquated technology strained labor relations and inflexible management

Threat Analysis

Evaluation of the type, scope and nature of events or actions that can result in adverse consequences.

What are the risk factors for IT-related capability?

Evaluation, direct monitor (EDM) Align, plan and organise (APO) Build, acquire and implement (BAI) Deliver, service and support (DSS) Monitor, evaluate and assess (MEA)

Event-tree vs. Fault-tree analysis

Event-tree the initiating event is at the root of the tree with all possible consequences at the branches, used in a bottom-up approach. Fault-tree focuses on an event and all its potential causes, starting with the risk event and then looks for causes.

About organizational assets and business processes, including enterprise risk management (ERM)

Every asset should have a defined risk owner who is consulted on assessment and monitoring results. The owner will assist in recommending responses that aide in achieving business objectives.

Human reliability analysis (HRA)

Examines the affect of human error on systems and their performance

What process would help you deal with risks that require an exemption to policy?

Exception management process

Preparedness

Execute tabletop exercises

Which level of Management accepts a risk?

Executive management (i.e. CEO)

Detective control

Exists to detect and report when errors, omissions and unauthorized uses or entries occur

what's the difference between these risks? very high high moderate low

Extremely high risk - the risks that has large impact on enterprise and are most likely results in failure with severe consequences. High risk - the significant failure impacting in certain goals not being met. Moderate risks - noticeable failure threatening the success of certain goals. Low risks - the risk that results in certain unsuccessful goals.

Which of the following should be of most concern to a risk practitioner?

Failure to internally report a successful attack

What is the #1 Project Risk?

Failure to meet expectations

T/F. risk practitioner do not need to be alert to the emergence of new technologies. But only need to be prepared for their introduction into the organization, particularly if these technologies promise cost savings or competitive advantage

False.

True or False. A problem found early is often costlier than a problem found later.

False. A problem found early is often less expensive and more effective than for a problem found later.

True or False. A system may be managed by the IT department and they are the only ones responsible for it.

False. A system may be managed by the IT department but the owner of the system is responsible for it.

True or False. Avoidance must often be implemented once deemed so by the risk practitioner.

False. Avoidance must often be implemented when no other cost-effective response is available for a risk deemed unacceptable by management.

True or False. If the pen tester is unable to break in, then the vulnerability is real and must be mitigated.

False. If the tester is unable to break in, then it is likely that the vulnerability does not require mitigation.

True or False. Responsibility and accountability can be delegated.

False. It is important for the risk practitioner to understand that transference of responsibility does not mean transference of accountability, except in rare cases in which a supplier might accept full legal accountability for damages and losses. Responsibility can be delegated; accountability cannot.

True or False. Poor communication may result in the following consequences: Balanced communication to the external stakeholders regarding risk, leading to the perception that the enterprise may be attempting to hide known risk from stakeholders.

False. Poor communication may result in: Unbalanced communication to the external stakeholders regarding risk, leading to the perception that the enterprise may be attempting to hide known risk from stakeholders

True or False. The monitoring and metrics of managing a control does not need data relevant to the risk.

False. The monitoring and metrics of managing a control must be based on data relevant to the risk and the overall performance of the device.

True or False. The ownership of risk must be with with a department or the organization as a whole.

False. The ownership of risk must be with an individual, not with a department or the organization as a whole

True or False. Risk acceptance is simply ignoring or remaining unaware of a risk.

False. Risk acceptance is NOT simply ignoring or remaining unaware of a risk

Which data analysis method would be most effective in a comprehensive review of both hardware and human failures to identify the sources of an incident?

Fault tree analysis

Which phase of SDLC should the process to amend the deliverables be defined to prevent risk of scope creep?

Feasibility

Which legal act requires U.S. Federal Govt agencies to establish an information security program?

Federal Information Security Management Act (FISMA)

Due Care

Fiduciary responsibility, governance, policy, oversight

Backup

Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

What is the rough allocation of risk relevant to almost all organizations?

Financial Risk (35%) Strategic Risk (25%) Operational Risk (25%) Legal and Compliance Risk (15%)

What are the contributing factors for calculating asset value?

Financial penalties for legal non-compliance Impact on business processes Damage to reputation Additional Cost for repair/replacement Effect on third parties and business partners Injury to staff or other personnel Violations of privacy Breach of contracts Loss of Competitive advantage Legal costs

Port Scanner

Finds which ports on the system are listening

Technical control

Firewall or intrusion detection

Reliability of a KRI would indicate that the metric:

Flags exceptions every time they occur

While consulting with risk owner priori to implementing risk mitigation controls, the IT risk practitioner should primarily focus on?

Following the life cycle approach for control management

ISA control framework

For industrial control systems

What are the Risk Management controls to be implemented and operating correctly?

For oversight and due diligence. For mitigating risk and ensuring the protection of the organization with the implemented and monitoring controls that are effective.

Event type

For the purpose of IT risk management, one of three possible sorts of events: threat event, loss event and vulnerability event. Scope Note: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.

Event type

Audit

Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met; may be carried out by internal or external groups

What is SOD meant to prevent?

Fraud by one person; observation is required to prevent collusion

What is the Gramm-Leach-Bliley Act (GLBA)

GLBA requires periodic risk analysis performed on processes that deal with nonpublic financial information and personal financial data.

The first step in identifying and assessing IT risk is to:

Gather information on the current and future environment

Policy

Generally, a document that records a high-level principle of course of action that had been decided on The intended purpose is to influence & guide both present and future decision making to be in line with the philosophy, objectives, and Strategic plans established by he Enterprise's management teams

Policy

Generally, a document that records a high-level principle or course of action that has been decided on; intended to influence and guide both present and future decision making

In what ways does setting thresholds aid in the monitoring of KRI data?

Get alerted when you should be Don't need to see false alarms either

Risk appetite

Governance - Broad idea of the amount of risk that an organization is willing to accept - risk avert, aggressive, neutral

What is Governance all about?

Governance is about accountability of the board to stakeholders and investors

Integrity

Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

What is Integrity?

Guarding against improper information modification, exclusion, or destruction "authenticity"

Integrity

Guarding against improper modification, exclusion or destruction of information, which requires the protection of information from improper modification by unauthorized users and processes or activities operating on the system.

Organizational Structure

Has the greatest impact on the type of information security governance model the enterprise chooses

Interdisciplinary Team

Having a interdisciplinary team contribute to risk management ensures that all areas are adequately considered and included in the risk assessment processes to support an enterprise-wide view of risk

Which risk assessment technique would the practitioner use to analyze system exposure to personnel?

Human reliability analysis- focuses on human error in enterprise system

How is access control addressed?

IAAA better known as Identification, Authentication, Authorization, & Accountability

What are the control assessment types?

IS Audit Vulnerability assessment Pen Test 3rd party assurance

What are the Business Process Dependencies?

IT Manual External

A risk practitioner has collected several IT-related KRIs related for the core financial application. The would most likely be reported to:

IT Management

What is the process of he Risk Management Life Cycle?

IT Risk Identification IT Risk Assessment Risk Response & Mitigation Risk & Control Monitoring & Report

What is the IAAA model?

Identification Authentication Authorization Accountability/Auditing

About IAAA Model

Identification - unique identification of each person or process that uses a system allows tracking and logging of the activity by the user and the possibility to investigate a problem if it were to arise Authentication - process of validating an identity. After a person or process has claimed or stated his/her identity, the process of authentication verifies that the person is who they say they are. Authorization - the privileges or permissions the person will have, including read-only, write-only, read/write, create, update, delete, full control, etc. This is where the concept of least privilege applies. Accountability - logs or records all activity on a system and indicates the user ID responsible for the activity.

Control Analysis

Identify controls, determine their required function, determine if they are effective, and identifying gaps between desired and end states.

Threat Assessment

Identify matching threat and vulnerability pairings

What is the primary reason for conducting a Risk Assessment?

Identify risk with the highest business impact

What is the auditors concern for CRL?

If CRL is not updated frequently on the LDAP server

Risk & Business Continuity

If the BCP (Business Continuity Plan) is inadequate or inaccurate, the organization/enterprise may not meet their goals for recovery after an incident. This is where the IT Risk Management connections with Business Continuity. IT Risk Management and the Business ensure that all functions are organized and are meeting the firms missions and goals to reduces risk to an acceptable level and mitigate any failures that occur in timely fashion.

how do you use Cost-benefit analysis to choose a control?

If the expenditure on a control is greater than the benefit realized from the control, that control cannot be justified.

KRI selection criteria

Impact Effort Reliability Sensitivity Repeatable

If an organization does not have a formal policy in place regarding personal devices in the workplace, which of the following should the risk practitioner recommend?

Implement an exception process based on appropriate approvals

Describe SDLC Phase 3

Implementation The system security features should be configured, enabled, tested and verified.

What recommendations would a risk practitioner provide for noncompliance or unacceptable performance activities?

Implementation of new controls Adjustment or enforcement of existing controls Business process changes

During which phase of the system development lifecycle are security features configured, enabled, tested and verified?

Implementation phase

A backward looking key risk indicator is intended to:

Improve risk responses.

Top Down/Bottom Up Risk Approaches

In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios impacting the business objectives. In a bottom-down approach, a list of generic risk scenarios is used to define a set of more concrete and customized scenarios, applied to the individual enterprise's situation.

What is Due Care

In the field of information security, the following statements are useful: "Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees." And, "continual activities that make sure the protection mechanisms are continually maintained and operational." (Source: Harris, Shon; All-in-one CISSP Certification Exam Guide, 2nd Edition, McGraw-Hill/Osborne, USA, 2003.) Stockholders, customers, business partners and governments have the expectation that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. So while no entity can protect themselves completely from security incidents, in case of legal action, by demonstrating due care, these entities can make a case that they are actually doing things to monitor and maintain the protection mechanisms and that these activities are ongoing.

What sets OCTAVE Allegro apart?

Includes more business-centered and operation risk approaches

Which of the following compensating controls should management implement then an SOD exists because an enterprise has such a small IT department?

Independent review of audit logs

cost incurred when leveraging existing network cabling for an IT project

Indirect cost

Business Processes

Inefficient or outdated business processes may pose a risk by making organizations un-competitive. Business processes should be flexible enough to adapt to changes in the market or technology.

What is NSA's version of ISSE?

Information Assurance Technical Framework (IATF)

What does ISSE stand for, and what is it's purpose?

Information System Security Engineering Security should be included in all steps of SDLC

What is Need to Know?

Information that is accessed only to preform a specific duty/job function.

Retention Policy

Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise

residual risk formula

Inherent Risk - Control Effectiveness = Residual Risk

Risk Types

Inherent risk Residual risk Current risk

Control category: Preventive

Inhibit attempts to violate security policy (like encryption)

The primary reason to report significant changes in IT risk management is to:

Initiate a risk impact analysis to determine if additional response is required

What are the phases of the SDLC model?

Initiation Requirements Design Development/Acquisition Implementation Disposal/Retirement

Describe SDLC Phase 1

Initiation The need for an IT system is expressed and the purpose and scope o the IT system is documented.

The primary result of a risk assessment process is:

Input for risk aware decisions

Which of the following choices will best protect the enterprise from financial risk:

Insuring against risk

Intellectual Property

Intangible assets that belong to an enterprise for its exclusive use.

If you don't have a hash then you don't have....

Integrity

1.1.1 Which of the following security goals is concerned with ensuring that data has not been modified or altered during transmission? A. Confidentiality B. Availability C. Integrity D. Non-repudiation

Integrity is concerned with ensuring that data has not been modified or altered during transmission or storage.

What is an Operational Level Agreement (OLA)?

Internal SLA

Vulnerability

Internal weakness External lack of protection

What is ISO 27002

International Control Catalog

What two things make the ISO/IEC Control Framework unique

Internationally developed and most of the control frameworks map to it

DNS (Domain Name Server)

Internet is two networks (servers and domain name servers): Servers (home addresses) vs DNS (post office)

What are the key areas of concern for emerging technologies?

Interoperability and Compatibility

Regression testing

Involves testing the changes to a program to discover any new problems in the operation of the program that were caused by the changes.

What is ISO/IEC 27005:2011?

It is a basic risk management standard that is totally geared towards Information Security

Challenges of Identity authentication - Characteristic (biometrics)

It is expensive, and some users find it to be intrusive and may be resistant to it.

KRIs should be:

It is linked to a specific risk. It is based on clear specifications to promote accuracy. It is easily measured. It is based on data that can be aggregated, compared and interpreted. It provides results that can be compared over time. It is linked to risk management goals.

About Organizational policies and standards

It should be owned. It is the owner's responsibility that these policies reflect current business objectives.

Which of the following causes the greatest concern to a risk practitioner reviewing a corporate information security policy that is out of date?

It was not reviewed within the last 3 years

Documented controls should include

Justification for the control Owner of the control Control reporting schedule

link between risk and controls

Justified and addresses risk All controls are justified by the risk that mandates the requirement for that control. All risk has been addressed through appropriate controls.

Risk Assessment techniques should be used by risk practitioner to:

Justify the selection of risk mitigation strategies

KRI or KPI? Time between data request and presentation

KPI

What does the acronym S.M.A.R.T deal with?

KPIs

KRI or KPI? Average time to deploy new security patches to servers

KRI

KRI or KPI? Number of instances of service level agreements (SLAs) exceeding thresholds

KRI

Shows a potential for risk outside of the organization's risk appetite.

KRIs

Who should the IT steering committee be comprised of?

Key members from each department

A highly probable indicator designed to accurately predict import levels of risk.

Key risk indicators (KRI)

3 methods used for IDENTITY AUTHENTICATION

Knowledge - Requires users to know a password, code phrase or other secret value to validate their identity Ownership (possession) - Requires the use of a smart card, token, ID badge or other similar item; a person validates their identity by possessing the item Characteristic (biometrics) - Uses either physiological (e.g., fingerprints, iris scan, palm scan) or behavioral (e.g., voice print, signature dynamics) elements to authenticate a person

timeframe KRIs

Lag indicators (indicating risk after events have occurred) Lead indicators (indicating which controls are in place to prevent events from occurring) Trends (analyzing indicators over time or correlating indicators to gain insights)

Delphi Method

Leverages opinions from experts in two or more rounds of questioning.

What are synonyms for Frequency and Magnitude?

Likelihood and Impact

Components that help develop a risk scenario

Likelihood and impact of risk

Which of the following risk assessment outputs is most suitable to help justify an organizational information security program?

List of appropriate controls for addressing risk

What is a CRL (Certification Revocation List)?

List of revoked keys (e.g maybe you didn't pay bill, spammed people, etc.)

Risk Response Action Plan

Lists the risk responses and charts their progress and associated timeline with the action owner.

Which of the following organizational function is accountable for risk policies, guidelines and standards?

Management- stipulated and carried out through operational procedures

Which of the following infosec controls manage behavior by specifying what is and is not permitted?

Managerial polices

Describe the bottom-up approach to risk scenario generation

Look at all potential scenarios beginning with what asset, process, or area of concern the risk scenarios might affect.

What should risk practitioners look at for nonrepudiation risk?

Look for evidence in situations in which actions may have significant impact on an organization, such as approval of production code, deletion of records or disbursement of funds.

Hazard and Operability Studies (HAZOP)

Looking for risk by looking at deviations within processes

Risk Analysis

Looks at application of risk identification and evaluation and control analysis.

Cause and effect Analysis

Looks at possible causes to certain results and groups them into categories

Scenario Analysis

Looks at possible scenarios determined during risk identification looking for possible risks

What is Lost Causal Analysis (LCA)

Loss Causal Analysis (to create a database of likelihood from past events)

Impact

Magnitude of loss resulting from a threat exploiting a Vulnerability.

Responsibilities management should be charged with:

Maintaining an awareness of the drivers of risk management Evaluating and responding to recommendations included in the risk assessment report Determining the best response to the risk Developing a response action plan and implementation strategy

What is Confidentiality?

Maintains the secrecy and privacy of data "need to know / least privilege"

What is Regression Testing?

Make sure new changes didn't undo something done before (e.g. changes made last month) - can have different layers (e.g. 2 layers of changing deep)

Risk management

Make sure processes and procedures to follow dictated risk strategy Planning, building, running and monitoring Are we doing things right?

Who is responsible for monitoring?

Management

3 lines of defense?

Management, Oversight, IAA

Control category: Directive

Mandate behavior by specifying what actions are and are not permitted, which may also have a deterrent effect. (like a policy)

What control focuses directly on preventing the risk of collusion

Mandatory job rotation

What are the risk factors for external context?

Market and economy factors Rate of change in the market/production life cycle Industry and competition Geopolitical solution Regulatory environment Technology status and evolution Threat landscape

War Chalking

Marking a location that has free internet. War chalking is marking areas, usually on sidewalks with chalk, that receive wireless signals that can be accessed.

CMMI

Maturity of process (not effectiveness)

Which of the following activities is related to the used of key performance indicators for management of technology controls?

Measurement of control effectiveness to determine the business requirements are being met

Examples of external DATA SOURCES used for monitoring and reporting

Media reports Computer emergency response team (CERT) advisories Security company reports Regulatory bodies Peer organizations Reports from antivirus and security companies Government sources and nonprofit organizations

What is another name for Hash?

Message Digest (no hash no Integrity) Hashing can be 128 or 160 bit.

MAGERIT

Methodology for Information Systems Risk Analysis and Management

Threat Agent

Methods and things used to exploit a vulnerability, such as determination, capability, motive and resources.

what is a larger concern for hardware than software.

Misconfiguration, which can lead to potential vulnerabilities, leaving the system open to external parties

How do you accommodate local regulation for a global company?

Modify policy to suit local regulatory requirements

What is Ceaser Cipher cryptography technique?

Moved Roman alphabet several characters

Senior Management

Must give the final sign off on the IT risk management plan

What is a Control Framework specifically geared towards Cyber controls?

NIST Cybersecurity Framework (2014)

lists of threats are available that can be used by a risk practitioner

NIST SP 800-30 Revision 1: Guide to Conducting Risk Assessments or ISO/IEC 27005:2008 Appendix C

What is NIST 800-160?

NIST's guide to ISSE. "Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems"

What some types of Vulnerabilities?

Network Physical Application & Web-facing Services Utilities Supply Chain Processes Equipment Cloud Computing Big Data

Factors that can change a Risk Profile

New technologies Changes to business procedures Changes in customer expectations Actions of competitors Mergers or acquisitions Effectiveness of risk awareness programs New or revised regulations Total cost of ownership (TCO) of assets Impact from external events Availability of staff/resources

Does Symmetric Key cryptography support non-repudiation?

You can outsource responsibility; can you outsource accountability?

The identification of IP addresses is a form of ___ authentication.

Node

1.1.2 Which of the following is MOST concerned with ensuring that users cannot deny that they took action? A. Accountability B. Non-repudiation C. Auditing D. Authorization

Non-repudiation is concerned with ensuring that users cannot deny that they took particular action.

Due Diligence

Not related to governance

ISO 31000:2009

Not specific to IT, focuses on business risk for organizations of any size.

Which risk assessment method was developed by Carnegie Mellon, using facilitated workshops to frame and assess risk based on internal organizational context?

OCTAVE

What is OR Governance all about?

OR Governance is about organizational structure of the firm and accountability of ORM

Which of the following is a major risk associated with the use of GRC tools?

Obsolesce of context. (Tool needs to updated regularly with current regulations.

Purpose of a governance/management framework

Obtain business value from IT investments and infrastructures

the challenge of managing access control

One of the most critical risks associated with information systems

Which encryption technique is foolproof?

One time pad (which uses XOR)

Alternative to 800-115

Open-Source Security Testing Methodology Manual (OSSTMM)

Which capability dimension is most important when using a maturity model for assessing the risk management process?

Performance

Describe SDLC Phase 4

Operation or Maintenance The system performs its functions. Typically the system will undergo periodic updates or changes to hardware and software; the system may also be altered in less obvious ways due to changes to organizational processes, policies and procedures.

What is OCTAVE?

Operationally Critical threat Asset and Vulnerability Evaluation

Leading Practice

Optimally applying knowledge

Project-based Organizational Structure

Organizational Structure where a group is formed temporarily to work on one particular project.

Centralized Organizational Structure

Organizational Structure where all decisions are made by one group for the entire enterprise

factors that can affect risk assessment

Organizational structure and culture Policies, standards and procedures Technology and technology architecture

Hazard analysis and critical control points (HACCP)

Originally developed for the food industry. A method of monitoring many characteristics and rating them within a predefined tolerance zone

Hazard Analysis and Critical Control Points (HACCP)

Originally developed for the food safety industry system for proactively preventing risk and assuring quality, reliability and safety of processes. The system monitors specific characteristics, which should fall within defined limits.

Considerations IT risk practitioner must consider for risk and controls

Other enterprise departments Business partners Business processes supported by IT systems

How do you apply Governance?

Oversight committees

What does Risk Governance address?

Oversight of the business risk strategy for the enterprise

Why use message digest for digital signature and not the whole msg?

PKI is 10k X slower regular private key cryptography

What is NIST 800-55?

Performance Measurement Guide for Information Security. Excellent basis for KPIs

The Delphi Technique

Polling or information gathering is done either anonymously or privately between the interviewer and interviewee

Common changeover (Go-Live) methods

Parallel changeover Phased changeover Abrupt changeover

What is PCI DSS?

Payment Card Industry Data Security Standard

Which of the following metric is most useful in measuring the monitoring of violation logs?

Penetration attempts investigated

A company has been improving its org. security/compliance program since the last security review was conducted one year ago What should the company do to evaluate its current risk profile?

Perform a new enterprise risk assessment using an independent expert.

A company is confident about the state of its organizational security and compliance program. Many improvements have been made since the last security review was conducted one year ago. What should the company do to evaluate its current risk profile? Review previous findings and ensure that all issues have been resolved. Conduct follow-up audits in areas that were found deficient in the previous review. Monitor the results of the key risk indicators (KRIs) and use those to develop targeted assessments. Perform a new enterprise risk assessment using an independent expert.

Perform a new enterprise risk assessment using an independent expert.

What is the best approach to determine if exiting security control management meets the organization needs?

Perform a process maturity assessment

Which of the following is the most effective way to ensure that third-party providers complex with the enterprise's information security policy?

Periodic auditing

Which of the following most effectively ensures that service providers controls are within the guidelines set forth in the organization's infosec policy?

Periodic auditing

What are the three phases of OCTAVE?

Phase 1: Build Asset-based threat profiles (organizational evaluation) Phase 2: Identify infrastructure vulnerabilities (technological evaluation) Phase 3: Develop security strategy and mitigation plans (strategy and plan development)

3 phase of OCTAVE process

Phase 1: Build asset-based threat profiles (organizational evaluation) Phase 2: Identify infrastructure vulnerabilities (technological evaluation) Phase 3: Develop security strategy and mitigation plans (strategy and plan development)

OCTAVE processes 3 phases

SDLC Phases

Phase 1— Initiation Phase 2— Development or Acquisition Phase 3— Implementation Phase 4— Operation or Maintenance Phase 5— Disposal

Checklists

Potential threats that can be checked off as they are handled by the organization

Confidentiality

Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information

What type control categories should a risk practitioner consider to control any environment for an organization or enterprise?

Preventive Deterrent Directive Detective Corrective Compensating

IT Awareness Program

Primary consideration when developing a IT Risk Awareness program is how technology risk can impact each attendee's area of business

Which of the following best helps to respond to risk in a cost effective manner?

Prioritizing/addressing risk according to the risk management strategy

What types of Cloud Computing is there?

Private Public Community Hybrid

An enterprise is implementing controls to protect a list of employee details from being exposed to un-authorized individuals. Internal control requirements will come from:

Process owners

Risk Identification

Produces threat-vulnerability pairs, asset inventories, and risk scenarios

What is the worst SOD violation?

Programmer and Operator

What is a key tenets of Project Management document?

Project Management Body of Knowledge (PMBOK)

While prioritizing risk for treatment, the IT risk practitioner should consider the:

Risk rating

The primary objective of risk reporting is to:

Provide the risk owner with information to initiate the risk response

Control category: Detective

Provide warning of violations or attempted violations of security policy. (like audit trail)

Control category: Deterrent

Provide warnings that may dissuade threat agents from attempting compromise. (like a warning message)

Which of the following controls best reduces the residual risk that can result in the inadvertent disclosure of sensitive files stored on a laptop?

Providing staff awareness training to identify and encrypt files

Availability

Providing timely and reliable access information.

What is Availability?

Providing timely and reliable access to information

What is PKI?

Public Key Cryptography -Private key and public key pair -keys not derived from each other -very slow -usually use hybrid technique -RSA, Diffie-Hellman, El Gamal, Knapsack, ECC

Which of the following is the best way to ensure that an accurate risk register is maintained over time?

Publish the risk register centrally with workflow features that periodically poll risk assessors.

What is the RACI model, and how is it implemented in risk management?

RESPONSIBLE ACCOUNTABLE CONSULTED INFORMED These are the roles involved in the risk management process.

Risk IT Framework Risk Governance components

RG1: Establish and maintain a common risk view RG2: Integrate with ERM RG3: Make risk-aware business decisions

The Risk Governance (RG) domain of the Risk IT framework is comprised of what 3 processes?

RG1: Establish and maintain a common risk view RG2: Integrate with ERM RG3: Make risk-aware business decisions

How do you calculate a risk priority number (RPN)?

RPN = Severity * Occurrence * Detection

Risk IT Framework Risk Response components

RR1: Articulate risk RR2: Manage risk RR3: React to events

The Risk Response (RR) domain of the Risk IT framework is comprised of what 3 processes?

RR1: Articulate risk RR2: Manage risk RR3: React to events

What are the outcomes of a BIA? (BIA are performed for each Business Process)

RTO RPO SDO - Service Delivery Objective (Service level at RTO) MTO - Maximum Tolerable Outage (Services level at "Return")

Which of the following concert of data validation is most likely to be of value to organizations reviewing transactions for fraudulent activity?

Reasonableness

COST-BENEFIT ANALYSIS benefits

Reductions in risk impacts, liability and insurance premiums Increases in customer, stake- holder and creditor confidence Improved employee relations and safety

data sources that determine the current state of controls

Regular reports generated by controls Results of control testing activities Results of incident management programs

What is the primary force for driving privacy?

Regulation

After completion of risk assessment, it is determined the cost to mitigate the risk is much greater than the benefit to be derived, risk should be:

Rejected

Which of the following criteria is most essential for the effectiveness of operational metrics?

Relevance to the recipient

Control category: Corrective

Remediate errors, omissions, unauthorized uses and intrusions when detected. (like backups)

The risk practitioner is reviewing the effectiveness of a key risk indicator. Which of the following attribute is the most important part of this review?

Repeatable

An operations manager assigns monitoring responsibility of key risk indicators to line staff. Which of the following is most effective when validating the effort?

Reported results should be independently reviewed

Which of the following practices is most closely associated with risk monitoring?

Reporting

What is the negative aspect of Parallel testing?

Resource consumption will increase

During which phase of incident response should an attempt be made to limit the impact of an incident?

Response

What is the difference between Responsibility and Accountability?

Responsibility belong to those who must ensure that activities are completed successfully VS Accountability which applies to those who either own the required resource or those who have the authority to approve the execution and/or accept the outcome of an activity

RACI

Responsible - Individuals tasked with getting the job done, preforming the actual work effort to meet stated objectives. Accountable - Single person liable or answerable for the completion of the task, who oversees and manages the person(s) responsible for performing the work effort, who may also play a role in the project. Consulted - Individuals who provide input data, advise, feedback, or approvals. Informed - Individuals who are informed of the status, achievement and/or deliverables of the task by who are often not directly responsible for the work effort

Testing good practices

Review Source Code Practice Version Control Be Aware of Test Data risk Separate Development and Production Implement Quality Assurance Fallback or Rollback

Impact Assessment

Review of the possible consequences of a risk.

Where are key risk indicators most likely identified when initiating risk management across a range of projects?

Risk response

Which of the following information systems controls is the best way to detect malware?

Reviewing changes to file size

What is the risk formula?

Risk = Likelihood (of threat exploiting a vulnerability) X Impact (R = L x I)

What are the 3 domains of ISACA's Risk IT Framework?

Risk Governance (RG), Risk Evaluation (RE), Risk Response (RR)

Middle office

Risk Management

What is ISO 31000:2009?

Risk Management - Principles and Guidelines

An enterprise decides to address risk associated with an IT project by outsourcing part of the IT activities to a 3rd party with a specialized skillset. This is an example of:

Risk Mitigation

Risk Profile vs. Risk Register

Risk Profile is a detailed listing of attributes associated to risk. A Risk Register associates risk scenarios to assets and responses in a given context.

1.1.6 Which of the following terms describes the acceptable variations in risk that an organization is willing to deal with for a particular effort? A. Risk Acceptance B. Risk Appetite C. Risk Culture D. Risk Tolerance

Risk Tolerance is the acceptable variation in risk that an organization is willing to deal with for a particular effort.

Describe risk appetite vs. risk tollerance

Risk appetite is how much risk an organization is willing to endure; Risk Tolerance is how much variation from that amount is acceptable.

At which phase of risk management would information about the newly discover risk be communicated to decision makers and relevant stakeholders?

Risk assessment

Which of the following risk management activities initially identifies critical business function and key business risk?

Risk assessment

The best way to ensure that an information system control is appropriate and effective is to verify that the:

Risk associated with the control is being mitigated

Risk & Audit

Risk associates with Audit to ensure that the effectiveness of the Control Framework. This helps with Legislation, Government oversight and Media scrutiny. All IS (information systems) auditors are required to be: objective, skilled, and independent. They should be able to assess, identify, document and provide recommendations for risks, vulnerabilities and addressed issues.

Risk Response

Risk avoidance, risk acceptance, risk sharing/transfer, risk mitigation, leading to a situation that as much future residual risk (current risk with the risk response defined and implemented) as possible (usually depending on budgets available) falls within risk appetite limits.

Risk response

What is Operational Risk in a Bank?

Risk from: 1) People 2) Process 3) IT (IT Risk is a sub-category of Op Risk) 4) External Systems

What are the risk factors for risk management capabilities?

Risk governance Risk management

4 domains of CRISC

Risk identification Risk assessment Risk response and mitigation Risk monitoring and reporting

What is the MAIN objective of risk identification?

Risk identification is the process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise's operational environment.

Risk Ownership

Risk is owned by management, but the risk practitioner has a key role in ensuring the following are true: * Management is aware of the current IT risk profile of the organization. * Risk is being managed in a way that meets management objectives.

a level that the enterprise is willing to accept.

Risk management are designed to reduce risk to:

Primary risk management is conducted by who?

Risk management board

Which of the following risk reposes is the best for an organization whose products and services are highly regulated?

Risk mitigation

Which of the following is the most important component when reporting the status of the IT control environment to management?

Risk profile of the enterprise

A new data protection regulation directly affects an organization, what should the risk practitioner gather to best ensure compliance?

Risk scenarios with potential impact on compliance

Change Risk

Risk that is not static, changes in the technology, regulations, business processes, functionality, architecture, users and other variables that affect the business and technical environments of the organization may affect the levels of risk associated with system operations.

What is Inherent Risk?

Risk without any controls

Which of the following measures is most effective against insider threats to confidential information?

Role based access control

After a security incident what technique associated with risk analysis would be there first step towards yielding an actionable plan that would mitigate risk?

Root case analysis

What is the formula to figure Security Categorization (SC)?

SC = {(Confidentiality, Impact), (Integrity, Impact), (Availibility, Impact)}

What are Digital Signatures?

SHA1 or MD5 (Hash) used to convert plain text to create string of 128 (MD5) or 160 (SHA1) bits Take hash output/msg digest and encrypt it with my own private key. Then I take encrypted hash and original plain text doc and send it to another person. Other person then uses my Public Key to decrypt the hash Then they use hash algorithm to calculate hash doc to confirm it wasn't altered during transmission (i.e. integrity) (both derived hash and reverse engineered hash) -this does not support Confidentiality (I sent person doc in plain text) -this DOES support Integrity -this DOES support Authenticity -this DOES support Non-repudiation (any time you encrypt with private key you are the only person who has it...) This is like a real signature because you cannot repudiate; purpose is non-repudiation and integrity

Single loss expectancy calculation (SLE)

SLE = Asset value (AV) x Exposure factor (EF)

What is best assurance given in order?

SOC 1 (WORST) SOC 2 ISO27001 (BEST)

Secret Key Cryptography (aka Symmetric Key, aka Session key)

Same key is used to encipher and decipher plain text

which analysis techniques best determines whether a particular risk is relevant to the enterprise and helps estimate the likelihood that significant events will affect the enterprise?

Scenario analysis along with vulnerability analysis

What is IT Risk Scenario Analysis?

Scenarios to explore extreme alternatives aka stress tests

Which of the following actions will best preserve availability of a service during a pen test?

Scheduling a testing of critical systems during maintenance windows

NIST 800-64

Security Considerations in the System Development Lifecycle

What is NIST 800-53?

Security and Privacy Controls for Federal Information Systems and Organizations

What has the Max ROI?

Security awareness training

Which of the following is a primary role of a system owner during the accreditation process?

Selects and documents the security controls for the system

Which is the following is most important prior to conducting a pen testing?

Senior management approval of exercise parameters

Corporate email system

Senior management will most likely have the highest tolerance for moving which of the following to public cloud?

Criterion to optimize KRIs

Sensitivity: Management has implemented an automated tool to analyze and report on access control logs based on severity, and the tool generates an excessive number of results. Management performs a risk assessment and decides to configure the monitoring tool to report only on alerts marked "critical." Timing: Management has implemented strong segregation of duties (SoD) within the enterprise resource planning (ERP) system. One monitoring process tracks system transactions that violate the defined SoD rules before month-end processing is completed so that suspicious transactions can be investigated before reconciliation reports are generated. Frequency: Management has implemented a key control that is performed multiple times a day. Based on a risk assessment, management decides that the monitoring activity can be performed weekly because this will capture a control failure in sufficient time for remediation. Corrective action: Management has implemented a remediation process to bring controls into alignment with the organizational risk appetite. Using existing problem management tools, management is able to integrate automated monitoring of the controls in the process to prioritize existing gaps, assign problem owners and track remediation efforts.

Operational control

Separation of duties or security training

Strategic IT Plan

Should be created first when developing an enterprise's IT policies and procedures

SLE

Single Loss Expectancy

What does SDLC stand for?

Software Development Life Cycle

SIE

Software Engineering Institute

Vulnerability Scanner

Software designed to scan for unnecessary services and back doors

Anyone who manages risk should not report to.....

Someone who delivers value

Asset

Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Asset

Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.

Asset

Something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances, and reputation

Event

Something that happens at a specific place and/or time

S.M.A.R.T.

Specific Measurable Attainable Relevant Timely

What does S.M.A.R.T stand for?

Specific Measurable Attainable Relevant Timely

SMART

Specific, measurable, attainable, realistic and timely, generally used to describe appropriately set goals

Velocity

Speed of onset, a measure of how much prior warning and preparation time an organization may have between the event's occurrence and impact, which itself can be split into speed of reaction and speed of recovery.

What is the most important factor in the success in an ongoing information security monitoring program?

Staff who are qualified and trained to execute their responsibilities

greatest risk of failure

Staff, they are vulnerable to risk such as fraud and deliberate or accidental misconfiguration of software processes or hardware.

What is the difference between a standard and a policy?

Standard = A mandatory action, explicit rules, controls or configuration settings that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software or behavior. Standards should always point to the policy to which they relate. Policy = IT policies help organizations to properly articulate the organization's desired behavior, mitigate risk and contribute to achieving the organization's goals.

Fault Tree Analysis

Start with a risk event, and branch out to all of the possible causes (Top-Down)

Event Tree Analysis

Start with an event, and branch to all of the possible consequences (Bottom-Up)

Examples of risk register updates

Status updates indicating the necessity for modification and review The progress of and results from control testing The attainment of milestones during the risk mitigation project The closing of some risk entries to show a completed risk mitigation project

NIST RMF

Step 1: Categorize Step 2: Select Step 3: Implement Step 4: Assess Step 5: Authorize Step 6: Monitor

Database

Stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements

What is another term for IT Risk Scenario Analysis?

Stress Test

Stress testing

Studies the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process

Volume testing

Studies the impact on the application by testing with an incremental volume of records to determine the maximum volume of records (data) that the application can process

Australian Signals Directorate

Subjective effectiveness terms like Essential, Excellent, Good, and Average. Subjective maintenance cost terms like High, Medium, Low.

What does SDLC stand for?

System Development Life Cycle

What is cost benefit analysis based on?

TCO (i.e. Cost of Control)

Why is being aware of test data a good practice?

Test data should be complete and allow the testing of all possible process functions and error handling, but there is significant risk related to the disclosure to unauthorized personnel of sensitive information. obfuscate when needed

What is Fuzzing?

Testing a system with random data

Unit testing

Testing of each individual component or piece of a system. This is the most basic level of test and is the best way to find a problem within the piece of code or piece of equipment being tested.

Penetration Testing

Testing that is conducted by internal or external team, and rules can range from full knowledge of the infrastructure to a zero-based knowledge test. This will include several types of tests to ensure that as many attack vectors as possible have been tested and a report is generated to the risk practitioner can use the process of risk identification.

Stress/volume testing

Tests an application with large quantities of data to evaluate its performance during peak hours

Integration or system testing

Tests the system in relation to its overall environment to show how the components work when they are integrated or joined together along with the interfaces between the components and the overall operation of the system.

ISO/IEC 27005:2011

The 27000 series are all about information security and describes the qualitative and quantitative assessment methodologies.

Risk Tolerance

The ACCEPTABLE level of variation that management is willing to allow for any particular risk as the enterprise pursues its business objective.

Access control is usually addressed through

The IAAA Model

Skill

The ability brought to bear by the perpetrator of an active/sentient threat relative to other perpetrators

Resilience

The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

Objectivity

The ability to exercise judgment, express opinions and present recommendations with impartiality

Accountability

The ability to map a given activity or event back to the responsible party other examples) who's ultimately responsible, they are liable, they can even provide oversight

What is Risk Tolerance?

The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives

Risk tolerance

The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Risk Appetite

The amount of risk, on a board level, that an entity is willing to accept in pursuit of its mission

Risk appetite

The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

Risk Appetite

The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission (or vision)

What is Risk Appetite?

The amount of risk, on a broad level, that an entity is willing tot accept in pursuit of its mission

What is KPI?

The answer to this question: How will you measure me?

A business case developed to support risk mitigation efforts for a complex application development project should be retained until:

The applications end of life

Man-in-the-Middle Attack

The attacker intercepts the communication between two parts of the victim system and then replaces the traffic between the two components with the intruder's own, eventually assuming control of the communication

Security Training

The best way to inform all employees about information security awareness

IT risk

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

IT RISK

The business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.

Information systems (IS)

The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies Scope Note: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

To be effective, policies and procedures must describe:

The consequences of failing to comply with the policy The means for handling exceptions The manner in which compliance with the policy will be checked and measured

Configuration Management

The control of changes to a set of configuration items over a system life cycle

Risk Management

The coordinated activities to direct and control an enterprise with regard to risk

Challenges of Identity authentication - Ownership (possession)

The cost of installing this type of system, issuing the cards and operating and maintaining the system may be prohibitive. Also, in the event the authorized user loses his or her card, it may be used by an imposter if the card has not been reported as lost or stolen.

When performing a risk assessment of the impact of losing a server, calculating the monetary value of the server should be based on:

The cost to obtain a replacement

Reputation risk

The current and prospective effect on earnings and capital arising from negative public opinion. Scope Note: Reputation risk affects a bank's ability to establish new relationships or services, or to continue servicing existing relationships. It may expose the bank to litigation, financial loss or a decline in its customer base. A bank's reputation can be damaged by Internet banking services that are executed poorly or otherwise alienate customers and the public. An Internet bank has a greater reputation risk as compared to a traditional brick-and-mortar bank, because it is easier for its customers toleave and go to a different Internet bank and since it cannot discuss any problems in person with the customer.

Data integrity

The data are not altered manually, mechanically or electronically by a person, program or substitution or by overwriting in the new system.

Interdependence

The degree to which materialization of two or more types of risk might impact the organization differently, depending on whether the events occur simultaneously or consecutively.

IT risk scenario

The description of an IT-related event that can lead to a business impact IT-related incident An IT-related event that causes an operational, developmental and/or strategic business impact

What is the organization ensuring by using key performance indicators?

The desired metrics are achieved

Enterprise risk management (ERM)

The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders

Responsibility

The duty of ensuring that activities are completed successfully

What is a threat agent?

The entity causing or enacting a threat against a vulnerability.

Which of the following controls protects the integrity of the event logs in a stand-alone logging system?

The event logging systems are administered under dual control

What is the characteristic behind steganography?

The existence of the message is unknown to begin with

Visibility

The extent to which a vulnerability is known, which can make it a more likely target of attack.

Motivation

The extent to which the perpetrator of the threat wants to succeed, which may result in higher chances of success.

advice risk practitioner gives risk owner on risk action plan

The feasibility of project dates The expected workload associated with the project The costs of the project The overall success of the project according to risk management and business goals

Data consistency

The field/record called for from the new application should be consistent with that of the original application.

What is the primary purpose of the certification and accreditation process?

The goal is to deliver a system that meets the agreed-on set of security requirements and the operational conditions that were set for its implementation to ensure that it will be operated in a secure manner. The purpose of certification is to have an impartial third party review the security plans and risk assessments associated with the system and provide an objective recommendation to the business owner on whether he/she should approve the operation of the system.

improper oversight of IT investments

The greatest risk posed by an absence of strategic planning is:

What is risk Magnitude?

The impact to the enterprise when the event occurs

Business Process Owner

The individual responsible for identifying process requirements, approving process design and managing process performance

Business process owner

The individual responsible for identifying process requirements, approving process design and managing process performance. Scope Note: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities

Data custodian

The individual(s) and department(s) responsible for the storage and safeguarding of computerized data

Data Custodian

The individual(s) and department(s) responsible for the storage and safeguarding of computerized data.

Data owner

The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

data owner

The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

Data Owner

The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data.

Event-tree analysis

The initiating event is at the root of the tree with all possible consequences at the branches, used in a bottom-up approach.

What is Least Privilege?

The level of data access afforded to individuals or processes that are minimal to preform the job functions.

Exposure Factor

The level of loss that an asset could suffer

ROI and ROSI dependencies

The likelihood and impact of the risk event the control addresses The adequate level of protection should an event occur

1.1.5 The likelihood of a Threat exploiting a vulnerability, causing an impact on an asset, describes which of the following terms? A. Impact B. Threat Agent C. Exploit D. Risk

The likelihood of a threat exploiting a vulnerability, causing an impact to an asset, describes risk.

The skill and motivation of the potential attacker

The likelihood of an attack being launched against an enterprise is most dependent on:

Faced with numerous risk, the prioritization of treatment options will be most effective when based on:

The likelihood of compromise and subsequent impact

Risk mitigation

The management of risk through the use of countermeasures and controls

Impact

The measure of financial loss that a threat event may have

Likelihood

The measure of frequency of which an event may occur, which depends on whether there is a potential source for the event (threat) and the extent to which the particular type of event can affect its target (vulnerability), taking into account any controls or countermeasures that the organization has put in place to reduce its vulnerability.

What is IEC 31010:2009

The meat of the risk management part of ISO 31000:2009

Risk Communication

The method and openness of communication of risk plays a key role in defining and understanding the risk culture of the organization. Communication removes uncertainty and doubts concerning risk management.

What is the objective of testing (for risk of system controls)?

The objective of testing is to uncover any flaws or risk that may be hidden in the functionality or design of the application or system.

Threat Vector

The path or route use by the adversary to gain access to the target.

Access rights

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Control owner

The person in whom the organization has invested the authority and accountability for making control- related decisions

Risk Owner

The person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario Scope notes: The risk owner may not be responsible for the implementation of risk treatment.

System development life cycle (SDLC)

The phases deployed in the development or acquisition of a software system. Scope Note: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.

Hardware

The physical components of a computer system

Application controls

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Internal controls

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business

Which of the following is the best reason an enterprise would decide not to reduce an identified risk?

The potential gain outweighs the risk

Likelihood

The probability of something happening.

Risk avoidance

The process for systematically avoiding risk, constituting one approach to managing risk

Risk transfer

The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Risk Evaluation

The process of comparing the estimated risk against given risk criteria to determine the significance of the risk

Strategic Planning

The process of deciding on the enterprise's objectives, on changes in these objectives, and policies to govern their acquisition and use

Risk Identification

The process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets, and controls in the enterprise's operational environment.

Risk Identification

The process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern

Risk Aggregation

The process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise

Risk aggregation

The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

What is identity management?

The process of managing the identities of users, processes, etc. that require access to information

Certification

The process of reviewing information systems with regard to their secure design, development, testing, deployment and operations. Checking the boxes that requirements are fulfilled (business or technical)

Access Control

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Access control

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Asset Valuation

The protection of the assets within the organization that is paying more than the net worth in protection than the asset is worth. Base on the impact of loss of confidentiality, integrity and availability (CIA).

What is the purpose of "System Certification"?

The purpose of certification is to have an impartial third party review the security plans and risk assessments associated with the system and provide an objective recommendation to the business owner on whether he/she should approve (authorize) the operation of the system.

Effectiveness

The quality of producing a planned-for outcome

Efficiency

The quality of producing desired results without waste

Residual Risk

The remaining risk after management has implemented a risk response

Residual risk

The remaining risk after management has implemented a risk response

What is residual risk?

The remaining risk after management has implemented risk response / controls.

Incident Response

The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively.

Challenges of Identity authentication - Knowledge

The risk in this method of authentication is that learning the password of another person allows an individual other than the password owner to log in.

Inherent Risk

The risk level or exposure without taking into account the actions that management has taken or might take

Which of the following helps ensure that the cost is justifiable when selecting an IT control?

The risk likelihood and its impacts are reflected

About Risk response options and criteria for selection

The risk owner will consider the business objectives in the determination of whether to accept, mitigate, avoid or transfer a risk.

What document would list the different risk scenarios?

The risk register could include: Risk factors Threats & vulnerabilities Scenarios Severity or Priority Asset information Impact Likelihood Risk ownership

Control Risk

The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal control.

IT infrastructure

The set of hardware, software and facilities that integrates an enterprise's IT assets. Scope Note: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the enterprise's users

Project portfolio

The set of projects owned by a company. Scope Note: It usually includes the main guidelines relative to each project, including objectives, costs, time lines and other information specific to the project.

Risk Culture

The set of shared values and beliefs that governs attitudes toward risk-taking, are and integrity, and determines how openly risk and losses are reported and discussed.

Risk culture

The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

Risk Culture

The shared values and beliefs that govern the attitudes and behaviors toward risk taking, care and integrity, and determines how openly risk and losses are reported and discussed.

Strong authentication is:

The simultaneous used of several authentication techniques (Pw, badge)

The most effective method to conduct a risk assessment on an internal system in an organization is to start by understanding the:

The system and its subsystems

Risk scenario

The tangible and assessable representation of risk

Risk Scenario

The tangible and assessable representation of risk. One of the key information items needed to identify, analyze and respond to risk

White-box test

The tester has full knowledge of the system

Gray-box test

The tester has some limited knowledge of the system

For 3rd party assurance, who is responsible for evaluating the processes of the subject organization and validating compliance?

The third party is responsible for evaluating the processes of the subject organization and validating compliance with the requirements of a given standard.

Proximity

The time from the event occurring and the impact on the organization.

Completeness of data conversion

The total number of records from the source database is transferred to the new database (assuming the number of fields is the same).

Business goal

The translation of the enterprise's mission from a statement of intention into performance targets and results

third-party assurances

The use of a third party to provide assurance of the effectiveness of the IS program of the organization can be valuable in earning the confidence of stakeholders, customers and shareholders.

Risk response should focus on which of the following:

Theft of a smart phone from the office

What does a CA (Certification Authority) do?

They will certify your public key (e.g. VeriSign) When https shows up in browser you can click on lock and see who certified the public key (if you click on the public key you can open it)

What does a RA (Registration Authority) do?

They will issue a key to someone after identifying them

Emerging Threats

This any threat that may include unusual activity on the system, repeated alarms, slow systems or network performance, or new or excessive activity in logs.

Risk & Information Security

This drives the selection of controls and justifies the initial and continued operations. Every control should be traceable back to specific risk that the control is designed to mitigate. Types of risk: Control, Project & Change

Why should you integrate risk management into the Enterprise?

This enforces holistic ERM (Enterprise Risk Management) approach. This includes: all departments, functions, systems and GEO locations. This is the authority that is required for all business processes that undergo analysis or when a change is made whether internal or external.

Establish and Maintain a common risk view is for what and why?

This is done for the Enterprise to determine the controls needed to mitigate risk and integrate in the the business process. This sets the tone of the business regarding how to determine and accepted level of tolerance. This is the life cycle for regular reporting and review process and oversees the operations of risk management

Double Blind Test

Those charged with defending the network don't know the testing is happening

1.1.4 Which of the following are BOTH necessary for risk to exist and are often paired together? (Choose Two) A. Impact B. Threat C. Vulnerability D.v Likelihood

Threat and Vulnerabilities are both necessary for risk and are often paired together in assessments since you cannot have risk if you have one without the other.

Which of the following activities is most important when evaluating and assessment the risk to an enterprise or business process?

Threat intelligence, including likelihood of identified threats

Threat Modeling vs. Threat Assessment

Threat modeling looks at every possible threat agent, action or event, attack vector and vulnerability for a system, asset or process then models. Threat assessment examines how these threats could affect the particular asset, organization or system.

What are the 4 risk elements?

Threats, Vulnerabilities, Likelihood, and Impact. Threats exploit vulnerabilities and the level of risk is based on likelihood and the impact to the system.

Components that depend on the effectiveness of control monitoring

Timeliness of the reporting: Are data received in time to take corrective action? Skill of the data analyst: Does the analyst have the skills to properly evaluate the controls? Quality of monitoring data available: Are the monitoring data accurate and complete? Quantity of data to be analyzed: Can the risk practitioner isolate the most important data within the total body of data available?

What's the purpose of Risk monitoring and evaluation?

To collect, validate and evaluate business, IT and process goals and metrics To monitor that processes are performing against agreed-on performance and conformance goals and metrics To provide reporting that is systematic and timely

What is the purpose of system accreditation?

To ensure that risk associated with implementation has been identified and explicitly accepted by senior manager.

Which of the following is the primary reason for subjecting the risk management process to review by independent risk auditors/assessors?

To ensure that the risk factors and risk profile are well defined

Why do you make risk aware business decisions?

To ensure the full function of governance and range of opportunities with the consequences for each decision that will impact the enterprise or the environment.

Due to changes within the IT environment the disaster recovery plan of a large enterprise have been modified, what is the greatest benefit of testing the new plan?

To ensure the plan is complete

What is the purpose of logging in?

To establish a accountability

What is the purpose of a Proxy?

To hide the identity of user in the Intranet from the Internet (takes IP address and gives it a different name - non routable address)

Which of the following objectives is the PRIMARY reason risk professionals conduct risk assessments? To maintain the enterprise's risk register To enable management to choose the right risk response To provide assurance on the risk management process To identify risk with the highest business impact

To identify risk with the highest business impact

What reasons are Risk indicators are used for?

To measure levels or risk in comparison to defined risk thresholds To alert the organization when a risk level approaches a high or unacceptable level of risk

What is the primary reason that an enterprise would establish segregation of duty controls?

To prevent errors of fraudulent activity on high risk transactions

Why is reviewing source code a good practice?

To validate compliance with standards and good coding practices To detect unauthorized changes made by the programmer To evaluate error handing, input validation or documentation

SANS Critical Security Controls

Top 20 Critical Security Controls (CSC) list based upon recommendations from government and industry.

What is intellectual property?

Trademark Copyright Patent Trade Secret

Front office

Trader

T/F. At the time of hiring, the employee should be required to sign a nondisclosure agreement and be advised of the ethics and policies of the organization, and a review of references and performance of background checks may be worthwhile where permitted by law.

True

True or False. A company should review their risk management practices if business owners frequently challenge the risk assessment findings.

True

True or False. Report all risk. All risk should be noted in the risk assessment report inducing issues that have been resolved.

True, risk assessment reports should report all risk.

T/F? Mitigation and avoidance risk response is used in case of negative risk events, and not in positive risk events.

True.

True or False. Risk is often caused through misuse of access.

True. Especially in cases where an individual has a level of access that is not appropriate for his or her current job responsibilities.

True or False. If the penetration tester is able to break in, then the vulnerability is real and must be mitigated.

True. If the penetration tester is able to break in, then the vulnerability is real and must be mitigated.

True or False. Reducing a risk to acceptable alignment with risk appetites may require the use of multiple controls.

True. Reducing a risk to acceptable alignment with risk appetites may require the use of multiple controls.

True or False. systems development process should ensure that security controls are built into the system and tested prior to deployment

True. Testing is the final opportunity to prevent a failure related to a poorly written program or improperly designed application.

True or False. The risk practitioner should always keep in mind that compliance is a risk decision, even when it is imposed by force of law.

True. The risk practitioner should always keep in mind that compliance is a risk decision, even when it is imposed by force of law. As discussed earlier, risk is addressed in the most cost-effective manner possible based on the risk appetite set by senior management. Depending on the penalties attached to noncompliance, an organization may choose not to be compliant with certain laws or regulations if the cost of compliance is greater than the fine or consequences imposed for failure to comply.

Pharming Attack

Type of MITM attack that changes the pointers on a domain name system (DNS) server and redirects a user's session to a masquerading web site

Social Engineering Attack

Type of attack that deceives users or administrators at the target site into revealing confidential or sensitive information. They can be executed person-to-person, over the telephone or via email

Phishing Attack

Type of email attack that attempts to convince the user that the originator is genuine but with the intention of obtaining information for use in social engineering

Responsibility for Risk Governance

Ultimately the responsibility of the board of directors and senior management. They establish the enterprise's risk culture and acceptable levels of risk; set up the management framework; and ensure that the risk management function is operating effectively to identify, manage, monitor, and report on current and potential risk facing the enterprise.

Risk Management starts with

Understanding the organization which serves the environment or context in which it operates.

Volatility

Unpredictability, also referred to as dynamic range; the degree to which conditions vary from once moment to another, making projections difficult.

Hybrid Cryptography

Use Symmetric key (fast) to encrypt a msg and then you use Asymmetric key to encrypt Symmetric key and include it with the msg

What is a digital envelope?

Use private key to encode a msg, then use public key to carry the private key (more efficient than using public key for everything)

Markov Analysis

Used to analyze systems that can exist in multiple states. Assumes that future events are independent of past event

What is a digital certificate (aka identity certificate)?

Used to bind public keys to persons or entities. If there were no certificates, the signature could be easily be forged, as the recipient could not check if the public key belongs to the sender.The certificate itself is signed by a trusted third party, a Certificate Authority like VeriSign. The certificate can be used to verify that a public key belongs to an individual.

Sneak circuit analysis

Used to determine pieces of equipment that may fail

Which of the following would data owners be primarily responsible for?

User entitlement changes

In an operational review of the processing environment which indicator would be most beneficial?

User satisfaction

Bayesian Analysis

Uses prior distribution data to determine the probability of a result

How do you classify assets?

Using an Information/Data Classification Policy

When should production data be used to test?

Using distinct test data rather than production data is preferable in order to prevent the disclosure of sensitive data to unauthorized personnel. Production data should be used as test data only in exceptional cases and with specific management approval.

Monitoring has flagged a security exception. What is the most appropriate action:

Validate the exception

ultimate objective of risk governance

Value creation, it is achieved when the three underlying objectives (benefits realization, risk optimization and resource optimization) are balanced.

A risk register contains

Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner

Security testing

Verifies that the modified/new system includes provisions for appropriate access controls and does not introduce any security holes that may compromise other systems

What the factors that affect Likelihood?

Volatility Velocity Proximity Interdependence Motivation Skill Visibility

What is the best standard for wireless communication?

WPA2 - can use AES for encryption

what is wardriving

Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).

A compliance oriented BIA

What is the most effective technique to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?

Asset Value

What the organization or another party would pay to take possession of an asset or deny access to it by others. Assets are typically valued on monetary basis.

What is a Risk?

When a threat exploits a vulnerability which damages an asset which breaks a business process

A way to determine integrity risk?

When a user or process has the power to change or delete data, the ways in which it interacts with data.

Business Opportunity

When an organization is will to take a risk.

Validating the companies policies to providers contract

When requesting info to comply with discovery, and enterprise lead learned that its cloud provider was not contracted to backup messages. What is the greatest concern?

What is Control Risk?

When the controls chosen to mitigate risk are incorrect

IPSEC

When you log in remotely you need to go through the Internet to reach the Intranet safe and sound. You can make this public Internet a virtual private network through encryption (i.e. VPN). You can either encrypt header (AH) or payload (ESP). Which is more secure? Tunnel

provisions to assess the compliance of the provider

Which of the following choices is the most important part of outsourcing a contract?

A community cloud deployment model

Which of the following cloud computing models is most appropriate for a collaborative research between universities?

Probability and Consequence

Which of the following combinations of factors helps quantify risk?

Lack of skilled resources

Which of the following examples fo risk should be addressed during application design?

A new risk detection

Which of the following is most essential for a risk management program to be effective?

Backdoors

Which of the following is of most concern for the risk practitioner regarding applications running in production?

It is the utmost importance to assign risk to individual owners to maximize accountability

Which of the following is the most important for effective risk management.

Failure et subject applications to testing and general IT controls

Which of the following is the most prevalent risk in the development of end-user computing applications?

An actor

Which of the following most affects a risk scenario?

Processing of sensitive data was subcontracted by the vendor

Which of the following outcomes of outsourcing noncore processes is of greatest concern to the management of an enterprise?

It drives the risk response plan

Which of the following statements best describes the value of a risk register?

Organizational Objectives

While defining risk management strategies, a risk practitioner needs to analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis. Some organizations may accept known risk, while others may invest in and apply mitigating controls to reduce risk

two types of unit testing:

White box testing, in which the develop has full access and visibility to the code itself Black box testing, in which the tester cannot see into the code module, application, or product to see how it works; typical of a device or executable purchased from a vendor

Users of IT services

Who is accountable for business risk related to IT?

Board of Directors

Who is accountable for the overall enterprise strategy for risk governance?

Senior Management

Who must give final sign off on the IT Risk management plan?

Compliance-oriented Business Impact Analysis (BIA)

Will identify all of the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities

Compliance-oriented Gap Analysis

Will identify the gaps in compliance to current requirements, but will not identify impacts to business objectives or activities

What is Work Function / Work Factor?

Work factor must be proportional to the value of the data (value of data is determined by a information security classification policy)

Is IT Risk part of Op Risk?

Yes

data you would update in a risk register

emerging risk changes in existing risk resolution or completion of a risk response status updates changes in risk ownership and accountability

When transmitting personal information across networks, there must be adequate control owners:

ensuring the privacy of personal information

Risk Analysis

estimates the frequency and magnitude of IT risk scenarios

system owner

every system is the responsibility of a system owner usually a senior manager in the department for which the system was built

case modeling

examines how a system will function to deliver value to its users

Scenario Analysis

examines possible future scenarios that were identified during risk identification, looking for risk associated with the scenario should it occur

Vulnerability-based scenario

examines the organization's known vulnerabilities and then attempts to anticipate threats that could exploit those vulnerabilities, projecting from these the consequences and magnitude of impact

risk assessment reports should have a consistent method for reporting risk that includes:

facilitating comparisons across time ensuring that report data is fully understood

FMEA

failure modes effects analysis

T/F the purpose of control monitoring is to verify if the control works

false control monitoring verifies the effectiveness of the addressing the risk

When would you use qualitative techniques?

for surveys and focus groups

Rank the order policy, standards, etc.

framework policy standard procedures - technical controls

framework publisher of: enterprise risk management - integrated framework

framework published by: COSO

framework publisher of: COBIT

framework published by: ISACA

framework publisher of: Enterprise value - govit valit

framework published by: ISACA

framework publisher of: Risk IT Framework

framework published by: ISACA

framework publisher of: Risk management framework

framework published by: NIST

2 key elements of risk assessment process

frequency and impact of risk

business process review requires input from...

knowledgeable representatives from all affected departments External experts who may also provide advice and assistance

what are risk culture reactions towards negative outcomes

learning culture vs blaming culture

Risk Tolerance

the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objective.

Capability Maturity Model (CMM)

from ISACA's COBIT 5 a five-level model laying out a generic path to process improvement (maturity) for software development in organizations with level zero—undefined and ad hoc activities and progresses—through the steps of defining and following a program; learning and enhancement of the program; and finally, a mature program that represents stable, quality processes and reliable, accurate information.

risk profile

the aggregated risk to the enterprise, including historical risk, critical risk and emerging risk.

An enterprise implements lagging (backward looking) key risk indicators in order to:

gather data to report to management

Brainstorming/Structured Interview

gathers a large group of types of potential risk or ideas to be ranked by a team. The initial analysis may be completed using prompts or interviews with an individual or small group

how does an implemented control relate to risk appetite?

goal of control design and implementation is to reduce residual risk to the level that management is willing to bear or accept, referred to as management's risk appetite or risk tolerance

Cost-benefit analysis uses what type of anlaysis? (quantitative, ...)

the analysis may be calculated using both qualitative and quantitative measures

why does inherent risk grow when other businesses areas are included?

it grows as the number of users and business areas that may be affected increases. Inherent risk reflects risk or exposure without accounting for mitigating action by management. It is often higher whenever multiple parties may have conflicting responsibilities for a business process

What is IT risk?

the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

The selection of key risk indicators for monitoring the risk management program should be based on selecting:

a balance between leading and lagging indicators

what should a scenario include?

a business objective or impact

risk ranking

a combination of all the components of risk including the recognition of the threats and the characteristics and capabilities of a threat source, the severity of a vulnerability, the likelihood of attack success when considering effectiveness of controls, and the impact to the organization of a successful attack.

Internal threats

the cause of a significant number of business impacts, which can be intentional and unintentional Malicious, intentional, unintentional, disgruntled,

DYNAMIC RISK PROFILE

a continuous cycle that recognizes the need to continuously monitor and assess the always-changing nature of risk. measures the effectiveness of the risk management program, and incorporates the following actions: Measuring compliance with laws and policies Reporting on the status of risk mitigation projects Identifying and addressing emerging threats

RISK MANAGEMENT is...

the coordinated activities to direct and control an enterprise with regard to risk

Bow Tie Analysis

a diagram to communicate risk assessment results by displaying links between possible causes, controls and consequences. The cause of the event is depicted in the middle of the diagram (the "knot" of the bow tie) and triggers, controls, mitigation strategies and consequences branch off of the "knot."

Human Reliability Analysis (HRA)

the effect of human error on systems and their performance

Bow Tie Analysis

RISK AVOIDANCE

the enterprise exits the activities or conditions that give rise to the risk.

greatest risk in third-party relationships

the fact that the enterprise is ceding direct control of it's IS processes

Event Tree Analysis

a forward-looking, bottom-up model that uses inductive reasoning to assess the probability of different events resulting in possible outcomes.

Checklists

a list of potential or typical threats or other considerations that should be of interest to the organization, whose items can be checked off one at a time as they are completed. The risk practitioner may use previously developed lists, codes or standards to assess the risk using this method.

risk register

a living document that needs to be continuously updated with new data

System ownership

a senior manager in the department for which the system was built ensures an enterprisewide approach to security to ensure consistency, reliable and secure operations, and integrated risk management

Hazard and Operability Studies (HAZOP)

a structured means of identifying and evaluating potential risk by looking at possible deviations from existing processes.

Elements of a risk register

a summarized account of the assessment process and is updated at regularly, including upon completion of the risk assessment

Vulnerability assessment

a valuable tool used to identify any gaps in the security profile of the organization should provide a thorough and complete review of all security controls, including both technical and nontechnical controls.

Risk appetite bands

acceptable - within risk appetite unacceptable - not within risk appetite, but within tolerance really unacceptable - not within risk appetite or tolerance

RISK MITIGATION

action must be taken to reduce the likelihood or the impact of the risk.

Why is Version Control a good practice?

addresses the risk that a change to a system will overwrite or bypass functionality that was changed in an earlier version.

Total Cost of Ownership (TCO)

all of the costs incurred before, during, and after a purchase to cover total cost spread across the life cycle of control implementation generally used in association with cost benefit analysis

SDLC (Software Development Life Cycle)

all phases of the systems development process ensure that a system is designed, developed, tested, implemented and operated with adequate controls and protection

Minimizing single points of failure of a widespread natural disaster can be controlled by:

allocating resources geographically

Likelihood

also called probability

NDA

provides confidentiality of shared materials and information. It does not apply to work performed under contract by one party for the other.

Scope Creep

also called requirement creep, refers to uncontrolled changes in a project's scope. Unless the scope of the project is controlled, its duration and budget cannot be effectively held to account, resulting in a high probability that the project will go over budget as it seeks to meet changing requirements.

Operationally Critical Threat Asset and Vulnerability Evaluation® (OCTAVE®) approach

an approach to risk assessment and ranking that is used to assist an organization in understanding, assessing and addressing its information security risk from the perspective of the organization. it is process driven and used to identify, prioritize and manage information security risk.

common element between Risk assessment standards, frameworks and techniques

an emphasis on ensuring that risk is appropriately documented in order to convey the current state.

Cross site scripting

an injection attack in which malicious scripts are injected into otherwise benign and trusted web sites. XSS results from insufficient input validation where a user can add malicious content to a web application.

Supply Chain vulnerability

an interruption that may affect their ability to function or delivery a product

Cause and Consequence Analysis

analysis combines techniques of a fault tree analysis and an event tree analysis and allows for time delays to be considered.

Risk Sharing (transfer)

the transfer of some or all of the impact of the risk with another organization.

Fault Tree Analysis

analysis that starts with an event and examines possible means for the event to occur (top-down) and displays these results in a logical tree diagram. This diagram can be used to generate ways to reduce or eliminate potential causes of the event.

Reliability-centered Maintenance

analyzes the functions and potential failures of a specific asset, particularly a physical asset such as equipment.

Physical Access to a system

provides the potential to bypass nearly every other type of control

Risk monitoring

provides timely information on the actual status of risk in the enterprise

quantitative or qualitative experience and expert knowledge

qualitative

quantitative or qualitative cost-benefit analysis

quantitative

Equipment vulnerability

as it ages, it becomes less efficient, effective, and able to support business functions. provided at the time of production with MTBF rating that indicates its anticipated life span and when it should be scheduled for removal or replacement

What happened in an IS audit?

assigned teams provide an independent and objective review of the effectiveness and appropriateness of the control environment

Qualitative Risk Assessment

assigns values on a comparative or ordinal basis (such as high, medium and low or a scale of 1 to 10) relies heavily on experience and expert knowledge

An enterprise is applying controls to protect its product price list from being exposed to un-authorized stuff. These internal controls include:

authentication and authorization

Likelihood x impact =

quantitative process

Which of the following is an example of a KPI?

average network availability uptime

Describe the bottom-up approach to developing risk scenarios

based on describing risk events that are specific to individual enterprise situations, typically hypothetical situations envisioned by the people performing the job functions in specific processes. The risk practitioner and assessment team start with one or more generic risk scenarios then refine them to meet their individual organizational needs including building complex scenarios to account for coinciding events

The best time to perform a pen-test is after:

various infrastructure changes are made

information security policy

based on management's commitment to protect the assets of the enterprise (and relevant information of its business partners) from threats, risk and exposures that could occur

Quantitative Risk Assessment

based on numerical calculations, such as monetary values Its reliance on numbers makes it precise

asset/impact approach scenario

based on the identification of critical and sensitive assets and the potential ways that these could be damaged

describe a top-down approach to scenario development

based on understanding business goals and how a risk event could affect the achievement of those goals. the risk practitioner looks for the outcome of events that may hamper business goals identified by senior management

cost-benefit analysis

basis for choosing control options If the expenditure on a control is greater than the benefit realized from the control, then that control cannot be justified. may be calculated using both qualitative and quantitative measures

What's a consideration for organizations that operate globally or even within different regions of one country?

build a global program of policies and a control suite to handle the common regulations and then have a regional or nation-specific addendum to handle the exceptions and their controls

BCP

business continuity planning

Risk assessments should be repeated at regular intervals because:

business threats are constantly changing.

how does KRI's support risk culture?

by helping the organization focus on important, relevant areas

how does KRIs support the risk management's Risk mitigation?

by providing a trigger for investigating an event or providing corrective action

how does KRIs support the risk management's Risk identification?

by providing an objective means for identifying risk

How does KRI's support Regulatory compliance?

by providing data that can be used as an input for operation risk capital calculations

how does KRI's support Risk measurement and reporting?

by providing objective and quantitative risk information

how does KRIs support the risk management's risk appetite?

by validating the organization's risk appetite and risk tolerance levels

Which framework is developed by ISACA and integrates other frameworks? a) (Val) IT b) IT Assurance Framework (ITAF) c) COBIT 5 d) Risk IT

c. COBIT 5

Risk appetite and tolerance

can change for a variety of reasons. This change can in turn necessitate updates to the risk register.

global policy benefit

can have local amendments to ensure alignment with local laws and regulations

CRISC

certified in risk and information systems control

pharming attack

changes the pointers on a domain name system server and redirects a user's session to a masquerading website

COSO

committee of sponsoring organizations treadway commission

Operational level agreement

comparable to an SLA but involves different departments within an organization. IP ownership is usually not disputed among departments within the same organization.

Risk evaluation

compares estimated risk against given risk criteria to determine the significance of the risk

what are risk culture reactions towards policy compliance

compliance vs non-compliance

Relevance Risk

composite form of business risk, requiring both integrity and availability to be addressed in order for it to be reasonably controlled. Transmitting information to the necessary recipients in a timely manner also creates tension with access (security) risk by increasing the potential for unintended release of information to unauthorized third parties.

What does encryption support?

confidentiality integrity authenticity of sender and non-repudiation by the sender (remember: no hashing = no integrity)

What are the tenets of risk management?

confidentiality, integrity, and availability

Security categorization equation

confidentiality,impact,integrity,impact,availability,impact

what are risk culture reactions towards taking risk

conservative (risk adverse) vs aggressive (risk taking)

BUSINESS PROCESS REVIEW

considers the impact of controls on the ability of the business to meet its objectives and the ability of users to accomplish their tasks in a simple, logical manner.

what a risk practitioner responsible for?

consulting about risk and recommending possible solutions for risk responses

IT risk drives the selection of ____ and justitifies the choice and operation of a _________.

control(s)

NIST states that an organization must provide risk-based cost effective ...

controls

IS audit is an important part of

corporate governance

CSF

critical success factor

cusum

cumulative summary. each value is added for a cummulative total.

Security Information and Event Management (SIEM)

data correlation tools that capture data from multiple sources

The DBA has decided to disable certain normalization control in the database to provide users with increased query control performance. This increases the risk of:

data redundancy

local policy disadvantage

decentralizes it. having one for each region will require the enterprise to maintain and test documentation and processes separately for each region. This approach can become extremely expensive, and may fail to leverage common practices entailed in a global policy that is amended locally

SLA

defines minimum performance targets; mechanisms for performance measurement; and, typically, penalties for noncompliance. It does not address matters of intellectual property (IP) ownership

Why is Quality Assurance a good practice?

it is a planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. ensures that the final version of the program cannot be modified inadvertently after it has been approved for implementation or during the final testing process.

SOW

defines terms of governance, conditions for third-party engagement and delineates IP ownership of products developed under the contract. Failure to include adequate language for IP may result in limited or no rights to resulting deliverables. Therefore, it is critical to review language rather than rely on boilerplate clauses to optimize ownership of deliverables and assess vulnerability associated with third-party engagements.

Communications Management Plan

defines who will be available to share information on risks and responses throughout the project

gap analysis

dentify the existence of a risk gap and the scope of actions that may be needed to close the gap

Monitoring is essential, but its effectiveness depends in large part on what?

its successful integration with reporting

root cause analysis

diagnosis to establish the origins of events so that these can be used for learning from consequences (typically errors and problems)

risk assessment report

documentation of results of the process used to identify and evaluate risk and it potential effects. naming those areas that present the highest risk, vulnerability or exposure, also used to manage the project delivery and project benefit risk.

The MOST important information to include in a risk management strategic plan

drawing a road map from the starting point; including the current state and desired future state

Risk assessments are MOST effective in a software development organization when they are performed:

during each stage of the system development life cycle (SDLC).

Principles of risk and control ownership

each risk scenario needs a risk owner to make sure the assessment results are analyzed and corrective actions are taken as necessary

How does a VLAN help with data sensitivity

You can use VLANs to separate data of varying sensitivity

What is the purpose of a digital envelope?

You use a digital envelope to protect a digital document from being visible to anyone other than the intended recipient.

Rootkits

____ are software suites that help intruders gain un-authorized admin access to a computer system.

Return on investment (ROI)

a measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered. (Net Income/Total investment)/Period of time

Bayesian analysis

a method of statistical inference that uses prior distribution data to determine the probability of a result. Relies on the prior distribution data to be accurate in order to be effective and to produce accurate results

Bayesian analysis

a method of statistical inference that uses prior distribution data to determine the probability of a result. This technique relies on the prior distribution data to be accurate in order to be effective and to produce accurate results.

hardening

a methodical review of security to ensure that systems have no unnecessary open ports or services available that could be used as an attack vector by an adversary or misused by an internal employee.

Root Cause Analysis

a process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems.

Gap analysis

a process of reviewing data sources to learn about the current state of IT risk, the results are compared to the desired states

Business Impact Analysis

a process to determine the impact of losing the support of any resource. In addition to identifying initial impact, a comprehensive BIA seeks to establish the escalation of loss over time. The goal of BIA is to provide reliable data on the basis of which senior management can make the appropriate decision.

Business Impact Analysis

a process to determine the impact of losing the support of any resource. goal is to provide reliable data on the basis of which senior management can make the appropriate decision.

define threat-based scenario

a risk event on the basis of threat agents and seeks to identify potential methods of attack

Layers of Protection Analysis (LOPA)

a semi-quantitative risk analysis technique that uses aspects of HAZOP data to determine risk associated with risk events. It also looks at controls and their effectiveness.

how do you achieve risk-based organizational objectives?

embed risk management activities into business processes

A Statement of work (SOW) defines what

governance terms and conditions for a third-party engagement and contains language that delineates the IP ownership of anything developed under the contract. An organization that fails to include adequate language regarding IP may find that it has paid for the labor to develop an application only to have limited rights to the resulting product (or even none at all). Therefore, reviewing this language for sufficiency under the circumstances of the engagement rather than relying on boilerplate clauses at the corporate level is an important part of assessing the vulnerability associated with a third-party engagement.

NIST RMF 7 steps

https://csrc.nist.gov/projects/risk-management/rmf-overview categorize select controls implement controls assess controls authorize systems monitor controls ("prepare" is in the middle)

Risk Assessment

identifies and evaluates risk and its potential effects. It includes recognizing and assessing critical functions and processes necessary for an enterprise to continue operating, defines the controls in place to reduce exposure, and evaluates the cost for such controls.

compliance-oriented business impact analysis (BIA)

identifies compliance factors against systems identified in BIA

compliance-oriented business impact analysis

identifies the compliance requirements to which the enterprise is subject and will assess their effect on business objectives and activities

The most important part objective of regularly testing information systems controls is to:

identify design flaws, failures, redundancies.

purpose of the business process review (7 reasons)

identify ways to: •Identify problems or issues with the current process •Gather information toward improving processes •Prepare a road map to implement required changes •Assign responsibility and accountability for projects •Schedule individual projects according to priority •Monitor project progress for attainment of milestones and production of deliverables •Review and obtain feedback on project results

Processes vulnerability

if deployed haphazardly or an inconsistent manner across the organization, the organization may be at risk of inconsistent management and results, lack of governance and reporting, and failure to ensure compliance with regulations.

Does this situation reduce impact or probability of an event? Backup procedures that include storage of multiple iterations in place for critical application files.

impact

CMM level 1

implemented process achieves its process purpose

Risk assessment report components

includes results of risk assessment process, includes the recommended responses to the risk, and recommendation may not be followed during the response and mitigation phases. must be clear, considering, accurate use terminology that is easily understood

What is one of the best employee-based controls?

interacting with employees to understand any frustrations, complaints or issues that they may be facing and to seek to resolve those issue

IEC

international electrotechnical commission

ISO

international organization for standards

Brainstorming/Structured Interview

interview and brainstorming model gathers a large group of types of potential risk or ideas to be ranked by a team. The initial interview or brainstorming may be completed using prompts or interviews with an individual or small group.

SMART

is a way of setting goals • Specific: Based on a clearly understood goal, clear and concise • Measureable: Able to be measured, quantifiable and objective • Attainable: Realistic and based on important goals and values • Relevant: Directly related to a specific activity or goal • Timely: Grounded in a specific time frame

Delphi Method

leverages expert opinion received using two or more rounds of questionnaires. After each round of questioning, the results are summarized and communicated to the experts by a facilitator. This collaborative technique is often used to build a consensus among experts.

Key Risk Indicator

linked to specific risks and provide an early warning alarm that a risk is emerging, criteria including Effort to Implement, Measure, and report.

risk action plan components

lists the chosen controls and outlines their implementation Enumeration of control and business goals Project dates and timelines Expected workforce requirements The costs associated with the project

misuse case modeling

looks at all the possible errors a system may endure

Cause-and-effect Analysis

looks at the factors that contributed to a certain effect and groups the causes into categories (using brainstorming), which are then displayed using a diagram, typically a tree structure or a fishbone diagram.

Preliminary Hazard Analysis

looks at what threats or hazards may harm an organization's activities, facilities or systems. The result is a list of potential risk.

interdisciplinary teams

manage risk to ensure that all areas are adequately considered in risk assessment and helps provide an enterprisewide perspective on risk

Change control

managed through a change control committee responsible for overseeing all IS operations and approving changes to those systems

RISK ACCEPTANCE

management must make a decision to allow or assume a risk without trying to reduce its likelihood or impact

threat modeling

mapping the methods to perpetrate an attack

Key performance indicators (KPIs)

measure how well a process is performing in terms of its stated goal. Like risk indicators, performance indicators are put in place in order to provide insight into whether action may be required. looks backward

vulnerability assessment

methodical review of security to ensure that there are no predictable and unaddressed attack vectors

Deterministic risk assessment

methods use point estimates which are often (but not necessarily always) worst-case estimates

Which of the following groups would be most effective in managing an executing an organization's risk program?

mid-level management

Based on a risk assessment, the primary objective for any enterprise is to protect...

mission-critical information

How do you calculate an asset's annual loss expectancy?

multiply the SLE by the ARO (the number of times the enterprise expects the loss to occur)

Relevance risk

not getting the right information to the right person at the right time for the correct action to be taken.

what do you need to have a risk scenario

not only a threat/ vulnerability + impact = a valid risk

moderate risk

noticeable failure threatening the success of certain goals

related risk events

often have common causal factors that can be addressed with a single risk response

Network vulnerabilities

often related to misconfiguration of equipment, poor architecture or traffic interception

Identity management

one of the most difficult challenges for system administrators

legal obligation

one of the principle external requirements for compliance

Parallel Changeover

operating both the new system and the old system simultaneously pros - minimizes the risk of a failed changeover to the new systems and allows staff to train on and become familiar with the new system before it is in full production cons - cost of maintaining both systems, ensuring that the data are consistent between both systems

Problem management

part of the Information Technology Information Library (ITIL) and is a process that is used to minimize the impact of problems in an enterprise. Metrics, known errors and incidents are all tracked to minimize problems.

fuzzing

testing the limit of the acceptable range of values and values beyond the allowable range in order to verify the functionality of input validation and process integrity controls. testing the field limits

Which of the following is the most appropriate metric to measure how well the information security function is administration of user access?

percentage of accounts with configuration in compliance

What are examples of Threats?

personnel, natural events, theft, terrorism, criminal acts, software errors, mechanical failure, accidents

how does an organizational structure play a role in risk?

plays role in how an organization communicates about risk assessment results

Utilities vulnerability

power failure or other environmental conditions that may lead to system failure

What controls should be used for logs?

prevents alteration or deletion. accessible to authorized personnel retain the most pertinent information for an adequate period of time Capture event data close to the source of an event to ensure that the activities of a process or person are more easily associated with the recorded event Contain data from a smaller rather than larger number of sources

Segregation of duties

principle of ensuring that no one person controls an entire transaction or operation that could result in fraudulent acts or errors

goal of IT risk analysis

prioritize areas with greatest risk likelihood and impact above those with lower likelihood and impact.

safegaurd

proactive controls

Does this situation reduce impact or probability of an event? A firewall that is implemented at the network perimeter and configured to block all unauthorized inbound traffic.

probability

Does this situation reduce impact or probability of an event? A personnel policy dictating that employees must complete compliance awareness training.

probability

Does this situation reduce impact or probability of an event?Processing facility entrances controlled using card readers and attendants.

probability

CMM level 5

process is continuously improved to meet relevant current and projected business goals

CMM level 2

process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained

CMM level 3

process is now implemented using a defined process that is capable of achieving its process outcomes

CMM level 4

process now operates within defined limits to achieve its process outcomes

Risk treatment

process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

risk assessment

process used to identify and evaluate risk and its potential effects. It includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce enterprise exposure and evaluating the cost for such controls.

data analysis: sensitivity analysis

quantitative risk analysis technique that: •Helps to determine which risk factors potentially have the most impact •Examines the extent to which the uncertainty of each element affects the target object when all other uncertain elements are held at their baseline values tornado diagram

counter-measures

reactive controls

It is MOST important for risk mitigation to:

reduce the likelihood of risk occurrence.

Return on security investment (ROSI)

refers specifically to the ROI for security controls

Phased Changeover

replacing individual components or modules of the old system with new or modified components pros - reduces the risk by gradually rolling out the new modules without impacting the entire system. cons - IT resource challenges arising from having to maintain two unique environments, Operational resource challenges, maintaining consistency of data, Extension of the project life cycle, Change management for requirements and customizations to maintain ongoing support of the older system

Documenting threats

requires using resources should also include examining the cause of past failures, audit reports, media reports, information from national computer emergency response teams (CERTs), data from security vendors and communication with internal groups

Once a risk assessment has been completed, the documented test results should be:

retained.

Which of the following activities should a risk professional perform to determine whether firewall deployments are deviating from the enterprise's infused policy?

review the firewall's parameter setting

four commonly accepted categories of risk responses or "treatments."

risk acceptance risk mitigation risk avoidance risk sharing

Operationally Critical Threat Asset and Vulnerability Evaluation® (OCTAVE®)

risk assessment and ranking system focuses on critical assets and the risk to those assets

RCSA

risk control self assessment

Inherent risk

risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls) untreated risk or minimally treated

Risk appetite bands

risk levels that are within the boundaries of acceptable risk as defined by senior management through the setting of the organizational risk appetite and risk tolerance. ex) acceptable, unacceptable, really unacceptable

RMF

risk management framework

RMIS

risk management information systems

Which of the following information system controls practices would be most effective against internal threats to confidentiality information stored within an application?

role-based access control

difference between Security incident vs security event

security event does not do harm, once it has the indication it does, it's considered a potential security incident (level of severity)

What are the Control assessment types

self-assessments audit vulnerability assessment penetration tests third-party assurance

Why is having a separate Development and Production a good practice?

separation of the networks and physical areas used by developers can protect the organization from unauthorized or inadequately tested changes.

the role of IT is to

serve the business

Abrupt Changeover

single-instant movement from the old system to the new system, with the old system immediately taken offline pros - useful when impact of lost processing is minor cons - potential for lost opportunities in business processing if it becomes necessary to roll back to the earlier system

Factors that affect the likelihood of an attack being launched against an enterprise.

skill and motivation of a hacker knowledge of vulnerabilities use of popular hardware or software value of the asset (which varies directly with motivation) environmental factors such as politics activists and disgruntled employees or dissatisfied customers.

Why is having a Fallback or Rollback a good practice?

so that it is possible to roll back to the earlier program or configuration if the new system does not work successfully.

standards publisher of: IT Audit and Assurance Standards

standards published by: ISACA

fault tree analysis

starts with an event and examines possible means for the event to occur (top-down) and displays these results in a logical tree diagram. This diagram can be used to generate ways to reduce or eliminate potential causes of the event.

What document does an organization refer to in order to determine the intellectual property ownership of an application built by a third party service provider?

statement of work

SPC

statistical process control

Structured "What If" Technique (SWIFT)

structured brainstorming to identify risk, typically within a facilitated workshop. It uses prompts and guide words and is typically used with another risk analysis and evaluation technique.

The success of the IT risk management effort is usually based on having an organization wide perspective of risk following a ________________________

structured methodology and gathering correct information

penetration test

targeted attempt to break into a system or application, or, in a physical test, to break into a building or secured area

Risk Owner

tasked with making the decision of what the best response is to the identified risk and must be at a level in the organization where he or she is authorized to make decisions on behalf of the organization and can be held accountable for those decisions.

data analysis: fault tree

technique that provides a systematic description of the combination of possible occurrences in a system, which can result in an undesirable outcome (top-level event) and Combines hardware failures and human failures

methods to test physical security vulnerabilities

testing locks, security guards, fire suppression systems, heating ventilation and air conditioning controls, lighting, cameras, and motion sensors

control owner

the manager or senior official in the organization who will bear the responsibility for determining the risk response. determines the level of control required to provide assurance of the effective management of the risk for which he or she is responsible

Applications and Web-facing Services

the most common entry points currently used by attackers

Risk Capacity

the objective amount of loss an enterprise can tolerate without its continued existence being called into question.

Cloud computer

the outsourcing of data processing does not remove the liability of the outsourcing organization to ensure proper data protection

factors that qualify risk

the probability (likelihood) of a threat exploiting a vulnerability resulting in a damaging consequence (impact) to an asset.

business risk for a particular threat can be expressed as

the probability of exploitation and magnitude of the impact

automated code comparison

the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure.

Job rotation

the process of cross-training and developing personnel with various skills that can step in where needed

risk communication

the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions

Define IDENTITY MANAGEMENT

the process of managing the identities of the entities (users, processes, etc.) that require access to information or information systems.

Update the risk register with

the results of the risk assessment

Residual risk

the risk that remains after management implemented a risk response, like internal controls or some other response to risk

low risk

the risk that results in certain unsuccessful goals

Extremely high risk

the risks that has large impact on enterprise and are most likely results in failure with severe consequences.

High risk

the significant failure impacting in certain goals not being met

factors to consider when moving a system to the public cloud

the system that has the least competitive distinction, complexity and sensitive/highly classified information

Current Risk

the term for risk as it exists in the moment, taking into account those actions that have already been taken but not actions that are anticipated or have been proposed. usually i have some controls are they sufficient or not? Current state, desired state, future state it can have a little bit of residual risk in it

External threats

threats to information systems from outside Natural disasters, hackers

What is the simple risk formula?

threats x vulnerabilities = risk

What is the purpose of a risk register?

to consolidate risk data into one place and permit the tracking of risk

what's the purpose of a risk register?

to consolidate risk data into one place and permit the tracking of risk it serves as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization

What is the underlying importance of risk management in relation to business goals and strategy?

to ensure that the risk is closely aligned with, and integrated into, the strategy, vision and direction of the organization

business impact analysis

to evaluate the impact of disruption over time to an enterprise's ability to operate. It determines the urgency of each business activity. Key deliverables include recovery time objectives and recovery point objectives.

What is the purpose of vulnerability identification?

to find the problems before they are found by an adversary and exploited, which is why an organization should conduct regular vulnerability assessments and penetration tests to identify, validate and classify its vulnerabilities

primary goal of an organization's IT risk management process

to protect the organization and its ability to perform its mission.

CMM Level 0

undefined and ad hoc activities and progresses

Indications of an emerging threats

unusual activity on a system, repeated alarms, slow system or network performance, or new or excessive activity in logs

Probabilistic Risk Assessment

use a mathematical model to construct the qualitative risk assessment approach while using the quantitative risk assessment techniques and principles.

Mandatory vacation

used in some organizations as a means to deter and detect fraud; these are often required by law

Markov Analysis

used to analyze systems that can exist in multiple states assumes that future events are independent of past events

Monte-Carlo Analysis

used to establish the aggregate variation in a system resulting from variations in the system, for a number of inputs, where each input has a defined distribution and the inputs are related to the output via defined relationships. For risk assessment, triangular distributions or beta distributions are commonly used.

Sneak Circuit Analysis

used to identify design errors or sneak conditions such as latent hardware, software or integrated conditions that are often undetected by system tests and may result in improper operations, loss of availability, program delays or injury to personnel

Key Risk Indicator (KRI)

used to measure risk levels in comparison to defined risk thresholds, so that the organization receives an alert when a risk level approaches an unacceptable level a subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk should be selected carefully and sparingly looks forward, predictive

why is a postimplementation review useful?

useful for the following purposes: Deriving lessons learned and enabling more effective results for future projects Determining whether the project was properly designed, developed, implemented and managed Confirming that the appropriate controls have been built into the system

quantitative assessment

uses likelihood and impact to calculate the monetary value of risk.

qualitative assessment

uses scenarios and ranking of risk levels in calculating the level of risk.

The goal of a penetration test

validate a vulnerability assessment

Controls are most effective when they are designed to reduce:

vulnerabilities

in relation to risk, a lapsed premium is an example of

vulnerability = a weakness in the design, implementation, operation or internal control of a process that could expose the enterprise to adverse threats from threat events

Vulnerabilities

weaknesses, gaps or holes in security that provide an opportunity for a threat or create consequences that may impact the organization

Control failure is

when a control is not operating correctly, is the wrong control, is configured incorrectly, or inadequate to address new threats.

Business continuity starts

where risk management ends

ompliance-oriented gap analysis

will only identify the gaps in compliance to current requirements and will not identify impacts to business objectives or activities

CIA Triad

• Confidentiality: Pertains to the requirement to maintain the secrecy and privacy of data • Integrity: The guarding against improper information modification, exclusion or destruction; includes ensuring information nonrepudiation and authenticity • Availability: Availability refers to ensuring timely and reliable access to and use of information

Hybrid cloud

•A composition of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

5 Components of a risk scenario:

•Agent: The internal or external party or entity that generates the threat •Threat type: The nature of the threat event (malicious or accidental; a natural event; an equipment or process failure) •Event: The security incident, such as the disclosure of information, the interruption of a system or project, including: -Theft -Improper modification of data or a process -Inappropriate use of resources -Changes to regulations -Lack of change management •Asset: The entity affected by the risk event, including: -People -Organizational structure -IT processes -Physical infrastructure -IT infrastructure -Information, applications •Time: If relevant to the scenario, including: -Duration (extended outage) -Timing (at a critical moment) -Detection (immediate detection or not) -Time lag between the event and consequence (immediate impact of an network failure versus long term problems from poor infrastructure)

Why is Risk monitoring and evaluation performed?

•Collect, validate and evaluate business, IT and process goals and metrics •Monitor processes to ensure that they are performing in line with established performance metrics •Provide reports that are systematic and timely

CRISC

Set pelajaran terkait

National Topic Tester Property Ownership

Final Exam-Skills Lab

Pharm Exam 2

Astronomy 1010 - Chapter #5

Art Test II

Crim investigation

Chapter 9

Principles of Marketing - Petersons Test 1

HRM 1102 Jeopardy Questions - Petrucci

Domain 1: Competency 004 (PPR)

MKTG 4280 Exam 2

Ch. 9 Defective Agreements Review

Sociology 101 Ch.2 Research Methods, Advantages, Disadvantages

Gender

CYU - Exam 2 (Dr.Ly)

Chapter 9: Covalent Bonding and Molecules

Proteins

Micro Exam

Primerica - General Insurance Chapter Quiz (AZ)

Jbbb