CRISC FULL


Which of the following risk response options is MOST likely to increase the liability of the enterprise? A. Risk acceptance B. Risk reduction C. Risk transfer D. Risk avoidance

A

A PRIMARY reason for initiating a policy exception process is when: A. the risk is justified by the benefit. B. policy compliance is difficult to enforce. C. operations are too busy to comply. D. users may initially be inconvenienced.

A

A database administrator notices that the externally hosted, web-based corporate address book application requires users to authenticate, but that the traffic between the application and users is not encrypted. The MOST appropriate course of action is to: A. notify the business owner and the security manager of the discovery and propose an addition to the risk register. B. contact the application administrators and request that they enable encryption of the application's web traffic. C. alert all staff about the vulnerability and advise them not to log on from public networks. D. accept that current controls are suitable for nonsensitive business data.

A

A lack of adequate controls represents: A. a vulnerability. B. an impact. C. an asset. D. a threat.

A

A risk practitioner has become aware of a potential merger with another enterprise. What action should the risk practitioner take? A. Evaluate how the changes in the business operations and culture could affect the risk assessment. B. Monitor the situation to see if any new risk emerges due to the proposed changes. C. Continue to monitor and enforce the current risk program because it is already tailored appropriately for the enterprise. D. Implement changes to the risk program to prepare for the transition.

A

A risk response report includes recommendations for: A. acceptance. B. assessment. C. evaluation. D. quantification.

A

A third party is engaged to develop a business application. Which of the following BEST measures for the existence of back doors? A. Security code reviews for the entire application B. System monitoring for traffic on network ports C. Reverse engineering the application binaries D. Running the application from a high-privileged account on a test system

A

After a risk assessment study, a bank with global operations decided to continue doing business in certain regions of the world where identity theft is widespread. To MOST effectively deal with the risk, the business should: A. implement monitoring techniques to detect and react to potential fraud. B. make the customer liable for losses if the customer fails to follow the bank's advice. C. increase its customer awareness efforts in those regions. D. outsource credit card processing to a third party.

A

An enterprise has just completed an information systems audit and a large number of findings have been generated. This list of findings is BEST addressed by: A. a risk mitigation plan. B. a business impact analysis (BIA). C. an incident management plan. D. revisions to information security procedures.

A

An enterprise has learned of a security breach at another entity that utilizes similar technology. The MOST important action a risk practitioner should take is to: A. assess the likelihood of the incident occurring at the risk practitioner's enterprise. B. discontinue the use of the vulnerable technology. C. report to senior management that the enterprise is not affected. D. remind staff that no similar security breaches have taken place.

A

An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise? A. The data classification policy B. The acceptable use policy C. Encryption standards D. The access control policy

A

An operations manager assigns monitoring responsibility of key risk indicators (KRIs) to line staff. Which of the following is MOST effective in validating the effort? A. Reported results should be independently reviewed. B. Line staff should complete risk management training. C. The threshold should be determined by risk management. D. Indicators should have benefits that exceed their costs.

A

Assuming that the CIO is unable to address all of the findings, how should the CIO deal with any findings that remain after available funds have been spent? A. Create a plan of actions and milestones for open vulnerabilities. B. Shut down the information systems with the open vulnerabilities. C. Reject the risk on the open vulnerabilities. D. Implement compensating controls on the systems with open vulnerabilities.

A

Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as: A. quantitative risk analysis. B. risk scenario analysis. C. qualitative risk analysis. D. probabilistic risk assessment.

A

Due to changes in the IT environment, the disaster recovery plan of a large enterprise has been modified. What is the GREATEST benefit of testing the new plan? A. To ensure that the plan is complete B. To ensure that the team is trained C. To ensure that all assets have been identified D. To ensure that the risk assessment was validated

A

During a risk management exercise, an analysis was conducted on the identified risk and mitigations were identified. Which choice BEST reflects residual risk? A. Risk left after the implementation of new or enhanced controls B. Risk mitigated as a result of the implementation of new or enhanced controls C. Risk identified prior to implementation of new or enhanced controls D. Risk classified as high after the implementation of new or enhanced controls

A

During an organizational risk assessment it is noted that many corporate IT standards have not been updated. The BEST course of action is to: A. review the standards against current requirements and make a determination of adequacy. B. determine that the standards should be updated annually. C. report that IT standards are adequate and do not need to be updated. D. review the IT policy document and see how frequently IT standards should be updated.

A

During the initial phase of the system development life cycle (SDLC), the risk professional provided input on how to secure the proposed system. The project team prepared a list of requirements that will be used to design the system. Which of the following tasks MUST be performed before moving on to the system design phase? A. The risk associated with the proposed system and controls is accepted by management. B. Various test scenarios that will be used to test the controls are documented. C. The project budget is increased to include additional costs for security. D. Equipment and software are procured to meet the security requirements.

A

How can an enterprise determine the aggregated risk from several sources? A. Through a security information and event management (SIEM) system B. Through a fault tree analysis C. Through a failure modes and effects analysis D. Through a business impact analysis (BIA)

A

How often should risk be evaluated? A. Annually or when there is a significant change B. Once a year for each business process and subprocess C. Every three to six months for critical business processes D. Only after significant changes occur

A

The aggregated results of continuous monitoring activities are BEST communicated to: A. the risk owner. B. technical staff. C. the audit department. D. the information security manager.

A

In a large enterprise, system administrators may release critical patches into production without testing. Which of the following would BEST mitigate the risk of interoperability issues? A. Ensure that a reliable system rollback plan is in place. B. Test the patch on the least critical systems first. C. Only allow updates to occur after hours. D. Ensure that patches are approved by the chief information security officer (CISO).

A

In which phase of the system development life cycle (SDLC) should the process to amend the deliverables be defined to prevent the risk of scope creep? A. Feasibility B. Development C. User acceptance D. Design

A

Information security procedures should: A. be updated frequently as new software is released. B. underline the importance of security governance. C. define the allowable limits of behavior. D. describe security baselines for each platform.

A

Information that is no longer required to support the main purpose of the business from an information security perspective should be: A. analyzed under the retention policy. B. protected under the information classification policy. C. analyzed under the backup policy. D. protected under the business impact analysis (BIA).

A

It is MOST important for a risk evaluation to: A. take into account the potential size and likelihood of a loss. B. consider inherent and control risk. C. include a benchmark of similar companies in its scope. D. assume an equal degree of protection for all assets.

A

It is MOST important that risk appetite be aligned with business objectives to ensure that: A. resources are directed toward areas of low risk tolerance. B. major risk is identified and eliminated. C. IT and business goals are aligned. D. the risk strategy is adequately communicated.

A

Management wants to ensure that IT is successful in delivering against business requirements. Which of the following BEST supports that effort? A. An internal control system or framework B. A cost-benefit analysis C. A return on investment (ROI) analysis D. A benchmark process

A

One way to determine control effectiveness is by determining: A. the test results of intended objectives. B. whether it is preventive, detective or compensatory. C. the capability of providing notification of failure. D. the evaluation and analysis of reliability.

A

Previously accepted risk should be: A. reassessed periodically because the risk can be escalated to an unacceptable level due to revised conditions. B. removed from the risk log once it is accepted. C. accepted permanently because management has already spent resources (time and labor) to conclude that the risk level is acceptable. D. avoided next time because risk avoidance provides the best protection to the enterprise.

A

Risk management strategic plans are MOST effective when developed for: A. the enterprise as a whole. B. each individual system based on technology utilized. C. every location based on geographic threats. D. end-to-end business processes.

A

The risk action plan MUST include an appropriate resolution, a date for completion and: A. responsible personnel. B. mitigating factors. C. likelihood of occurrence. D. cost of completion.

A

Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A. analyze what systems and technology-related processes may be impacted. B. ensure necessary adjustments are implemented during the next review cycle. C. initiate an ad hoc revision of the corporate policy. D. notify the system custodian to implement changes.

A

Testing the compliance of a response and recovery plan should begin with conducting a: A. tabletop exercise. B. review of archived logs. C. penetration test. D. business impact analysis (BIA).

A

The MOST important objective of regularly testing information system controls is to: A. identify design flaws, failures and redundancies. B. provide the necessary evidence to support management assertions. C. assess the control risk and formulate an opinion on the level of reliability. D. evaluate the need for a risk assessment and indicate the corrective action(s) to be taken, where applicable.

A

The PRIMARY advantage of creating and maintaining a risk register is to: A. ensure that an inventory of potential risk is maintained. B. record all risk scenarios considered during the risk identification process. C. collect similar data on all risk identified within the organization. D. run reports based on various risk scenarios.

A

The PRIMARY focus of managing IT-related business risk is to protect: A. information. B. hardware. C. applications. D. databases.

A

The PRIMARY reason for developing an enterprise security architecture is to: A. align security strategies between the functional areas of an enterprise and external entities. B. build a barrier between the IT systems of an enterprise and the outside world. C. help with understanding of the enterprise's technologies and the interactions between them. D. protect the enterprise from external threats and proactively monitor the corporate network.

A

The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures. Which of the following should the CIO create FIRST? A. The strategic IT plan B. The data classification scheme C. The information architecture document D. The technology infrastructure plan

A

The cost of mitigating a risk should not exceed the: A. expected benefit to be derived. B. annual loss expectancy (ALE). C. value of the physical asset. D. cost to exploit the weakness.

A
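The two items above (deriving likelihood and impact statistically, and capping mitigation cost at the expected benefit) are the core of quantitative risk analysis: single loss expectancy (SLE) = asset value × exposure factor, annual loss expectancy (ALE) = SLE × annualized rate of occurrence (ARO), and a control is worth buying only while the ALE it removes exceeds what it costs per year. The following is an added worked example, not part of the original question bank; the scenario names, asset values, exposure factors, rates and control costs are all constructed for illustration.

```python
"""Quantitative risk analysis: ALE and control cost-benefit.

Added example with constructed figures; not from the CRISC question bank.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float       # replacement cost of the asset (currency units)
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    aro: float               # annualized rate of occurrence (incidents / year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: expected loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year."""
        return self.sle * self.aro


def control_value(before: RiskScenario, after: RiskScenario,
                  annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus its annual cost.

    Positive means the control pays for itself; negative means the cost of
    mitigating exceeds the expected benefit and the control is not justified.
    """
    return before.ale - after.ale - annual_control_cost


def rank_controls(before: RiskScenario, options):
    """options: iterable of (control_name, scenario_after, annual_cost).

    Returns [(control_name, net_value)] for controls whose ALE reduction covers
    their cost, best first. Controls whose cost exceeds the benefit are dropped.
    """
    ranked = [(name, control_value(before, after, cost))
              for name, after, cost in options]
    return sorted((r for r in ranked if r[1] >= 0),
                  key=lambda r: r[1], reverse=True)


# Constructed scenario: a file server whose replacement cost is 40,000.
# An outage is expected to destroy half its value once every four years.
FILE_SERVER = RiskScenario("file server loss", asset_value=40_000,
                           exposure_factor=0.5, aro=0.25)

# Constructed control options (hypothetical names and costs).
CONTROL_OPTIONS = [
    # offsite backups cut the fraction lost per incident from 50% to 12.5%
    ("offsite backups", RiskScenario("file server loss", 40_000, 0.125, 0.25), 2_000),
    # hot standby halves the loss but costs more than it saves
    ("hot standby", RiskScenario("file server loss", 40_000, 0.25, 0.25), 4_000),
    # hardware refresh halves the frequency of failures
    ("hardware refresh", RiskScenario("file server loss", 40_000, 0.5, 0.125), 1_000),
]


if __name__ == "__main__":
    print(f"SLE={FILE_SERVER.sle:,.0f}  ALE={FILE_SERVER.ale:,.0f}")
    for name, value in rank_controls(FILE_SERVER, CONTROL_OPTIONS):
        print(f"{name}: net annual value {value:,.0f}")
```

With these figures the inherent ALE is 5,000 per year; offsite backups and the hardware refresh are justified (net values 1,750 and 1,500), while the hot standby costs 4,000 to remove 2,500 of expected loss and is rejected. The exposure factor and ARO are where statistical input belongs: replace the constructed constants with values derived from incident history or vendor failure data before using the output for a real decision.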

The likelihood of an attack being launched against an enterprise is MOST dependent on: A. the skill and motivation of the potential attacker. B. the frequency that monitoring systems are reviewed. C. the ability to respond quickly to any incident. D. the effectiveness of the controls.

A

The sales manager of a home improvement enterprise wants to expand the services available on the enterprise's web page to include sending free promotional samples of their products to prospective clients. What is the GREATEST concern the risk professional would have? A. Are there any data privacy concerns about storing client data? B. Are there any concerns about protecting credit card or payment data? C. Can the system be misused by a person to obtain multiple samples? D. Will the web site be able to handle the expected volume of traffic?

A

There is an increase in help desk call levels because the vendor hosting the human resources (HR) self-service portal has reduced the password expiration from 90 to 30 days. The corporate password policy requires password expiration after 60 days and HR is unaware of the change. The risk practitioner should FIRST: A. formally investigate the cause of the unauthorized change. B. request the service provider reverse the password expiration period to 90 days. C. initiate a request to strengthen the corporate password expiration requirement to 30 days. D. notify employees of the change in password expiration period.

A

What do different risk scenarios on the same bands/curve on a risk map indicate? A. All risk scenarios on the same curve of a risk map have the same level of risk. B. All risk scenarios on the same curve of a risk map have the same magnitude of impact. C. All risk scenarios on the same curve of a risk map require the same risk response. D. All risk scenarios on the same curve of a risk map are of the same type.

A

What is the BEST approach to determine whether existing security control management meets the organizational needs? A. Perform a process maturity assessment. B. Perform a control self-assessment (CSA). C. Review security logs for trends or issues. D. Compare current and historical security test results.

A

What is the BEST risk response for risk scenarios where the likelihood is low and financial impact is high? A. Transfer the risk to a third party. B. Accept the high cost of protection. C. Implement detective controls. D. Implement compensating controls.

A

Which of the following criteria is MOST essential for the effectiveness of operational metrics? A. Relevance to the recipient B. Timeliness of the reporting C. Accuracy of the measurement D. Cost of obtaining the metrics

A

What is the MAIN objective of risk identification? A. To detect possible threats that may affect the business B. To ensure that risk factors and root causes are managed C. To enable the review of the key performance indicators (KPIs) D. To provide qualitative impact values to stakeholders

A

What is the purpose of system accreditation? A. To ensure that risk associated with implementation has been identified and explicitly accepted by a senior manager B. To review all technical and nontechnical controls to ensure that the security risk has been reduced to acceptable levels C. To ensure that changes to the security controls are properly authorized, tested and documented D. To require the training and certification of staff that will be responsible for working on a system

A

When performing a risk assessment on the impact of losing a server, calculating the monetary value of the server should be based on the: A. cost to obtain a replacement. B. annual loss expectancy (ALE). C. cost of the software stored. D. original cost to acquire.

A

When the key risk indicator (KRI) for the IT change management process reaches its threshold, a risk practitioner should FIRST report this to the: A. business owner. B. chief information security officer (CISO). C. help desk. D. incident response team.

A

When would a risk professional ideally perform a complete enterprisewide threat analysis? A. On a yearly basis B. When malware is detected C. When regulatory requirements change D. Following a security incident

A

Which of the following activities should a risk professional perform to determine whether firewall deployments are deviating from the enterprise's information security policy? A. Review the firewall parameter settings. B. Review the firewall intrusion prevention system (IPS) logs. C. Review the firewall hardening procedures. D. Analyze the firewall log file for recent attacks.

A

Which of the following BEST assists a risk practitioner in measuring the existing level of development of risk management processes against their desired state? A. A capability maturity model (CMM) B. Risk management audit reports C. A balanced scorecard (BSC) D. Enterprise security architecture

A

Which of the following BEST describes the information needed for each risk on a risk register? A. Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner B. Various risk scenarios with their date, description, risk score, cost to remediate, communication plan and owner C. Various risk scenarios with their date, description, impact, cost to remediate and owner D. Various activities leading to risk management planning

A

Which of the following BEST ensures that identified risk is kept at an acceptable level? A. Reviewing of the controls periodically, according to the risk action plan B. Listing each risk as a separate entry in the risk register C. Creating a separate risk register for every department D. Maintaining a key risk indicator (KRI) for assets in the risk register

A

Which of the following BEST ensures that information systems control deficiencies are appropriately remediated? A. A risk mitigation plan B. Risk reassessment C. Control risk reevaluation D. Countermeasure analysis

A

Which of the following BEST helps identify information systems control deficiencies? A. Gap analysis B. The current IT risk profile C. The IT controls framework D. Countermeasure analysis

A

Which of the following BEST helps to respond to risk in a cost-effective manner? A. Prioritizing and addressing risk according to the risk management strategy B. Mitigating risk on the basis of risk likelihood and magnitude of impact C. Performing countermeasure analysis for each of the controls deployed D. Selecting controls that are at zero or near-zero costs

A

Which of the following BEST identifies changes in an enterprise's risk profile? A. The risk register B. Risk classification C. Changes in risk indicator thresholds D. Updates to the control inventory

A

Which of the following BEST identifies controls addressing risk related to cloud computing? A. Data encryption, tenant isolation, controlled change management B. Data encryption, customizing the application template, creating and importing custom widgets C. Selecting an open standards-based technology, data encryption, tenant isolation D. Tenant isolation, controlled change management, creating and importing custom widgets

A

Which of the following BEST improves decision making related to risk? A. Maintaining a documented risk register of all possible risk B. Risk awareness training in line with the risk culture C. Maintaining updated security policies and procedures D. Allocating accountability of risk to the department as a whole

A

Which of the following BEST mitigates control risk? A. Continuous monitoring B. An effective security awareness program C. Effective change management procedures D. Senior management support for control implementation

A

Which of the following BEST protects the confidentiality of data being transmitted over a network? A. Data are encapsulated in data packets with authentication headers. B. A digital hash is appended to all messages sent over the network. C. Network devices are hardened in compliance with corporate standards. D. Fiber-optic cables are used instead of copper cables.

A

Which of the following MUST be included when developing metrics to identify and monitor the control life cycle? A. Thresholds that identify when controls no longer provide the intended value B. Customized reports of the metrics for key stakeholders C. A description of the methods and practices used to develop the metrics D. Identification of a repository where metrics will be maintained and stored

A

Which of the following approaches is the BEST approach to exception management? A. Escalation processes are defined. B. Process deviations are not allowed. C. Decisions are based on business impact. D. Senior management judgment is required.

A

Which of the following causes the GREATEST concern to a risk practitioner reviewing a corporate information security policy that is out of date? The policy: A. was not reviewed within the last three years. B. is missing newer technologies/platforms. C. was not updated to account for new locations. D. does not enforce control monitoring.

A

Which of the following choices will BEST protect the enterprise from financial risk? A. Insuring against the risk B. Updating the IT risk registry C. Improving staff training in the risk area D. Outsourcing the process to a third party

A

Which of the following combinations of factors helps quantify risk? A. Probability and consequence B. Impact and threat C. Threat and exposure D. Sensitivity and exposure

A

Which of the following combinations of factors is the MOST important consideration when prioritizing the development of controls and countermeasures? A. Likelihood and impact B. Impact and exposure C. Criticality and sensitivity D. Value and classification

A

Which of the following examples of risk should be addressed during application design? A. A lack of skilled resources B. The risk of migration to a new system C. Incomplete technical specifications D. Third-party supplier risk

A

Which of the following factors determines the acceptable level of residual risk in an enterprise? A. Management discretion B. Regulatory requirements C. Risk assessment results D. Internal audit findings

A

Which of the following groups would be the MOST effective in managing and executing an organization's risk program? A. Midlevel management B. Senior management C. Frontline employees D. The incident response team

A

Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of: A. potential threats to assets. B. residual risk on individual assets. C. accepted risk. D. security incidents.

A

Which of the following information systems controls is the BEST way to detect malware? A. Reviewing changes to file size B. Reviewing administrative-level changes C. Reviewing audit logs D. Reviewing incident logs

A

Which of the following is BEST performed for business continuity management to meet external stakeholder expectations? A. Prioritize applications based on business criticality. B. Ensure that backup data are available to be restored. C. Disclose the crisis management strategy statement. D. Obtain risk assessment by an independent party.

A

Which of the following is MOST essential for a risk management program to be effective? A. New risk detection B. A sound risk baseline C. Accurate risk reporting D. A flexible security budget

A

Which of the following is MOST important for effective risk management? A. Assignment of risk owners to identified risk B. Ensuring compliance with regulatory requirements C. Integration of risk management into operational processes D. Implementation of a risk avoidance strategy

A

Which of the following is MOST important when selecting an appropriate risk management methodology? A. Risk culture B. Countermeasure analysis C. Cost-benefit analysis D. Risk transfer strategy

A

Which of the following is the BEST indicator of high maturity of an enterprise's IT risk management process? A. People have appropriate awareness of risk and are comfortable talking about it. B. Top management is prepared to invest more money in IT security. C. Risk assessment is encouraged in all areas of IT and business management. D. Business and IT are aligned in risk assessment and risk ranking.

A

Which of the following is the BEST option to ensure that corrective actions are taken after a risk assessment is performed? A. Conduct a follow-up review. B. Interview staff member(s) responsible for implementing the corrective action. C. Ensure that an organizational executive documents that the corrective action was taken. D. Run a monthly report and verify that the corrective action was taken.

A

Which of the following is the BEST risk identification technique for an enterprise that allows employees to identify risk anonymously? A. The Delphi technique B. Isolated pilot groups C. A strengths, weaknesses, opportunities and threats (SWOT) analysis D. A root cause analysis

A

Which of the following is the BEST way to verify that critical production servers are utilizing up-to-date antivirus signature files? A. Check a sample of servers. B. Verify the date that signature files were last pushed out. C. Use a recently identified benign virus to test whether it is quarantined. D. Research the most recent signature file, and compare it to the console.

A

Which of the following is the BIGGEST concern for a chief information security officer (CISO) regarding interconnections with systems outside of the enterprise? A. Requirements to comply with each other's contractual security requirements B. Uncertainty that the other system will be available as needed C. The ability to perform risk assessments on the other system D. Ensuring that communication between the two systems is encrypted through a virtual private network (VPN) tunnel

A

Which of the following is the GREATEST benefit of a risk-aware culture? A. Issues are escalated when suspicious activity is noticed. B. Controls are double-checked to anticipate any issues. C. Individuals communicate with peers for knowledge sharing. D. Employees are self-motivated to learn about costs and benefits.

A

Which of the following is the MOST desirable strategy when developing risk mitigation options associated with the unavailability of IT services due to a natural disaster? A. Assume the worst-case incident scenarios. B. Target low-cost locations for alternate sites. C. Develop awareness focused on natural disasters. D. Enact multiple tiers of authority delegation.

A

Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the risk of a social engineering attack B. Training personnel in security incident response C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance

A

Which of the following is the PRIMARY objective of a risk management program? A. Maintain residual risk at an acceptable level B. Implement preventive controls for every threat C. Remove all inherent risk D. Reduce inherent risk to zero

A

Which of the following metrics is the MOST useful in measuring the monitoring of violation logs? A. Penetration attempts investigated B. Violation log reports produced C. Violation log entries D. Frequency of corrective actions taken

A

Which of the following provides the BEST view of risk management? A. An interdisciplinary team B. A third-party risk assessment service provider C. The enterprise's IT department D. The enterprise's internal compliance department

A

Which of the following provides the MOST valuable input to incident response efforts? A. Qualitative analysis of threats B. The annual loss expectancy (ALE) total C. A vulnerability assessment D. Penetration testing

A

Which of the following reviews will provide the MOST insight into an enterprise's risk management capabilities? A. A capability maturity model (CMM) review B. A capability comparison with industry standards or regulations C. A self-assessment of capabilities D. An internal audit review of capabilities

A

Which of the following should be in place before a black box penetration test begins? A. A clearly stated definition of scope B. Previous test results C. Proper communication and awareness training D. An incident response plan

A

Which of the following tools aids management in determining whether a project should continue based on scope, schedule and cost? Analysis of: A. earned value management. B. the function point. C. the Gantt chart. D. the program evaluation and review technique (PERT).

A

Which of the following vulnerabilities is the MOST serious and allows attackers access to data through a web application? A. Validation checks are missing in data input fields. B. Password rules do not enforce sufficient complexity. C. Application transaction log management is weak. D. The application and database share a single access ID.

A
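Missing input validation is rated the most serious of the four because it turns user-supplied text into part of a query, which is what lets an attacker read data the application never meant to return. The following is an added example, not part of the original question bank: a profile lookup built by string concatenation beside the same lookup using an allowlist check and a parameterized query. It uses Python's built-in sqlite3 module with an in-memory database and constructed sample rows, so it runs offline; the table layout and the function names are assumptions for illustration.

```python
"""SQL injection through an unvalidated input field, and the fix.

Added example with a constructed in-memory database; not from the CRISC
question bank. Requires only the Python standard library.
"""
import re
import sqlite3

# Constructed sample data: three users with (fake) password hashes.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "hash-a1"),
    ("bob", "bob@example.invalid", "hash-b2"),
    ("carol", "carol@example.invalid", "hash-c3"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    conn.commit()
    return conn


def lookup_profile_vulnerable(conn: sqlite3.Connection, username: str):
    """Vulnerable: the input field is pasted straight into the SQL text.

    Whatever the caller types becomes SQL, so a quote in the input ends the
    string literal and the rest of the input is executed as query syntax.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def is_valid_username(username: str) -> bool:
    """Allowlist validation: only letters, digits and underscore, 1..32 chars."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


def lookup_profile_safe(conn: sqlite3.Connection, username: str):
    """Hardened: validate the field, then bind it as a parameter.

    Rejected input never reaches the database. Accepted input is passed as a
    bound value, so it is compared as data and can never change the query.
    """
    if not is_valid_username(username):
        return []
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs typed into the "username" field.
PAYLOAD_ALL_ROWS = "x' OR '1'='1"
PAYLOAD_DUMP_HASHES = "x' UNION SELECT username, password_hash FROM users--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", lookup_profile_vulnerable(db, PAYLOAD_ALL_ROWS))
    print("vulnerable, UNION     :", lookup_profile_vulnerable(db, PAYLOAD_DUMP_HASHES))
    print("safe, tautology       :", lookup_profile_safe(db, PAYLOAD_ALL_ROWS))
    print("safe, normal lookup   :", lookup_profile_safe(db, "alice"))
```

The tautology payload makes the vulnerable function return every user, and the UNION payload returns the password hashes in the email column, which is the "access to data" the question refers to. The hardened version applies both defences the question's wording implies: an allowlist check on the input field and parameter binding, so even an input that passes validation cannot alter the query's structure. Validation alone is not sufficient in general (a legitimate field such as a free-text comment cannot be restricted to `[A-Za-z0-9_]`), which is why the parameterized query is the primary control and the allowlist is defence in depth.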

Which of the following would PRIMARILY help an enterprise select and prioritize risk responses? A. A cost-benefit analysis of available risk mitigation options B. The level of acceptable risk per risk appetite C. The potential to transfer or eliminate the risk D. The number of controls necessary to reduce the risk

A

Which of the following practices BEST mitigates the risk associated with outsourcing a business function? A. Performing audits to verify compliance with contract requirements B. Requiring all vendor staff to attend annual awareness training sessions C. Retaining copies of all sensitive data on internal systems D. Reviewing the financial records of the vendor to verify financial soundness

A

Which type of cost incurred is used when leveraging existing network cabling for an IT project? A. Indirect cost B. Infrastructure cost C. Project cost D. Maintenance cost

A

A business impact analysis (BIA) is PRIMARILY used to: A. estimate the resources required to resume and return to normal operations after a disruption. B. evaluate the impact of a disruption to an enterprise's ability to operate over time. C. calculate the likelihood and impact of known threats on specific functions. D. evaluate high-level business requirements.

B

A chief information security officer (CISO) has recommended several controls such as anti-malware to protect the enterprise's information systems. Which approach to handling risk is the CISO recommending? A. Risk transference B. Risk mitigation C. Risk acceptance D. Risk avoidance

B

A procurement employee notices that new printer models offered by the vendor keep a copy of all printed documents on a built-in hard disk. Considering the risk of unintentionally disclosing confidential data, the employee should: A. proceed with the order and configure printers to automatically wipe all the data on disks after each print job. B. notify the security manager to conduct a risk assessment for the new equipment. C. seek another vendor that offers printers without built-in hard disk drives. D. procure printers with built-in hard disks and notify staff to wipe hard disks when decommissioning the printer.

B

A review of an enterprise's IT projects finds that projects frequently go over time or budget by nearly 10 percent. On review, management advises the risk practitioner that a deviation of 15 percent is acceptable. This is an example of: A. risk avoidance. B. risk tolerance. C. risk acceptance. D. risk mitigation.

B

A risk assessment indicates a risk to the enterprise that exceeds the risk acceptance level set by senior management. What is the BEST way to address this risk? A. Ensure that the risk is quickly brought within acceptable limits, regardless of cost. B. Recommend mitigating controls if the cost and/or benefit would justify the controls. C. Recommend that senior management revise the risk acceptance level. D. Ensure that risk calculations are performed to revalidate the controls.

B

A small start-up software development company has been flooded and the insurance does not pay out because the premium has lapsed. In relation to risk management, the lapsed premium is considered a: A. risk. B. vulnerability. C. threat. D. negligence.

B

A substantive test to verify that tape library inventory records are accurate is: A. determining whether bar code readers are installed. B. conducting a physical count of the tape inventory. C. checking whether receipts and issues of tapes are accurately recorded. D. determining whether the movement of tapes is authorized.

B

An enterprise has outsourced personnel data processing to a supplier, and a regulatory violation occurs during processing. Who will be held legally responsible? A. The supplier, because it has the operational responsibility B. The enterprise, because it owns the data C. The enterprise and the supplier D. The supplier, because it did not comply with the contract

B

An enterprise has recently implemented a corporate bring your own device (BYOD) policy to reduce the risk of data leakage. Which of the following approaches MOST enables the policy to be effective? A. Obtaining signed acceptance from users on the BYOD policy B. Educating users on acceptable and unacceptable practices C. Requiring users to read the BYOD policy and any future updates D. Clearly stating disciplinary action for noncompliance

B

An enterprise is applying controls to protect its product price list from being exposed to unauthorized staff. These internal controls will include: A. identification and authentication. B. authentication and authorization. C. segregation of duties (SoD) and authorization. D. availability and confidentiality.

B

An enterprise is expanding into new nearby domestic locations (office park). Which of the following is MOST important for a risk practitioner to report on? A. Competitor analysis B. Legal and regulatory requirements C. Political issues D. The potential of natural disasters

B

An enterprise security policy is an example of which control? A. Operational control B. Management control C. Technical control D. Corrective control

B

An excessive number of standard workstation images can be categorized as a key risk indicator (KRI) for: A. change management. B. configuration management. C. IT operations management. D. data management.

B

Business continuity plans (BCPs) should be written and maintained by: A. the information security and information technology functions. B. representatives from all functional units. C. the risk management function. D. executive management.

B

During a risk assessment of a start-up company with a bring your own device (BYOD) practice, a risk practitioner notes that the database administrator (DBA) minimizes a social media web site on his/her personal device before running a query of credit card account numbers on a third-party cloud application. The risk practitioner should recommend that the enterprise: A. develop and deploy an acceptable use policy for BYOD. B. place a virtualized desktop on each mobile device. C. blacklist social media web sites for devices inside the demilitarized zone (DMZ). D. provide the DBA with user awareness training.

B

Faced with numerous risks, the prioritization of treatment options will be MOST effective when based on: A. the existence of identified threats and vulnerabilities. B. the likelihood of compromise and subsequent impact. C. the results of vulnerability scans and exposure. D. the exposure of corporate assets and operational risk.

B

How does an enterprise BEST ensure that developers do not have access to implement changes to production applications? A. The enterprise must ensure that development staff does not have access to executable code. B. The enterprise must have segregation of duties between application development and operations. C. The enterprise system development life cycle (SDLC) must be enforced to require segregation of duties. D. The enterprise's change management process must be enforced for all but emergency changes.

B

IT risk is measured by its: A. level of damage to IT systems. B. impact on business operations. C. cost of countermeasures. D. annual loss expectancy (ALE).

B

Implementing continuous monitoring controls is the BEST option when: A. legislation requires strong information security controls. B. incidents may have a high impact and frequency. C. incidents may have a high impact, but low frequency. D. e-commerce is a primary business driver.

B

In a situation where the cost of anti-malware exceeds the loss expectancy of malware threats, what is the MOST viable risk response? A. Risk elimination B. Risk acceptance C. Risk transfer D. Risk mitigation

B

In the risk management process, a cost-benefit analysis is MAINLY performed: A. as part of an initial risk assessment. B. as part of risk response planning. C. during an information asset valuation. D. when insurance is calculated for risk transfer

B

Once a risk assessment has been completed, the documented test results should be: A. destroyed. B. retained. C. summarized. D. published.

B

Risk response should focus on which of the following? A. Destruction of obsolete computer equipment B. Theft of a smart phone from an office C. Sanitization and reuse of a flash drive D. Employee deletion of a file

B

Strong authentication is: A. an authentication technique formally approved by a standardization organization. B. the simultaneous use of several authentication techniques, e.g., password and badge. C. an authentication system that makes use of cryptography. D. an authentication system that uses biometric data to identify a person, e.g., a fingerprint

B

The BEST way to ensure that an information systems control is appropriate and effective is to verify: A. that the control is operating as designed. B. that the risk associated with the control is being mitigated. C. that the control has not been bypassed. D. the frequency at which the control logs are reviewed

B

The CIO should respond to the findings identified in the IT security audit report by mitigating: A. the most critical findings on both the business-critical and nonbusiness-critical systems. B. all vulnerabilities on business-critical information systems first. C. the findings that are the least expensive to mitigate first to save funds. D. the findings that are the most expensive to mitigate first and leave all others until more funds become available.

B

The GREATEST advantage of performing a business impact analysis (BIA) is that it: A. does not have to be updated because the impact will not change. B. promotes continuity awareness in the enterprise. C. can be performed using only qualitative estimates. D. eliminates the need to perform a risk analysis.

B

The GREATEST risk to token administration is: A. the ability to easily tamper with or steal a token. B. the loss of network connectivity to the authentication system. C. the inability to secure unassigned tokens. D. the ability to generate temporary codes to log in without a token

B

The IT department wants to use a server for an enterprise database, but the server hardware is not certified by the operating system (OS) or the database vendor. A risk practitioner determines that the use of the database presents: A. a minimal level of risk. B. an unknown level of risk. C. a medium level of risk. D. a high level of risk.

B

The MOST important reason for reporting control effectiveness as part of risk reporting is that it: A. enables audit reporting. B. affects the risk profile. C. requires mitigation. D. helps manage the control life cycle.

B

The PRIMARY benefit of using a maturity model to assess the enterprise's data management process is that it: A. can be used for benchmarking. B. helps identify gaps. C. provides goals and objectives. D. enforces continuous improvement.

B

The PRIMARY goal of a postincident review is to: A. gather evidence for subsequent legal action. B. identify ways to improve the response process. C. identify individuals who failed to take appropriate action. D. make a determination as to the identity of the attacker

B

The PRIMARY result of a risk management process is: A. a defined business plan. B. input for risk-aware decisions. C. data classification. D. minimized residual risk.

B

The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all of the IT decisions for the enterprise, including those related to the technology budget. Which type of IT organizational structure does the enterprise have? A. Project-based B. Centralized C. Decentralized D. Divisional

B

The board of directors wants to know the financial impact of specific, individual risk scenarios. What type of approach is BEST suited to fulfill this requirement? A. Delphi method B. Quantitative analysis C. Qualitative analysis D. Financial risk modeling

B

The goal of IT risk analysis is to: A. enable the alignment of IT risk management with enterprise risk management (ERM). B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets

B

What indicates that an enterprise's risk practices need to be reviewed? A. The IT department has its own methodology of risk management. B. Manufacturing assigns its own internal risk management roles. C. The finance department finds exceptions during its yearly risk review. D. Sales department risk management procedures were last reviewed 11 months ago.

B

What is the MOST essential attribute of an effective key risk indicator (KRI)? A. The KRI is accurate and reliable. B. The KRI is predictive of a risk event. C. The KRI provides quantitative metrics. D. The KRI indicates required action

B

What is the MOST important criterion when reviewing information security controls? A. To provide assurance to management of control monitoring B. To ensure that the controls are effectively addressing risk C. To review the impact of the controls on business operations and performance D. To establish a baseline as a benchmark for future tests

B

What is the MOST important factor in the success of an ongoing information security monitoring program? A. Logs that capture all network and application traffic for later analysis B. Staff who are qualified and trained to execute their responsibilities C. System components all have up-to-date patches D. A security incident and event management (SIEM) system is in place

B

What is the PRIMARY reason for reporting significant changes in information risk to senior management? A. To revise the key risk indicators (KRIs) B. To enable educated decision making C. To gain support for new countermeasures D. To recalculate the value of existing information assets

B

When developing IT-related risk scenarios with a top-down approach, it is MOST important to identify the: A. information system environment. B. business objectives. C. hypothetical risk scenarios. D. external risk scenarios.

B

When proposing the implementation of a specific risk mitigation activity, a risk practitioner PRIMARILY utilizes a: A. technical evaluation report. B. business case. C. vulnerability assessment report. D. budgetary requirements.

B

When requesting information for an e-discovery, an enterprise learned that their email cloud provider was never contracted to back up the messages even though the company's email retention policy explicitly states that all emails are to be saved for three years. Which of the following would have BEST safeguarded the company from this outcome? A. Providing the contractor with the record retention policy up front B. Validating the company policies to the provider's contract C. Providing the contractor with the email retention policy up front D. Backing up the data on the company's internal network nightly

B

When would an enterprise project management department PRIMARILY use risk analysis? A. During preparation for natural disasters B. During go/no go decisions C. During workplace safety training development D. During regulation bulletin reviews

B

Where are key risk indicators (KRIs) MOST likely identified when initiating risk management across a range of projects? A. Risk governance B. Risk response C. Risk analysis D. Risk monitoring

B

Which of the following BEST describes the risk-related roles and responsibilities of an organizational business unit (BU)? The BU management team: A. owns the mitigation plan for the risk belonging to their BU, while board members are responsible for identifying and assessing risk as well as reporting on that risk to the appropriate support functions. B. owns the risk and is responsible for identifying, assessing and mitigating risk as well as reporting on that risk to the appropriate support functions and the board of directors. C. carries out the respective risk-related responsibilities, but ultimate accountability for the day-to-day work of risk management and goal achievement belongs to the board members. D. is ultimately accountable for the day-to-day work of risk management and goal achievement, and board members own the risk

B

Which of the following is used to determine whether unauthorized modifications were made to production programs? A. An analytical review B. Compliance testing C. A system log analysis D. A forensic analysis

B

Which of the following BEST describes the role of management in implementing a risk management strategy? A. Ensure that the planning, budgeting and performance of information security components are appropriate. B. Assess and incorporate the results of the risk management activity into the decision-making process. C. Identify, evaluate and minimize risk to IT systems that support the mission of the organization. D. Understand the risk management process so that appropriate training materials and programs can be developed.

B

Which of the following BEST helps the risk practitioner identify IS control deficiencies? A. An IT control framework B. Defined control objectives C. A countermeasure analysis D. A threat analysis

B

Which of the following MOST enables risk-aware business decisions? A. Robust information security policies B. An exchange of accurate and timely information C. Skilled risk management personnel D. Effective process controls

B

Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation? A. The telecommunications costs may be much higher in the first year. B. Privacy laws may prevent a cross-border flow of information. C. Time zone differences may impede communications between IT teams. D. Software development may require more detailed specifications.

B

Which of the following actions will an incident response plan activation MOST likely involve? A. Enabling logging to track what resources have been accessed B. Shutting down a server to patch defects in the operating system C. Implementing virus scanning tools to scan attachments in incoming email D. Assisting in the migration to an alphanumeric password authorization policy

B

Which of the following activities provides the BEST basis for establishing risk ownership? A. Documenting interdependencies between departments B. Mapping identified risk to a specific business process C. Referring to available RACI charts D. Distributing risk equally among all asset owners

B

Which of the following approaches BEST helps address significant system vulnerabilities that were discovered during a network scan? A. All significant vulnerabilities must be mitigated in a timely fashion. B. Treatment should be based on threat, impact and cost considerations. C. Compensating controls must be implemented for major vulnerabilities. D. Mitigation options should be proposed for management approval.

B

Which of the following approaches to corporate policy BEST supports an enterprise's expansion to other regions, where different local laws apply? A. A global policy that does not contain content that might be disputed at a local level B. A global policy that is locally amended to comply with local laws C. A global policy that complies with law at corporate headquarters and that all employees must follow D. Local policies to accommodate laws within each region

B

Which of the following can BEST be used as a basis for recommending a data leak prevention (DLP) device as a security control? A. Benchmarking with peers on DLP deployment B. A business case for DLP to protect data C. Evaluation report of popular DLP solutions D. DLP scenario in risk register

B

Which of the following can be expected when a key control is being maintained at an optimal level? A. The shortest lead time until the control breach comes to the surface B. Balance between control effectiveness and cost C. An adequate maturity level of the risk management process D. An accurate estimation of operational risk amounts

B

Which of the following choices is the MOST important part of any outsourcing contract? A. The right to audit the outsourcing provider B. Provisions to assess the compliance of the provider C. Procedures for dealing with incident notification D. Requirements to encrypt hosted data

B

Which of the following controls within the user provision process BEST enhances the removal of system access for contractors and other temporary users when it is no longer required? A. Log all account usage and send it to their manager. B. Establish predetermined, automatic expiration dates. C. Ensure that each individual has signed a security acknowledgement. D. Require managers to email security when the user leaves.

B

Which of the following devices should be placed within a demilitarized zone (DMZ)? A. An authentication server B. A mail relay C. A firewall D. A router

B

Which of the following documents BEST identifies an enterprise's compliance risk and the corrective actions in progress to meet these regulatory requirements? A. An internal audit report B. A risk register C. An external audit report D. A risk assessment report

B

Which of the following factors should be assessed after the likelihood of a loss event has been determined? A. Magnitude of impact B. Risk tolerance C. Residual risk D. Compensating controls

B

Which of the following factors should be included when assessing the impact of losing network connectivity for 18 to 24 hours? A. The hourly billing rate charged by the carrier B. Financial losses incurred by affected business units C. The value of the data transmitted over the network D. An aggregate compensation of all affected business users

B

Which of the following helps ensure that the cost is justifiable when selecting an IT control? A. The investment is within budget. B. The risk likelihood and its impact are reflected. C. The net present value (NPV) is high. D. Open source technology is used.

B

Which of the following is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision making? A. An internal audit review B. A peer review C. A compliance review D. A risk policy review

B

Which of the following is MOST important for determining what security measures to put in place for a critical information system? A. The number of threats to the system B. The level of acceptable risk to the enterprise C. The number of vulnerabilities in the system D. The existing security budget

B

Which of the following is MOST important in determining the risk mitigation strategy? A. Review vulnerability assessment results. B. Conduct a likelihood and impact ranking. C. Perform a business impact analysis (BIA). D. Align it with the security controls framework.

B

Which of the following is MOST important when evaluating and assessing risk to an enterprise or business process? A. Identification of controls that are currently in place to mitigate identified risk B. Threat intelligence, including likelihood of identified threats C. Historical risk assessment data D. Control testing results

B

Which of the following is MOST useful in managing increasingly complex deployments? A. Policy development B. A security architecture C. Senior management support D. A standards-based approach

B

Which of the following is a PRIMARY consideration when developing an IT risk awareness program? A. Why technology risk is owned by IT B. How technology risk can impact each attendee's area of business C. How business process owners can transfer technology risk D. Why technology risk is more difficult to manage compared to other risk

B

Which of the following is a PRIMARY role of the system owner during the accreditation process? The system owner: A. reviews and approves the security plan supporting the system. B. selects and documents the security controls for the system. C. assesses the security controls in accordance with the assessment procedures. D. determines whether the risk to the business is acceptable.

B

Which of the following is an example of postincident response activity? A. Performing a cost-benefit analysis of corrective controls deployed for the incident B. Reassessing the risk to make necessary amendments to procedures and guidelines C. Removing the relevant security policies that resulted in increased incidents D. Inviting the internal audit department to review the corrective controls

B

Which of the following is the BEST approach when conducting an IT risk awareness campaign? A. Provide technical details on exploits. B. Provide common messages tailored for different groups. C. Target system administrators and help desk staff. D. Target senior managers and business process owners.

B

Which of the following is the BEST indicator of an effective information risk management program? A. The security policy is made widely available. B. Risk is considered before all decisions. C. Security procedures are updated annually. D. Risk assessments occur on an annual basis.

B

Which of the following is the BEST indicator that incident response training is effective? A. Decreased reporting of security incidents to the incident response team B. Increased reporting of security incidents to the incident response team C. Decreased number of password resets D. Increased number of identified system vulnerabilities

B

Which of the following is the BEST method to analyze risk, incidents and related interdependencies to determine the impact on organizational goals? A. Security information and event management (SIEM) solutions B. A business impact analysis (BIA) C. Enterprise risk management (ERM) steering committee meetings D. Interviews with business leaders to develop a risk profile

B

Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor key risk indicators (KRIs), and record the findings in the risk register. B. Publish the risk register centrally with workflow features that periodically poll risk assessors. C. Distribute the risk register to business process owners for review and updating. D. Utilize audit personnel to perform regular audits and to maintain the risk register.

B

Which of the following is the BEST way to ensure that contract programmers comply with organizational security policies? A. Have the contractors acknowledge the security policies in writing. B. Perform periodic security reviews of the contractors. C. Explicitly refer to contractors in the security standards. D. Create penalties for noncompliance in the contracting agreement

B

Which of the following is the GREATEST risk of a policy that inadequately defines data and system ownership? A. Audit recommendations may not be implemented. B. Users may have unauthorized access to originate, modify or delete data. C. User management coordination does not exist. D. Specific user accountability cannot be established.

B

Which of the following is the MAIN outcome of a business impact analysis (BIA)? A. Project prioritization B. Criticality of business processes C. The root cause of IT risk D. Third-party vendor risk

B

Which of the following is the MOST effective measure to protect data held on mobile computing devices? A. Protection of data being transmitted B. Encryption of stored data C. Power-on passwords D. Biometric access control

B

Which of the following is the MOST important consideration when developing a record retention policy? A. Delete, as quickly as practical, all data that are not required. B. Retain data only as long as necessary for business or regulatory requirements. C. Keep data to ensure future availability. D. Archive old data without encryption as quickly as practical

B

Which of the following is the PRIMARY reason for conducting periodic risk assessments? A. Changes to the asset inventory B. Changes to the threat and vulnerability profile C. Changes in asset classification levels D. Changes in the risk appetite

B

Which of the following is the PRIMARY reason for having the risk management process reviewed by independent risk auditors/assessors? A. To ensure that the risk results are consistent B. To ensure that the risk factors and risk profile are well defined C. To correct any mistakes in risk assessment D. To validate the control weaknesses for management reporting

B

Which of the following is the PRIMARY reason that a risk practitioner determines the security boundary prior to conducting a risk assessment? A. To determine which laws and regulations apply B. To determine the scope of the risk assessment C. To determine the business owner(s) of the system D. To decide between conducting a quantitative or qualitative analysis

B

Which of the following items is MOST important to consider in relation to a risk profile? A. A summary of regional loss events B. Aggregated risk to the enterprise C. A description of critical risk D. An analysis of historical loss events

B

Which of the following leads to the BEST optimal return on security investment? A. Deploying maximum security protection across all of the information assets B. Focusing on the most important information assets and then determining their protection C. Deploying minimum protection across all the information assets D. Investing only after a major security incident is reported to justify investment

B

Which of the following provides the formal authorization on user access? A. Database administrator B. Data owner C. Process owner D. Data custodian

B

Which of the following statements BEST describes the value of a risk register? A. It captures the risk inventory. B. It drives the risk response plan. C. It is a risk reporting tool. D. It lists internal risk and external risk.

B

Which of the following techniques BEST helps determine whether there have been unauthorized program changes since the last authorized program update? A. A test data run B. An automated code comparison C. A code review D. A review of code migration procedures

B

Which of the following types of risk is high for projects that affect multiple business areas? A. Control risk B. Inherent risk C. Compliance risk D. Residual risk

B

Which of the following will BEST prevent external security attacks? A. Securing and analyzing system access logs B. Network address translation C. Background checks for temporary employees D. Static Internet protocol (IP) addressing

B

Which of the following will produce comprehensive results when performing a qualitative risk analysis? A. A vulnerability assessment B. Scenarios with threats and impacts C. The value of information assets D. Estimated productivity losses

B

Which of the following resources has the GREATEST risk of failure while implementing any security solution? A. Security hardware B. Security staff C. Security processes D. Security software

B

Who is MOST likely responsible for data classification? A. The data user B. The data owner C. The data custodian D. The system administrator

B

Who should be accountable for the risk to an IT system that supports a critical business process? A. IT management B. Senior management C. The risk management department D. System users

B

A risk professional has been asked to determine which factors were responsible for a loss event. Which of the following methods should be used? A. Key risk indicators (KRIs) B. Cause-and-effect analysis C. Business process modeling (BPM) D. Business impact analysis (BIA)

B

A company has set the unacceptable error level at 10 percent. Which of the following tools can be used to trigger a warning when the error level reaches eight percent? A. A fault tree analysis B. Statistical process control (SPC) C. A key performance indicator (KPI) D. A failure modes and effects analysis (FMEA)

C

A key objective when monitoring information systems control effectiveness against the enterprise's external requirements is to: A. design the applicable information security controls for external audits. B. create the enterprise's information security policy provisions for third parties. C. ensure that the enterprise's legal obligations have been satisfied. D. identify those legal obligations that apply to the enterprise's security practices.

C

A lack of adequate controls represents: A. an impact. B. a risk indicator. C. a vulnerability. D. a threat.

C

A network vulnerability assessment is intended to identify: A. security design flaws. B. zero-day vulnerabilities. C. misconfigurations and missing updates. D. malicious software and spyware.

C

After the completion of a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. A risk practitioner should recommend to business management that the risk be: A. treated. B. terminated. C. accepted. D. transferred.

C

An enterprise is hiring a consultant to help determine the maturity level of the risk management program. The MOST important element of the request for proposal (RFP) is the: A. sample deliverable. B. past experience of the engagement team. C. methodology used in the assessment. D. references from other organizations

C

As part of risk monitoring, the administrator of a two-factor authentication system identifies a trusted independent source indicating that the algorithm used for generating keys has been compromised. The vendor of the authentication system has not provided further information. Which of the following is the BEST initial course of action? A. Wait for the vendor to formally confirm the breach and provide a solution. B. Determine and implement suitable compensating controls. C. Identify all systems requiring two-factor authentication and notify their business owners. D. Disable the system and rely on the single-factor authentication until further information is received

C

Assessing information systems risk is BEST achieved by: A. using the enterprise's past actual loss experience to determine current exposure. B. reviewing published loss statistics from comparable organizations. C. evaluating threats associated with existing information systems assets and information systems projects. D. reviewing information systems control weaknesses identified in audit reports.

C

Business stakeholders and decision makers reviewing the effectiveness of IT risk responses would PRIMARILY validate whether: A. IT controls eliminate the risk in question. B. IT controls are continuously monitored. C. IT controls achieve the desired objectives. D. IT risk indicators are formally documented.

C

Corporate information security policy development should PRIMARILY be based on: A. vulnerabilities. B. threats. C. assets. D. impacts.

C

Despite a comprehensive security awareness program annually undertaken and assessed for all staff and contractors, an enterprise has experienced a breach through a spear phishing attack. What is the MOST effective way to improve security awareness? A. Review the security awareness program and improve coverage of social engineering threats. B. Launch a disciplinary process against the people who leaked the information. C. Perform a periodic social engineering test against all staff and communicate summary results to the staff. D. Implement a data loss prevention system that automatically points users to corporate policies.

C

During a root cause analysis review of a recent incident it is discovered that the IT department is not tracking any metrics. A risk practitioner should recommend to management that they implement which of the following to reduce the risk? A. A new help desk system B. Change management C. Problem management D. New reports to track issues

C

During an internal assessment, an enterprise notes that only a couple dozen hard-coded individual transactions are being logged, which does not encompass what should be logged to meet regulatory requirements. The individual server log files use first in, first out (FIFO). Most files recycle in less than 24 hours. What is the MOST financially damaging vulnerability associated with the current logging practice? A. The log data stored recycles in less than 24 hours. B. The log files are stored on the originating servers. C. Regulation-related transactions may not be tracked. D. Transactions being logged are hard coded.

C

How can a risk professional calculate the total impact to operations if hard drives supporting a critical financial system fail? A. Calculate the replacement cost for failed equipment and the time needed for service restoration. B. Gather the cost estimates from the finance department to determine the cost. C. Use quantitative and qualitative methods to examine the effect on all affected business areas. D. Review regulatory and contractual requirements to quantify liabilities.

C

How can an enterprise prevent duplicate processing of a transaction? A. By encrypting the transaction to prevent copying B. By comparing hash values of each transaction C. By not allowing two identical transactions within a set time period D. By not allowing more than one transaction per account per login

C
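The duplicate-processing question above asks for the control in principle; the following is an added example (not part of the original question bank) showing how the time-window check in option C is usually implemented in practice, combined with the content hash from option B so that a retried transaction with a new timestamp or request id still matches. The transaction records, field names and clock values are constructed for the illustration.

```python
"""Duplicate-transaction guard: content fingerprint plus a time window.

Added example, not from the original question bank. The transaction
records, field names and clock values below are constructed.
"""
import hashlib
import json
from typing import Dict, List


def transaction_fingerprint(txn: Dict) -> str:
    """Stable SHA-256 over the business fields of a transaction.

    Keys are sorted so field order does not change the hash. Timestamps and
    request ids are deliberately excluded: a retried transaction carries a
    new timestamp and id but the same business content, and it is the
    business content that must not be processed twice.
    """
    business = {k: txn[k] for k in ("account", "counterparty", "amount", "currency")}
    encoded = json.dumps(business, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class DuplicateGuard:
    """Rejects a transaction whose fingerprint was accepted within window_seconds."""

    def __init__(self, window_seconds: int) -> None:
        self.window = window_seconds
        self._seen: Dict[str, float] = {}  # fingerprint -> time it was accepted

    def check(self, txn: Dict, now: float) -> str:
        fp = transaction_fingerprint(txn)
        # Expire entries older than the window so the table does not grow without bound.
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.window}
        if fp in self._seen:
            return "rejected-duplicate"
        self._seen[fp] = now
        return "accepted"


# Constructed sample input. Amounts are strings to avoid float rounding in the hash.
TXN = {"account": "ACC-1001", "counterparty": "ACC-2002", "amount": "250.00",
       "currency": "EUR", "submitted_at": "2024-01-10T09:00:00Z", "request_id": "r-1"}
RETRY = dict(TXN, submitted_at="2024-01-10T09:00:30Z", request_id="r-2")   # same payment, resent
DIFFERENT = dict(TXN, amount="250.01", request_id="r-3")                   # genuinely different


def demo() -> List[str]:
    """Run the guard with a five-minute window; clock values are constructed seconds."""
    guard = DuplicateGuard(window_seconds=300)
    return [
        guard.check(TXN, now=1000.0),        # first submission: accepted
        guard.check(RETRY, now=1030.0),      # same content 30 s later: rejected
        guard.check(DIFFERENT, now=1031.0),  # different amount: accepted
        guard.check(RETRY, now=1400.0),      # same content after the window: accepted
    ]


if __name__ == "__main__":
    print(demo())
```

The window length is a business decision: too short and a double-click or client retry slips through, too long and a legitimate repeated payment (the same standing order twice in a day) is wrongly refused, which is why the answer is a set time period rather than an outright ban on identical transactions.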

If risk has been identified, but not yet mitigated, the enterprise would: A. record and mitigate serious risk and disregard low-level risk. B. obtain management commitment to mitigate all identified risk within a reasonable time frame. C. document all risk in the risk register and maintain the status of the remediation. D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.

C

It is MOST important for risk mitigation to: A. eliminate threats and vulnerabilities. B. reduce the likelihood of risk occurrence. C. reduce risk within acceptable cost. D. reduce inherent risk to zero.

C

Malware has been detected that redirects users' computers to web sites crafted specifically for the purpose of fraud. The malware changes domain name system (DNS) server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a:

C

Overall business risk for a particular threat can be expressed as the: A. magnitude of the impact should a threat source successfully exploit the vulnerability. B. likelihood of a given threat source exploiting a given vulnerability. C. product of the probability and magnitude of the impact if a threat exploits a vulnerability. D. collective judgment of the risk assessment team.

C

Prior to releasing an operating system security patch into production, a leading practice is to have the patch: A. applied simultaneously to all systems. B. procured from an approved vendor. C. tested in a preproduction test environment. D. approved by business stakeholders.

C

Reliability of a key risk indicator (KRI) would indicate that the metric: A. performs within the appropriate thresholds. B. tests the target at predetermined intervals. C. flags exceptions every time they occur. D. initiates corrective action.

C

Risk assessment techniques should be used by a risk practitioner to: A. maximize the return on investment (ROI). B. provide documentation for auditors and regulators. C. justify the selection of risk mitigation strategies. D. quantify the risk that would otherwise be subjective.

C

Risk assessments are MOST effective in a software development organization when they are performed: A. before system development begins. B. during system deployment. C. during each stage of the system development life cycle (SDLC). D. before developing a business case.

C

Risk assessments should be repeated at regular intervals because: A. omissions in earlier assessments can be addressed. B. periodic assessments allow various methodologies. C. business threats are constantly changing. D. they help raise risk awareness among staff.

C

Risk scenarios should be created PRIMARILY based on which of the following? A. Input from senior management B. Previous security incidents C. Threats that the enterprise faces D. Results of the risk analysis

C

Security technologies should be selected PRIMARILY on the basis of their: A. evaluation in security publications. B. compliance with industry standards. C. ability to mitigate risk to organizational objectives. D. cost compared to the enterprise's IT budget.

C

Senior management has defined the enterprise risk appetite as moderate. A business critical application has been determined to pose a high risk. What is the BEST next course of action? A. Remove the high-risk application and replace it with another system. B. Request that senior management increase the level of risk they are willing to accept. C. Determine whether new controls to be implemented on the system will mitigate the high risk. D. Restrict access to the application to trusted users.

C

System backup and restore procedures can BEST be classified as: A. Technical controls B. Detective controls C. Corrective controls D. Deterrent controls

C

The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize: A. firewalls. B. bastion hosts. C. honeypots. D. screened subnets.

C

The BEST time to perform a penetration test is after: A. a high turnover in systems staff. B. an attempted penetration has occurred. C. various infrastructure changes are made. D. an audit has reported control weaknesses.

C

The FIRST step in identifying and assessing IT risk is to: A. confirm the risk tolerance level of the enterprise. B. identify threats and vulnerabilities. C. gather information on the current and future environment. D. review past incident reports and response activity.

C

The MAIN purpose for creating and maintaining a risk register is to: A. ensure that all assets have low residual risk. B. define the risk assessment methodology. C. document all identified risk. D. study various risk scenarios in the threat landscape.

C

The MOST effective starting point to determine whether an IT system continues to meet the enterprise's business objectives is to conduct interviews with: A. executive management. B. IT management. C. business process owners. D. external auditors.

C

The MOST important task in system control verification is: A. monitoring password resets. B. detecting malware. C. managing alerts. D. performing log reviews.

C

The MOST likely trigger for conducting a comprehensive risk assessment is changes to: A. the asset inventory. B. asset classification levels. C. the business environment. D. information security policies.

C

The PRIMARY purpose of adopting an enterprisewide risk management framework is to: A. allow the flexibility to adjust the risk response strategy throughout the enterprise. B. centralize the responsibility for the maintenance of the risk response program. C. enable a consistent approach to risk response throughout the enterprise. D. avoid higher costs for risk reduction and audit strategies throughout the enterprise.

C

The PRIMARY reason an external risk assessment team reviews documentation before starting the actual risk assessment is to gain a thorough understanding of: A. the technologies utilized. B. gaps in the documentation. C. the enterprise's business processes. D. the risk assessment plan.

C

The PRIMARY reason to have the risk management process reviewed by independent risk management professional(s) is to: A. validate cost-effective solutions for mitigating risk. B. validate control weaknesses detected by the internal team. C. assess the validity of the end-to-end process. D. assess that the risk profile and risk factors are properly defined.

C

The annual expected loss of an asset, the annual loss expectancy (ALE), is calculated as the: A. exposure factor (EF) multiplied by the annualized rate of occurrence (ARO). B. single loss expectancy (SLE) multiplied by the exposure factor (EF). C. single loss expectancy (SLE) multiplied by the annualized rate of occurrence (ARO). D. asset value (AV) multiplied by the single loss expectancy (SLE).

C
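The ALE question above, the "product of probability and magnitude" question and the earlier "cost to mitigate is much greater than the benefit, so accept" question are all the same arithmetic. As an added worked example (not part of the original question bank), the following carries it through: SLE = AV x EF, ALE = SLE x ARO, and the net annual value of a control as the ALE reduction minus the control's annual cost. The asset value, exposure factors, rate of occurrence and control costs are constructed figures.

```python
"""Quantitative risk arithmetic: SLE, ALE and the mitigate-or-accept decision.

Added example, not from the original question bank. All asset values,
exposure factors, rates and control costs below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: value lost if the asset is destroyed outright
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    annual_rate: float      # ARO: expected occurrences per year (0.25 = once in four years)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV x EF: the magnitude of one occurrence."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: probability (per year) times magnitude, the formula in the answer."""
    if s.annual_rate < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.annual_rate


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus what the control costs per year.

    A negative result is the case where the cost to mitigate exceeds the benefit,
    and the practitioner recommends that management accept the risk instead.
    """
    return annual_loss_expectancy(before) - annual_loss_expectancy(after) - annual_control_cost


def recommend(before: Scenario, after: Scenario, annual_control_cost: float) -> str:
    """'mitigate' when the control pays for itself, otherwise 'accept'."""
    return "mitigate" if control_value(before, after, annual_control_cost) > 0 else "accept"


# Constructed scenario: a 500,000 database server. A destructive incident is expected
# once every four years and, without good backups, wipes out half the asset's value.
# A tested backup/restore control cuts the exposure to one eighth of the value.
BEFORE = Scenario(asset_value=500_000, exposure_factor=0.5, annual_rate=0.25)
AFTER = Scenario(asset_value=500_000, exposure_factor=0.125, annual_rate=0.25)

if __name__ == "__main__":
    print("SLE before control:", single_loss_expectancy(BEFORE))  # 250000.0
    print("ALE before control:", annual_loss_expectancy(BEFORE))  # 62500.0
    print("ALE after control: ", annual_loss_expectancy(AFTER))   # 15625.0
    for cost in (30_000, 60_000):
        print(f"control at {cost}/yr -> net {control_value(BEFORE, AFTER, cost):+.0f}, "
              f"recommend: {recommend(BEFORE, AFTER, cost)}")
```

Two caveats a practitioner should keep in mind: the control cost must be annualised (purchase price spread over its life plus operating cost) before it is compared with an annual figure, and an ALE built on a guessed ARO is only as good as that guess, which is why the question bank repeatedly ties the quantitative/qualitative choice to the availability of data.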

The capability maturity model (CMM) is based on: A. the training of staff to ensure consistent knowledge transfer. B. the development of new controls to replace aging or diminished controls. C. the application of standard, repeatable processes that can be measured. D. users developing new innovative solutions to problems.

C

The database administrator has decided to disable certain normalization controls in the database to provide users with increased query performance. This will MOST likely increase the risk of: A. loss of audit trails. B. duplicate indexes. C. data redundancy. D. unauthorized access to data.

C

The person responsible for ensuring that information is classified is the: A. security manager. B. technology group. C. data owner. D. senior management.

C

To be effective, risk management should be applied to: A. those elements identified by a risk assessment. B. any area that exceeds acceptable risk levels. C. all organizational activities. D. only those areas that have potential impact.

C

To determine the level of protection required for securing personally identifiable information, a risk practitioner should PRIMARILY consider the information: A. source. B. cost. C. sensitivity. D. validity.

C

What is a PRIMARY advantage of performing a risk assessment on a consistent basis? A. It lowers the costs of assessing risk. B. It provides evidence of threats. C. It indicates trends in the risk profile. D. It eliminates the need for periodic audits.

C

What is the BEST action to take once a new control has been implemented to mitigate a previously identified risk? A. Update the risk register to show that the risk has been mitigated. B. Schedule a new risk review to ensure that no new risk is present. C. Test the control to ensure that the risk has been adequately mitigated. D. Validate the tests conducted by the implementation team and close out the risk.

C

What is the FIRST step for a risk practitioner when an enterprise has decided to outsource all IT services and support to a third party? A. Validate that the internal systems of the service provider are secure. B. Enforce the regulations and standards associated with outsourcing data management for restrictions on transborder data flow. C. Ensure that security requirements are addressed in all contracts and agreements. D. Build a business case to perform an onsite audit of the third-party vendor.

C

What is the MOST important reason for periodically testing controls? A. To meet regulatory requirements B. To meet due care requirements C. To ensure that control objectives are met D. To achieve compliance with standard policy

C

What is the ULTIMATE goal of risk aggregation? A. To prevent attacks from exploiting a combination of low-level types of risk that individually have not been properly mitigated B. To address the threat of an exploit that attacks a system through a series of individual attacks C. To ensure that the combined value of low-level risk is not overlooked in the risk management process D. To stop attackers from gaining low-level access and then escalating their attack through access aggregation

C

When a significant vulnerability is discovered in the security of a critical web server, immediate notification should be made to the: A. development team to remediate. B. data owners to mitigate damage. C. system owner to take corrective action. D. incident response team to investigate.

C

When a start-up company becomes popular, it suddenly is the target of hackers. This is considered: A. an emerging vulnerability. B. a vulnerability event. C. an emerging threat. D. an environmental risk factor.

C

When assessing the capability of the risk management process, a regulatory body would place the GREATEST reliance on: A. a peer review. B. an internal review. C. an external review. D. a process capability review.

C

When assessing the performance of a critical application server, the MOST reliable assessment results may be obtained from: A. activation of native database auditing. B. documentation of performance objectives. C. continuous monitoring. D. documentation of security modules.

C

When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set to: A. a lower equal error rate (EER). B. a higher false acceptance rate (FAR). C. a higher false reject rate (FRR). D. the crossover error rate exactly.

C
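The biometric question above turns on how FAR, FRR and the crossover (equal error) rate move together when the matching threshold changes. As an added example (not part of the original question bank), the following computes the three rates from constructed match scores and then picks the threshold a high-security data center would run at: the one that drives FAR down, at the price of a higher FRR. The score distributions are invented for the illustration; a real system would measure them from enrolment and verification trials.

```python
"""Biometric threshold tuning: FAR, FRR and the equal error rate (EER).

Added example, not from the original question bank. The similarity scores
below are constructed; a real deployment measures them from trials.
"""
from typing import List, Tuple

# Constructed similarity scores on a 0-100 scale; higher means a closer match.
GENUINE = [62, 68, 71, 74, 75, 78, 80, 83, 85, 88, 90, 93]   # legitimate users
IMPOSTOR = [20, 28, 33, 37, 41, 45, 50, 55, 60, 66, 70, 76]  # unauthorised attempts


def far(threshold: float, impostor: List[float] = IMPOSTOR) -> float:
    """False acceptance rate: share of impostor attempts at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold: float, genuine: List[float] = GENUINE) -> float:
    """False rejection rate: share of genuine attempts below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: List[float] = GENUINE,
                     impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest (the crossover point) and the rate there."""
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: (abs(far(t, impostor) - frr(t, genuine)), t))
    return best, (far(best, impostor) + frr(best, genuine)) / 2


def high_security_threshold(max_far: float, impostor: List[float] = IMPOSTOR) -> int:
    """Lowest integer threshold whose FAR does not exceed max_far.

    For a high-security data center the operator accepts the higher FRR this
    implies (more legitimate users made to retry or use a fallback) in
    exchange for keeping impostor acceptance at or near zero.
    """
    for t in range(0, 101):
        if far(t, impostor) <= max_far:
            return t
    return 101  # no impostor score can exceed 100, so this is unreachable for valid data


def rates_at(threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) at a given threshold, for side-by-side comparison."""
    return far(threshold), frr(threshold)


if __name__ == "__main__":
    t_eer, eer = equal_error_rate()
    print(f"EER threshold {t_eer}: FAR={far(t_eer):.3f} FRR={frr(t_eer):.3f} EER={eer:.3f}")
    t_hs = high_security_threshold(max_far=0.0)
    print(f"high-security threshold {t_hs}: FAR={far(t_hs):.3f} FRR={frr(t_hs):.3f}")
```

With the constructed scores the crossover sits at a threshold of 70, where FAR and FRR are both about 0.17; raising the threshold to 77 brings FAR to zero and pushes FRR to about 0.42. That trade-off is the reason the answer is a higher FRR, not a lower EER: the EER is a property of the sensor and population, and the operator only chooses where on the curve to sit.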

When transmitting personal information across networks, there MUST be adequate controls over: A. encrypting the personal information. B. obtaining consent to transfer personal information. C. ensuring the privacy of the personal information. D. change management.

C

When using a formal approach to respond to a security-related incident, which of the following provides the GREATEST benefit from a legal perspective? A. Proving adherence to statutory audit requirements B. Proving adherence to corporate data protection requirements C. Demonstrating due care D. Working with law enforcement agencies

C

Which automated monitoring technique in an application uses triggers to indicate a suspicious condition? A. Snapshots B. An integrated test facility C. Monitor hooks D. Continuous and intermittent simulation

C

Which of the following BEST addresses the risk of data leakage? A. Incident response procedures B. File backup procedures C. Acceptable use policies (AUPs) D. Database integrity checks

C

Which of the following BEST describes the objective of a business impact analysis (BIA)? A. The identification of threats, risk and vulnerabilities that can adversely affect the enterprise B. The development of procedures for initial response and stabilization of situations during an emergency C. The identification of time-sensitive critical business functions and interdependencies D. The development of communication procedures in the case of a crisis impacting the business

C

Which of the following BEST determines compliance with the risk appetite of an enterprise? A. Balance between preventive and detective controls B. Inherent risk and acceptable risk level C. Residual risk and acceptable risk level D. Balance between countermeasures and preventive controls

C

Which of the following BEST enables a peer review of an enterprise's risk management process? A. A balanced scorecard (BSC) B. An industry survey C. A capability maturity model (CMM) D. A framework

C

Which of the following BEST estimates the likelihood of significant events impacting an enterprise? A. Threat analysis B. Cost-benefit analysis C. Scenario analysis D. Countermeasure analysis

C

Which of the following BEST indicates a successful risk management practice? A. Control risk is tied to business units. B. Overall risk is quantified. C. Residual risk is minimized. D. Inherent risk is eliminated.

C

Which of the following actions is the BEST when a critical risk has been identified and the resources to mitigate are not immediately available? A. Log the risk in the risk register and review it with senior management on a regular basis. B. Capture the risk in the risk register once resources are available to address the risk. C. Escalate the risk report to senior management to obtain the resources to mitigate the risk. D. Review the risk level with senior management and determine whether the risk calculations are correct.

C

Which of the following areas is MOST susceptible to the introduction of an information-security-related vulnerability? A. Tape backup management B. Database management C. Configuration management D. Incident response management

C

Which of the following assessments of an enterprise's risk monitoring process will provide the BEST information about its alignment with industry-leading practices? A. A capability assessment by an outside firm B. A self-assessment of capabilities C. An independent benchmark of capabilities D. An internal audit review of capabilities

C

Which of the following compensating controls should management implement when a segregation of duties conflict exists because an enterprise has a small IT department? A. Independent analysis of IT incidents B. Entitlement reviews C. Independent review of audit logs D. Tighter controls over user provisioning

C

Which of the following data is MOST useful for communicating enterprise risk to management? A. Control self-assessment results B. A controls inventory C. Key risk indicators (KRIs) D. Independent audit reports

C

Which of the following factors should be analyzed to help management select an appropriate risk response? A. The impact on the control environment B. The likelihood of a given threat C. The costs and benefits of the controls D. The severity of the vulnerabilities

C

Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts? A. The number of employees B. The enterprise's budget C. The organizational structure D. The type of technology that the enterprise uses

C

Which of the following is MOST critical when system configuration files for a critical enterprise application system are being reviewed? A. Configuration files are frequently changed. B. Changes to configuration files are recorded. C. Access to configuration files is not restricted. D. Configuration values do not impact system efficiency.

C

Which of the following is MOST effective in assessing business risk? A. A use case analysis B. A business case analysis C. Risk scenarios D. A risk plan

C

Which of the following is MOST important during the quantitative risk analysis process? A. Statistical analysis B. Decision trees C. Expected monetary value (EMV) D. Net present value (NPV)

C

Which of the following is MOST important when mitigating or managing risk? A. Vulnerability assessment results B. A business impact analysis (BIA) C. The risk tolerance level D. A security controls framework

C

Which of the following is a MAJOR risk associated with the use of governance, risk and compliance (GRC) tools? A. Misinterpretation of the dashboard's output B. Poor authentication mechanism C. Obsolescence of content D. Complex integration of the diverse requirements

C

Which of the following is minimized when acceptable risk is achieved? A. Transferred risk B. Control risk C. Residual risk D. Inherent risk

C

Which of the following is the BEST approach when malicious code from a spear phishing attack resides on the network and the finance department is concerned that scanning the network will slow down work and delay quarter-end reporting? A. Instruct finance to finalize quarter-end reporting, and then perform a scan of the entire network. B. Block all outgoing traffic to avoid outbound communication to the expecting command host. C. Scan network devices that are not supporting financial reporting, and then scan the critical finance drives at night. D. Perform a staff survey and ask staff to report if they are aware of the enterprise being a target of a spear phishing attack.

C

Which of the following is the BEST control for securing data on mobile universal serial bus (USB) drives? A. Requiring authentication when using USB devices B. Prohibiting employees from copying data to USB devices C. Encrypting USB devices D. Limiting the use of USB devices

C

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program? A. Assignment of risk within the enterprise B. Comparison of the program results with industry standards C. Participation by applicable members of the enterprise D. User assessment of changes in risk

C

Which of the following is the BEST reason an enterprise would decide not to reduce an identified risk? A. There is no regulatory requirement to reduce the risk. B. The inherent risk of the related business process is low. C. The potential gain outweighs the risk. D. The cost of reducing the risk exceeds the budget.

C

Which of the following is the MAIN concern when two or more staff members are allowed to use the same generic account? A. Segregation of duties B. Inability to change the password C. Repudiation D. Inability to trace account activities

C

Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? A. Eliminate the risk. B. Accept the risk. C. Transfer the risk. D. Implement countermeasures.

C

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a business impact analysis (BIA) B. Considering personal devices as part of the security policy C. Basing the information security infrastructure on a risk assessment D. Initiating IT security training and familiarization

C

Which of the following is the MOST significant risk associated with handling credit card data through a web application? A. Displaying both the first six and last four digits of the credit card, thus exposing sensitive information B. Allowing the transmission of credit card data over the Internet using an insecure channel such as Secure Sockets Layer (SSL) protocol or Transport Layer Security (TLS) protocol C. Failure to store credit card data in a secure area segregated from the demilitarized zone (DMZ) D. Installation of network devices with default access settings disabled or inoperable.

C

Which of the following is the PRIMARY factor when deciding between conducting a quantitative or qualitative risk assessment? A. The corporate culture B. The amount of time available C. The availability of data D. The cost involved with risk assessment

C

Which of the following is the PRIMARY reason for periodically monitoring key risk indicators (KRIs)? A. The cost of risk response needs to be minimized. B. Errors in results of KRIs need to be minimized. C. The risk profile may have changed. D. Risk assessment needs to be continually improved.

C

Which of the following processes is CRITICAL for deciding prioritization of actions in a business continuity plan (BCP)? A. Risk assessment B. Vulnerability assessment C. A business impact analysis (BIA) D. Business process mapping

C

Which of the following provides the BEST capability to identify whether controls that are in place remain effective in mitigating their intended risk? A. A key performance indicator (KPI) B. A risk assessment C. A key risk indicator (KRI) D. An audit

C

Which of the following provides the GREATEST level of information security awareness? A. Job descriptions B. A security manual C. Security training D. An organizational diagram

C

Which of the following provides the GREATEST support to a risk practitioner recommending encryption of corporate laptops and removable media as a risk mitigation measure? A. Benchmarking with peers B. Evaluating public reports on encryption algorithm in the public domain C. Developing a business case D. Scanning unencrypted systems for vulnerabilities

C

Which of the following risk management activities initially identifies critical business functions and key business risk? A. Risk monitoring B. Risk analysis C. Risk assessment D. Risk evaluation

C

Which of the following risk response selection parameters results in a decrease in magnitude of an event? A. Efficiency of response B. Cost of response C. Effectiveness of response D. Capability to implement response

C

Which of the following should be of MOST concern to a risk practitioner? A. Failure to notify the public of an intrusion B. Failure to notify the police of an attempted intrusion C. Failure to internally report a successful attack D. Failure to examine access rights periodically

C

Which of the following should management use to allocate resources for risk response? A. Audit report findings B. Penetration test results C. Risk analysis results D. Vulnerability test results

C

Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the organization? A. An IT audit B. A security gap analysis C. A threat and vulnerability assessment D. An IT security assessment

C

Which of the following will have the MOST significant impact on standard information security governance models? A. Number of employees B. Cultural differences between physical locations C. Complexity of the organizational structure D. Evolving legislative requirements

C

Which of the following would data owners be PRIMARILY responsible for? A. Intrusion detection B. Antivirus controls C. User entitlement changes D. Platform security

C

Which organizational function is accountable for risk policies, guidelines and standards? A. Operations B. IT C. Management D. Legal

C

Who MUST give the final sign-off on the IT risk management plan? A. IT auditors performing the risk assessment B. Business process owners C. Senior management D. IT security administrators

C

Who grants formal authorization for user access to a protected file? A. The process owner B. The system administrator C. The data owner D. The security manager

C

Who is accountable for business risk related to IT? A. The chief information officer (CIO) B. The chief financial officer (CFO) C. Users of IT services-the business D. The chief architect

C

Security administration efforts are BEST reduced through the deployment of: A. access control lists (ACLs). B. discretionary access controls (DACs). C. mandatory access controls (MACs). D. role-based access controls (RBACs).

D

Which of the following capability dimensions is MOST important when using a maturity model for assessing the risk management process? A. Effectiveness B. Efficiency C. Profitability D. Performance

D

Senior management will MOST likely have the highest tolerance for moving which of the following to a public cloud? A. Credit card processing B. Research and development C. The legacy financial system D. The corporate email system

D

Accountability for risk ultimately belongs to the: A. chief risk officer (CRO). B. compliance officer. C. chief financial officer (CFO). D. board of directors.

D

A MAJOR risk of using single sign-on (SSO) is that it: A. uses complex technologies for password management. B. may potentially bypass the enterprise firewall. C. is prone to distributed denial-of-service (DDoS) attacks. D. may be a potential single point of compromise.

D

A business case developed to support risk mitigation efforts for a complex application development project should be retained until: A. the project is approved. B. user acceptance of the application. C. the application is deployed. D. the application's end of life.

D

A company is confident about the state of its organizational security and compliance program. Many improvements have been made since the last security review was conducted one year ago. What should the company do to evaluate its current risk profile? A. Review previous findings and ensure that all issues have been resolved. B. Conduct follow-up audits in areas that were found deficient in the previous review. C. Monitor the results of the key risk indicators (KRIs) and use those to develop targeted assessments. D. Perform a new enterprise risk assessment using an independent expert.

D

A global enterprise that is subject to regulation by multiple governmental jurisdictions with differing requirements should: A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions. B. bring all locations into conformity with a generally accepted set of industry best practices. C. establish a baseline standard incorporating those requirements that all jurisdictions have in common. D. establish baseline standards for all locations and add supplemental standards as required.

D

A global financial institution has decided not to take any further action on a denial-of-service (DoS) vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that: A. the needed countermeasure is too complicated to deploy. B. there are sufficient safeguards in place to prevent this risk from happening. C. the likelihood of the risk occurring is unknown. D. the cost of countermeasure outweighs the value of the asset and potential loss.

D

A new regulation for safeguarding information processed by a specific type of transaction has come to the attention of an IT manager. The manager should FIRST: A. meet with stakeholders to decide how to comply. B. analyze the key risk in the compliance process. C. update the existing security/privacy policy. D. assess whether existing controls meet the regulation.

D

A process by which someone logs onto a web site, then receives a token via a short message service (SMS) message, is an example of what control type? A. Deterrent B. Directive C. Compensating D. Preventive

D

A risk assessment process that uses likelihood and impact in calculating the level of risk is a: A. qualitative process. B. failure modes and effects analysis (FMEA). C. fault tree analysis. D. quantitative process.

D

A risk practitioner has collected several IT-related key risk indicators (KRIs) for the core financial application. These would MOST likely be reported to: A. stakeholders. B. the IT administrator group. C. the finance department. D. senior management.

D

A risk practitioner receives a message late at night that critical IT equipment will be delivered several days late due to flooding. Fortunately, a reciprocal agreement exists with another company for a replacement until the equipment arrives. This is an example of risk: A. transfer. B. avoidance. C. acceptance. D. mitigation.

D

A well-known hacking group has publicly stated they will target a company. What is the risk professional's FIRST action? A. Advise IT management about the threat. B. Inform all employees about the threat. C. Contact law enforcement officials about the threat. D. Inform senior management about the threat.

D

Acceptable risk for an enterprise is achieved when: A. transferred risk is minimized. B. control risk is minimized. C. inherent risk is minimized. D. residual risk is within tolerance levels.

D

An enterprise decides to address risk associated with an IT project by outsourcing part of the IT activities to a third party with a specialized skill set. In relation to the project itself, this is an example of: A. risk transfer. B. risk avoidance. C. risk acceptance. D. risk mitigation.

D

An enterprise expanded operations into Europe, Asia and Latin America. The enterprise has a single-version, multiple-language employee handbook last updated three years ago. Which of the following is of MOST concern? A. The handbook may not have been correctly translated into all languages. B. Newer policies may not be included in the handbook. C. Expired policies may be included in the handbook. D. The handbook may violate local laws and regulations.

D

An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting and support. What is the MOST important consideration the risk professional will examine in relation to the outsourcing arrangements? A. Are policies and procedures in place to handle security exceptions? B. Is the outsourcing supplier meeting the terms of the service level agreements (SLAs)? C. Is the security program of the outsourcing provider based on an international standard? D. Are specific security controls mandated in the outsourcing contract/agreement?

D

An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration? A. A security breach notification may get delayed due to the time difference. B. Additional network intrusion detection sensors should be installed, resulting in additional cost. C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines. D. Laws and regulations of the country of origin may not be enforceable in the foreign country.

D

An enterprise is implementing controls to protect its product price list from being exposed to unauthorized individuals. The internal control requirements will come from: A. the risk management team. B. internal audit. C. IT management. D. process owners.

D

An enterprise's corporate policy specifies that only failed and successful access attempts are logged. What is the PRIMARY risk to the enterprise? A. The source IP address is not logged. B. The destination IP address is not logged. C. Login information can be lost if the data are not automatically moved to secondary storage. D. The details of what commands were executed are missing.

D

Monitoring has flagged a security exception. What is the MOST appropriate action? A. Escalate the exception. B. Update the risk register. C. Activate the risk response plan. D. Validate the exception.

D

As part of an enterprise risk management (ERM) program, a risk practitioner BEST leverages the work performed by an internal audit function by having it: A. design, implement and maintain the ERM process. B. manage and assess the overall risk awareness. C. evaluate ongoing changes to organizational risk factors. D. assist in monitoring, evaluating, examining and reporting on controls.

D

As part of fire drill testing, designated doors swing open, as planned, to allow employees to leave the building faster. An observer notices that this practice allows unauthorized personnel to enter the premises unnoticed. The BEST way to alter the process is to: A. stop the designated doors from opening automatically in case of a fire. B. include the local police force to guard the doors in case of fire. C. instruct the facilities department to guard the doors and have staff show their badge when exiting the building. D. assign designated personnel to guard the doors once the alarm sounds.

D

Because of its importance to the business, an enterprise wants to quickly implement a technical solution that deviates from the company's policies. The risk practitioner should: A. recommend against implementation because it violates the company's policies. B. recommend revision of the current policy. C. conduct a risk assessment and allow or disallow based on the outcome. D. recommend a risk assessment and subsequent implementation only if residual risk is accepted.

D

Control objectives are useful to risk professionals because they provide the basis for understanding the: A. techniques for securing information for a given risk. B. information security policies, procedures and standards. C. control best practices relevant to a specific entity. D. desired outcome of implementing specific control procedures.

D

Controls are most effective when they are designed to reduce: A. threats. B. likelihood. C. uncertainty. D. vulnerabilities.

D

During a quarterly interdepartmental risk assessment, the IT operations center indicates a heavy increase of malware attacks. Which of the following recommendations to the business is MOST appropriate? A. Contract with a new anti-malware software vendor because the current solution seems ineffective. B. Close down the Internet connection to prevent employees from visiting infected web sites. C. Make the number of malware attacks part of each employee's performance metrics. D. Increase employee awareness training, including end-user roles and responsibilities.

D

During an internal risk assessment in a global enterprise, a risk manager notes that local management has proactively mitigated some of the high-level risk related to the global purchasing process. This means that: A. the local management is now responsible for the risk. B. the risk owner is the corporate chief risk officer (CRO). C. the risk owner is the local purchasing manager. D. corporate management remains responsible for the risk.

D

During what stage of the overall risk management process is the cost-benefit analysis PRIMARILY performed? A. During the initial risk assessment B. During the information asset classification C. During the definition of the risk profile D. During the risk response selection

D

Investments in risk management technologies should be based on: A. audit recommendations. B. vulnerability assessments. C. business climate. D. value analysis.

D

Obtaining senior management commitment and support for information security investments can BEST be accomplished by a business case that: A. explains the technical risk to the enterprise. B. includes industry best practices as they relate to information security. C. details successful attacks against a competitor. D. ties security risk to organizational business objectives.

D

Purchasing insurance is a form of: A. risk avoidance. B. risk mitigation. C. risk acceptance. D. risk transfer.

D

Risk management programs are designed to reduce risk to: A. the point at which the benefit exceeds the expense. B. a level that is too small to be measurable. C. a rate of return that equals the current cost of capital. D. a level that the enterprise is willing to accept.

D

Risk monitoring provides timely information on the actual status of the enterprise with regard to risk. Which of the following choices provides an overall risk status of the enterprise? A. Risk management B. Risk analysis C. Risk appetite D. Risk profile

D

Risk scenarios enable the risk assessment process because they: A. cover a wide range of potential risk. B. minimize the need for quantitative risk analysis techniques. C. segregate IT risk from business risk for easier risk analysis. D. help estimate the frequency and impact of risk.

D

The BEST reason to implement a maturity model for risk management is to: A. permit alignment with business objectives. B. help improve governance and compliance. C. ensure that security controls are effective. D. enable continuous improvement.

D

The MAIN benefit of information classification is that it helps: A. determine how information can be further labeled. B. establish the access control matrices. C. determine the risk tolerance level. D. select security measures that are proportional to risk.

D

The MAIN objective of IT risk management is to: A. prevent loss of IT assets. B. provide timely management reports. C. ensure regulatory compliance. D. enable risk-aware business decisions.

D

The MOST effective method to conduct a risk assessment on an internal system in an organization is to start by understanding the: A. performance metrics and indicators. B. policies and standards. C. recent audit findings and recommendations. D. system and its subsystems.

D

The MOST important external factors that should be considered in a risk assessment effort are: A. proposed new security tools and technologies. B. the number of viruses and other malware being developed. C. international crime statistics and political unrest. D. supply chain and market conditions.

D

The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is: A. storage availability. B. applicable organizational standards. C. generally accepted industry best practices. D. business requirements.

D

The PRIMARY goal of certifying a system prior to implementation is to: A. protect the enterprise from liability for releasing a substandard system. B. review the system controls to ensure that the controls are configured correctly. C. test the integrated system to detect any upstream or downstream liabilities. D. ensure that the system meets its specified security requirements at the time of testing.

D

The PRIMARY purpose of providing built-in audit trails in applications is to: A. support e-discovery. B. collect information for auditors. C. enable troubleshooting. D. establish accountability.

D

The PRIMARY reason to report significant changes in IT risk to management is to: A. update the information asset inventory on a periodic basis. B. update the values of probability and impact for the related risk. C. reconsider the degree of importance of existing information assets. D. initiate a risk impact analysis to determine if additional response is required.

D

The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all of the IT decisions for the enterprise, including those related to the technology budget. The IT steering committee will be BEST represented by: A. members of the executive board. B. high-level members of the IT department. C. IT experts from outside of the enterprise. D. key members from each department.

D

The preparation of a risk register begins in which risk management process? A. Risk response planning B. Risk monitoring and control C. Risk management planning D. Risk identification

D

What control focuses directly on preventing the risk of collusion? A. Mandatory access control B. Principle of least privilege C. Discretionary access control D. Mandatory job rotation

D

What is the BEST tool for documenting the status of risk mitigation and risk ownership? A. Risk action plans B. Risk scenarios C. Business impact analysis (BIA) documents D. A risk register

D

What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives? A. A compliance-oriented gap analysis B. Interviews with business process stakeholders C. A mapping of compliance requirements to policies and procedures D. A compliance-oriented business impact analysis (BIA)

D

What is the PRIMARY objective of conducting a peer review prior to implementing any changes to the firewall configuration? A. To assist in the detection of fraudulent or inappropriate activity B. To reduce the need for more technical testing since the changes have already been examined C. To facilitate ongoing knowledge transfer by letting staff learn by examining the work of senior staff D. To help detect errors in the proposed change prior to implementation

D

What role does the risk professional have in regard to the IS control monitoring process? The risk professional: A. maintains and operates IS controls. B. approves the policies for IS control monitoring. C. determines the frequency of control testing by internal audit. D. assists in planning, reporting and scheduling tests of IS controls.

D

When developing risk scenarios for an enterprise, which of the following is the BEST approach? A. The top-down approach for capital-intensive enterprises B. The top-down approach because it achieves automatic buy-in C. The bottom-up approach for unionized enterprises D. The top-down and the bottom-up approach because they are complementary

D

When the risk related to a specific business process is greater than the potential opportunity, the BEST risk response is: A. transfer. B. acceptance. C. mitigation. D. avoidance.

D

Whether a risk has been reduced to an acceptable level should be determined by: A. IS requirements. B. information security requirements. C. international standards. D. organizational requirements.

D

Which of the following BEST assists in the development of the risk profile? A. The presence of preventive and detective controls B. Inherent risk and detection risk C. Cost-benefit analysis of controls D. Likelihood and impact of risk

D

Which of the following BEST assists in the proper design of an effective key risk indicator (KRI)? A. Generating the frequency of reporting cycles to report on the risk B. Preparing a business case that includes the measurement criteria for the risk C. Conducting a risk assessment to provide an overview of the key risk D. Documenting the operational flow of the business from beginning to end

D

Which of the following BEST enables an enterprise to measure its risk management process against peers? A. Adoption of an enterprise architecture (EA) model B. Adoption of a balanced scorecard (BSC) C. Adoption of a risk assessment methodology D. Adoption of a maturity model

D

Which of the following BEST ensures that appropriate mitigation occurs on identified information systems vulnerabilities? A. Presenting root cause analysis to the management of the organization B. Implementing software to input the action points C. Incorporating the findings into the annual report to shareholders D. Assigning action plans with deadlines to responsible personnel

D

Which of the following BEST ensures the overall effectiveness of a risk management program? A. Obtaining feedback from all end users B. Assigning a dedicated risk manager to run the program C. Applying quantitative risk methodologies D. Participation of relevant stakeholders

D

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation? A. Symmetric cryptography B. Message hashing C. Message authentication code D. Public key infrastructure (PKI)

D

Which of the following MOST effectively ensures that service provider controls are within the guidelines set forth in the organization's information security policy? A. Service level monitoring B. Penetration testing C. Security awareness training D. Periodic auditing

D

Which of the following activities is an example of risk sharing? A. Moving a function to another department B. Selling a product or service to another company C. Deploying redundant firewalls D. Contracting with a third party

D

Which of the following approaches BEST helps an enterprise achieve risk-based organizational objectives? A. Ensure that asset owners perform annual risk assessments. B. Review and update the risk register regularly. C. Assign a steering committee to the risk management process. D. Embed risk management activities into business processes.

D

Which of the following causes an internal ad hoc risk assessment to be performed before the annual occurrence? A. A new chief information officer (CIO) is hired. B. Senior management adjusts risk appetite. C. Risk changes on a frequent basis. D. A new system is introduced into the environment.

D

Which of the following choices is the MOST important critical success factor (CSF) of implementing a risk-based approach to the system development life cycle (SDLC)? A. Existence of a risk management framework B. Defined risk mitigation strategies C. Compliance with the change management process D. Adequate involvement of business representatives

D

Which of the following considerations is MOST important when implementing key risk indicators (KRIs)? A. The metric is easy to measure. B. The metric is easy to aggregate. C. The metric is easy to interpret. D. The metric links to a specific risk.

D

Which of the following environments typically represents the GREATEST risk to organizational security? A. An enterprise data warehouse B. A load-balanced, web server cluster C. A centrally managed data switch D. A locally managed file server

D

Which of the following is MOST beneficial to the improvement of an enterprise's risk management process? A. Key risk indicators (KRIs) B. External benchmarking C. The latest risk assessment D. A maturity model

D

Which of the following is MOST important for measuring the effectiveness of a security awareness program? A. Increased interest in focus groups on security issues B. A reduced number of security violation reports C. A quantitative evaluation to ensure user comprehension D. An increased number of security violation reports

D

Which of the following is MOST important to determine when defining risk management strategies? A. Risk assessment criteria B. IT architecture complexity C. An enterprise disaster recovery plan (DRP) D. Organizational objectives

D

Which of the following is MOST important when considering the risk appetite of an enterprise? A. The capacity of the enterprise to absorb loss B. The definition of responsibilities for risk management C. The line of business and the typical risk of the industry D. The culture and predisposition toward risk taking

D

Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system? A. The approved budget of the project B. The frequency of incidents C. The annual loss expectancy (ALE) of incidents D. The total cost of ownership (TCO)

D

Which of the following is MOST suitable for reporting IT-related business risk to senior management? A. Balanced scorecards (BSCs) B. Gantt charts/PERT diagrams C. Technical vulnerability reports D. Dashboards

D

Which of the following is MOST useful in developing a series of recovery time objectives (RTOs)? A. Regression analysis B. Risk analysis C. Gap analysis D. Business impact analysis (BIA)

D

Which of the following is MOST useful when computing annual loss exposure? A. The cost of existing controls B. The number of vulnerabilities C. The net present value (NPV) of the asset D. The business value of the asset

D

Which of the following is a behavior of risk avoidance? A. Take no action against the risk. B. Outsource the related process. C. Insure against a specific event. D. Exit the process that gives rise to risk.

D

Which of the following is a control designed to prevent segregation of duties (SoD) violations? A. Enabling IT audit trails B. Implementing two-way authentication C. Reporting access log violations D. Implementing role-based access

D

Which of the following is of MOST concern in a review of a virtual private network (VPN) implementation? Computers on the network are located: A. at the enterprise's remote offices. B. on the enterprise's internal network. C. at the backup site. D. in employees' homes.

D

Which of the following is responsible for evaluating the effectiveness of existing internal information security (IS) controls within an enterprise? A. The data owner B. Senior management C. End users D. The system auditor

D

Which of the following is the BEST metric to manage the information security program? A. The number of systems that are subject to intrusion detection B. The amount of downtime caused by security incidents C. The time lag between detection, reporting and acting on security incidents D. The number of recorded exceptions from the minimum information security requirements

D

Which of the following is the BEST reason to perform a risk assessment? A. To satisfy regulatory requirements B. To budget appropriately for needed controls C. To analyze the effect on the business D. To help determine the current state of risk

D

Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack? A. Utilize an intrusion detection system (IDS). B. Establish minimum security baselines. C. Implement vendor recommended settings. D. Perform periodic penetration testing.

D

Which of the following is the GREATEST challenge of performing a quantitative risk analysis? A. Obtaining accurate figures on the impact of a realized threat B. Obtaining accurate figures on the value of assets C. Calculating the annual loss expectancy (ALE) of a specific threat D. Obtaining accurate figures on the frequency of specific threats

D

Which of the following is the MOST appropriate metric to measure how well the information security function is managing the administration of user access? A. Elapsed time to suspend accounts of terminated users B. Elapsed time to suspend accounts of users transferring C. Ratio of actual accounts to actual end users D. Percent of accounts with configurations in compliance

D

Which of the following is the MOST effective way to ensure that third-party providers comply with the enterprise's information security policy? A. Security awareness training B. Penetration testing C. Service level monitoring D. Periodic auditing

D

Which of the following is the MOST important factor when designing IS controls in a complex environment? A. Development methodologies B. Scalability of the solution C. Technical platform interfaces D. Stakeholder requirements

D

Which of the following is the MOST important information to include in a risk management strategic plan? A. Risk management staffing requirements B. The risk management mission statement C. Risk mitigation investment plans D. The current state and desired future state

D

Which of the following is the MOST important reason for conducting periodic risk assessments? A. Risk assessments are not always precise. B. Reviewers can optimize and reduce the cost of controls. C. Periodic risk assessments demonstrate the value of the risk management function to senior management. D. Business risk is subject to frequent change.

D

Which of the following is the MOST prevalent risk in the development of end-user computing (EUC) applications? A. Increased development and maintenance costs B. Increased application development time C. Impaired decision making due to diminished responsiveness to requests for information D. Applications not subjected to testing and IT general controls

D

Which of the following is true about IT risk? A. IT risk cannot be assessed and measured quantitatively. B. IT risk should be calculated separately from business risk. C. IT risk management is the responsibility of the IT department. D. IT risk exists whether or not it is detected or recognized by an enterprise.

D

Which of the following objectives is the PRIMARY reason risk professionals conduct risk assessments? A. To maintain the enterprise's risk register B. To enable management to choose the right risk response C. To provide assurance on the risk management process D. To identify risk with the highest business impact

D

Which of the following outcomes of an outsourcing contract for non-core processes is of GREATEST concern to the management of an enterprise? A. Total cost of ownership (TCO) exceeds projections. B. Internal information systems experience has been lost. C. Employees of the vendor were disloyal to the client enterprise. D. Processing of critical data was subcontracted by the vendor.

D

Which of the following practices is MOST closely associated with risk monitoring? A. Assessment B. Mitigation C. Analysis D. Reporting

D

Which of the following requirements MUST be met during the initial stages of developing a risk management program? A. Management acceptance and support have been obtained. B. Information security policies and standards are established. C. A management committee to provide program oversight exists. D. The context and purpose of the program is defined.

D

Which of the following risk assessment outputs is MOST suitable to help justify an organizational information security program? A. An inventory of risk that may impact the enterprise B. Documented threats to the enterprise C. Evaluation of the consequences D. A list of appropriate controls for addressing risk

D

Which of the following situations is BEST addressed by transferring risk? A. An antiquated fire suppression system in the computer room B. The threat of disgruntled employee sabotage C. The possibility of the loss of a universal serial bus (USB) removable media drive D. A building located in a 100-year flood plain

D

Which of the following system development life cycle (SDLC) stages is MOST suitable for incorporating internal controls? A. Development B. Testing C. Implementation D. Design

D

Which of the following would BEST help an enterprise select an appropriate risk response? A. The degree of change in the risk environment B. An analysis of risk that can be transferred were it not eliminated C. The likelihood and impact of various risk scenarios D. An analysis of control costs and benefits

D

Which of the following is the FIRST step when developing a risk monitoring program? A. Developing key indicators to monitor outcomes B. Gathering baseline data on indicators C. Analyzing and reporting findings D. Conducting a capability assessment

D

Which type of risk assessment methods involves conducting interviews and using anonymous questionnaires by subject matter experts? A. Quantitative B. Probabilistic C. Monte Carlo D. Qualitative

D
