Domain 2 - 10th

55. Which of the following measures would be MOST effective against insider threats to confidential information? A. Role-based access control B. Audit trail monitoring C. Privacy policy D. Defense in depth

A is the correct answer. . Justification: A. Roll based access control is a preventive control that provides access according to business needs; therefore it reduces unnecessary access rights and enforces accountability B. Audit trail monitoring is an after-the-fact detective control. C. Privacy policy is not relevant to this risk. D. Defense in depth primarily focuses on external threats and control layering.

117. Addressing risk at various life cycle stages is BEST supported by: /\. change management. B. release management. C. incident management. D. configuration management.

A is the correct answer. Justification: A. Change management is the overall process to assess and control risk introduced by changes. It is involved in the greatest range of the system life cycle. B. Release management is the specific process to manage risk of production system deployment. C. Incident management is not directly relevant to life cycle stages. D. Configuration management is the specific process to manage risk associated with systems configuration, but change management addresses a broader range of risk.

199. After a thorough analysis of a low-impact security issue, a security analyst has identified similar, historical issues that were undetected and did not cause any disruptions to business operations. What information would BEST help effectively document the next steps for senior management to make mitigation decisions? A. Cost-benefit analysis B. Incident metrics C. Gap analysis D. Vulnerability scan results

A is the correct answer. Justification: A. A cost-benefit analysis will reveal whether a control is worth the cost to implement. B. Incident metrics are useful, but a low-impact event is unlikely to help with decision-making. C. Gap analysis is a part of the risk assessment and analysis process, not a part of the risk treatment process D. Vulnerability scan results are a part of the risk monitoring process, not a part of the risk treatment process.

90. Which of the following environments represents the GREATEST risk to organizational security? A. Locally managed file server B. Enterprise data warehouse C. Load-balanced web server cluster D. Centrally managed data switch

A is the correct answer. Justification: A. A locally managed me server is the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring. B. Data warehouses are subject to scrutiny, good change control practices and monitoring. C. Web server clusters are located in data centers or warehouses and are subject to good management. D. Centrally managed switches are part of a data center or warehouse.

82. Which of the following controls is MOST effective in providing reasonable assurance of physical access compliance to an unmanned server room controlled with biometric devices? A. Regular review of access control lists B. Security guard escort of visitors C. Visitor registry log at the door D. A biometric coupled with a personal identification number

A is the correct answer. Justification: A. A review of access control lists is a detective control that will enable an information security manager to ensure that authorized persons are entering in compliance with corporate policy. B. Visitors accompanied by a guard will also provide assurance but that may not be cost-effective. C. A visitor registry is the next most cost-effective control but not as secure. D. A biometric coupled with a personal identification number will strengthen access control; however, compliance assurance logs will still have to be reviewed to ensure only authorized access.

155. Under what circumstances do good information security practices dictate a full reassessment of risk? A. After a material control failure B. When regular assessments show unremediated risk C. Subsequent to installing an updated operating system D. After emergency changes have been initiated

A is the correct answer. Justification: A. A significant control failure indicates that either the control was poorly designed or the risk was properly identified and classified. B. Depending on the nature and extent of unremediated risk, reassessment may be warranted; however, in some cases the process of change management while addressing the risk will have provided adequate understanding of the risk and adequacy of treatment. C. Updating an operating system under change management will include an incremental assessment of any new risk and full reassessment is not likely to be needed. D. Emergency changes usually require that the change management process be completed subsequently and any specific new risk addressed, making it unlikely that a full risk reassessment is required.

84. What activity needs to be performed for previously accepted risk? A. Risk should be reassessed periodically because risk changes over time. B. Accepted risk should be flagged to avoid future reassessment efforts. C. Risk should be avoided next time to optimize the risk profile. D. Risk should be removed from the risk log after it is accepted.

A is the correct answer. Justification: A. Acceptance of risk should be regularly reviewed to ensure that the rationale for the initial risk acceptance is still valid within the current business context. The rationale for initial risk acceptance may no longer be valid due to changes, and risk therefore cannot be accepted permanently. B. Even risk that has been accepted should be monitored for changing conditions that could alter the original decision. C. Risk is an inherent part of business and avoiding it to improve the risk profile would be misleading and dangerous. D. Even risk that has been accepted should be maintained in the risk log and monitored for changing conditions that could alter the original decision.

191. The information security manager realized that the proposed acquisition of a new IT application will change the risk levels for the business function. The FIRST course of action is to: A. report the changes in risk levels to the business function head. B. stop the acquisition until implementing mitigating controls. C. proactively design and implement controls to mitigate risk. D. Engage a third party to reassess the risk.

A is the correct answer. Justification: A. An information security manager should report the risk of the new system to the business unit and recommend controls to mitigate the risk. Then the business can make the appropriate risk-based decision. B. The decision to proceed with the acquisition or not would be outside the scope of the information security manager. C. An information security manager may design the controls and the proposal but may not be able to enforce implementation. This is usually the responsibility of the system owner/business function head. D. A security manager may engage a third party to reassess the risk to confirm earlier assessments but subsequently must report the possible changes in risk levels to decision makers.

202. Which of the following will be the MAJOR concern when an employee connects an unauthorized personal device to the enterprise's network? A. Unintended release of malware B. Inadvertent loss of the personal device C. Undetected messaging among staff D. Slowdown of network performance

A is the correct answer. Justification: A. An uncontrolled technical device owned by an employee usually contains fewer controls and protective security measures than an enterprise device and, therefore, might be infected with malware. Connecting this type of device to the enterprise's network is a major risk as malware will infiltrate the enterprise, bypassing firewalls. Employees need to be educated on the proper use of personal technical devices, and an acceptable use or Bring Your Own Device (BYOD) policy should be in place. B. The loss of the device would present an issue; however, this would be secondary to a potential malware infection. C. Messaging among staff using personal devices would not be as big of a concern as the release of malware into the network. D. It is unlikely that network performance slows down as the result of personal devices connecting to the enterprise network.

174. Which of the following would be the FIRST step in effectively integrating risk management into business processes? A. Workflow analysis B. Business impact analysis C. Threat and vulnerability assessment D. Analysis of the governance structure

A is the correct answer. Justification: A. Analyzing the workflow will be essential to understanding process vulnerabilities and where risk may exist in integrating risk management into business processes. B. A business impact analysis will be important once the workflow and processes are understood in order to understand unit inputs, outputs and dependencies and the potential consequences of compromise. C. Threat and vulnerability assessments are properly conducted after the relationship between risk management and business processes has been determined through workflow analysis. D. The governance structure may be one of the vulnerabilities that poses a potential risk but it should be analyzed after the workflow analysis. Ideally, the governance structure should reflect the workflow.

97. An information security manager is performing a security review and determines that not all employees comply with the access control policy for the data center. The FIRST step to address this issue should be to: A. assess the risk of noncompliance. B. initiate security awareness training. C. prepare a status report for management. D. increase compliance enforcement.

A is the correct answer. Justification: A. Assessing the risk of noncompliance will provide the information needed to determine the most effective remediation requirements. B. If awareness is adequate, training may not help and increased compliance enforcement may be indicated. C. A report may be warranted ·but will not directly address the issue that is normally a part of the information security manager's responsibilities. D. Increased enforcement is not warranted if the problem is a lack of effective communication about security policy.

137. Monitoring has flagged a security noncompliance. What is the MOST appropriate action? A. Validate the noncompliance. B. Escalate the noncompliance to management. C. Update the risk register. D. Fine-tune the key risk indicator threshold.

A is the correct answer. Justification: A. Before any other action is taken, the security manager should ensure that the noncompliance identified by monitoring is not a false positive. B. The escalation to management should not occur until more is known about the situation, and even then only if it is outside the security manager's scope to address the issue. C. Updating the risk register is one possible response to validated noncompliance. D. Key risk indicator threshold changes would occur only if subsequent investigation found them to be necessary.

113. Which of the following is the MOST important reason to include an effective threat and vulnerability assessment in the change management process? A. To reduce the need for periodic full risk assessments. B. To ensure that information security is aware of changes. C. To ensure that policies are changed to address new threats. D. To maintain regulatory compliance.

A is the correct answer. Justification: A. By assessing threats and vulnerabilities during the change management process, changes in risk can be determined and a risk assessment can be updated incrementally. This keeps the risk assessment current without the need to complete a full reassessment. B. Information security should have notification processes in place to ensure awareness of changes that might impact security other than threat and vulnerability assessments. C. Policies should rarely require adjustment in response to changes in threats or vulnerabilities. D. While including an effective threat and vulnerability assessment may assist in maintaining compliance, it is not the primary reason for the change management process.

185. Addressing risk scenarios at various information system life cycle stages is PRIMARILY a function of: A. change management. B. release management. C. incident management. D. configuration management.

A is the correct answer. Justification: A. Change management is the overall process to assess and control risk scenarios introduced by changes. B. Release management is the process to manage risk scenarios of production system deployment, and it is a component of change management. C. Incident management addresses impacts when or after they occur. D. Configuration management is the specific process to manage risk scenarios associated with systems configuration, and it is a component of change management.

126. Control baselines are MOST directly related to the: A. enterprise's risk appetite. B. external threat landscape. C. effectiveness of mitigation options. D. vulnerability assessment.

A is the correct answer. Justification: A. Control baselines are designed to mitigate risk and will depend on the enterprise's risk appetite. B. The viability and existence of threats will have a direct bearing on control baselines, but only to the extent that they can exploit vulnerabilities and create a risk of potential impact. C. In some cases, the effectiveness may modify the control objectives if it is not feasible to mitigate the risk, but generally that will not change the objectives. D. Vulnerability assessments are conducted against a control baseline.

50. Attackers who exploit cross-site scripting vulnerabilities take advantage of: A. a lack of proper input validation controls. B. weak authentication controls in the web application layer. C. flawed cryptographic Secure Sockets Layer implementations and short key lengths. D. implicit web application trust relationships.

A is the correct answer. Justification: A. Cross-site scripting attacks inject malformed input. B. Attackers who exploit weak application authentication controls can gain unauthorized access to applications, but this has little to do with cross-site scripting vulnerabilities. C. Attackers who exploit flawed cryptographic Secure Sockets Layer implementations and short key lengths can sniff network traffic and crack keys to gain unauthorized access to information. This has little to do with cross-site scripting vulnerabilities. D. Web application trust relationships do not relate directly to the attack.

145. Which of the following items determines the acceptable level of residual risk in an enterprise? A. Management discretion B. Regulatory requirements C. inherent risk D. Internal audit findings

A is the correct answer. Justification: A. Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, organizational management may decide to accept risk. The target risk level for a control is ultimately subject to management discretion. B. Failure to comply with regulatory requirements has consequences, but those consequences are considered in the context of organizational risk. ln some cases, the cost of failure to comply may be lower than the cost of compliance; in this case, management may decide to accept the risk. C. Inherent risk is the risk that exists before controls are applied. D. The results of an internal audit are used to determine the actual level of residual risk, but whether this level is acceptable is fundamentally a function of management.

101. When a proposed system change violates an existing security standard, the conflict would be BEST resolved by: A. calculating the risk. B. enforcing the security standard. C. redesigning the system change. D. implementing mitigating controls.

A is the correct answer. Justification: A. Decisions regarding security should always weigh the potential loss from a risk against the benefits derived from the change. B. It is a management decision to determine if the change in risk is worth the benefit. C. Redesigning the proposed change might not always be the best option because it might not meet the business needs. D. Implementing additional controls might be an option, but it would be done after the change in risk was own.

27. An information security manager receives a report showing an increase in the number of security events. The MOST likely explanation is: A. exploitation of a vulnerability in the information system. B. threat actors targeting the enterprise in greater numbers. C. failure of a previously deployed detective control. D. approval of a new exception for noncompliance by management.

A is the correct answer. Justification: A. Exploitation of a vulnerability is likely to generate an increase in the number of security events. B. Absent a change in vulnerability, an increase in the number of threat actors targeting the enterprise would not explain an increase in security events. C. An increase in the number of security events that appear on reports suggests that detective controls are likely working properly, since failure of the control would result in an absence of events in the report. D. Exceptions approved by management may result in a higher number of security events on reports if notice of the exceptions is not provided to information security to allow updates to monitoring. However, exceptions are typically communicated to the information security manager, so this is an unlikely explanation for the increase.

150. When considering the extent of protection requirements, which of the following choices would be the MOST important consideration affecting all the others? A. Exposure B. Threat C. Vulnerability D. Magnitude

A is the correct answer. Justification: A. Exposure is the quantified potential for loss that may occur due to an adverse event, calculated as the product of probability and magnitude (impact). Because probability is itself a function of threat and vulnerability, exposure takes into account all three of the other factors and, if known, is the most important consideration. B. A threat is anything ( e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. Threats may cause harm only if they correspond to vulnerability, so the probability of an event can be calculated only when both are known. C. Vulnerability is a weakness in the design, implementation, operation or internal control that could expose the system to adverse threats from threat events. Vulnerability may lead to harm only when acted on by a corresponding threat, so the probability of an event can be calculated if both are known. D. Magnitude (or impact) measures the potential severity of loss from a realized event/scenario. Whether such an event will be realized depends on its probability (likelihood), which requires assessment of both threat and vulnerability.

103. What is the MOST cost-effective method of identifying new vendor vulnerabilities? A. External vulnerability reporting sources B. Periodic vulnerability assessments performed by consultants C. Intrusion prevention software D. Honeypots located in the demilitarized zone (DMZ)

A is the correct answer. Justification: A. External vulnerability sources are the most cost-effective method of identifying these vulnerabilities. B. The cost involved in periodic vulnerability assessments would be much higher. C. Intrusion prevention software would not identify new vendor vulnerabilities. D. Honeypots may or may not identify vulnerabilities and may create their own security risk.

45. A regulatory authority has just introduced a new regulation pertaining to the release of quarterly financial results. The FIRST task that the security officer should perform is to: A. identify whether current controls are adequate. B. communicate the new requirement to audit. C. implement the requirements of the new regulation. D. conduct a cost-benefit analysis of implementing the control.

A is the correct answer. Justification: A. If current security practices and procedures already meet the new regulation, then there is no need to implement new controls. B. It is likely that audit is already aware of the new regulation, and this is not the first thing to do. C. New controls to comply with the new regulation should only be implemented after determining existing controls do not meet requirements. D. A cost-benefit analysis would be useful after determining current controls are not adequate.

157. An enterprise has identified a major threat to which it is vulnerable. Which of the following choices is the BE.ST reason infom1ation security management would not be concerned with preventive remediation under these circumstances? A. The vulnerability is compartmentalized. B. Incident response procedures are in place. C. Compensating controls exist if there is any impact. D. The identified threat has only been found on another continent.

A is the correct answer. Justification: A. If the compartmentalization of the vulnerability results in the enterprise having no exposure, then there is no risk. B. Prevention is a more prudent approach to dealing with major threats than even the most capable incident response. C. Compensating controls are a less desirable approach to addressing a major threat than preventive remediation of its corresponding vulnerability. D. Distance is an inadequate barrier to compromise in the context of information systems.

75. Which of the following techniques MOST clearly indicates whether specific risk-reduction controls should be implemented? A. Cost-benefit analysis B. Penetration testing C. Frequent risk assessment programs D. Annual loss expectancy calculation

A is the correct answer. Justification: A. In a cost-benefit analysis, the annual cost of safeguards is compared with the expected cost of loss. This comparison can then be used to justify a specific control measure. B. Penetration testing may indicate the extent of a weakness but, by itself, will not establish the cost-benefit of a control. C. Frequent risk assessment programs will certainly establish what risk exists but will not determine the cost of controls. D. Annual loss expectancy is a measure that will contribute to the potential cost associated with the risk but does not address the benefit of a control.

67. When a major vulnerability in the security of a critical web server is discovered, immediate notification should be made to the: A. system owner to take corrective action. B. incident response team to investigate. C. data owners to mitigate damage. D. development team to remediate.

A is the correct answer. Justification: A. In order to correct the vulnerabilities, the system owner needs to be notified quickly before an incident can take place. B. Sending the incident response team to investigate is not correct because the incident has not taken place and notification could delay implementation of the fix data owners authorize to mitigate damage. C. Data owners would be notified only if the vulnerability could have compromised data. D. The development team may be called upon by the system owner to resolve the vulnerability.

48. Which of the following is a risk that would MOST likely be overlooked by an information security review during an onsite inspection of an offshore provider? A. Cultural differences B. Technical skills C. Defense in depth D. Adequate policies

A is the correct answer. Justification: A. Individuals in different cultures of ten have perspectives on what information is considered sensitive or confidential and how it should be handled that may be inconsistent with the enterprise's requirements. Cultural norms are not usually an area of consideration in a security review or during an onsite inspection. B. Technical skills are common scope areas for a security review to ensure that the offshore provider meets acceptable standards. C. Controls design and operational effectiveness are common scope areas for a security review to ensure that the offshore provider meets acceptable standards. D. Information security policies are common scope areas for a security review to ensure that the offshore provider meets acceptable standards.

25. information security managers should use risk assessment techniques to: A. justify selection of risk mitigation strategies. B. maximize the return on investment. C. provide documentation for auditors and regulators. D. quantify 1isk that would othe1wise be subjective.

A is the correct answer. Justification: A. Information security managers should use risk assessment techniques as one of the main bases to justify and implement a risk mitigation strategy as efficiently as possible. B. Risk assessment is only one part of determining return on investment. C. Providing documentation for auditors and regulators is a secondary aspect of using risk assessment techniques. D. If assessed risk is subjective, risk assessment techniques will not meaningfully quantify them.

184. An information security manager's MOST effective efforts to manage the inherent risk related to a third-party service provider will be the result of: A. limiting organizational exposure. B. a risk assessment and analysis. C. strong service level agreements. D. independent audits of third parties.

A is the correct answer. Justification: A. It is likely to be more effective to control the enterprise's vulnerabilities to third-party risk by limiting organizational exposure than to control the third party's actions. B. It is essential to know the risk but it does not manage the risk. C. Defining contractual responsibilities of third parties is important but it will not directly manage risk. D. Audits may indicate the threats posed by third parties but will not ensure that the risk is managed.

186. Which of the following is the FIRST action to be taken when the information security manager notes that the controls for a critical application are inadequate? A. Perform a risk assessment to determine the level of exposure. B. Classify the risk as acceptable to senior management. C. Deploy additional countermeasures immediately. D. Transfer the remaining risk to another enterprise.

A is the correct answer. Justification: A. It is most important to perform a risk assessment to determine the exposure if additional controls are not deployed. B. The exposure level needs to be redetermined and compared with the residual risk before this decision can be made. C. Additional countermeasures may be deployed after determining possible losses to avoid overprotecting or under protecting the asset. D. Risk transfer is an action that may be taken after reviewing the results of the risk assessment of the current situation.

87. What is the MOST effective way to ensure network users are aware of their responsibilities to comply with an enterprise's security requirements? A. Logon banners displayed at every logon B. Periodic security-related email messages C. An intranet website for information security D. Circulating the information security policy

A is the correct answer. Justification: A. Logon banners would appear every time the user logged on, and the user would be required to read and agree to terms before using the resources. Because the message would be conveyed in writing and would appear consistently, it could be easily enforceable in any enterprise. B. Security-related email messages are frequently considered spam by network users and would not, by themselves, ensure that the user agreed to comply with security requirements. C. The existence of an Intranet website would not force users to access it and read the information. D. Circulating the information security policy alone would not confirm that an individual user read, understood and agreed to comply with its requirements unless it was associated with a formal acknowledgment, such as a user's signature of acceptance.

189. During a third-party assessment of an information security system, the assessment team leader is informed that the vulnerability scanning team has not been providing information related to all critical and high vulnerabilities to system stakeholders. What is the FIRST action the assessment team leader should take? A. inform management of the finding B. Request a full vulnerability scan report from the vulnerability scanning team C. inform the vulnerability scanning team leader of the finding D. inform the system owner of the finding

A is the correct answer. Justification: A. Managers (i.e., risk manager, information security manager) need to be informed of this finding so they can take corrective actions related to missed critical and high vulnerabilities and inform senior management of the risk. B. Requesting a full vulnerability scan of the system may uncover problems with the scanning software, weaknesses in team processes and procedures, and misunderstandings in roles and responsibilities. However, management needs to be aware of the issue and determine the next steps. C. A meeting with the team leader may not be sufficient to address the risk as the problem may be with the manager, staff training, processes or other causes. D. Informing the system owner should occur, but it would not be the first step.

92. The return on investment of information security can BEST be evaluated through which of the following? A. Support of business objectives B. Security metrics C. Security deliverables D. Process improvement models

A is the correct answer. Justification: A. One way to determine the return on security investment is to illustrate how information security supports the achievement of business objectives. B. Security metrics measure improvement and effectiveness within the security practice but do not necessarily tie to business objectives. C. Listing deliverables does not necessarily tie to business objectives. D. Creating process improvement models does not necessarily tie directly to business objectives.

17. The decision whether an IT risk has been reduced to an acceptable level should be determined by: A. organizational requirements. B. information systems requirements. C. information security requirements. D. international standards.

A is the correct answer. Justification: A. Organizational requirements should determine when a risk has been reduced to an acceptable level. B. The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information systems requirements. C. The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information security requirements. D. Because each enterprise is unique, international standards may not represent the best solution for specific enterprises and are primarily a guideline.

200. An information security manager is tasked with initiating a risk assessment on controls focused on user access. Which of the following would be the MOST useful information to prepare for this assessment? A. Previous audit reports B. Current user access lists C. Access approval procedures D. Authentication log files

A is the correct answer. Justification: A. Previous audit reports will provide insight into trends and identified vulnerabilities that will greatly assist in a risk assessment. B. Current user access lists help with conducting the assessment, but the previous audit report may outline completed remediation actions. C. Access approval procedures help with conducting the assessment, but the previous audit report may outline completed remediation actions. D. Authentication log files help with conducting the assessment, but the previous audit report may outline completed remediation actions.

94. With which of the following business functions is integration of information security MOST likely to result in risk being addressed as a standard part of production processing? A. Quality assurance B. Procurement C. Compliance D. Project management

A is the correct answer. Justification: A. Quality assurance uses metrics as indicators to identify systemic problems in processes that may result in unacceptable levels of output quality. Because this monitoring is intended to be effectively continuous as a matter of statistical sampling, integrating information security with quality assurance helps to ensure that risk is addressed as a standard part of production processing. B. Procurement approves initial acquisitions, but it has no involvement in implementation or production monitoring. C. Compliance focuses on legal and regulatory requirements, which represent a subset of overall risk. D. The involvement of the project management office is typically limited to planning and implementation.

46. An online banking institution is concerned that a breach of customer personal information will have a significant financial impact due to the need to notify and compensate customers whose personal information may have been compromised. The institution determines that residual risk will always be too high and decides to: A. mitigate the impact by purchasing insurance. B. implement a circuit-level firewall to protect the network. C. increase the resiliency of security measures in place. D. implement a real-time intrusion detection system.

A is the correct answer. Justification: A. Residual risk is the remaining risk after management has implemented a risk response. Because residual risk will always be too high, the only practical solution is to mitigate the financial impact by purchasing insurance. Purchasing insurance is also known as risk transfer. B. The enterprise has determined the residual risk will always be too high and chosen to transfer the risk, so there is no need to attempt further mitigation. C. The enterprise has determined the residual risk will always be too high and chosen to transfer the risk, so there is no need to attempt further mitigation. D. The enterprise has determined the residual risk will always be too high and chosen to transfer the risk, so there is no need to attempt further mitigation.

3. Which of the following should a successful information security management program use to determine the amount of resources devoted to mitigating exposures? A. Risk analysis results B. Audit report findings C. Penetration test results D. Amount of IT budget available

A is the correct answer. Justification: A. Risk analysis results are the most useful and complete source of information for determining the amount of resources to devote to mitigating exposures. B. Audit report findings may not address all risk and do not address annual loss frequency. C. Penetration test results provide only a limited view of exposures. D. The IT budget is not tied to the exposures faced by the enterprise.

38. Which of the following steps in conducting a risk assessment should be performed FIRST? A. Identify business assets B. Identify business risk C. Assess vulnerabilities D. Evaluate key controls

A is the correct answer. Justification: A. Risk assessment requires that the business assets that need to be protected be identified before identifying the threats. B. The second step in risk assessment is to establish whether the threats represent business risk by identifying the likelihood and effect of occurrence. C. Assessing the vulnerabilities that may affect the security of the asset follows identifying business assets and risk. D. Risk evaluation after analysis is used to determine whether controls address the risk to meet the criteria for acceptability.

165. The PRIMARY purpose of risk evaluation is to: A. provide a basis on which to select risk responses. B. ensure that controls are deployed to mitigate risk. C. provide a means of targeting assessment activities. D. ensure that risk responses align with control objectives.

A is the correct answer. Justification: A. Risk evaluation provides management with the extent that the risk meets the acceptability criteria and options for response. Response to risk may come in the form of acceptance, transfer (sharing), mitigation or avoidance. B. Mitigation is only one possible response to risk. C. Risk evaluation is the final stage of an assessment activity. D. Control objectives align with the risk management strategy, which determines risk response.

7. During which phase of development is it MOST appropriate to begin assessing the risk of a new application system? A. Feasibility B. Design C. Development D. Testing

A is the correct answer. Justification: A. Risk should be addressed as early in the development of a new application system as possible. The projected risk associated with a new system may make it unfeasible. B. In some cases, identified risk could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design phase is not the best solution. C. The development phase is too late in the system development life cycle (SDLC) for effective risk mitigation. D. Waiting to assess risk until testing can result in having to start over on the project.

43. Which of the following choices would be the MOST significant key risk indicator? A. A deviation in employee turnover B. The number of packets dropped by the firewall C. The number of viruses detected D. The reporting relationship of IT

A is the correct answer. Justification: A. Significant changes in employee turnover indicate that something of consequence is impacting the workforce, which deserves the attention of the information security manager. If many senior developers are leaving the research and development group, for instance, it may indicate that a competitor is attempting to obtain the enterprise's development plans or proprietary technology. B. An increase in the number of packets being dropped may indicate a change in the threat environment, but there is no impact unless legitimate traffic is being impacted. Therefore, the number of packets dropped is not an effective key risk indicator (KRJ). C. An increase in the number of viruses detected may indicate a change in the threat environment, but the increase in detected viruses also indicates that the threat is adequately countered by existing controls. D. Changes in reporting relationships come about as a result of intentional business decisions, so the reporting relationship of IT is not a KRI.

108. To improve accuracy, which of the following is the MOST important action to take to account for the subjective nature of risk assessment? A. Train or calibrate the assessor. B. Use only standardized approaches. C. Ensure the impartiality of the assessor. D. Use multiple methods of analysis.

A is the correct answer. Justification: A. Studies show that training or calibrating the assessor improves accuracy and reduces the subjectivity of risk assessments. B. A standardized approach is less effective in preventing overestimation of risk. C. Assessor impartiality is important but does not compensate for the tendency to overestimate risk. D. Multiple methods of analysis may help accuracy but training risk assessors is the most effective.

194 An information security manager reviewing user access to a critical business application to ensure that users have rights aligned with their job responsibilities notes many instances of excessive access. Which of the fi.1llowing individuals would be the PRIMARY contact to inform regarding this risk? A. Application owner B. Users' manager C. Security manager D. Database administrator

A is the correct answer. Justification: A. The application owner should be informed about any potential risk to make appropriate decisions. B. The users' manager is responsible for access to the application; however, the application owner is the primary contact in this case. C. Security would not be immediately informed of this risk unless determined by the application owner. D. The database administrator is responsible for revoking access if determined by the application owner.

102. An internal review of a web-based application system reveals that it is possible to gain access to all employees' accounts by changing the employee's ID used for accessing the account on the uniform resource locator. The vulnerability identified is: A. broken authentication. B. unvalidated input. C. cross-site scripting. D. structured query language injection.

A is the correct answer. Justification: A. The authentication process is broken because, although the session is valid, the application should reauthenticate when the input parameters are changed. B. The review provided valid employee IDs, and valid input was processed. The problem here is the lack of reauthentication when the input parameters are changed. C. Cross-site scripting is not the problem in this case because the attack is not transferred to any other user's browser to obtain the output. D. Structured query language (SQL) injection is not a problem because input is provided as a valid employee ID and no SQL queries are injected to provide the output.

74. There is a delay between the time when a security vulnerability is first published, and the time when a patch is delivered. Which of the following should be carried out FJRST to mitigate the risk during this time period? A. Identify the vulnerable systems and apply compensating controls. B. Minimize the use of vulnerable systems. C. Communicate the vulnerability to system users. D. Update the signatures database of the intrusion detection system

A is the correct answer. Justification: A. The best protection is to identify the vulnerable systems and apply compensating controls until a patch is installed. B. Minimizing the use of vulnerable systems could be a compensating control but would not be the first course of action. C. Communicating the vulnerability to system users would not be of much benefit. D. Updating the signatures database of the intrusion detection system (IDS) would not address the timing of when the IDS signature list would be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this approach should not always be considered as the first option.

182. An information security manager observed a high degree of noncompliance for a specific control. The business manager explained that noncompliance was necessary for operational efficiency. The information security manager should: A. evaluate the risk due to noncompliance and suggest an alternative control. B. ignore the issue of operational efficiency and insist on compliance for the control. C. change the security policies to reduce the amount of noncompliance risk. D. conduct an awareness session for the business manager to emphasize compliance.

A is the correct answer. Justification: A. The information security manager must consider the business requirements of the control and assess the risk of noncompliance. B. Information security cannot ignore issues related to operational efficiency. The business can decide to accept the risk. C. Changing the information security policies may not reduce the risk. D. Conducting an awareness session may be a good idea, but it may not resolve the issue in this situation.

193. Which of the following is the MOST important element to consider when planning what to report to senior management related to information security risk? A. Business objectives B. Program metrics C. Risk tolerance D. Control objectives

A is the correct answer. Justification: A. The link of the risk to business objectives is the most important element that would be considered b senior management. B. Information security program metrics should be provided in the context of impact to business objectives. C. Risk tolerance is a baseline established by senior management, but the business objectives provide scope to risk management activities. D. Control objectives are an input for assessing risk.

160. At what point in the risk management process is residual risk determined? A. When evaluating the results of the application of new or existing controls or countermeasures B. When identifying and classifying information resources or assets that need protection C. When assessing threats and the consequences of a compromise D. After the elements of risk have been established, when combining them to form an overall view of risk

A is the correct answer. Justification: A. The objective of information risk management is to bring the information security residual risk to an acceptable level, so residual risk is evaluated first on the basis of existing controls and again after any new controls are designed or implemented. B. Identification and classification of information resources or assets that need protection is the first step of risk management and is followed by assessment of threats and vulnerabilities to determine probability. Probability is an input to calculating initial risk, so there is no basis for calculating residual risk at this stage. C. Knowledge of the threat environment and consequences of a compromise is inadequate to determine residual risk because it does not take into account vulnerability and exposures. D. The overall view of risk reflects an initial risk level that has not yet been reduced by application of controls. After elements of risk are combined to form an overall view of risk, the next step is to identify existing controls or design new controls to bring risk to an acceptable level.

105. An enterprise has learned of a security breach at another company that uses similar technology. The FIRST thing the information security manager should do is: A. assess the likelihood of incidents from the reported cause. B. discontinue the use of the vulnerable technology. C. report to senior management that the enterprise is not affected. D. remind staff that no similar security breaches have taken place.

A is the correct answer. Justification: A. The security manager should first assess the likelihood of a similar incident occurring, based on available information. B. Discontinuing the use of the vulnerable technology would not necessarily be practical because it would likely be needed to support the business. C. Reporting to senior management that the enterprise is not affected due to controls already in place would be premature until the information security manager can first assess the impact of the incident. D. Until this has been researched, it is not certain that no similar security breaches have taken place.

133. Which of the following approaches is BEST for addressing regulatory requirements? A. Treat regulatory compliance as any other risk. B. Ensure that policies address regulatory requirements. C. Make regulatory compliance mandatory. D. Obtain insurance for noncompliance.

A is the correct answer. Justification: A. There are many regulatory requirements with varying degrees of enforcement and possible sanctions. These should be assessed and treated as any other risk. B. Policies addressing compliance with regulatory requirements are not by themselves sufficient to deal with regulatory requirements. C. Mandatory compliance with all regulatory mandates without determining the risk and potential impact may not be cost-effective. D. Insurance for regulatory noncompliance may not be available.

162. When conducting a risk assessment, which of the following elements is the MOST important? A. Consequences B. Threat C. Vulnerability D. Probability

A is the correct answer. Justification: A. Unless the exploitation of vulnerability by a threat has consequences, there is no risk to the enterprise. B. A threat poses no risk absent corresponding vulnerability. C. Vulnerability poses no risk absent a corresponding threat. D. Probability is a function of threat and vulnerability, but even a guaranteed event poses no risk to the enterprise unless there are consequences.

177. What is the PRIMARY deficiency in using annual loss expectancy to predict the annual extent of losses? A. It is based on at least some subjective information. B. The overall process and computations are time-consuming. C. Effective use of the approach takes specialized training. D. The approach is not recognized by international standards.

A is the correct answer. Justification: A. When used for information risk, the annual loss expectancy (ALE) is based on at least some subjective information. B. Information security does not possess sufficient historic data to complete actuarial tables and provide highly refined predictions of the occurrence of events (e.g., accident data for the automotive industry). C. Time and training requirements are less important factors than the subjectivity that is inherent to ALE when assessing IT risk. D. Some international standards do recognize ALE, and even if this were not the case, it would not be a primary concern in most instances.

143. To be effective. risk management should be applied to: A. all organizational activities. B. elements identified by a risk assessment. C. any area that exceeds acceptable risk levels. D. only areas that have potential impact.

A is the correct answer. Justification: A. While not all organizational activities will pose an unacceptable risk, the practice of risk management is still applied to determine which risk requires treatment. B. Risk assessment is part of the risk management function. Risk assessment does not precede inclusion of the activity in the risk management program. C. Whether a risk level is acceptable can be determined only when the risk is known. D. Potential impact can be evaluated only when the risk is known and the value of the asset is determined.

167. When the security risk assessment result was reviewed, it was found that the rationale for risk rating varied by department. Which of the following would BEST improve this situation? A. Apply common risk measurement criteria to each department B. Introduce risk appetite and risk tolerance at the policy level C. Place increased focus on quantitative risk assessment D. Implement routine peer review of the risk assessment results

A is the correct answer. Justification: A. if departments are reaching different risk ratings for the same outcomes, common risk measurement criteria that can be used across the enterprise are needed. B. Risk appetite and risk tolerance inform the acceptance of risk but do not affect the risk ratings. C. Quantitative risk assessments produces numeric results, but subjectivity in inputs may continue to yield varying risk ratings among departments unless common criteria are applied. D. Peer review of risk assessments between departments may be hampered by differing expertise among staff members in different job functions. Also, the results of risk assessments generally should not be shared more broadly than is necessary to meet business goals.

37. Risk assessments should be repeated at regular intervals because: A. business threats are constantly changing. B. omissions in earlier assessments can be addressed. C. repetitive assessments allow various methodologies. D. they help raise awareness of security in the business.

A is the correct answer. justification: A. As business objectives and methods change, the nature and relevance of threats change as well. B. Omissions in earlier assessments do not, by themselves, justify regular reassessment. C. Use of various methodologies is not a business reason for repeating risk assessments at regular intervals. D. Risk assessments may help raise business awareness, but there are better ways of raising security awareness than by performing a risk assessment.

9. Risk acceptance is a component of which of the following? A. Risk assessment B. Risk mitigation C. Risk identification D. Risk monitoring

B is the correct answer. Justification: A. Risk assessment includes identification and analysis to determine the likelihood and potential consequences of a compromise, which is not when risk is to be considered for acceptance or required mitigation. B. If after risk evaluation a risk is unacceptable, acceptability is determined following risk mitigation efforts. C. Risk identification is the assessment process that identifies viable risk through developing a series of potential risk scenarios. D. Monitoring is unrelated to risk acceptance.

39. What is a reasonable expectation to have of a risk management program? A. It removes all inherent risk. B. It maintains residual risk at an acceptable level. C. It implements preventive controls for every threat. D. It reduces control risk to zero.

B is the correct answer. Justification: A. Risk management is not intended to remove every identified risk because it may not be cost-effective. B. The goal of risk management is to ensure that all residual risk is maintained at a level acceptable to the business. C. Risk management is not intended to implement controls for every threat because not all threats pose a risk, and it would not be cost-effective. D. Control risk is the risk that a control may not be effective; it is a component of the program but it is unlikely to be reduced to zero.

119. The chief information security officer (CISO) has recommended several information security controls (such as antivirus) to protect the enterprise's information systems. Which one of the following risk treatment options is the CISO recommending? A. Risk transfer B. Risk mitigation C. Risk acceptance D. Risk avoidance

B is the correct answer. .Justification: A. Risk transfer involves transferring the risk to another entity such as an insurance company. B. By implementing security controls, the company is trying to decrease risk to an acceptable level, thereby mitigating risk. c. Risk acceptance involves accepting the risk in the system and doing nothing further. D. Risk avoidance stops the activity causing the risk.

86. Which of the following controls would BEST prevent accidental system shutdown from the console or operations area? A. Redundant power supplies B. Protective switch covers C. Shutdown alarms D. Biometric readers

B is the correct answer. Justification A. Redundant power supplies would not prevent an individual from powering down a device. B. Protective switch covers would reduce the possibility of an individual accidentally pressing the power button on a device, thereby turning off the device. C. Shutdown alarms would take effect after the fact. D. Biometric readers would be used to control access to the systems.

18. Which of the following is the PRIMARY reason for implementing a risk management program? A risk management program: A. allows the enterprise to eliminate risk. B. is a necessary part of management's due diligence. C. satisfies audit and regulatory requirements. D. assists in increasing the return on investment.

B is the correct answer. Justification: A. The elimination of risk is not possible. B. The key reason for performing risk management is that it is an essential part of management's due diligence. C. Satisfying audit and regulatory requirements is of secondary importance. D. A risk management program may or may not increase the return on investment.

57. An enterprise plans to outsource its customer relationship management to a third-party service provider. Which of the following should the enterprise do FIRST? A. Request that the third-party provider perform background checks on their employees. B. Perform an internal risk assessment to determine needed controls. C. Audit the third-party provider to evaluate their security controls. D. Perform a security assessment to detect security vulnerabilities.

B is the correct answer. Justification: A. A background check should be a standard requirement for the service provider. B. An internal risk assessment should be performed to identify the risk and determine needed controls. C. Audit objectives should be determined from the risk assessment results. D. Security assessment does not cover the operational risk.

47. What mechanism should be used to identify deficiencies that would provide attackers with an opportunity to compromise a computer system? A. Business impact analysis B. Security gap analysis C. System performance metrics D. Incident response processes

B is the correct answer. Justification: A. A business impact analysis docs not identify vulnerabilities. B. Security gap analysis is a process that measures all security controls in place against control objectives, which will identify gaps. C. System performance metrics may indicate security weaknesses, but that is not their primary purpose. D. Incident response processes exist for cases in which security weaknesses are exploited.

181. An enterprise's IT change management process requires that all change requests be approved by the asset owner and the information security manager. The PRIMARY objective of getting the information security manager's approval is to ensure that: A. changes comply with security policy. B. risk from proposed changes is managed. C. rollback to a current status has been considered. D. changes are initiated by business managers.

B is the correct answer. Justification: A. A change affecting a security policy is not handled by an IT change process. B. Changes in the IT infrastructure may have an impact on existing risk. An information security manager must ensure that the proposed changes do not adversely affect the security posture. C. Rollback to a current state may cause a security risk event and is normally part of change management, but it is not the primary reason that security is involved in the review. D. The person who initiates a change has no effect on the person who reviews and authorizes an actual change.

154. Which of the following choices would be the MOST useful in determining the possible consequences of a major compromise? A. Risk assessment B. Asset valuation C. Penetration testing D. Architectural review

B is the correct answer. Justification: A. A comprehensive risk assessment requires an assessment of probability and potential consequences, so it goes beyond what is required. B. Asset valuation provides a cost representation of what the enterprise stands to lose in the event of a major compromise. C. Penetration tests indicate vulnerability rather than the value of what may be affected if a vulnerability is exploited. D. Architectural review may indicate vulnerability, but like penetration testing, it will not reveal the value of what may be affected if a vulnerability is exploited.

88. What is the MOST important action prior to having a third party perform an attack and penetration test against an enterprise? A. Ensure that the third party provides a demonstration on a test system. B. Ensure that goals and objectives are clearly defined. C. Ensure that technical staff has been briefed on what to expect. D. Ensure that special backups of production servers are taken.

B is the correct answer. Justification: A. A demonstration of the test system will reduce the spontaneity of the test. B. The most important action is to clearly define the goals and objectives of the test. C. Technical staff should not be briefed as that would reduce the spontaneity of the test. D. Assuming that adequate backup procedures are in place, special backups should not be necessary.

61. What is the BEST strategy for risk management? A. Achieve a balance between risk and organizational goals. B. Reduce risk to an acceptable level. C. Ensure that policy development properly considers organizational risk. D. Ensure that all unmitigated risk is accepted by management.

B is the correct answer. Justification: A. Achieving balance between risk and organizational goals is not always practical. B. The best strategy for risk management Is to reduce risk to an acceptable level, taking into account the enterprise's appetite for risk and the fact that it is not possible to eliminate all risk. C. Policy development must consider organizational risk and business objectives but is not a strategy. D. ft may be prudent to ensure that management understands and accepts risk that it is not willing to mitigate, but th.at is a practice and is not sufficient to be considered a strategy.

121. The BEST process for assessing an existing risk level is: A. an impact analysis. B. a security review. C. a vulnerability assessment. D. a threat analysis.

B is the correct answer. Justification: A. An impact analysis is used to determine potential impact in the event of the loss of a resource. B. A security review is used to determine the current state of security for various program components. C. While vulnerability assessments help identify and classify weakness in the design, implementation, operation or internal control of a process, they are only one aspect of a security review. D. A threat analysis is not normally a part of a security review. Threat assessments evaluate the type, scope and nature of events or actions that can result in adverse consequences; identification is made of the threats that exist against enterprise assets.

16. Which of the following situations presents the GREATEST information security risk for an enterprise with multiple, but small, domestic processing locations? A. Systems operation guidelines are not enforced. B. Change management procedures are poor. C. Systems development is outsourced. D. Systems capacity management is not performed.

B is the correct answer. Justification: A. Because guidelines are generally not mandatory, their lack of enforcement is not a primary concern. B. The lack of effective oversight is likely to result in inconsistent change management activities, which can present a serious security risk. C. Systems that are developed by third-party vendors are becoming common and do not represent an increase in security risk as much as poor change management. D. Poor capacity management may not necessarily represent a major security risk.

208. Which of the following should be completed prior to a risk assessment? A. Control identification B. Asset identification C. Threat identification D. Risk register identification

B is the correct answer. Justification: A. Controls are evaluated after assets are identified as part of the risk assessment process. B. Asset identification must be completed prior to risk assessment because it is the basis of the risk assessment. C. Threats are identified after assets are identified as part of the risk assessment process. D. The risk register is a catalog of risk categories or an inventory of risks identified and is not part of the risk assessment process.

166 Which of the following is the MOST supportable basis for prioritizing risk for treatment? A. Cost and asset value B. Frequency and impact C. Frequency and scope D. Cost and cff011

B is the correct answer. Justification: A. Cost to remediate is a major factor relative to the value of the applicable assets (i.e., is remediation appropriate for this asset versus another risk treatment option?). It is ineffective as a means of prioritization across different assets, because it does not take into account their business value. B. The balance between impact and frequency captures the adjusted probability of loss to the enterprise associated with each risk. It provides an immediate and relevant basis for prioritization of treatment, with high-impact and high-frequency risk ranking highest on the list. C. Breadth of scope is not necessarily equivalent to impact. Prioritizing a risk that affects a broad range of relatively unimportant systems over a risk that impacts a single critical system would not be beneficial to the enterprise. D. Effort is a subset of overall cost representing time and expertise. Unto itself, cost is not a suitable basis for prioritization.

58. What is the root cause of a successful cross-site request forgery attack? A. The application uses multiple redirects for completing a data commit transaction. B. The application has implemented cookies as the sole authentication mechanism. C. The application has been installed with a non-legitimate license key. D. The application is hosted on a server along with other applications.

B is the correct answer. Justification: A. Cross-site request forgery (XSRF) is related to an authentication mechanism, not to redirection. B. XSRF exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. It is a type of website attack in which unauthorized commands are transmitted from a trusted user. C. Anon-legitimate license key is related to intellectual property rights, not to XSRF vulnerability. D. Merely hosting multiple applications on the same server is not the root cause of this vulnerability.

72. What activity should information security management perform FIRST when assessing the potential impact of new privacy legislation on the enterprise? A. Develop an operational plan for achieving compliance with the legislation. B. Identify systems and processes that contain privacy components. C. Restrict the collection of personal information until compliant. D. Identify privacy legislation in other countries that may contain similar requirements.

B is the correct answer. Justification: A. Developing an operational plan for achieving compliance with the legislation is incorrect because it is not the first step. B. Identifying the relevant systems and processes is the best first step. C. Restricting the collection of personal information comes later. D. Identifying privacy legislation in other countries would not add much value.

79. When performing a qualitative risk analysis, which of the following will BEST produce reliable results? A. Estimated productivity losses B. Possible scenarios with threats and impacts C. Value of information assets D. Vulnerability assessment

B is the correct answer. Justification: A. Estimated productivity losses are better suited to quantitative analysis but without threats being considered would not produce useful results. B. Listing all reasonable scenarios that could occur, along with threats and impacts, would best frame the range of risk and facilitate a more informed discussion and decision. C. Value of information assets would be part of a quantitative analysis requiring threat to be considered as well. D. Vulnerability assessments would be better analyzed as a part of a quantitative analysis when threat is considered.

100. Logging is an example of which type of defense against systems compromise? A. Containment B. Detection C. Reaction D. Recovery

B is the correct answer. Justification: A. Examples of containment defenses are awareness, training and physical security defenses. B. Detection defenses include logging, monitoring, measuring, auditing, detecting viruses and intrusion. C. Examples of reaction defenses are incident response, policy and procedure change, and control enhancement. D. Examples of recovery defenses are backups and restorations, failover and remote sites, and business continuity plans and disaster recovery plans.

163. Which of the following activities is the FIRST step toward implementing a bring your own device (BYOD) program? A. Allow or deny access to devices based on their approval status. B. Conduct a stringent assessment process prior to approving devices. C. Implement a plan-do-check-act approach. D. Review and approve applications in the enterprise's application store.

B is the correct answer. Justification: A. For device access to be determined on the basis of approval status, an assessment process must be in place to grant approval. B. A stringent assessment process is critical to comply with corporate and regulatory requirements around policies, encryption, detection of jailbreaking or rooted devices, etc. C. Implementing a plan-do-check-act approach is part of the monitoring and enforcement process, but it is not a prerequisite. D. Having a review and approval process for applications in the enterprise's application store applies only to devices granted approval to access the network.

98. How does knowledge of risk appetite help to increase security control effectiveness? A. It helps to gain required support from senior management for information security strategy. B. It provides a basis for redistributing resources to mitigate risk above the risk appetite. C. It requires continuous monitoring because the entire risk environment is constantly changing. D. It facilitates communication with management about the importance of security.

B is the correct answer. Justification: A. Having knowledge of the enterprise's risk appetite is not the sole requirement for gaining senior management support. B. Understanding risk appetite in key security control areas helps redirect resources from risk at or below acceptable levels to risk above the appetite. The result is improved control effectiveness at no additional cost. C. This answer does not address the value of understanding risk appetite. The risk environment and control effectiveness do change, but continuous monitoring applies more to rapidly changing controls and to areas of greatest risk. Risk appetite changes are usually more stable. D. Knowledge of risk appetite does help to facilitate communication with management but is only one small clement of effective communication with senior management.

31. Which of the following choices represents the BEST attribute of key risk indicators? A. High flexibility and adaptability B. Consistent methodologies and practices C. Robustness and resilience D. The cost-benefit ratio

B is the correct answer. Justification: A. High flexibility and adaptability are commendable attributes but do not provide a consistent baseline for determination of significant deviations. B. Effective key risk indicators are the result of deviation from baselines. Consistent methodologies and practices establish baselines that represent the best attribute as they provide a stable point of reference for reporting progress. C. Robustness and resilience are commendable attributes, but they do not provide a consistent baseline for determination of significant deviations. D. The cost-benefit ratio is not a risk indicator.

60. At what point should a risk assessment of a new process occur to determine appropriate controls? It should occur: A. only at the beginning and at the end of the new process. B. throughout the entire life cycle of the process. C. immediately after the business case for the process is approved. D. prior to approving specifications for the new process.

B is the correct answer. Justification: A. Risk changes at various stages of the life cycle. If the assessment occurs only at the beginning and end of the process, important issues will be missed. B. A risk assessment should be conducted throughout the entire life cycle of a new or changed process. This allows an understanding of how implementation of an early control will affect control needs later. C. The timing of assessments should occur at each stage of the life cycle regardless of the process. D. Laws and regulations are not relevant to when risk should be assessed.

188. Which of the following is the MOST appropriate to communicate to senior management to enable them to make ongoing, timely decisions on current information security risk? A. Information security risk assessment results B. Key risk indicators related to critical business assets C. Internal and external loss historical data D. Information security risk scenario analysis results

B is the correct answer. Justification: A. Information risk assessments mostly focus on an enterprise's future risk. Although the risk assessment compares current controls against future and current risk, risk assessments cannot be conducted continuously. B. Key risk indicators (KRls) focus on the current risk and serve as an early warning of a potential risk. Reporting KRis to senior management would help them make decisions on current risk, such as adjusting or replacing the controls that are mitigating them. KRis continuously alert senior management to make management risk decisions. C. Internal and external loss data show past information risk but not current risk. D. Risk scenario analysis data are based on future possibilities and do not accurately show the current state of risk.

118. The PRJMARY reason to consider information security during the first stage of a project life cycle is: A. the cost of security is higher in later stages. B. information security may affect project feasibility. C. information security is essential to project approval. D. it ensures proper project classification.

B is the correct answer. Justification: A. Introducing security at later stages can cause projects to exceed budgets and can create issues with project schedules and delivery dates, but these outcomes are generally avoided if security issues are assessed in feasibility. B. Project feasibility can be directly impacted by information security requirements and is the primary reason to introduce information security requirements at this stage. The cost of security must be factored into any business case that will support project feasibility, and sometimes the cost of doing something securely exceeds the benefits that the project is anticipated to produce. c. Project approval is a business decision that may be influenced by information security considerations, but they are not essential. D. Considering information security during the first stage will not ensure proper project classification.

210. A solution using an emerging security technology may allow an enterprise to increase its revenue, but the technology remains unproven. Which of the following is the BEST approach to take when considering use of the technology? A. Hold until competitors introduce the solution. B. Run a pilot project to assess potential risk. C. Build the solution in a vendor's environment. D. Obtain insurance to cover unexpected losses.

B is the correct answer. Justification: A. Management may advise holding off until a competitor implements the technology; however, the enterprise would then lose out on any potential revenue presented by the opportunity. This decision is best made once potential risk is assessed. B. When considering using unproven, emerging technologies, it is best to start small. A pilot project will be best suited for this purpose because risk can be assessed in a controlled manner as the business explores the viability of the technology and potential further deployment on a larger scale. C. Even when the solution is built in a service vendor's technical environment, the service requestor must own the risk stemming from the technical solution. Therefore, the enterprise will want to assess the potential risk first. D. It is not common practice to buy insurance in anticipation of failures may be caused by unproven technology.

171. High risk volatility would be a basis for the information security manager to: A. base mitigation measures solely on assessed impact. B. raise the assessed risk level and increase remediation priority. C. disregard volatility as irrelevant to assessed risk level. D. perform another risk assessment to validate results.

B is the correct answer. Justification: A. Mitigation should be based on likelihood, potential impact and cost benefit. B. High risk volatility means that the risk is higher during one period and lower in another. The appropriate response is to assess risk at its highest level and due to unpredictability, raise the priority of treatment. C. Volatility must be considered in terms of maximum risk potential. D. A second risk assessment would not be useful as a volatility assessment and it would be unnecessary.

28. In order to highlight to management the importance of integrating information security in the business processes, a newly hired information security officer should FIRST: A. prepare a security budget. B. conduct a risk assessment. C. develop an information security policy. D. obtain benchmarking information.

B is the correct answer. Justification: A. Preparing a security budget should follow risk assessment to determine activities that need to be undertaken to address areas of concern. B. Risk assessment, analysis, evaluation and impact analysis will be the starting point for driving management's attention to information security and for highlighting its importance with respect to business practices. C. Developing an information security policy is based on and follows risk assessment. D. Benchmarking information will only be relevant after a risk assessment has been performed for comparison purposes.

14. Quantitative risk analysis is MOST appropriate when assessment results: A. include customer perceptions. B. contain percentage estimates. C. lack specific details. D. contain subjective information.

B is the correct answer. Justification: A. Qualitative analysis is a more appropriate approach for customer perceptions, which are difficult to express in a purely quantitative manner. B. Percentage estimates are a characteristic of quantitative risk analysis. C. Qualitative analysis is a more appropriate approach when there is a lack of specific details. D. Qualitative analysis is a more appropriate approach for subjective information.

1. An effective risk management program should reduce risk lo: A. zero. B. an acceptable level. C. an acceptable percent of revenue. D. an acceptable probability of occurrence.

B is the correct answer. Justification: A. Reducing risk to zero is impossible, and the attempt would be cost-prohibitive. B. An effective risk management program reduces the risk to an acceptable level; this is achieved by reducing the probability of a loss event through preventive measures and by reducing the impact of a loss event through corrective measures. C. Tying risk to a percentage of revenue is inadvisable because there is no direct correlation between the two. D. Reducing the probability of risk occurrence may not always be possible, as in the case of natural disasters.

156. High risk tolerance is useful when: A. the enterprise considers high risk acceptable B. the uncertainty of risk shown by an assessment is high. C. the impact from compromise is very low. D. indicated by a business impact analysis.

B is the correct answer. Justification: A. Risk tolerance is the acceptable deviation from acceptable risk and is not related to whether the risk is high or low. B. High risk tolerance (i.e., a high degree of variability in acceptable risk) addresses the issue of uncertainty in the risk assessment process itself. C. Risk tolerance is unrelated to impact. D. The degree of risk tolerance is not indicated by a business impact analysis.

140. Which of the following approaches would be BEST to address significant system vulnerabilities that were discovered during a network scan? A. All significant vulnerabilities must be mitigated in a timely fashion. B. Treatment should be based on threat, impact and cost considerations. C. Compensating controls must be implemented for major vulnerabilities. D. Mitigation options should be proposed for management approval.

B is the correct answer. Justification: A. Some vulnerabilities may not have significant impact and may not require mitigation. B. The treatment should consider the degree of exposure and potential impact and the costs of various treatment options. C. Compensating controls are considered only when there is a viable threat and impact, and only if the primary control is inadequate. D. Management approval may not be required in all cases.

192. Who should the information security manger FIRST notify after the discovery of an information security threat that is likely to exploit an unpatched server holding critical information? A. System administrators B. The system owner C. The data owner D. Incident response manager

B is the correct answer. Justification: A. System administrators may be involved, but they will act at the guidance of the system owner. B. The first person to be notified when an exploit is found should be the system owner, who will determine the best mitigation strategy. C. Data owners can be notified later in the process if the vulnerability may compromise data. D. The incident response manager should be notified if an incident related to the vulnerability is confirmed.

53. A third party was engaged to develop a business application. Which of the following is the BEST test for the existence of back doors? A. System monitoring for traffic on network ports B. Security code reviews for the entire application C. Reverse engineering the application binaries D. Running the application from a high-privileged account on a test system

B is the correct answer. Justification: A. System monitoring for traffic on network ports would not be able to detect all instances of back doors and is time-consuming and would take much effort. B. Security code reviews for the entire application is the best measure and will involve reviewing the entire source code to detect all instances of back doors. C. Reverse engineering the application binaries may not provide any definite clues. D. Back doors will not surface by running the application on high-privileged accounts because back doors are usually hidden accounts in the applications.

78. The PRIMARY reason for classifying information resources according to sensitivity and criticality is to: A. determine inclusion of the information resource in the information security program. B. define the appropriate level of access controls. C. justify the costs of each information resource. D. determine the overall budget of the information security program.

B is the correct answer. Justification: A. The assignment of sensitivity and criticality takes place with the information assets that have already been included in the information security program. B. The assigned class of sensitivity and criticality of the information resource determines the level of access controls to be put in place. C. Classification is unrelated to the costs of the information resource. D. The overall security budget is not directly related to classification.

73. When should risk assessments be performed for optimum effectiveness? A. At the beginning of security program development B. On a continuous basis C. While developing the business case for the security program D. During the business change management process

B is the correct answer. Justification: A. The beginning of a security program is only one time a risk assessment should be performed. B. Risk assessment needs to be performed on a continuous basis because of organizational and technical changes. Risk assessment must take into account all significant changes in order to be effective. C. During development of the business case is another point when risk assessment should occur. D. Risk should be assessed during the change management process but that is only one point.

22. Which of the following is the MOST usable deliverable of an information security risk analysis? A. Business impact analysis report B. List of action items to mitigate risk C. Assignment of risk to process owners D. Quantification of organizational risk

B is the correct answer. Justification: A. The business impact analysis report is a useful report primarily for future incident response and business continuity purposes but does not mitigate current risk. B. List of action items to mitigate risk is the most useful in presenting direct, actionable items to address organizational risk. C. Assigning risk is useful but does not by itself result in risk mitigation activities. D. Quantification of risk does not directly result in risk mitigation activities.

20. Which of the following types of risk is BEST assessed using quantitative risk assessment techniques? A. Stolen customer data B. An electrical power outage C. A defaced website D. Loss of the software development team

B is the correct answer. Justification: A. The effect of the theft of customer data could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques. B. The loss of electrical power for a short duration is more easily measurable than the other choices and can be quantified into monetary amounts that can be assessed with quantitative techniques. C. The risk of website defacement by hackers is nearly impossible to quantify but could lead to a permanent decline in customer confidence, which does not lend itself to measurement by quantitative techniques. D. Loss of a majority of the software development team would be impossible to quantify.

198. Which of the following situations would be the PRIMARY candidate for a risk reassessment in an enterprise? A. The antivirus management console has flagged two user laptops with outdated antivirus signatures. B. The key software solution vendor has been bought by an unknown enterprise. C. An incident of tailgating into the facility has been reported by an employee. D. The enterprise's email filters are picking up more spam in recent months.

B is the correct answer. Justification: A. The existing control (antivirus management console) is working effectively to identify the gaps, and it is alerting the relevant people. B. Given that not much is known about the enterprise acquiring the vendor, a risk reassessment is required to identify and manage any supply chain risk. Acquisition is considered a major change that would require risk reassessment. C. The reported incident would have been managed in keeping with the enterprise's incident management process. D. The existing control (email filter) is working effectively to identify the gaps and alerting the relevant people.

147. Reducing exposure of a critical asset is an effective mitigation measure because it reduces: A. the impact of a compromise. B. the likelihood of being exploited. C. the vulnerability of the asset. D. the time needed for recovery.

B is the correct answer. Justification: A. The impact of a successful exploit will not change. B. Reducing exposure reduces the likelihood of a vulnerability being exploited. C. The vulnerabilities of the asset will not change because exposure is reduced. D. The recovery time is not affected by a reduction in exposure.

89. What is the BEST action to undertake when a departmental system continues to be out of compliance with an information security policy's password strength requirement? A. Submit the issue to the steering committee. B. Conduct a risk assessment to quantify the risk. C. Isolate the system from the rest of the network. D. Request a risk acceptance waiver from senior management.

B is the correct answer. Justification: A. The issue should not be escalated before understanding the risk of noncompliance. B. A risk assessment is warranted to determine whether a risk acceptance should be granted and to demonstrate to the department the danger of deviating from he established policy. C. Isolating the system would not support the needs of the business. D. Any waiver should be granted only after performing a risk assessment.

128. Which of the following is the BEST indicator of the level of acceptable risk in an enterprise? A. The proportion of identified risk that has been remediated B. The ratio of business insurance coverage to its cost C. The percentage of the IT budget allocated to security D. The percentage of assets that have been classified

B is the correct answer. Justification: A. The proportion of unremediated risk may be an indicator, but there are many other factors unrelated to acceptable risk such as treatment feasibility, availability of controls, etc. B. The amount of business insurance coverage carried and the cost provide a directly quantifiable indication of the level of risk the enterprise will accept and at what cost. C. The percentage of the IT budget allocated to security is an indicator but does not quantify acceptable levels of risk. D. Classifying assets will indicate which assets are more important than others but does not quantify the acceptability of risk.

204. The human resources (HR) department is planning to introduce a procedure to deactivate an employee record within 24 hours of termination of employment. Which of the following would be of MOST concern to the information security manager when reviewing this procedure? A. Potential internal fraud to circumvent the controls in place B. Interdependencies between HR systems and business systems C. Integrity of the HR system record to produce a job assignment history D. Justification of 24 hours from risk management perspective

B is the correct answer. Justification: A. There is a possibility of internal fraud by a terminated employee, but this is a less severe threat than the interdependencies between HR systems and other business operations. B. Production systems will refer to the human resources (HR) database to check the identity of employees. If the reference to an employee attribute is lost during business transactions, it may affect business processes. (For instance, the financial ledger system may reject journal entries related to post-termination events pertaining to an employee, such as severance, tax adjustments, etc.) Thus, dependencies within the production systems need to be reviewed before this procedure is implemented. C. It is not common to generate a job assignment history of employees after ermination. Therefore, the integrity of a record is not a priority. D. Justification of timeframe (e.g., 24 hours) in a procedure may be evaluated by business and security management and then mutually signed off on. Unless there are any specific issues, this will not be a major concern.

136. What are the essential elements of risk? A. Impact and threat B. Likelihood and impact C. Threat and exposure D. Sensitivity and exposure

B is the correct answer. Justification: A. Threat is an element of risk only in combination with vulnerability. B. Risk is the combination of the probability of an event and its impact. C. Threat and exposure are insufficient to determine risk. D. Sensitivity is a measure of consequence but does not take into account probability.

144. Faced with numerous risk scenarios, the prioritization of treatment options will be MOST effective if based on the: A. existence of identified threats and vulnerabilities. B. likelihood of compromise and subsequent impact. C. results of vulnerability scans and remediation cost. D. exposure of corporate assets and operational risk.

B is the correct answer. Justification: A. Threats and vulnerabilities are the measure of risk, but without knowing potential impact, the most cost-effective treatment options will not be clear. B. Probability of compromise coupled with the likely impact will be the most important considerations for selecting treatment options. C. Vulnerabilities and the cost to remediate without considering impact do not provide enough information to make the best treatment selection. D. Exposure of assets will modify the effective risk by affecting the likelihood that a vulnerability will be exploited; however, it is insufficient information to choose the best treatment option. Operational risk is only one part of overall risk.

151. Which of the following should be understood before defining risk management strategies? A. Risk assessment criteria B. Organizational objectives and risk appetite C. IT architecture complexity D. Enterprise disaster recovery plans

B is the correct answer. Justification: A. Toe assessment criteria are not relevant to defining risk management strategies. B. The risk management strategy must be designed to achieve organizational objectives and to provide adequate controls to limit risk to be consistent with the risk appetite. C. IT architecture complexity may pose a challenge to the risk assessment process but should not affect the risk management strategy directly. D. Disaster recovery plans are an element of the risk management strategy but are addressed by organizational objectives and risk appetite.

207. Which of the following processes is PRIMARILY supported by information asset identification and classification? A. Risk register development B. Risk assessment C'. Cybersecurity training program D. Regulatory compliance requirement

B is the correct answer. Justification: A. Tracking risk in a register is important, but it is not solely based on the classification of the asset. B. Unless assets are identified and classified, it will not be possible to assess the risk associated with each asset. C. Cybersecurity training should be risk-based. However, user training is typically based on a scenario, such as phishing. D. While addressing compliance risk is valid, the key benefit goes beyond compliance because classification assists the enterprise in protecting the assets through incident response. If the incident response plan is lacking, the enterprise would consider additional policy statements to protect higher priority assets. Incident response plans are of ten safety nets for limiting damage when a control fails or does not exist.

132. Which of the following actions should the information security manager take FIRST on finding that current internals are not sufficient to prevent a serious compromise? A. Strengthen existing controls. B. Reassess the risk. C. Set new control objectives. D. Modify security baselines.

B is the correct answer. Justification: A. Unless a detailed assessment of the finding is completed, spending resources on strengthening the existing controls will not be an appropriate step. B. Control decisions are driven by risk. Risk should be carefully reassessed and analyzed to correct potential misjudgment in the original assessment. C. A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. Changes to control objectives should be made after risk has been reassessed. D. Security baselines set by appropriate standards are the minimum security requirements for different trust domains across the enterprise. Baselines may need to be strengthened after risk has been reassessed.

112. Value at risk can be used: A. as a qualitative approach to evaluating risk. B. to determine maximum probable loss over a period of time. C. for risk analysis applicable only to financial enterprises. D. as a useful tool to expedite the assessment process.

B is the correct answer. Justification: A. Value at risk (VAR) is an analysis tool, not an assessment tool and is quantitative rather than qualitative. B. VAR provides a quantitative value of the maximum probable loss in a given time period-typically at 95 or 99 percent certainty. C. While primarily used by financial enterprises, applicability to information security has been demonstrated. D. VAR calculations are typically complex and time-consuming.

24. Which two components PRIMARILY must be assessed in an effective risk analysis? A. Visibility and duration B. Likelihood and impact C. Probability and frequency D. Financial impact and duration

B is the correct answer. Justification: A. Visibility and duration are not the primary elements of a risk analysis. B. Likelihood and impact are the primary elements that are determined in a risk analysis. C. Probability is the same as likelihood, and frequency is considered when determining annual loss expectancy, but it is a secondary analysis element. D. Financial impact is one of the primary considerations, but duration is a secondary element of the analysis.

56. After a risk assessment study, a bank with global operations decided to continue conducting business in certain regions of the world where identity theft is rampant. The information security manager should encourage the business to: A. increase its customer awareness cff01ts in those regions. B. implement monitoring techniques to detect and react to potential fraud. C. outsource credit card processing to a third party. D. make the customer liable for losses if they fail to follow the bank's advice.

B is the correct answer. Justification: A. While customer awareness helps mitigate risk, this is insufficient on its own to control fraud risk. B. Implementing monitoring techniques, which will detect and deal with potential fraud cases, is the most effective way to deal with this risk. C. If the bank outsources its processing, the bank still retains liability. D. While it is an unlikely possibility to make the customer liable for losses, the bank needs to be proactive in managing risk.

104. Which is the BEST way to assess aggregate risk derived from a chain of linked system vulnerabilities? A. Vulnerability scans B. Penetration tests C. Code reviews D. Security audits

B is the correct answer. justification: A. Security assessments, such as vulnerability scans, can help give an extensive and thorough risk and vulnerability overview but will not be able to test or demonstrate the final consequence of having several vulnerabilities linked together. B. A penetration test is normally the only security assessment that can link vulnerabilities together by exploiting them sequentially. This gives a good measurement and prioritization of risk. Penetration testing can give risk a new perspective and prioritization based on the result of a sequence of security problems. C. Code reviews are very time-consuming and unlikely to occur on different parts of a system at the same time, making the discovery of linked system vulnerabilities unlikely. D. Audits are unlikely to assess aggregate risk from linked system vulnerabilities.

149. Which of the following choices is MOST likely to achieve cost-effective risk mitigation across the enterprise? A. A chief risk officer B. Consistent risk assessments C. Assurance process integration D. Defined acceptable risk levels

C is the correct answer. Justification: A. A chief risk officer is usually helpful in identifying many types of risk faced by an enterprise, but remediation is a function of many organizational units, and unless their activities are integrated, there is the possibility of duplicated efforts or gaps in protection. B. Risk assessments are helpful in exposing risk but by themselves do not serve to mitigate the identified risk. C. Integrating the risk mitigation of the typical enterprise's many risk management and assurance functions will best ensure that there are no gaps in protection efforts and a minimum of duplicated efforts, which is likely to result in the best coverage at the lowest cost. D. Defining acceptable risk levels can provide guidance to the enterprise about the required levels of mitigation required but does not prevent duplication of efforts or gaps in protection.

34. Which of the following is MOST essential for a risk management program to be effective? A. Flexible security budget B. Sound risk baseline C. Detection of new risk D. Accurate risk reporting

C is the correct answer. Justification: A. A flexible security budget is essential for implementing risk management. However, without identify new risk, other procedures will only be useful for a limited period. B. A sound risk baseline is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period. C. All of these procedures are essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period. D. Accurate risk reporting is essential for implementing risk management. However, without identifying new risk, other procedures will only be useful for a limited period.

123. Which of the following choices BEST reveals the evolving nature of attacks in an online environment? A. A high-interaction honeypot B. A rogue access point C. Industry tracking groups D. A vulnerability scanner

C is the correct answer. Justification: A. A honeypot is used to lure a hacker and learn the methods of attacks. However, an attacker may or may not use known methods of attacks. Also, the honeypot will only reveal attacks directed against the enterprise, not the overall nature of attacks occurring in the broader online environment. B. A rogue access point is put in place by an attacker to lure legitimate users to connect to it. C. Industry tracking groups, such as Infraguard, US Computer Emergency Readiness Team (CERT) and Internet Storm Center, provide insight into what sort of attacks are affecting enterprises on a national or global scale. D. Even if a vulnerability scanner is updated regularly, it will reveal vulnerabilities, not attacks.

54. A company's mail server allows anonymous File Transfer Protocol access, which could be exploited. What process should the information security manager deploy to determine the necessity for remedial action? A. A penetration test B. A security baseline review C. A risk assessment D. A business impact analysis

C is the correct answer. Justification: A. A penetration test may identify the vulnerability but not potential threats or the remedy. B. A security baseline review may identify the vulnerability but not the remedy. C. A risk assessment will identify the business impact of the vulnerability being exploited and the remedial options. D. A business impact analysis will identify the impact of the loss of the mail server and requirements for restoration.

91. Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system? A. User ad hoc reporting is not logged. B. Network traffic is through a single switch. C. Operating system security patches have not been applied. D. Database security defaults to ERP settings.

C is the correct answer. Justification: A. Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security weakness as the failure to install security patches. B. Routing network traffic through a single switch is not unusual. C. The fact that operating system security patches have not been applied is a serious weakness. D. Database security defaulting to the enterprise resource planning system's settings is not significant.

120. The information security policies of an enterprise require that all confidential information must be encrypted while communicating to external entities. A regulatory agency insisted that a compliance report must be sent without encryption. The information security manager should: A. extend the information security awareness program to include employees of the regulatory authority. B. send the report without encryption on the authority of the regulatory agency. C. initiate an exception process for sending the report without encryption. D. refuse to send the report without encryption.

C is the correct answer. Justification: A. Although this choice may not be possible, the information security manager can discuss and understand the reason for insisting on an unencrypted report and try to convince the regulatory authority. B. If the information security manager chooses to ignore the regulatory authority's request (which may not be possible in many parts of the world), it is necessary that a comparative risk assessment be conducted. C. The information security manager should first assess the risk in sending the report to the regulatory authority without encryption. The information security manager can consider alternate communication channels that will address the risk and provide for the exception. D. The information security policy states that confidential information must be encrypted when sent to external entities. The information security manager's role is to find a way within the policy to complete the task. The best way to do this is to initiate an exception.

35 Which of the following metrics will provide the BEST indication of organizational risk? A. Annual loss expectancy B. The number of information security incidents C. The extent of unplanned business interruptions D. The number of high-impact vulnerabilities

C is the correct answer. Justification: A. Annual loss expectancy is the quantification of loss exposure based on probability and frequency of outages with a known or estimated cost. It is part of a business impact analysis and may be calculated at the enterprise or system level, but it is based on projections rather than on observed data. B. The number of recorded or recognized incidents does not reveal impact or indicate organizational risk. C. An unplanned business interruption will be the best indication of organizational risk as it provides a quantifiable measure of how much business may be lost due to the inability to acquire, process and produce results that affect customers. D. The number of high-impact vulnerabilities provides an indication of weakness within the information network and/or systems but is not by itself an indicator of risk.

32. What is the FIRST step of performing an information risk analysis? A. Establish the ownership of assets. B. Evaluate the risk to the assets. C. Take an asset inventory. D. Categorize the assets.

C is the correct answer. Justification: A. Assets must be inventoried before ownership of the assets can be established. B. Assets must be inventoried before risk to the assets can be evaluated. C. Assets must be inventoried before any of the other choices can be performed. D. Assets must be inventoried before they can be categorized.

178. Once the objective of performing a security review has been defined, the NEXT step for the information security manager is to determine: A. constraints. B. approach. C. scope. D. results.

C is the correct answer. Justification: A. Constraints must be determined to understand the limits of the review, but this is not the next step B. Approach must be defined after scope and constraints. C. Scope is defined after objectives are determined. D. Results are last after scope, constraints and approach.

29. When performing a quantitative risk analysis, which of the following is MOST important to estimate the potential loss? A. Evaluate productivity losses. B. Assess the impact of confidential data disclosure. C. Calculate the value of the information or asset. D. Measure the probability of occurrence of each threat.

C is the correct answer. Justification: A. Determining how much productivity could be lost and how much it would cost is a step in the potential risk estimation process. B. Knowing the impact if confidential information is disclosed is also a step in the estimation of potential risk. C. Calculating the value of the information or asset is the first step in a risk analysis process to determine the impact to the enterprise, which is the ultimate goal. D. Measuring the probability of occurrence for each threat identified is a step in performing a threat analysis and, therefore, a partial answer.

130. Highly integrated enterprise IT systems pose a challenge to the information security manager when attempting to set security baselines PRIMARILY from the perspective of: A. increased difficulty in problem management. B. added complexity in incident management. C. determining the impact of cascading risk. D. less flexibility in setting service delivery objectives.

C is the correct answer. Justification: A. Determining root causes in problem management may be more difficult in highly integrated systems because of the many interconnected functions, but that is not the primary risk concern. B. Incident management may be affected by the added complexity of highly integrated systems when attempting to quickly isolate and ascertain the source of a problem along a chain of tightly coupled functions; however, that is not the primary issue. C. Highly integrated systems are more susceptible to cascading risk where the failure or compromise of any one element could cause a domino effect of failures. D. Setting service delivery objectives will be constrained by the extent of the integration because most elements require the same level of functionality. This is due to a lower service level of any component reducing functionality of all dependent elements; however, this is not the primary consideration.

77. TI1e MOST important reason that statistical anomaly-based intrusion detection systems (stat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs: A. create more overhead than signature-based IDSs. B. cause false positives from minor changes to system variables. C. generate false alarms from varying user or system actions. D. cannot detect new types of attacks.

C is the correct answer. Justification: A. Due to the nature of statistical anomaly-based intrusion detection system (stat IDS) operations (i.e., they must constantly attempt to match patterns of activity to the baseline parameters), a stat IDS requires much more overhead and processing than signature-based versions. However, this is not the most important reason. B. Due to the nature of a stat IDS-based on statistics and comparing data with baseline parameters-this type of IDS may not detect minor changes to system variables and may generate many false positives. However, this is not the most important reason. C. A stat IDS collects data from normal traffic and establishes a baseline. It then periodically samples the network activity based on statistical methods and compares samples to the baseline. When the activity is outside the baseline parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a host's memory or central processing unit usage, network packet types and packet quantities. If actions of the users or the systems on the network vary widely with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another almost certainly will generate false alarms. This weakness will have the largest impact on the operation of the IT systems. D. Because the stat IDS can monitor multiple system variables, it can detect new types of variables by tracing for abnormal activity of any kind.

99. A business unit intends to deploy a new technology in a manner that places it in violation of existing information security standards. What immediate action should an information security manager take? A. Enforce the existing security standard. B. Change the standard to permit the deployment. C. Perform a risk analysis to quantify the risk. D. Perform research lo propose use of a better technology.

C is the correct answer. Justification: A. Enforcing existing standards is a good practice; however, standards need to be continuously examined in light of new technologies and the risk they present and business requirements. B. Standards should not be changed without an appropriate risk assessment. C. Resolving conflicts of this type should be based on a sound risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. A blanket decision should never be made without conducting such an analysis. D. It would not be the job of the security manager to research alternative technologies.

65. A serious vulnerability is reported in the firewall software used by an enterprise. Which of the following should be the immediate action of the information security manager? A. Ensure that all operating system patches are up to date. B. Block inbound traffic until a suitable solution is found. C. Obtain guidance from the firewall manufacturer. D. Commission a penetration test.

C is the correct answer. Justification: A. Ensuring that all operating system patches are up to date is a good practice, in general, but it will not necessarily address the reported vulnerability in the firewall software. B. Blocking inbound traffic may not be practical or effective from a business perspective. C. The best source of information is the firewall manufacturer because the manufacturer may have a patch to fix the vulnerability or a workaround solution. D. Commissioning a penetration test will take too much time and will not necessarily provide a solution for corrective actions.

141. The information security manager has determined that a risk exceeds risk appetite, yet the manager does not mitigate the risk. What is the MOST likely reason that management would consider this course of action appropriate? A. The risk is the residual risk after controls are applied. B. The risk is expensive to mitigate. C. The risk falls within the risk tolerance level. D. The risk is of relatively low frequency.

C is the correct answer. Justification: A. Even if the risk is residual, if it exceeds the risk appetite, then it is acceptable only if it falls within the risk tolerance. The residual risk may or may not be considered appropriate depending on the level of acceptable risk and the tolerance for variation to that level. B. if mitigation is too expensive compared to the benefit, the information security manager should consider other treatment options. Just knowing the expense is not enough. C. Risk tolerance is the acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. D. Low frequency alone does not warrant ignoring a risk.

76 Which of the following is the MAIN reason for performing risk assessment on a continuous basis? A. The security budget must be continually justified. B. New vulnerabilities are discovered every day. C. The risk environment is constantly changing. D. Management needs to be continually informed about emerging risk.

C is the correct answer. Justification: A. Justification of a budget should never be the main reason for performing a risk assessment. B. New vulnerabilities should be managed through a patch management process. C. The risk environment is impacted by factors such as changes in technology and business strategy. These changes introduce new threats and vulnerabilities to the enterprise. As a result, risk assessment should be performed continuously. D. lnforn1ing management about emerging risk is important but is not the main driver for determining when a risk assessment should be performed.

139. As part of system development, how should an enterprise determine which element of the confidentiality, integrity and availability triad requires the MOST protection? A. It should be based on the threat to each of the elements. B. Availability is most important. C. It should be based on the likelihood and impact to each element if compromised. D. All elements are equally important.

C is the correct answer. Justification: A. Even if the threat of compromise is high, the impact may be low; the best basis to determine where to implement the most protection is the risk to the specific element. B. While it may seem that availability is the most important, if the system is down, there is no access to the data. There are many cases in which the standard business processes can continue, even if the system is down, but stringent controls must be maintained around confidentiality and integrity of information. The level of control should be based on the risk to the specific element. C. The probability of compromise and the impact on the enterprise are combined to determine which clement requires the greatest protection, with emphasis on impact. D. It is very unlikely that all elements of the confidentiality, integrity or availability triad require equal levels of protection.

19. Which of the following groups would be in the BEST position to perform a risk analysis for a business? A. External auditors B. A peer group within a similar business C. Process owners D. A specialized management consultant

C is the correct answer. Justification: A. External parties, including auditors, do not have the necessary level of detailed knowledge of the inner workings of the business. B. Peer groups would not have a sufficiently detailed understanding of the business to be effective at analyzing a particular enterprise's risk. C. Process owners have the most in-depth knowledge of risk and compensating controls within their environment. D. Management consultants are expected to have the necessary skills in risk analysis techniques but would still have to rely on a group with intimate knowledge of the business.

51. Which of the following would BEST address the risk of data leakage? A. File backup procedures B. Database integrity checks C. Acceptable use policies D. Incident response procedures

C is the correct answer. Justification: A. File backup procedures ensure the availability of information in alignment with data retention requirements but do nothing to prevent leakage. B. Database integrity checks verify the allocation and structural integrity of all the objects in the specified database but do nothing to prevent leakage. C. An acceptable use policy establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet. D. Incident response procedures provide detailed steps that help an enterprise minimize the impact of an adverse event but do not directly address data leakage.

142. Why should the analysis of risk include consideration of potential impact? A. Potential impact is a central element of risk. B. Potential impact is related to asset value. C. Potential impact affects the extent of mitigation. D. Potential impact helps determine the exposure.

C is the correct answer. Justification: A. Impact is distinct and separate from risk and is not a central element of risk. B. Impact is related to the loss of the value that the asset provides but is not relevant to the question. C. The extent of the potential impact in the event of compromise coupled with the likelihood of occurrence will largely determine the extent of mitigation measures. D. Knowing the impact will not determine the extent to which an asset is exposed to a threat.

83. Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? A. Implement countermeasures. B. Eliminate the risk. C. Transfer the risk. D. Accept the risk.

C is the correct answer. Justification: A. Implementing countermeasures may not be possible likely would not be the most cost-effective approach to security management. B. Eliminating the risk may not be possible C. Risk is typically transferred to lnsurance companies when the probability of-an incident.is low but the impact is high. Examples Include hurricanes, tornadoes and earthquakes. D. Accepting the risk would leave the enterprise vulnerable to a catastrophic disaster that might cripple or ruin the enterprise. It would be more-cost-effective to pay recurring insurance costs than to be affected by a disaster from which the enterprise could not financially recover.

106. When introducing public cloud computing technology to the business, which of the following situations would be a MAJOR concern? A. An upward curve in the running cost triggered by the scale expansion B. A difficulty in identifying the origination of business transactions C. An unawareness of risk scenarios that need to be included in the risk profile D. An increased chance to be hit by attacks to exploit vulnerabilities

C is the correct answer. Justification: A. In general, ease of scaling is the benefit of a cloud solution. Scaling is flexible with cloud computing technology at a predictable cost. B. Identification of the origination point of a transaction may be a separate issue from cloud technology. Therefore, it is unnecessary to raise this concern for a cloud computing solution. C. Cloud computing involves the interaction with a third party, as does any other outsourcing arrangement. Therefore, a cloud computing solution has a chance of introducing new risk that is not currently recognized by the enterprise's risk profile. It is essential for the review risk profile to cover new risk scenarios. D. The enterprise may come under attack regardless of the introduction of a cloud computing solution. If proper security management for cloud computing is in place, the chance of being compromised may be lower.

180. The PRIMARY objective of a vulnerability assessment is to: A. reduce risk to the business. B. ensure compliance with security policies. C. provide assurance to management. D. measure efficiency of services provided.

C is the correct answer. Justification: A. It is necessary to identify vulnerabilities in order to mitigate them. Actual reduction of risk is accomplished through deployment of controls and is a business decision based on a cost-benefit analysis. B. A security policy may mandate a vulnerability assessment program, but such a program is not established primarily to comply with policy. C. A vulnerability assessment identifies vulnerabilities so that they may be considered for mitigation. By giving management a complete picture of the vulnerabilities that exist, a vulnerability assessment program allows management to prioritize those vulnerabilities deemed to pose the greatest risk. D. Vulnerability assessment is not concerned with efficiency of services.

190. Which of the following BEST helps information security managers to report changes in risk levels based on compliance with controls implemented to mitigate risk? A. Lead indicators B. Predictive analysis C. Lag indicators D. Incident reports

C is the correct answer. Justification: A. Lead indicators analyze the existing level of compliance and predict future compliance levels based on the findings. This helps in decision-making, but predictions may change. B. Predictive analysis helps in determining lead indicators. C. Lag indicators provide information about the performance of controls after control execution. Noncompliance of controls indicates elevation in risk levels. Timely reporting of noncompliance helps risk owners in decision-making. D. Incident reports help in reporting noncompliance but they are useful only after risk has materialized.

125. Management decided that the enterprise will not achieve compliance with a recently issued set of regulations. Which of the following is the MOST likely reason for the decision? A. The regulations are ambiguous and difficult to interpret. B. Management has a low level of risk tolerance. C. The cost of compliance exceeds the cost of possible sanctions. D. The regulations are inconsistent with the organizational strategy.

C is the correct answer. Justification: A. Management should address ambiguous regulations by requesting clarification from the issuer or the legal department. B. Management decisions on compliance should be based on a cost-benefit analysis. C. Management may decide it is less expensive to deal with possible sanctions than to attempt to comply. D. The fact that the regulations are inconsistent with the organizational strategy is not a major factor in deciding not to comply.

59. Which of the following is the MOST important consideration when performing a risk assessment? A. Management supports risk mitigation efforts. B. Annual loss expectancies have been calculated for critical assets. C. Assets have been identified and appropriately valued. D. Attack motives. means and opportunities are understood.

C is the correct answer. Justification: A. Management support is always important but is not relevant when performing a risk assessment except to the extent that a lack of support may present a risk. B. The annual loss expectancy calculations can be used in risk analysis subsequent to assets first being identified and properly valued. C. Identification and valuation of assets provides the essential basis for risk assessment efforts. Without knowing an asset exists and its value to the enterprise, the risk and impact cannot be determined. D. Understanding motives, means and opportunities is a part of risk identification, but they must be considered in the context of identified and valued assets.

195. Which of the following would BEST provide insight into the potential for unauthorized access or malicious cybersecurity attacks on an enterprise? A. Network scanning B. Password management C. Ethical hacking D. Application database monitoring

C is the correct answer. Justification: A. Network scanning only looks for open ports and services at the network level and not at a systems level. B. Password management is focused on enforcing the password policy for minimum password criteria C. Ethical backing is supervised backing done to identify potential threats to a system or network. This helps to identify if unauthorized access or malicious attacks are possible. D. Application database monitoring focuses primarily on performance of the specific application and would not provide insight into the entire enterprise.

196. Which of the following authentication methods is MOST the secure when users require remote access to production systems? A. A one-time password B. A virtual private network C. Multifactor authentication D. Complex passwords

C is the correct answer. Justification: A. One-time passwords are more secure than static passwords, but alone, they are not the most secure method. B. A virtual private network is an encryption connection from a device to a network; it is not an authentication method. C. Multifactor authentication is the most secure way to authenticate users when remote access to production system is required. Multifactor authentication uses three common factors: something you know (e.g., passwords), something you have (e.g., tokens, smart cards) and something you are (e.g., biometric methods such as fingerprints or retina scans). A complex password includes two out of three common factors used for multifactor authentication. D. Requiring complex passwords is a good practice, but it is not the most secure method.

201. Which of the following will be the MOST likely exploitation target when looking at flaws in application controls? A. Password change options at the login stage B. Weak transaction monitoring controls C. Inadequate validation checks in entry forms D. Open ports available for external access

C is the correct answer. Justification: A. Password cracking by exploiting a password change option may not be easy unless the perpetrator obtains a valid password in advance. Hence, attackers prefer to look for weaknesses in validation checks in the application control layer. B. Weak or nonexistent transaction monitoring controls can be a target for exploitation; however, controls with nonexistent or inadequate validation checks are an easier target for attackers. C. Many attackers exploit weaknesses existing in the application layer. Aweak validation check-in entry screen may be vulnerable to structured query language (SQL) injection attacks. Hence, validation control is a key feature in application controls. D. Control of open ports may be handled by network administration, which is separate from the application control layer. Hence, it is unlikely that attackers exploiting application weaknesses will look for open ports.

168. Risk management needs to be approached as a regular, ongoing program or activity primarily because: A. people make mistakes. B. technology becomes obsolete. C. the environment changes. D. standards are updated or replaced.

C is the correct answer. Justification: A. People do make mistakes, but mistakes built into a risk management program might well be repeated any number of times in an ongoing program. Therefore, this is not a rationale for risk management as a regular program or activity. B. Technology is subject to obsolescence over time, but periodic assessment would likely be adequate if it were the primary rationale for risk management. C. Controls usually degrade over time and are subject to failure, and the threat landscape changes constantly. Therefore, it is important that risk management be performed as an ongoing program or activity in order to capture the implications of these changes and ensure that the enterprise continues to make risk-treatment decisions consistent with its objectives and risk appetite. D. Standards do change, and an enterprise that has identified conforming to a particular standard may be obligated to adjust its technology and processes to remain compliant. However, risk management addresses broader concerns than adherence to standards.

62. Which of the following is the MOST important factor to be considered in the loss of mobile equipment with encrypted data? A. Disclosure of personal information B. Sufficient coverage of the insurance policy for accidental losses C. Potential impact of the data loss D. Replacement cost of the equipment

C is the correct answer. Justification: A. Personal information is not defined in the question as the data that were lost. B. If insurance is available, it is unlikely to compensate for all potential impact. C. When mobile equipment is lost or stolen, the information contained on the equipment matters most in determining the impact of the loss. The more sensitive the information, the greater the liability. If staff carries mobile equipment for business purposes, an enterprise must develop a clear policy as to what information should be kept on the equipment and for what purpose. D. Cost of equipment would be a less important issue.

26. Which of the following is MOST essential when assessing risk? A. Providing equal coverage for all asset types B. Benchmarking data from similar enterprises C. Considering both monetary value and likelihood of loss D. Focusing on valid past threats and business losses

C is the correct answer. Justification: A. Providing equal coverage for all asset types when assessing risk may not be relevant, depending on the significance the asset type has to the enterprise ( e.g., the automobile fleet is not likely to have as much significance as the data center). B. Benchmarking other enterprises when assessing risk is of relatively little value. C. The likelihood of loss and the monetary value of those losses are the most essential elements to consider in assessing risk. D. Past threats and losses may be instructive of potential future events but are not the most essential considerations when assessing risk.

10. Risk management programs are designed to reduce risk to: A. a level that is too small to be measurable. B. the point at which the benefit exceeds the expense. C. a level that the enterprise is willing to accept. D. a rate of return that equals the current cost of capital.

C is the correct answer. Justification: A. Reducing risk to a level too small to measure is impractical and is of ten cost-prohibitive. B. Depending on the risk preference of an enterprise, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. C. Risk should be reduced to a level that an enterprise is willing to accept. D. To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered.

129. Which of the following BEST assists the information security manager in identifying new threats to information security? A. Performing more frequent reviews of the enterprise's risk factors B. Developing more realistic information security risk scenarios C. Understanding the flow and classification of information used by the enterprise D. A process to monitor post-incident review reports prepared by IT staff

C is the correct answer. Justification: A. Risk factors determine the business impact or frequency of risk and are not related to the identification of threats. B. Risk scenarios are not used to identify threats as much as they are used to identify the impact and frequency of threats exploiting vulnerabilities within the information security architecture. C. Understanding the business objectives of the enterprise and how data are to be used by the business assists management in assessing whether an information security event should be considered a new information security threat. D. The analysis of post-incident reviews assists managers in identifying IS threats that have materialized into incidents and does not necessarily assist IT managers in identifying threats that pose a risk to information security.

152. Control objectives are MOST closely aligned with: A. risk tolerance. B. criticality. C. risk appetite. D. sensitivity.

C is the correct answer. Justification: A. Risk tolerance is the acceptable level of deviation from acceptable risk and is not directly affected by control objectives. B. Criticality is the importance to the business and is one of the considerations when control objectives are set in addition to potential impact, exposure, cost and feasibility of possible controls. However, criticality plays a lesser role in relationships between risk and control. Criticality is more a need for the business than a control to reduce risk for the environment. C. Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission. Control objectives are set so that controls can be designed on that basis. D. Sensitivity is the potential impact of unauthorized disclosure, which is one of the considerations in control objectives but is not a control itself. Sensitivity creates risk, which is weighed against the controls put in place to reduce that risk, but sensitivity is an identification marker or classification of data for a control and does not define acceptable risk.

49. Which of the following BEST supports continuous improvement of the risk management process? /\. Regular review of risk treatment options B. Classification of assets in order of criticality C. Adoption of a maturity model D. integration of assurance functions

C is the correct answer. Justification: A. Risk treatment is an element of the risk management process. Elements such as risk identification, risk communication and acceptance also need to be considered. B. Classification of assets is important but is an element of the risk management process and is not sufficient to ensure continuous improvement. C. A maturity model such as the capability maturity model (CMM) can be used to classify an enterprise as initial, repeatable, defined, managed or optimized. As a result, an enterprise can easily know where it falls and then start working to reach the optimized state. D. There are many benefits from integrating assurance functions. However, this is not a holistic approach because the best of assurance functions will be reactive if risk management does not cascade through the entire enterprise. Measures must be taken to ensure that all staff members, rather than only the assurance functions, are risk conscious.

70. Which of the following is the MOST important risk associated with middleware in a client-server environment? A. Server patching may be prevented. B. System backups may be incomplete. C. Data integrity may be affected D. End-user sessions may be hijacked.

C is the correct answer. Justification: A. Sever patching is not affected by the presence of middleware. B. System backups are not affected. C. The major risk associated with middleware in a client-server environment is that data integrity may be adversely affected if middleware should fail or become corrupted. D. Hijacked end-user sessions can occur but they can be detected by implementing security checks in the middleware.

159. Quantifying the level of acceptable risk can BEST be indicated by which of the following choices? A. Surveying business process owners and senior managers B. Determining the percentage of the IT budget allocated to security C. Determining the ratio of business interruption insurance to its cost D. Determining the number and severity of incidents impacting the enterprise

C is the correct answer. Justification: A. Surveying management typically provides a widely varying perspective on acceptable risk. B. The amount spent on security is an indicator but does not quantify acceptable levels of risk. c. The amount of business Interruption insurance carried and the cost specifics a directly quantifiable level of risk that the enterprise will accept, and at what cost. D. The history of incidents will show what risk was not addressed and elicit comments about acceptability but will not indicate what the enterprise is willing to spend on mitigation.

158. Finding that a lack of adequate compliance with a set of standards poses a significant risk, an information security manager should FIRST: A. review and modify policy to address the risk. B. create a new set of guidelines to reduce the risk. C. advise management of the risk and possible consequences. D. determine whether the standards are consistent with policy.

C is the correct answer. Justification: A. The extent of risk mitigation is a business decision, so any action taken to address or reduce risk must be based on input from the business. B. The extent of risk mitigation is based on policy, which is defined with input from the business. C. If a lack of compliance with standards creates a significant risk, the information security manager should assess possible consequences and advise appropriate managers to determine whether it is acceptable risk. D. It is generally useful to determine whether standards reflect the intent of policy, but the main purpose of policies is to address risk that might not be included in standards.

2. Which of the following BEST indicates a successful risk management practice? A. Overall risk is quantified. B. Inherent risk is eliminated. C. Residual risk is acceptable. D. Control risk is tied to business units.

C is the correct answer. Justification: A. The fact that overall risk has been quantified does not necessarily indicate the existence of a successful risk management practice. B. Eliminating inherent risk is virtually impossible. C. A successful risk management practice reduces residual risk to acceptable levels. D. Although the tying of control risk to business may improve accountability, it is not as desirable as achieving acceptable residual risk levels.

172. An enterprise is considering the purchase of a new technology that will facilitate better customer interactions and will be integrated into the existing customer relationship management system. Which of the following is the PRIMARY risk the information security manager should consider related to this purchase? A. The potential that the new technology will not deliver the promised functionality to support the business B. The availability of ongoing support for the technology and whether existing staff can provide the support C. The possibility of the new technology affecting the security or operation of other systems D. The downtime required to reconfigure the existing system to implement and integrate the new technology

C is the correct answer. Justification: A. The risk that the new technology will not support business needs is primarily a responsibility of the business manager rather than the information security manager. B. The availability of support is a concern, but it is primarily a responsibility of the IT operations manager. C. The greatest security risk is that the new technology may bypass existing security or impair the operation of existing systems. The security manager should examine the new system for these issues. D. The downtime required to implement the new technology is primarily a business and IT department factor.

42. Why would an enterprise decide not to take any action on a denial-of-service vulnerability found by the risk assessment team? A. There are sufficient safeguards in place to neutralize the risk. B. The needed countermeasures are too complicated to deploy. C. The cost of countermeasures outweighs the value of the asset and potential loss. D. The likelihood of the risk occurring is unknown.

C is the correct answer. Justification: A. The safeguards need to match the risk level. You can never be certain of having sufficient safeguards because threats are always evolving. B. While countermeasures could be too complicated to deploy, this is not the most compelling reason. C. An enterprise may decide to live with specific risk because it would cost more to protect the enterprise than to incur the potential loss. D. It is unlikely that a global financial institution would not be exposed to such attacks, and the likelihood could not be predicted.

85. An information security manager is advised by contacts in law enforcement that there is evidence that the company is being targeted by a skilled gang of hackers known to use a variety of techniques, including social engineering and network penetration. The FLRST step that the security manager should take is to: A. perform a comprehensive assessment of the enterprise's exposure to the hackers' techniques. B. initiate awareness training to counter social engineering. C. immediately advise senior management of the elevated risk. D. increase monitoring activities to provide early detection of intrusion.

C is the correct answer. Justification: A. The security manager should assess the risk, but senior management should be immediately advised. B. It may be prudent to initiate an awareness campaign after sounding the alarm if awareness training is not current. C. Information about possible significant new risk from credible sources should be provided to management along with advice on steps that need to be taken to counter the threat. D. Monitoring activities should be increased after notifying management.

176. Which of the following is the BEST resolution when a security standard conflicts with a business objective? A. Changing the security standard B. Changing the business objective C. Performing a risk analysis D. Authorizing a risk acceptance

C is the correct answer. Justification: A. The security standard may be changed once it is determined by analysis that the risk of doing so is acceptable. B. It is highly improbable that a business objective could be changed to accommodate a security standard. C. Conflicts between a security standard and a business objective should be resolved based on a risk analysis of the costs and benefits of allowing or disallowing an exception to the standard. o. Risk acceptance is a process that derives from the risk analysis once the risk is determined to be acceptable.

12. Which of the following risk scenarios would BEST be assessed using qualitative risk assessment techniques? A. Theft of purchased software B. Power outage lasting 24 hours C. Permanent decline in customer confidence D. Temporary loss of email services

C is the correct answer. Justification: A. Theft of software can be quantified into monetary amounts. B. Power outages can be quantified into monetary amounts more precisely than they can be assessed with qualitative techniques. C. A permanent decline in customer confidence does not lend itself well to measurement with quantitative techniques. Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill. D. Temporary loss of email can be easily quantified into monetary amounts.

33. A risk assessment and business impact analysis (BIA) have been completed for a major proposed purchase and new process for an enterprise. There is disagreement between the information security manager and the business department manager who will be responsible for evaluating the results and identified risk. Which of the following would be the BEST approach of the information security manager? A. Acceptance of the business manager's decision on the risk to the corporation B. Acceptance of the information security manager's decision on the risk to the corporation C. Review of the risk assessment with executive management for final input D. Create a new risk assessment and BIA to resolve the disagreement

C is the correct answer. Justification: A. This is not the best approach, as the business manager is likely to be focused on getting the business done as opposed to managing the risk posed to the enterprise. B. The typical information security manager is focused on risk and may overestimate risk by considering worst-case scenarios rather than the most probable events. C. Executive management will be in the best position to consider the big picture and the trade-offs between security and functionality for the entire enterprise. D. There is no indication that the assessments are inadequate or defective in some way; therefore, repeating the exercise is not warranted.

96. After residual risk has been determined, the enterprise should NEXT: A. transfer the remaining risk to a third party. B. acquire insurance against the effects of the residual risk. C. validate that the residual risk is acceptable. D. formally document and accept the residual risk.

C is the correct answer. Justification: A. Transfer of the risk is a step that might be taken after initial validation occurs. B. Acquiring insurance is a step taken after initial validation occurs. C. After residual risk has been determined, the next step should be to validate that the risk is acceptable (or not) and within the enterprise's risk tolerance. D. Formally documenting and accepting the residual risk is a step taken after initial validation occurs.

68. After a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. The information security manager should recommend to business management that the risk be: A. transferred. B. treated. C. accepted. D. terminated.

C is the correct answer. Justification: A. Transferring the risk is of limited benefit if the cost of the control is more than the potential cost of the risk manifesting. B. Treating the risk is of limited benefit if the cost of the control is more than the cost of the risk being exploited. C. When the cost of the control is more than the cost of the risk, the risk should be accepted. D. if the value of the activity is greater than the potential cost of compromise, then terminating the activity would not be the appropriate advice.

23. Ongoing tracking of remediation efforts to mitigate identified risk can BEST be accomplished through the use of which of the following approaches? A. Tree diagrams B. Venn diagrams C. Heat maps D. Bar charts

C is the correct answer. Justification: A. Tree diagrams are useful for decision analysis. B. Venn diagrams show the connection between sets but are not useful in indicating status. C. Heat maps, sometimes referred to as stoplight charts, quickly and clearly show the current status of remediation efforts. D. Bar charts show relative size but are a less direct presentation approach to tracking status of remediation efforts.

135. A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an information security officer. The officer should FIRST: A. meet with stakeholders to decide how to comply. B. analyze key risk in the compliance process. C. assess whether existing controls meet the regulation. D. update the existing security/privacy policy.

C is the correct answer. Justification: A. While meeting with stakeholders to decide how to comply is appropriate and important, this action comes after assessing whether existing controls meet the regulation and will depend on whether there is an existing control gap. B. While analyzing key risk in the compliance process is appropriate and important, this action comes after assessing whether existing controls meet the regulation and will depend on whether existing controls are adequate. C. if the enterprise is in compliance through existing controls, the need to perform other work related to the regulation is not a priority. D. While updating the existing security/privacy policy is appropriate and important, this action is appropriate only if the assessment indicates a requirement to change the existing security/privacy policy.

153. Determining the level of effort needed to meet particular improvement targets in risk management can BEST be determined using which of the following tools? A. A workflow diagram B. A Gantt chart C. A gap analysis D. A return on investment computation

C is the correct answer. Justification: A. Workflow diagrams document processes. Having a visual representation of how a risk management process works today versus how it would work in a desired state may be useful as part of proposing or implementing changes, but comparing the two states is not the same as knowing what tasks must be completed to move from the current state to the proposed future state, which is what is needed to determine the level of effort. B. Gantt charts are used to schedule activities (tasks) needed to complete a project. A fully constructed schedule includes all tasks that must be completed and times they will take, but building a schedule deals with prioritization and issues that go beyond what is needed to determine the level of effort. C. A gap analysis documents the tasks that must be completed to move from the current state to the desired state, and the level of effort may readily be determined. A gap analysis is required for various components of the strategy previously discussed, such as maturity levels, each control objective, and each risk and impact objective. D. Return on investment, computed in its simplest form by dividing net income by the total investment over the period being considered, is a measure of operating performance and efficiency. It does not measure levels of effort.

134. What is a PRIMARY advantage of performing a risk assessment on a consistent basis? A. It lowers costs of assessing risk. B. It provides evidence of attestation. C. It is a necessary part of third-party audits. D. It identifies trends in the evolving risk profile.

D is the correct answer . .Justification: A. There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not the main benefit. B. An assessment deals with a review of a process, not a person's claim of the process being in place. An attestation is a claim without the supporting evidence. C. External audits do not require risk assessments, although it is encouraged. D. Tracking trends In evolving risk Is of significant benefit to man11glng risk and ensuring that appropriate controls are In place.

15. Which of the following is the MOST appropriate use of gap analysis? A. Evaluating a business impact analysis B. Developing a business balanced scorecard C. Demonstrating the relationship between controls D. Measuring current state versus desired future state

D is the correct answer . Justification: A. A gap analysis is not most appropriate for evaluating a business impact analysis. B. A gap analysis is not most appropriate for developing a business balanced scorecard. C. A gap analysis is not most appropriate for demonstrating the relationship between controls. D. A gap analysis is most useful in addressing the differences between the current state and future state.

107. What is the TYPICAL output of a risk assessment? A. A list of appropriate controls for reducing or eliminating risk B. Documented threats to the enterprise C. Evaluation of the consequences to trye entity D. An inventory of risk that may impact the enterprise

D is the correct answer. .Justification: A. A list of appropriate controls for reducing risk follows the assessment. B. Documented threats are a part of the input for a risk assessment. C. Evaluation of the consequences follows the assessment. D. An inventory of rJ1k 11the output of a risk assessment.

95. The use of insurance is an example of which of the following? A. Risk mitigation B. Risk acceptance C. Risk elimination D. Risk transfer

D is the correct answer. .Justification: A. The effects of a potential event can be shared by procuring insurance, but the risk is not mitigated. B. Acceptance of risk is a decision by the enterprise to assume the impact of the effects of an event. c. Risk is never fully eliminated, unless the activity that causes the risk is stopped or avoided. D. Insurance Is a method of offsetting the financial loss that might be Incurred as a result of an adverse event. Some, but not all, of the potential costs are transferred to the insurance company.

52. Which of the following internal or external influences on an enterprise is the MOST difficult to estimate? A. Vulnerability posture B. Compliance requirements C. Outsourcing expenses D. Threat landscape

D is the correct answer. Justification: A. The vulnerability posture of an enterprise can be estimated with a high degree of accuracy through systematic, iterative review of systems, data flows, people and processes. B. Compliance requirements may be ambiguous at first, but as requirements are reviewed and narrowed, their influence on an enterprise becomes more predictable until the requirements change or expand over time. C. The long-term costs of outsourcing are difficult to predict, but the cost is generally clear for defined periods of time (e.g., contract periods). In contrast, the threat landscape is always difficult to estimate. D. Threats originate from independent sources that may be natural or human-directed. Neither can be positively predicted in all cases. Human-directed threats in particular are extremely difficult to estimate in an information security context because very small numbers of threat actors (including individuals with no assistance) may be ready and able to initiate threat events for any reason at all including reasons that are not sensible to the individual or an impartial observer.

44. What is the PRIMARY purpose of using risk analysis within a security program? A. The risk analysis helps justify the security expenditure. B. The risk analysis helps prioritize the assets to be protected. C. The risk analysis helps inform executive management of the residual risk. D. The risk analysis helps assess exposures and plan remediation.

D is the correct answer. Justification: A Risk analysis indirectly supports the security expenditure but justifying the security expenditure is not its primary purpose. B. Helping businesses prioritize the assets to be protected is an indirect benefit of risk analysis but not its primary purpose. C. Informing executive management of residual risk value is not directly relevant. D. Risk analysis explores the degree to which an asset needs protecting so remediation can be managed effectively.

206. What is the PRIMARY reason an enterprise would study cybersecurity threats? To establish: A. a threat library. B. a control baseline. C. incident response playbooks. D. a threat analysis.

D is the correct answer. Justification: A Threat libraries may be compiled in the course of threat analysis, but updating the threat library is not the. main reason to study cybersecurity threats. B. Although studying cybersecurity threats may help in designing and baselining controls, creating a control baseline is based on the overall risk (business impact), not threats alone. C. An incident response playbook is set of processes for responding and resolving incidents. Studying cyberthreats certainly adds to an incident response plan, but that is not the reason to conduct cybersecurity threat analysis. D. The main goal of threat analysis is to understand how the enterprise is positioned in the threat landscape. Threat analysis also supports decisions to prioritize control activities to mitigate the most critical risk. Threat analysis is an important factor in calculating risk value.

122. A cost-benefit analysis is performed on any proposed control to: A. define budget limitations. B. demonstrate due diligence to the budget committee. C. verify that the cost of implementing the control is within the security budget. D. demonstrate the costs are justified by the reduction in risk.

D is the correct answer. Justification: A. A cost-benefit analysis docs not define budget constraints; the board of directors or senior management of the enterprise will do that based on a variety of factors. B. The purpose of the analysis is not to show that due diligence was performed, but to establish a result that will show the cost of the control and the reduction in risk. C. A cost-benefit analysis does not help verify that the cost of a control is within the security budget; it may, however, help identify controls that require additional expenses that exceed the established security budget. D. Senior management can weigh the cost of the risk against the cost of the control and show that the control will reduce that risk by some measure.

36. Which of the following is an indicator of effective governance? A. A defined information security architecture B. Compliance with international security standards C. Periodic external audits D. An established risk management program

D is the correct answer. Justification: A. A defined information security architecture is helpful but by itself is not a strong indicator of effective governance. B. Compliance with international standards is not an indication of effective governance. C. Periodic external audits may serve to provide an opinion on effective governance. D. A dynamic risk management program is a key component, and an indicator, of effective governance.

110. Security risk assessments are MOST cost-effective to a software development enterprise when they are performed: A. before system development begins. B. at system deployment. C. before developing a business case. D. at each stage of the system development life cycle.

D is the correct answer. Justification: A. A risk assessment performed before system development will not find vulnerabilities introduced during development. B. Performing a risk assessment at system deployment is generally not cost-effective and can miss a key risk. C, if performed prior to business case development, a risk assessment will not discover risk introduced during the system development life cycle (SDLC). D. Performing risk assessments at each stage of the SDLC is the most cost-effective method because it ensure that vulnerabilities are discovered as soon as possible.

205. One of the MOST important internal critical factors that affects the information security strategy is: A. a well-defined organizational structure. B. widespread promoted IT security awareness. C. the organizational security culture. D. established enterprise· risk appetite and tolerance levels.

D is the correct answer. Justification: A. A well-defined organizational structure could be an enabler for an effective security strategy, but it is not the most important factor. B. A lack of internal IT security awareness could be part of the threat landscape, but it is not as important as the risk appetite and tolerance. C. Enterprise security culture may have an impact on the information security strategy; however, enterprise risk appetite still has the biggest impact. D. The security strategy is primarily led by an established enterprise risk appetite and levels.

179. To acquisition of new IT systems that are critical to an enterprise's core business can create significant risk. To effectively manage the risk, the information security manager should FIRST: A. ensure that the IT manager accepts the risk of the technology choices. B. require the approval of auditors prior to deployment. C. obtain senior management approval for IT purchases. D. ensure that appropriate procurement processes are employed.

D is the correct answer. Justification: A. Acceptance of identified risk associated with particular technologies is the responsibility of the business process owner, and possibly of senior management, but it would happen after the risk was identified during the procurement process. B. Auditors may identify risk but are not responsible for managing it. C. Senior management will typically be involved in IT acquisitions only from a budgetary perspective. D. Appropriate procurement processes will include processes to initially identify the risk that may be introduced by the new system.

109. Tightly integrated IT systems are MOST likely to be affected by: A. aggregated risk. B. systemic risk. C. operational risk. D. cascading risk.

D is the correct answer. Justification: A. Aggregated risk can occur in homogenous systems in which one threat vector can compromise many systems whether integrated or not. B. Systemic risk is unrelated to the degree of integration. C. Operational risk is unrelated to the degree of integration. D. Tightly integrated systems are more susceptible to cascading risk because the failure of one element causes a sequence of failures.

138. Which of the following components is established during the INITIAL steps of developing a risk management program? A. Management acceptance and support B. information security policies and standards C. A management committee to provide oversight for the program D. The context and purpose of the program

D is the correct answer. Justification: A. Although an important component in the development of any managed program, obtaining management acceptance and support ideally occurs well before the development of the program, in the plan and organize phase. B. information security policies and standards are a component of the risk management program but do not belong to the initial stages of its development. information security policies and standards are formed by the decisions made in the planning phase of the program and are developed based on the outcomes and business objectives established by the enterprise. C. Management and oversight of the risk management program is a monitoring control that is developed to ensure that the program is satisfying the outcomes and business objectives established by the business. This process is designed at the latter stages of development once the purpose of the program and the mechanics of its deployment have been established. This oversight process could be integrated with internal audit activities or other compliance program processes. D. An initial requirement is to determine the enterprise's purpose for creating an information security risk management program, determine the desired outcomes and define objectives.

40. In which phase of the development process should risk assessment be FIRST introduced? A. Programming B. Specification C. User testing D. Feasibility

D is the correct answer. Justification: A. Assessment would not be relevant in the programming phase. B. Risk should be considered in the specification phase, when the controls are designed, but this evaluation would still be based on the assessment carried out in the feasibility study. C. Assessment would not be relevant in the user testing phase. D. RJ1k should be addressed as early as possible in the development cycle. The feasibility study should include risk assessment so that the cost of controls can be estimated before the project proceeds.

6. Which of the following is MOST likely to initiate a review of an information security standard? Changes in the: A. effectiveness of security controls. B. responsibilities of department beads. C. information security procedures. D. results of periodic risk assessments.

D is the correct answer. Justification: A. Changes in the effectiveness of security controls will require a review of the controls, not necessarily the standards. B. Changes in the roles and responsibilities of department heads will not require a change to security standards, which will be captured during risk review. C. Standards set the requirements for procedures, so a change in procedures is not likely to affect the standard. D. Security policies need to be reviewed regularly in order to ensure they appropriately address the Enterprise's security objectives. A review of a security standard is prompted by changes in external and Internal risk factors that are captured during risk assessment.

148. What is the goal of risk aggregation? A. To combine homogeneous elements to reduce overall risk B. To influence the enterprise's risk acceptance methodologies C. To group individual acceptable risk events for simplified risk reporting D. To identify significant overall risk from a single threat vector

D is the correct answer. Justification: A. Combining homogeneous elements does not in itself reduce risk; it may actually increase risk. B. Aggregation does not affect the methodology used for risk acceptance. C. Risk reporting is not a primary consideration of risk aggregation. D. Individual risk with minimal impact may constitute a significant overall risk if each risk can be exploited from the same threat vector. The threat vector is the method used to exploit the target.

11. At what interval should a risk assessment TYPICALLY be conducted? A. Once a year for each business process and subprocess B. Every three to six months for critical business processes C. On a continuous basis D. Annually or whenever there is a significant change

D is the correct answer. Justification: A. Conducting a risk assessment once a year is insufficient if important changes take place. B. Conducting a risk assessment every three to six months for critical processes is not typical and may not be necessary, or it may not address important changes in a timely manner. C. Performing risk assessments on a continuous basis is generally financially not feasible; it is more cost-effective to conduct risk assessments annually or whenever there is a significant change. D. Risk is constantly changing. Conducting a risk assessment annually or whenever there is a significant change offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change.

115. Which one of the following factors of a risk assessment typically involves the GREATEST amount of speculation? A. Exposure B. Impact C. Vulnerability D. Likelihood

D is the correct answer. Justification: A. Exposure can be determined within a range. B. Impact can be determined within a range. C. Vulnerability can be determined within a range. D. The likelihood of a threat encountering a susceptible vulnerability can only be estimated statistically.

71. Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the enterprise's network? A. Configuration of firewalls B. Strength of encryption algorithms C. Authentication within application D. Safeguards over keys

D is the correct answer. Justification: A. Firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted. B. Even easy encryption algorithms require adequate resources to break, whereas encryption keys can be easily used. C. The application front door controls may be bypassed by accessing data directly. D. Key management is the weakest link in encryption. If keys are in the wrong hands, documents can be read regardless of where they are on the network.

164. The effectiveness of managing business risk is BEST measured by the number of: A. significant IT-related incidents that were not identified during risk assessment. B. security assessments compliant with organizational standards and guidelines. C. vulnerabilities identified by risk assessment and not properly mitigated. D. security incidents causing significant financial loss or business disruption.

D is the correct answer. Justification: A. Identification of incidents is only one part of effective risk management. if impact is not limited to acceptable levels, the program is not effective. Merely identifying incidents through a risk assessment is insufficient to limit impact. B. While compliance is important, it is only one aspect of risk management. If impact is not limited to acceptable levels, the program is not effective. Demonstrating that a program is compliant is not a measure of the effectiveness of limiting impact. C. Identifying unmitigated vulnerabilities is insufficient without knowledge of potential threats, impacts and control measures to determine the potential effectiveness of the risk management program. D. The goal of risk management is to limit impact and minimize business disruptions. Each instance of a security incident that causes significant financial loss or business disruption is an indication of inadequate risk management.

111. Which of the following is the BEST quantitative indicator of an enterprise's current risk appetite? A. The number of incidents and the subsequent mitigation activities B. The number, type and layering of deterrent control technologies C. The extent of risk management requirements in policies and standards D. The ratio of cost to insurance coverage for business interruption protection

D is the correct answer. Justification: A. Incident history can provide only an approximation of the enterprise's efforts to mitigate further occurrences after consequences have been determined. Incident history may also indicate a lack of risk awareness. B. Controls deployment can provide a rough qualitative estimation of risk appetite as long as technologies are tested and effectiveness is determined. C. Requirements set in policies and standards can only serve as a qualitative approximation of risk appetite. D. The cost of a business interruption can be accurately determined. The comparison of this expense (added to any deductible) with the total cost of premiums paid for a specific amount of insurance can serve as an accurate indicator of how much the enterprise will spend to protect against a defined loss.

30. What is the PRIMARY objective of a risk management program? A. Minimize inherent risk. B. Eliminate business risk. C. Implement effective controls. D. Achieve acceptable risk.

D is the correct answer. Justification: A. Inherent risk may already be acceptable and require no remediation. Minimizing below the acceptable level is not the objective and usually raises costs. B. Elimination of business risk is not possible. C. Effective controls are naturally a clear objective of a risk management program with the primary goal of achieving acceptable risk across the enterprise. D. The goal of a risk management program is to ensure that acceptable risk levels are achieved and maintained.

209. Inherent cybersecurity risk is treated via: A. Internet firewalls. B. security awareness. C. risk assessment. D. controls.

D is the correct answer. Justification: A. Internet firewalls are only one kind of control and do not constitute a comprehensive approach to reducing risk in cybersecurity. B. In the absence of controls that mitigate risk, cybersecurity risk will remain the same regardless of awareness efforts. C. Risk assessments may be used to guide risk response, but on their own, they do not treat inherent risk. D. a risk prior to mitigation Is called Inherent risk. The risk that remains after countermeasures and controls have been Implemented ls residual risk. Controls are most of ten used to treat the risk after the risk ls analyzed.

114. The fact that an enterprise may suffer a significant disruption as the result of a distributed denial-of-service (DDoS) attack is considered: A. an intrinsic risk. B. a systemic risk. C. a residual risk. D. an operational risk.

D is the correct answer. Justification: A. Intrinsic risk is the result of underlying internal and external factors that are not readily subject to controls. B. Systemic risk refers to the collapse of an entire system as a result of the risk imposed by system interdependencies. C. Residual risk is the level of risk remaining after controls and countermeasures are implemented, and it may approach intrinsic risk. D. Operational risk is the risk to an enterprise as a result of its internal and external operations.

8. What is the MOST essential attribute of an effective key risk indicator (KRl)? The KRl: A. is accurate and reliable. B. provides quantitative metrics. C. indicates required action. D. is predictive of a risk event.

D is the correct answer. Justification: A. Key risk indicators (KRls) usually signal developing risk but do not indicate what the actual risk is. This option is not a most essential attribute since KRls are neither accurate nor reliable. B. KRls typically do not provide quantitative metrics about risk. C. KRls will not indicate that any particular action is required other than to investigate further. D. The most essential attribute is that a KRI should be predictive and indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.

93. An entc1vrisc is transferring its IT operations to an offshore location. An information security manager should PRIMARILY focus on: A. reviewing new laws and regulations. B. updating operational procedures. C. validating staff qualifications. D. conducting a risk assessment.

D is the correct answer. Justification: A. Reviewing new laws and regulations may or may not be identified as a mitigating measure based on the risk determined by the assessment. B. Updating operational procedures may or may not be identified as a mitigating measure based on the risk determined by the assessment. C. Validating staff qualifications may or may not be identified as a mitigating measure based on the risk determined by the assessment. D. A risk assessment should be conducted to determine new risk introduced by the outsourced processes.

41. In conducting an initial technical vulnerability assessment, which of the following choices should receive top priority? A. Systems impacting legal or regulatory standing B. Externally facing systems or applications C. Resources subject to performance contracts D. Systems covered by business interruption insurance

D is the correct answer. Justification: A. Legal and regulatory considerations are evaluated in the same manner as other forms of risk. B. Externally facing systems or applications are not necessarily high-impact systems. The prioritization of a vulnerability assessment needs to be made on the basis of impact. C. Although the impact associated with the loss of any resource subject to a performance contract is clearly quantifiable, it may not necessarily be a critical resource. if the loss of a contract system poses a significant impact to the enterprise, additional measures such as business interruption insurance will be in place. D. Maintaining business operations is always the priority. If a system is covered by business interruption insurance, it is a clear indication that management deems it to be a critical system.

13. Acceptable levels of information security risk should be determined by: A. legal counsel. B. security management. C. external auditors. D. the steering committee.

D is the correct answer. Justification: A. Legal counsel is not the authority to determine the acceptable levels of information security risk for the enterprise. B. Security management is not the authority to determine the acceptable levels of information security risk for the enterprise. C. External auditors can point out areas of risk but are not the authority to determine the acceptable levels of information security risk for the enterprise. D. Senior management, represented in the steering committee, has ultimate responsibility for determining what levels of risk the enterprise is willing to accept.

183. Which of the following is the MOST cost-effective approach to test the security of a legacy application? A. Identify a similar application and refer to its security weaknesses. B. Recompile the application using the latest library and review the error codes. C. Employ reverse engineering techniques to derive functionalities. D. Conduct a vulnerability assessment to detect application weaknesses.

D is the correct answer. Justification: A. Many applications that appear to be functionally similar may be remarkably dissimilar at the code implementation level. Even a newer version of the same software may have been entirely rewritten, and any software developed in-house is necessarily unique to the environment. B. Recompiling a legacy application is possible only when source code is available. It may not function properly if underlying libraries or coding standards have changed. C. Reverse engineering a legacy application is likely to cost significantly more than a vulnerability assessment and deriving the functionalities of the application is not the goal. D. Identifying vulnerabilities will allow an enterprise to determine what compensating controls may be needed to continue operating a legacy application where replacement is not an option. Vulnerability assessments are not necessarily comprehensive in all cases, but they are generally effective when planned properly.

5. For risk management purposes, the value of a physical asset should be based on: A. original cost. B. net cash flow. C. net present value. D. replacement cost.

D is the correct answer. Justification: A. Original cost may be significantly different from the current cost of replacing the asset. B. Net cash flow does not accurately reflect the true value of the asset. C. Net present value does not accurately reflect the true value of the asset. D. The value of a physical asset should be based on its replacement cost because this is the amount that would be needed to replace the asset if it were to become damaged or destroyed.

146. a risk management process is MOST effective in achieving organizational objectives if: A. asset owners perform risk assessments. B. the risk register is updated regularly. C. the process is overseen by a steering committee. D. risk activities are embedded in business processes.

D is the correct answer. Justification: A. Performing a risk assessment does not ensure mitigation as part of the business process. B. Maintaining a risk register may be good for identifying issues but it does not mitigate risk. C. Centralizing risk management under a steering committee is less effective than integrating it into each business process. D. The primary objective of the risk management process is that risk is identified, assessed, communicated and addressed. This objective is most effectively achieved by embedding risk management activities in business processes (e.g., change management, incident response, new product design, sales campaign, etc.).

21. Which of the following BEST helps calculate the impact of losing frame relay network connectivity for 18 to 24 hours? A. Hourly billing rate charged by the carrier B. Value of the data transmitted over the network C. Aggregate compensation of all affected business users D. Financial losses incurred by affected business units

D is the correct answer. Justification: A. Presumably the carrier would not charge if connectivity were lost, and this would not be useful in calculating impact. B. The value of data is not affected by lost connectivity and would not help calculate impact. C. Compensation of affected business users is not based on connectivity and would be useless in calculating impact. D. Financial losses incurred by the business units would be a major factor in calculating the impact of lo1t connectivity.

169. The ULTIMATE purpose of risk response is to: A. reduce cost. B. lower vulnerability. C minimize threat. D. control impact.

D is the correct answer. Justification: A. Reducing cost in the short term is rarely the purpose of risk response. Reducing the overall impact associated with risk is only one approach that an enterprise may take; a level of risk that is already acceptable should generally be allowed regardless of whether it might be further reduced. B. Lowering vulnerability is only one approach that an enterprise may take to respond to risk. c. Risk response rarely seeks to reduce threat in the aggregate and is generally unable to minimize it. D. Enterprises respond to risk in ways that control impact by keeping it within acceptable (or tolerable) levels.

175. What is the PRIMARY basis for the selection and implementation of products to protect the IT infrastructure? A. Regulatory requirements B. Technical expert advisories C. State-of-the-art technology D. A risk assessment

D is the correct answer. Justification: A. Regulatory requirements drive business requirements. B. An expert advisory may not be aligned with business needs. C. A risk assessment is the main driver for selecting technologies. D. A risk assessment helps identify control gaps in the IT infrastructure and prioritize mitigation plans, which will help drive selection of security solutions.

203. An enterprise security risk assessment was conducted based on assumptions about enterprise risk. Which of the following would be the BEST course of action to improve the quality of the assessment? A. Recruit experienced interviewers to the assessment team B. Review past risk assessments for background information C. Request that business units classify information assets D. Include relevant stakeholders during assessment activities

D is the correct answer. Justification: A. Skilled interviewers may help in conducting risk assessments; however, interview skills alone may not resolve this type of problem. B. Past risk assessments may not be relevant to the current state of the enterprise. C. Classification of information assets is a part of an information security program conducted in the business area. It does not affect how an information security risk assessment is currently conducted. D. Including relevant stakeholders is an ideal way to move beyond a risk assessment based on assumptions, as they can provide essential insight that would otherwise be missed.

170. Why might an ente111rise rationally choose to mitigate a risk that is estimated to be at a level higher than its stated risk appetite but within its stated risk tolerance? /\. The board of directors may insist that all risk be mitigated if it exceeds the appetite. B. Senior executives may prefer to transfer risk rather than formally accepting it. C. There may be pressure from key stakeholders to avoid risk that exceeds the appetite. D. Senior management may have concern that the stated impact is underestimated.

D is the correct answer. Justification: A. The board of directors determines the risk appetite and tolerance, so there would be no tolerance in excess of the appetite if the board took this position. B. The purpose of determining levels of risk appetite and tolerance is to have clear thresholds for accepting risk without mitigation or transfer. C. Risk avoidance is the best choice for responding to a risk only when it exceeds both the appetite and the tolerance, despite all efforts at mitigation or transfer. D. Risk that exceeds organizational appetite but lies within tolerable levels is not risk the enterprise wants to accept. When there is concern that the impact has been underestimated, senior management may prefer to mitigate the risk to acceptable levels rather than unintentionally accept risk whose impact ends up exceeding the tolerance.

187. Which of the following is the GREATEST concern for an enterprise in which there is a widespread use of mobile devices? A. There is an undue reliance on public networks. B. Batteries require constant recharges. C. There is a lack of opera ting system standardization. D. Mobile devices can be easily lost or stolen.

D is the correct answer. Justification: A. The fact that mobile devices must be connected to public networks creates a security risk that can be exploited in the public space, but appropriate security controls can mitigate the risk. B. The need to constantly recharge batteries is not a significant security concern. C. While the lack of operating system standardization is a concern, it is not as great as the loss of devices. D. Because of their size, mobile devices can be easily lost or stolen and sensitive information disclosed.

4. What is the PRIMARY reason an information security manager should have a sound understanding of information technology? A. To prevent IT personnel from misleading the information security manager B. To implement supplemental information security technologies C. To understand requirements of a conceptual information security architecture D. To understand the IT risk related to achieving adequate information security

D is the correct answer. Justification: A. This is not the main reason for the information security manager to have technical knowledge, but it is helpful. B. The information security manager is not responsible for implementing IT security controls. C. Technical knowledge is not required for developing a conceptual information security architecture. D. The information security manager has to understand any risk related to IT systems that could affect the business objectives or affect the business strategy achievement in order to propose an appropriate level of controls.

197. Which of the following is KEY for selecting a third-party information security provider? A. Contract review B. Audit report review C. Projected cost of services D. Risk assessment

D is the correct answer. Justification: A. Toe contract review is important, but the risk assessment should provide guidance concerning whether enterprise should engage with the third party. B. Toe audit review is important after the risk assessment is complete. Some items identified in the assessment will determine if any of the findings are material to the enterprise. C. Projected cost of services is important, but the risk assessment will guide the enterprise concerning whether it should engage with the third party. D. The risk assessment is essential because it provides guidance to the enterprise concerning whether it should engage with the third party. The risk assessment should address strategic, operational, compliance and other key risk relevant to the enterprise.

161. Which of the following choices would be the BEST measure of the effectiveness of a risk assessment? A. The time, frequency and cost of assessing risk B. The scope and severity of new risk discovered C. The collective potential impact of defined risk D. The percentage of incidents from unknown risk

D is the correct answer. Justification: A. Toe time and cost of performing a risk assessment is not an indicator of its effectiveness in discover. new risk. B. Toe scope and severity of new risk discovered is a useful indicator, but it is not as good a measure of effectiveness as the risk that is not uncovered and leads to a security incident. C. Toe potential impact of defined risk is a secondary measure that may be useful in determining the extent remedial actions to consider. D. Incidents that result from unidentified risk are the best indicators of how well the risk assessment served to discover risk, thereby indicating effectiveness.

69. Which of the following would present the GREATEST risk to information security? A. Virus signature files updates are applied to all servers every day. B. Security access logs are reviewed within five business days. C. Critical patches are applied within 24 hours of their release. D. Security incidents are investigated within five business days.

D is the correct answer. Justification: A. Virus signature files updated every day do not pose a great risk. B. Reviewing security access logs within five days is not the greatest risk. C. Patches applied within 24 hours is not a significant risk. D. Waiting to investigate security incidents can pose a major risk.

131. Vulnerabilities discovered during an assessment should be: A. handled as a risk, even though there is no threat. B. prioritized for remediation solely based on impact. C. a basis for analyzing the effectiveness of controls. D. evaluated for threat, impact and cost of mitigation.

D is the correct answer. Justification: A. Vulnerabilities may not be exposed to potential threats. Also, there may be no threat or possibly little or no impact even if they are exploited. While threats are always evolving, without additional information, the appropriate treatment cannot be determined. B. Vulnerabilities should be prioritized for remediation based on probability of compromise (which is affected by the level of exposure), impact and cost of remediation. C. Vulnerabilities discovered will to some extent show whether existing controls are in place to address a potential risk but that does not indicate the control effectiveness. D. Vulnerabilities uncovered should be evaluated and prioritized based on whether there is a credible threat, the impact if the vulnerability is exploited, and the cost of mitigation. If there is a potential threat but little or no impact if the vulnerability is exploited, the risk is less and may not require controls to address it.

173. Which of the following BEST describes the outcome of effective risk management? A. Allows an enterprise to obtain a continuous overview of vulnerabilities B. Measures the feasibility of systems compromise and evaluates any related consequences C. Determines the gap between controls and controls objectives D. Reduces the incidence of significant adverse impact on an enterprise

D is the correct answer. Justification: A. Vulnerability management is a component of risk management. However, a risk management program that does not reduce significant adverse impacts is not effective. B. Penetration testing, which is a technique for vulnerability assessment, measures the feasibility of systems compromise and evaluates any related consequences. However, unless significant adverse impact to the enterprise is reduced, a risk management program is ineffective. C. Gap analysis determines the gap between controls and controls objectives. However, unless identified gaps are addressed in ways that result in reduced impact to the enterprise, the risk management program is ineffective. D. Effective risk management serves to reduce the incidence of significant adverse impacts on an enterprise either by addressing threats, mitigating exposure, or reducing vulnerability or impact.

124. The information security manager should treat regulatory compliance requirements as: A. an organizational mandate. B. a risk management priority. C. a purely operational issue. D. just another risk.

D is the correct answer. Justification: A. While it is generally preferable to be as compliant as reasonably possible, the extent and level of regulatory compliance is a management decision, not a mandate. B. All risk should be prioritized, and regulation may not be the highest priority. C. Regulatory compliance is not just an operational issue; it is primarily a management issue. D. Many regulations exist that must be considered. Priority should be given to those with the greatest Impact, just as other risk ls considered with priority given to feasibility, level of enforcement, possible sanctions and costs of compliance. CISM• Review Questions, Answers & Explanations Manual 10th Edition ISACA. All

63. A financial institution plans to allocate information security resources to each of its business divisions. What areas should security activities focus on? A. Areas where strict regulatory requirements apply B. Areas that require the shortest recovery time objective C. Areas that can maximize return on security investment D. Areas where threat likelihood and impact are greatest

D is the correct answer. Justification: A. While regulatory requirements may be a major consideration, there may be other areas of greater threat and impact to the enterprise. B. Watching the recovery time objective (RTO) requirement is very important from a business continuity perspective, but it only illustrates a part of the information security framework. Regulatory compliance may also touch upon RTO initiatives. C. It is difficult to set up a single formula so that the most profitable business line always has the most critical information security initiatives in the enterprise. D. Security activities should focus on the areas where threat, likelihood and impact are the greatest.

66. of the following, what does a network vulnerability assessment expect to identify? A. Zero-day vulnerabilities B. Malicious software and spyware C. Security design flaws D. Misconfiguration and missing updates

D is the correct answer. Justification: A. Zero-day vulnerabilities by definition are not previously known and, therefore, are undetectable. B. Malicious software and spyware are normally addressed through antivirus and antispyware are policies. C. Security design flaws require a deeper level of analysis. D. A network vulnerability assessment intends to identify known vulnerabilities based on common misconfigurations and missing updates.