Reviewer D-2
81. According to good practices, which of the following is PRIMARILY used to detect vulnerabilities in Internet-facing systems?
A. Penetration testing
B. Intrusion prevention systems
C. Antivirus systems
D. Spam filtering systems

A is the correct answer.
Justification:
A. A penetration test simulates the actions of real attackers to test security defenses and detect vulnerabilities.
B. Intrusion prevention systems are designed to detect attacks and prevent the target hosts from being affected. They do not scan for vulnerabilities.
C. Antivirus systems block malware. They do not detect vulnerabilities.
D. Spam filtering systems block spam email. They do not detect vulnerabilities.

17. The GREATEST advantage in performing a business impact analysis is that it:
A. does not have to be updated because the impact will not change.
B. promotes continuity awareness in the enterprise.
C. requires only qualitative estimates.
D. eliminates the need for risk analysis.

B is the correct answer.
Justification:
A. A business impact analysis (BIA) should be updated periodically because existing environments, systems, risk and applications change, and new systems are added.
B. A BIA raises enterprise-wide awareness of risk to business recovery and continuity.
C. A BIA should use both qualitative and quantitative estimates; however, the analysis can be completed and estimates determined with or without minimum historical data.
D. Although a BIA is a part of the documentation used during a risk analysis, it cannot eliminate the need to perform a risk analysis.

35. The FIRST step in identifying and assessing IT risk is to:
A. confirm the risk tolerance level of the enterprise.
B. identify threats and vulnerabilities.
C. gather information on the current and future environment.
D. review past incident reports and response activity.

C is the correct answer.
Justification:
A. A risk practitioner must understand the risk appetite of senior management and the associated risk tolerance level. However, risk tolerance primarily informs risk response and does not facilitate risk identification and assessment.
B. Identification of relevant threats and vulnerabilities is important but must be supplemented by consideration of pending changes to the enterprise's environment; anticipated changes may widen or narrow the scope of relevance.
C. The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise's environment (scope, technology, incidents, modifications, etc.).
D. While the review of past incident reports may be an input for the identification and assessment of IT risk, focusing on these factors is not adequate.

44. The PRIMARY benefit of using a maturity model to assess the enterprise's data management process is that it:
A. can be used for benchmarking.
B. helps identify gaps.
C. provides goals and objectives.
D. enforces continuous improvement.

B is the correct answer.
Justification:
A. While maturity models can be used for benchmarking, the benchmarking is not a primary benefit.
B. Maturity models can be used to help identify gaps between the current and the desired state to help enterprises determine necessary remediation efforts.
C. While maturity models help determine goals and objectives, their primary value is to identify current and desired states. Understanding gaps between the two states can help define remedial action.
D. Continuous improvement may not always be an objective of an enterprise, particularly when the current maturity level meets its needs.

50. If risk has been identified, but not yet mitigated, the enterprise would:
A. record and mitigate serious risk and disregard low-level risk.
B. obtain management commitment to mitigate all identified risk within a reasonable time frame.
C. document identified risk in the risk register and maintain the remediation status.
D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.

C is the correct answer.
Justification:
A. All levels of risk identified should be documented in the risk register. It is important to be able to identify where low-level risk can be aggregated within the register.
B. Not all identified risk will necessarily be mitigated. The enterprise will conduct a cost-benefit analysis before determining the appropriate risk response.
C. All identified risk should be included in the risk register. The register should capture the proposed remediation plan, the risk owner, and the anticipated date of completion.
D. Annual risk assessments should consider previous risk assessments.

76. A lack of adequate controls represents:
A. an impact.
B. a risk indicator.
C. a vulnerability.
D. a threat.

C is the correct answer.
Justification:
A. Impact measures the financial loss posed by a threat.
B. A risk indicator is a metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds its defined risk appetite.
C. The lack of adequate controls represents a vulnerability, exposing sensitive processes and/or data to the possibility of malicious damage, attack, or unauthorized access by hackers. Vulnerabilities can result in loss of sensitive information, financial loss, legal penalties, etc.
D. A threat is a potential cause or actor behind an adverse incident.

40. Which of the following capability dimensions is MOST important when using a maturity model for assessing the risk management process?
A. Effectiveness
B. Efficiency
C. Profitability
D. Performance

D is the correct answer.
Justification:
A. Effectiveness is a subset of the performance capability criterion.
B. Efficiency is a subset of the performance capability criterion.
C. Profitability is generally not considered when using a capability maturity model for assessing the risk management process.
D. Performance is achieved when the implemented process fulfills its purpose; thus, performance is the most important capability dimension when using a capability maturity model to assess the risk management process.

100. Which of the following MOST affects a risk scenario?
A. A threat type
B. An event
C. An asset
D. An actor

D is the correct answer.
Justification:
A. There is no scenario without an actor.
B. There is no scenario without an actor.
C. There is no scenario without an actor.
D. Someone needs to exploit the vulnerability.

83. Risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners are all captured in which of the following items?
A. Risk register
B. Risk subject
C. Risk factors
D. Risk treatment plan

A is the correct answer.
Justification:
A. A risk register includes risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners.
B. A risk subject refers to the risk owner and affected business unit but does not address projects.
C. Risk factors reference internal and external context, risk management and IT-related capabilities.
D. A risk treatment plan includes risk scenarios requiring mitigation, root cause analysis, risk response, evaluation criteria, accountability and responsibility, proposed actions, required resources, performance measurements and constraints, cost-benefit analysis, reporting and monitoring requirements, and timing and scheduling.

25. Which of the following BEST helps identify information systems control deficiencies?
A. Gap analysis
B. The current IT risk profile
C. The IT controls framework
D. Countermeasure analysis

A is the correct answer.
Justification:
A. Controls are deployed to achieve control objectives based on risk assessments and business requirements. The gap between desired control objectives and actual control design and operational effectiveness identifies control deficiencies in information systems.
B. Without knowing the gap between desired state and current state, one cannot identify control deficiencies relative to a desired state. The current IT risk profile does not expose this gap.
C. The IT controls framework is a generic document with no information on the desired future state of IS controls or the current state of the enterprise; therefore, it will not help identify IS control deficiencies.
D. Countermeasure analysis helps only in identifying deficiencies in countermeasures and not in the full set of primary controls.

78. Which of the following factors determines the acceptable level of residual risk in an enterprise?
A. Management discretion
B. Regulatory requirements
C. Risk assessment results
D. Internal audit findings

A is the correct answer.
Justification:
A. Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, enterprise management may decide to accept risk. The target risk level for a control is, therefore, subject to management discretion.
B. Failure to comply with regulatory requirements has consequences, but those consequences are considered in the context of enterprise risk. In some cases, the cost of failure to comply may be lower than the cost of compliance; in this case, management may decide to accept the risk.
C. The acceptable level of residual risk is determined by management and is not dependent on the results of the risk assessment.
D. The results of an internal audit determine the actual level of residual risk within a specific audit scope, but whether this level is acceptable is fundamentally a management decision.

7. Which of the following is the PRIMARY objective of a risk management program?
A. Maintain residual risk at an acceptable level
B. Implement preventive controls for every threat
C. Remove all identified risk
D. Reduce inherent risk to zero

A is the correct answer.
Justification:
A. Ensuring that all residual risk is maintained at a level acceptable to the business is the objective of a risk management program.
B. Implementing controls for every threat is not the objective of the risk management program. The program considers known threats and determines the risk response to those threats as determined by the enterprise's risk appetite and acceptance levels.
C. A risk management program is not intended to remove every identified risk.
D. Inherent risk (the risk level of an activity, business process or entity without taking into account the actions that management has taken or may take) is always greater than zero.

74. The likelihood of an attack being launched against an enterprise is MOST dependent on:
A. the skill and motivation of the potential attacker.
B. the frequency that monitoring systems are reviewed.
C. the ability to respond quickly to any incident.
D. the effectiveness of the controls.

A is the correct answer.
Justification:
A. Factors that affect likelihood include the skill and motivation of the attacker; knowledge of vulnerabilities; use of popular hardware or software; value of the asset (which varies directly with motivation); and environmental factors such as politics, activists, and disgruntled employees or dissatisfied customers.
B. Monitoring systems may detect an attack but will not usually affect the likelihood of an attack. An exception occurs when the attacker becomes aware of being monitored, realizes the likelihood of being caught is high, and accordingly becomes less likely to launch an attack.
C. The ability to respond is important but is only relevant once an attack has been conducted. It will not affect likelihood.
D. Controls may deter, prevent, detect or aid recovery from an attack, but they will not necessarily affect the likelihood of someone trying to attack.

24. Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of:
A. potential threats to assets.
B. residual risk on individual assets.
C. accepted risk.
D. security incidents.

A is the correct answer.
Justification:
A. Identifying potential threats to business assets will help isolate vulnerabilities and associated risk, all of which contribute to developing proper risk scenarios.
B. Identifying residual risk on individual assets does not help develop a proper risk scenario.
C. Accepted risk generally reflects a small subset of entries in the risk register. Accepted risk should be included in the risk register to ensure that events continue to be monitored in case an actual incident alters current acceptance of the risk.
D. Previous security incidents at the enterprise itself or at entities with a similar profile may inspire the inclusion of similar risk scenarios in the risk register. However, the best approach to create a meaningful risk register is to capture potential threats on tangible and intangible assets.

16. Which of the following BEST describes the information needed for each risk in a risk register?
A. Risk scenario including date, description, impact, probability, risk score, mitigation action and owner
B. Risk scenario including date, description, risk score, cost to remediate, communication plan and owner
C. Risk scenario including date, description, impact, cost to remediate and owner
D. Various activities leading to risk management planning

A is the correct answer.
Justification:
A. Information required for each risk in a risk register includes date, description, impact, probability, risk score, mitigation action and owner.
B. Some of these elements are necessary to facilitate informed decisions, but others are needed as well (impact, probability, mitigation action). A communication plan is not required for each risk in a risk register.
C. In addition to these elements, probability, risk score and mitigation action are needed for each risk in a risk register to make informed decisions.
D. A risk register results from risk management planning, not the other way around.

A lack of adequate controls represents:
A. a vulnerability.
B. an impact.
C. an asset.
D. a threat.

A is the correct answer.
Justification:
A. Lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack, or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc.
B. Impact is the measure of financial loss incurred by a threat or incident.
C. Assets have tangible or intangible value worth protecting and include people, systems, infrastructure, finances and reputation.
D. A threat is a potential cause of a security incident.

32. Which of the following BEST improves decision-making related to risk?
A. Maintaining a documented risk register of all possible risk
B. Risk awareness training in line with the risk culture
C. Maintaining updated security policies and procedures
D. Allocating accountability of risk to the department as a whole

A is the correct answer.
Justification:
A. Maintaining a documented risk register improves decision-making related to risk response because a risk register captures the population of relevant risk scenarios and provides a basis for prioritization of risk responses.
B. Offering risk awareness training to stakeholders and customizing its content according to the enterprise's risk culture will sensitize stakeholders and users to their risk responsibilities. Training helps enhance accountability to make decisions on acceptance of residual risk but is less useful with respect to emerging threats.
C. Maintaining policies and procedures will not necessarily improve decisions related to residual risk.
D. Allocating accountability to the department as a whole dilutes ownership because there will be no individual owner for risk.

18. The PRIMARY advantage of creating and updating a risk register is to:
A. ensure that an inventory of identified risk is maintained.
B. record all risk scenarios considered during the risk identification process.
C. collect similar data on all risk identified within the enterprise.
D. run reports based on various risk scenarios.

A is the correct answer.
Justification:
A. Once assets and risk are identified, the risk register is used as an inventory of that risk. The risk register can accelerate risk decision-making and establish accountability for specific risk.
B. Recording all considered scenarios in the register and reassessing them annually are good practices; however, maintaining the inventory is the primary advantage.
C. Similar data elements can be collected in a spreadsheet or governance, risk and compliance (GRC) tool in a single format, but ensuring the inventory is still the primary advantage.
D. Running reports is a benefit of the risk register but not its primary purpose.

29. Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as:
A. quantitative risk analysis.
B. risk scenario analysis.
C. qualitative risk analysis.
D. probabilistic risk assessment.

A is the correct answer.
Justification:
A. Quantitative risk analysis derives the probability and impact of risk scenarios from statistical methods and data.
B. A risk scenario analysis generally includes several risk analysis methods, including quantitative, semi-quantitative and qualitative.
C. A qualitative risk analysis would use non-quantitative measures to estimate the likelihood and impact of adverse events. These might include low, medium and high for likelihood; and low, medium, high and catastrophic for the impact.
D. Probabilistic risk assessments are mostly applied to risk associated with complex engineered technology (e.g., nuclear plants, airplanes). They rely on a systematic and comprehensive methodology and consider both quantitative and qualitative risk analysis.

58. It is MOST important for a risk evaluation to:
A. take into account the potential size and likelihood of a loss.
B. consider inherent and control risk.
C. include a benchmark of similar companies in its scope.
D. assume an equal degree of protection for all assets.

A is the correct answer.
Justification:
A. Risk evaluation should consider the potential size and likelihood of a loss.
B. Although inherent and control risk should be considered in the analysis, the impact of the risk (potential likelihood and impact of loss) should be the primary driver.
C. Risk evaluation can include comparisons with a group of companies of similar size.
D. Risk evaluation should not assume an equal degree of protection for all assets because assets may have different risk factors.

43. What is the MAIN objective of risk identification?
A. To detect possible threats that may affect the business
B. To ensure that risk factors and root causes are managed
C. To enable the review of the key performance indicators
D. To provide qualitative impact values to stakeholders

A is the correct answer.
Justification:
A. Risk identification is the process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise's operational environment.
B. Ensuring that risk factors and root causes are addressed is the objective of the risk response process, not of risk identification.
C. Ensuring that risk factors and root causes are addressed is the objective of the risk response process, not of risk identification.
D. Qualitative risk impact values derive from the risk assessment process.

70. How often should risk be evaluated?
A. Annually or when there is a significant change
B. Once a year for each business process and subprocess
C. Every three to six months for critical business processes
D. Only after significant changes occur

A is the correct answer.
Justification:
A. Risk is constantly changing. Evaluating risk annually or when there is a significant change offers the best alternative; this approach considers reasonable frequency of review and allows flexibility to address significant intervening change.
B. Evaluating risk once a year is insufficient if important changes take place.
C. Evaluating risk every three to six months for critical processes may not be necessary; because there is a cost associated with evaluation activities, annually or whenever significant change takes place is the right strategy to adopt.
D. Evaluating risk only after significant changes occur may fail to consider less significant changes that collectively affect overall risk.

19. Which of the following BEST assists a risk practitioner in measuring the existing level of development of risk management processes against the desired state?
A. A capability maturity model
B. Risk management audit reports
C. A balanced scorecard
D. Enterprise security architecture

A is the correct answer.
Justification:
A. The capability maturity model grades processes on a scale of 0 to 5, based on their maturity, and is commonly used by entities to measure their existing state and then to determine the desired one.
B. Risk management audit reports offer a limited view of the current state of risk management.
C. A balanced scorecard enables management to measure the implementation of strategy and assists in its translation into action.
D. Enterprise security architecture explains the security architecture of an entity in terms of business strategy, objectives, relationships, risk, constraints and enablers; it also provides a business-driven and business-focused view of security architecture.

13. An enterprise learns of a security breach at another entity using similar network technology. The MOST important action for a risk practitioner is to:
A. assess the likelihood of the incident occurring at the risk practitioner's enterprise.
B. discontinue the use of the vulnerable technology.
C. report to senior management that the enterprise is not affected.
D. remind staff that no similar security breaches have taken place.

A is the correct answer.
Justification:
A. The likelihood of a similar incident occurring at the risk practitioner's enterprise should be assessed first, based on available information.
B. Discontinuing vulnerable technology is not necessarily required; furthermore, the technology is likely to be needed to support the enterprise.
C. Reporting to senior management that the enterprise is not affected is premature until the risk practitioner assesses the likelihood of a similar incident.
D. Pending further research, the risk practitioner cannot be certain that no similar security breaches have taken place.

69. The PRIMARY reason to verify the completion of a risk mitigation response is to:
A. confirm that residual risk is within acceptable thresholds.
B. verify that vulnerabilities are no longer exploitable.
C. maintain an accurate risk profile and inventory.
D. manage and report on the status of risk action plans.

A is the correct answer.
Justification:
A. The primary reason to verify the completion of the risk mitigation response is to confirm that residual risk is within acceptable thresholds or to plan for further action if it is not.
B. Verifying if vulnerabilities are no longer exploitable is not the primary reason to verify completion of a risk mitigation response, as new exploits continuously emerge.
C. Accuracy of the risk register is not the primary reason for monitoring residual risk.
D. Risk reporting is not the primary reason to verify residual risk and its impact to the enterprise.

96. Which of the following examples includes the required components of a risk calculation?
A. Over the next quarter, it is estimated that there is a 30 percent chance of two projects failing to meet a contract deadline, resulting in a US$500,000 fine related to breach of service level agreements.
B. Security experts believe that if a system is compromised, it will result in the loss of US$15 million in lost contracts.
C. The likelihood of disk corruption resulting from a single event of uncontrolled system power failure is estimated by engineers to be 15 percent.
D. The impact to security of a business line of a malware-related workstation event is estimated to be low.

A is the correct answer.
Justification:
A. The probability and impact of a specific event are required components of a risk calculation.
B. The impact of the event is addressed but not the probability.
C. The probability of the event is addressed but not the impact.
D. The impact of the event is addressed but not the probability.

71. Which of the following combinations of factors helps quantify risk?
A. Probability and consequence
B. Threat and impact
C. Threat and exposure
D. Sensitivity and exposure

A is the correct answer.
Justification:
A. The quantification of risk is based on the probability (likelihood) of a threat exploiting a vulnerability resulting in a damaging consequence (impact) to an asset.
B. A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. The impact is the effect of the threat on the asset. Threat and impact are not sufficient to quantify risk.
C. A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. Exposure reflects potential loss due to the occurrence of an adverse event. Threat and exposure are not sufficient to quantify risk.
D. Sensitivity is a measure of the impact that improper disclosure of information may have on an enterprise. Exposure reflects potential loss due to the occurrence of an adverse event but is not used to quantify risk.

54. The MAIN reason an enterprise maintains a risk register is that it:
A. acts as a repository of identified risk for decision-making.
B. helps in benchmarking against the risk impacting industry peers.
C. improves the risk culture by communicating risk to all employees.
D. establishes the risk indicators that an enterprise can focus upon.

A is the correct answer.
Justification:
A. The risk register has the identified risk and is a repository that helps in decision-making.
B. The risk registers from industry peers are never published, so benchmarking is not possible.
C. Risk culture can be improved through awareness, but the risk register itself is not a means of communicating risk awareness.
D. The risk register may include information that the risk owner could use to establish risk indicators, but that is not its main purpose.

59. When performing a risk assessment on the impact of losing a server, calculating the monetary value of the server should be based on the:
A. cost to obtain a replacement.
B. annual loss expectancy.
C. cost of the software stored.
D. original cost to acquire.

A is the correct answer.
Justification:
A. The value of the server should be based on its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs and the value it brings to the enterprise.
B. The annual loss expectancy for all risk related to the server does not represent the server's value.
C. The software can be restored from backup media.
D. The original cost may be significantly different from the current cost and, therefore, not as relevant.

87. Which of the following BEST addresses the potential for bias in developing risk scenarios?
A. Using representative and significant historical data
B. Securing participation of a large team of functional experts
C. Establishing a clearly defined escalation process
D. Integrating quantitative risk analysis techniques

A is the correct answer.
Justification:
A. Using representative and significantly broad historical data helps to avoid bias that may otherwise characterize the selection of data by individual functional experts.
B. Securing participation of a large team of functional experts can help reduce subjectivity to some extent. However, it will not preclude bias because each expert may provide data based on individual experience and knowledge.
C. Establishing a clearly defined escalation process will provide opportunities to challenge risk values but in itself will not address potential bias.
D. Integrating quantitative risk analysis techniques will not reduce bias unless factual internal and external data are available in the first place.

92. In which of the following cases would an enterprise opt for a risk analysis based on qualitative techniques rather than quantitative risk techniques?
A. The established enterprise is evaluating the risk associated with developing a new company logo.
B. The enterprise wants an approximate measure of the magnitude of impact in financial terms.
C. The enterprise intends to rely primarily on external data in performing the risk analysis.
D. The enterprise is evaluating the risk associated with an established line of manufacturing.

A is the correct answer.
Justification:
A. When an existing enterprise decides to rebrand itself, it is taking a risk that the new branding will not be accepted by customers. Therefore, when considering developing a new logo, enterprises should conduct surveys and focus groups to gain customer opinion rather than relying on historical or industry data. Qualitative analysis is ideally suited to this case.
B. Approximating the magnitude of impact in financial terms is the purpose of quantitative risk analysis.
C. Reliance on external data is a technique associated with quantitative risk analysis.
D. Established lines of manufacturing are able to draw on considerable quantities of data and are ideally suited to statistical process control, a technique associated with quantitative risk analysis.

64. Which of the following vulnerabilities is the MOST serious and allows attackers to access data through a web application?
A. Validation checks are missing in data input fields.
B. Password rules do not enforce sufficient complexity.
C. Application transaction log management is weak.
D. The application and database share a single access ID.

A is the correct answer.
Justification:
A. When validation checks are missing in data input fields, attackers are able to exploit other weaknesses in the system. For example, they can submit part of a structured query language (SQL) statement (SQL injection attack) to retrieve application data illegally, deface or even disable the web application. Input validation checks are effective countermeasures.
B. Noncomplex passwords may make accounts vulnerable to brute force attacks, but those attacks can be countered in other ways besides complexity (e.g., lockout thresholds).
C. If application transaction log management is weak, confidential information could inadvertently be written to the application transaction log. Sufficient care should therefore be given to log management. However, it is uncommon for attackers to use the log server to steal database information.
D. It is quite common that the application and database share a single access ID. If the supporting domain architecture is sufficiently secure, the overall risk is low.

15. Which of the following is the BEST risk identification technique to support an enterprise that allows employees to identify risk anonymously?
A. The Delphi technique
B. Isolated pilot groups
C. A SWOT analysis
D. A root cause analysis

A is the correct answer.
Justification:
A. With the Delphi technique, polling or information gathering is done either anonymously or privately between the interviewer and interviewee.
B. Participants generally do not identify risk anonymously within isolated pilot groups.
C. With a SWOT (strengths, weaknesses, opportunities and threats) analysis, participants generally do not identify risk anonymously.
D. With a root cause analysis, participants generally do not identify risk anonymously.

42. Which of the following statements BEST describes the value of a risk register?
A. It captures the risk inventory.
B. It drives the risk response plan.
C. It is a risk reporting tool.
D. It lists internal risk and external risk.

B is the correct answer.
Justification:
A. A risk register provides detailed information on each identified risk including risk owner, details of the risk scenario, assumptions, affected stakeholders, causes/indicators, detailed scores (i.e., risk ratings) on the risk analysis, and detailed information on the risk response (e.g., action owner and risk response status, time frame for action, related projects, and risk tolerance level). These components can also be defined as the risk universe.
B. Risk registers serve as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization.
C. Risk register data are used to generate management reports, but a risk register is not in itself a risk reporting tool.
D. The risk register tracks all internal and external risk, the quality and quantity of the controls, and the likelihood and impact of the risk.

3. Which of the following will produce comprehensive results when performing a qualitative risk analysis? A. A vulnerability assessment B. Scenarios with threats and impacts C. The value of information assets D. Estimated productivity losses
B is the correct answer. Justification: A. A vulnerability assessment itself provides a one-sided view unless it is linked to specific risk scenarios that help determine likelihood and impact. B. Using a list of possible scenarios with threats and impacts will better frame the range of risk and facilitate a more informed discussion and decision. C. The value of information assets is an important starting point when performing a qualitative risk analysis. However, value without consideration of realistic threats and determination of likelihood and impact is not sufficient for a risk analysis. D. Estimated productivity losses may be necessary to project magnitude of impact but are insufficient for a risk analysis.
45. The goal of IT risk analysis is to: A. enable the alignment of IT risk management with enterprise risk management. B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets.
B is the correct answer. Justification: A. Aligning IT risk management with enterprise risk management is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment. B. Risk analysis estimates the likelihood and magnitude of IT risk scenarios. Risk analysis helps ensure that areas with the greatest risk likelihood and impact are prioritized above those with lower likelihood and impact. Prioritization of IT risk helps maximize return on investment in risk responses. C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It considers regulatory risk as one of many types of risk. It is not specifically designed to satisfy legal and regulatory compliance requirements. D. Risk analysis occurs after risk identification and evaluation. Risk identification uncovers threats and vulnerabilities; risk evaluation assesses levels of risk and creates valid risk scenarios. Risk analysis quantifies risk along vectors of likelihood and impact to help prioritize risk responses.
34. Which of the following is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision-making? A. An internal audit review B. A peer review C. A compliance review D. A risk policy review
B is the correct answer. Justification: A. An internal audit review is not best suited for the review of IT risk analysis results. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an enterprise's operations. It helps an enterprise accomplish its objectives through a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. B. It is effective, efficient and good practice to perform a peer review of IT risk analysis results before sending them to management. C. A compliance review is not best suited for the review of IT risk analysis results. Compliance reviews measure conformance with a specific, measurable standard. D. A review of the risk policy may change the content and methodology of the risk analysis eventually, but this is not a way of reviewing IT risk analysis results before sending them to management.
55. Which of the following types of risk is high for projects that affect multiple business areas? A. Control risk B. Inherent risk C. Compliance risk D. Residual risk
B is the correct answer. Justification: A. Control risk may be high, but it would follow from failure to identify, evaluate or test internal controls, not from the number of users or business areas affected. B. Inherent risk normally grows as the number of users and business areas that may be affected increases. Inherent risk reflects risk or exposure without accounting for mitigating action by management. It is often higher whenever multiple parties may have conflicting responsibilities for a business process. C. Compliance risk reflects the penalty applied to current and future earnings for nonconformance to laws and regulations; number of users and affected business areas will not necessarily increase compliance risk. D. Residual risk is risk that persists after management implements a risk response. It is not based on the number of users or business areas affected.
A business impact analysis is PRIMARILY used to: A. estimate the resources required to resume normal operations after a disruption. B. evaluate the impact of disruption on an enterprise's ability to operate over time. C. calculate the likelihood and impact of known threats on specific functions. D. evaluate high-level business requirements.
B is the correct answer. Justification: A. Determining the resource requirements to resume normal operations is part of business continuity planning. B. A business impact analysis (BIA) is primarily intended to evaluate the impact of disruption over time to an enterprise's ability to operate. It determines the urgency of each business activity. Key deliverables include recovery time objectives and recovery point objectives. C. Likelihood and impact are calculated during risk analysis. D. High-level business requirements are defined during the early phases of a system development life cycle, not as part of a BIA.
57. Which of the following activities is MOST important when evaluating and assessing the risk to an enterprise or business process? A. Identification of controls that are currently in place to mitigate identified risk B. Threat intelligence, including likelihood of identified threats C. Historical risk assessment data D. Control testing results
B is the correct answer. Justification: A. Identification of controls that are currently in place is an important part of the risk assessment process but is not as important as threat intelligence. B. One of the key requirements of effective risk assessment is its association and alignment with current intelligence that includes data on the likelihood of identified threats. The probability of risk being realized is one of the primary determinations of risk prioritization. C. Historical risk assessment data are useful in understanding previously identified risk but are not essential to the risk assessment process. D. Control testing results are a component of risk assessment that helps support conclusions. Threat intelligence will often drive the testing of specific controls based on the identification of risk scenarios during the evaluation and assessment activity. These data are valuable to the risk assessment process but are not as valuable as accurate threat intelligence.
77. A risk professional has been asked to determine which factors were responsible for a loss event. Which of the following methods should be used? A. Key risk indicators B. Cause-and-effect analysis C. Business process modeling D. Business impact analysis
B is the correct answer. Justification: A. Key risk indicators are highly relevant and possess a high probability of predicting or indicating important risk. They are not used after a loss event occurs. B. Cause-and-effect analysis is a predictive or diagnostic analytical tool used to explore the root causes or factors that contribute to positive or negative effects or outcomes. It can also be used to identify potential risk. A typical form is the fishbone diagram. C. Business process modeling is not used for root cause analysis. D. Business impact analysis is a process to determine the impact of losing the support of any resource and is not used for root cause analysis.
88. Which of the following considerations is MOST applicable to risk assessments dealing with data management? A. Changing market conditions B. Changing configuration item data C. Lack of staff education D. Growing capabilities of attackers
B is the correct answer. Justification: A. Market conditions influence business objectives and may affect available resources, but these impacts tend to be distributed broadly and do not have any special applicability to risk assessment. B. Attributes and relationships for configuration items are subject to frequent change, and risk assessments must have accurate and up-to-date configuration item data in order to target correct information assets. C. Lack of staff education represents an increase in general enterprise vulnerability and does not have any special applicability to risk assessment. D. The growing capabilities of attackers represent an increase in the general threat environment and do not have any special applicability to risk assessment.
28. IT risk is measured by its: A. level of damage to IT systems. B. impact on business operations. C. cost of countermeasures. D. annual loss expectancy.
B is the correct answer. Justification: A. Measurement by IT damage alone is not comprehensive; business risk must also be considered. B. IT risk includes information and communication technology risk but is primarily measured by its impact on the business. IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. C. The cost and benefit of countermeasures is concerned with risk response, not with risk assessment. D. Annual loss expectancy is a quantitative measure and must be used in conjunction with qualitative measures, such as loss of reputation.
90. Which of the following is the MAIN outcome of a business impact analysis (BIA)? A. Project prioritization B. Criticality of business processes C. The root cause of IT risk D. Asset alignment with business processes
B is the correct answer. Justification: A. Project prioritization is a core focus of program management and seeks to optimize resource utilization. It is not the main outcome of a business impact analysis. B. A business impact analysis measures the total impact of tangible and intangible assets on business processes. Therefore, the sum of the value and opportunity lost plus the investment and time required to recover indicates the criticality of business processes. C. A root cause analysis investigates and diagnoses the origins of events. It typically assesses consequences of errors and problems and is not an outcome of a BIA. D. The alignment of assets with business processes is documented as an input during the BIA process, but it is not its main outcome.
The PRIMARY result of a risk assessment process is: A. a defined business plan. B. input for risk-aware decisions. C. data classification. D. minimized residual risk.
B is the correct answer. Justification: A. Risk assessment deliverables are not the primary input into the business plan, as a business plan defines how a business goal will be achieved. B. Risk assessment identifies and prioritizes risk and relates the aggregated risk to the enterprise's risk appetite and risk tolerance levels to enable risk-aware decision-making. C. Establishing data classification can be one outcome of a risk assessment, but it is not the primary result of risk assessment. D. Risk assessment itself does not minimize any risk. Residual risk is what remains after controls are implemented; it is an outcome of the risk treatment that follows the assessment, not of the assessment alone.
46. Which of the following factors should be assessed after the likelihood of a loss event has been determined? A. Risk tolerance B. Magnitude of impact C. Residual risk D. Compensating controls
B is the correct answer. Justification: A. Risk tolerance reflects the acceptable deviation from the enterprise's risk appetite. Applying it requires quantification of risk, which in turn requires determining the magnitude of impact. B. Once likelihood has been determined, the next step is to determine magnitude of impact. C. Residual risk is the risk that remains after management implements a risk response. It cannot be calculated until controls are selected. D. Compensating controls are internal controls that reduce the risk of an existing or potential control weakness that can result in errors and omissions. They would not be assessed directly in conjunction with assessing the likelihood of a loss event.
62. Which of the following is the BEST method to analyze risk, incidents and related interdependencies to determine the impact on enterprise goals? A. Security information and event management solutions B. A business impact analysis C. Enterprise risk management steering committee meetings D. Interviews with business leaders to develop a risk profile
B is the correct answer. Justification: A. Security information and event management solutions will primarily account for technical risk and typically do not evaluate the impact that business process objectives have on operational components. B. A business impact analysis should include the examination of risk, incidents and interdependencies to identify consequences for business objectives. C. Enterprise risk management steering committees are useful for reviewing analyses that have been completed, but not for conducting analysis. D. Interviews with business leaders will assist in identifying risk tolerance and key business objectives and activities, but will not yield risk or incident analysis.
51. Once a risk assessment has been completed, the documented test results should be: A. destroyed. B. retained. C. summarized. D. published.
B is the correct answer. Justification: A. Test results should be stored in a secure manner for future reference and comparison and not destroyed. B. Test results should be retained in order to ensure that future tests can be compared with past results and ensure reporting consistency. C. Test results are summarized as part of the risk assessment process. D. Assessment results are not usually published due to vulnerability disclosure.
67. The board of directors wants to know the financial impact of specific, individual risk scenarios. What type of approach is BEST suited to fulfill this requirement? A. Delphi method B. Quantitative analysis C. Qualitative analysis D. Financial risk modeling
B is the correct answer. Justification: A. The Delphi method is a forecasting method based on expert opinions that are gathered over several iterations of anonymous surveys. B. A quantitative approach to risk evaluations would be the best approach because it is formula-based and puts a monetary amount on the potential loss resulting from a risk scenario, which is of most interest to senior management. C. Qualitative analysis does not quantify the risk and loss in numbers and therefore is not the best option. D. Financial risk modeling determines aggregate risk in a financial portfolio. It is generally not used to provide the financial impact of individual risk scenarios.
47. The GREATEST benefit of using an IT risk register is that it is: A. a list of potential events that have been identified to understand their impact. B. a document used to track risk that has been identified, analyzed and prioritized. C. a list of risk that can be shared with all stakeholders in an easy-to-read format. D. the basis for choosing a commercial, off-the-shelf risk management tool.
B is the correct answer. Justification: A. The IT risk register includes a list of potential events, along with the likelihood and impact of the potential risk, but that is not its greatest benefit. B. The greatest benefit of a risk register is that it provides information about the likelihood, impact and prioritization of all identified IT risk. C. The IT risk register is a standardized format that can be easily shared, but that is not its greatest benefit. The greatest benefit of an IT risk register is the prioritization of the analyzed risk. D. The IT register can provide inputs into what commercial software solutions need to provide in terms of functionality, but that is not the greatest benefit of a risk register.
41. A small start-up software development company has been flooded and insurance does not pay because the premium has lapsed. In relation to risk management, the lapsed premium is considered a: A. risk. B. vulnerability. C. threat. D. negligence.
B is the correct answer. Justification: A. This scenario describes a weakness in the insurance premium payment process, which is considered a vulnerability, based on a management decision. B. A lapsed insurance premium describes a vulnerability. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that could expose the enterprise to a threat condition or actor. C. A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. In this case, the flood is the threat. D. Negligence is a legal term describing a civil wrong causing injury or harm to another person or to property as the result of doing something or failing to provide a proper or reasonable level of care. Negligence is not specifically related to risk management.
52. When developing IT-related risk scenarios with a top-down approach, it is MOST important to identify the: A. information system environment. B. business objectives. C. hypothetical risk scenarios. D. internal and external risk scenarios.
B is the correct answer. Justification: A. Top-down risk scenario development identifies the enterprise's business objectives and builds risk scenarios based on risk that may jeopardize those objectives. The information system environment would be a risk factor. B. Typically, top-down risk scenario development is performed by identifying business objectives and recognizing risk scenarios with the greatest potential to jeopardize business objectives. C. The identification of generic risk scenarios is usually related to a bottom-up risk identification method. D. It is important to identify both external and internal risk scenarios.
9. A procurement employee notices that new printer models offered by the vendor keep a copy of all printed documents on an internal hard disk. Considering the risk of unintentionally disclosing confidential data, the employee should: A. proceed with the order and configure printers to automatically wipe all data on disks after each print job. B. notify the security manager to conduct a risk assessment for the new equipment. C. seek another vendor that offers printers without built-in hard disk drives. D. procure printers with built-in hard disks and notify staff to wipe hard disks when decommissioning the printer.
B is the correct answer. Justification: A. Wiping hard disks after each job is not appropriate without a prior risk assessment. The data may be useful for forensic investigation; furthermore, the consumption of processing resources may affect printer performance. B. Risk assessment is most appropriate because it yields risk mitigation techniques that are appropriate for enterprise risk context and appetite. C. Focusing solely on risk and ignoring opportunity are inappropriate. A risk associated with nonvolatile storage is not a sufficient reason for changing vendors. Default archiving of copies to the internal disk may be a general industry trend with printers; furthermore, it may bring business benefits in addition to the risk, which should be evaluated. D. Notifying staff is not a sufficient control and does not mitigate risk associated with printers serviced by an external party.
5. Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor key risk indicators and record the findings in the risk register. B. Publish the risk register centrally with workflow features that periodically poll risk assessors. C. Distribute the risk register to business process owners for review and updating. D. Use audit personnel to perform regular audits and to maintain the risk register.
B is the correct answer. Justification: A. Monitoring key risk indicators will only provide insights to known and identified risk and will not account for risk that has yet to be identified. B. Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow features will ensure accuracy of content. A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register. C. Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased in their review and may not have the appropriate skills or tools to effectively evaluate risk. D. Audit personnel may not have the appropriate business knowledge or training in risk assessment to appropriately identify risk. Regular audits of business processes can also be a hindrance to business activities and most likely will not be allowed by business leadership.
20. Which of the following is MOST effective in assessing business risk? A. A use case analysis B. A business case analysis C. Risk scenarios D. A risk plan
C is the correct answer. Justification: A. A use case analysis identifies business requirements for a system or process. B. Business cases are generally part of a project charter and help define the project's purpose. C. Risk scenarios are the most effective technique in assessing business risk. Scenarios help determine the likelihood and impact of an identified risk. D. A risk plan is the output of the risk assessment.
38. When a start-up company becomes popular, it suddenly is the target of hackers. This is considered: A. an emerging vulnerability. B. a vulnerability event. C. an emerging threat. D. an environmental risk factor.
C is the correct answer. Justification: A. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that can expose the system to adverse threats from threat events. B. A vulnerability event reflects a material increase in vulnerability as a result of changes in control conditions or changes in threat capability/force. C. A threat is any event in which an asset is exposed to a threat condition or action that has the potential to directly result in harm. D. Environmental risk factors can be internal and external. Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change. External environmental factors are, to a large extent, outside the control of the enterprise.
1. Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the enterprise? A. An IT audit B. A security gap analysis C. A threat and vulnerability assessment D. An IT security assessment
C is the correct answer. Justification: A. An IT audit typically uses technical evaluation tools or assessment methodologies to enumerate risk. B. A security gap analysis typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios. C. A threat and vulnerability assessment typically evaluates all elements of a business process for threats and vulnerabilities and identifies the likelihood of occurrence and the business impact if the threats were realized. D. An IT security assessment typically uses technical evaluation tools or assessment methodologies to enumerate risk or areas of noncompliance but does not use risk scenarios.
85. Which of the following should management use to allocate resources for risk response? A. Audit report findings B. Penetration test results C. Risk analysis results D. Vulnerability test results
C is the correct answer. Justification: A. An audit report provides recommendation and remediation areas. B. Penetration test results help identify vulnerabilities. C. Risk analysis results provide a basis for prioritizing risk responses and allocating resources. D. Vulnerability test results provide an enterprise with a list of known vulnerabilities for the systems that have been assessed. They do not take "control-in-depth" considerations into account and are not a meaningful tool for determining the allocation of risk response resources.
93. After a security incident, which of the following techniques associated with risk analysis would be the FIRST step toward yielding an actionable plan that will effectively mitigate the risk? A. Cost-benefit analysis B. Gap analysis C. Root cause analysis D. Impact analysis
C is the correct answer. Justification: A. Cost-benefit analysis evaluates whether it will cost more to implement and maintain a control than the control will save the enterprise by avoiding losses associated with the risk it is meant to address. It delivers a result (based on assumptions) that management can use to make a decision regarding a particular control, but knowing which control should be analyzed on a cost-benefit basis requires root cause analysis. B. Gap analysis compares a current state to a desired future state and identifies what would need to change to attain it. Gap analysis can be useful in determining a proposed control that can address the root cause only after the root cause has been identified. C. Root cause analysis is used to determine the actual cause of the event, which is typically different from what initially appears to be responsible. Identifying a root cause allows an enterprise to address the cause rather than a symptom, which increases the odds that the mitigation will be effective at reducing the likelihood or impact of similar events in the future. D. Impact analysis prioritizes loss events based on consequences. It is not directly beneficial in devising a mitigation strategy for a particular risk.
33. The PRIMARY reason to have the risk management process reviewed by an independent risk management professional is to: A. validate cost-effective solutions for mitigating risk. B. validate control weaknesses detected by the internal team. C. assess the validity of the end-to-end process. D. assess whether the risk profile and risk factors are properly defined.
C is the correct answer. Justification: A. Cost-effective solutions can be provided by the internal teams. B. The internal team can find weaknesses. It is not necessary to involve an external risk professional to validate the weaknesses detected by the internal team. C. The independent risk professional will be unbiased to review the risk management process end to end. The independent reviewer will not have any involvement in any stage of the risk management process and will be unaffected by all internal factors. D. The risk profile and risk factors are properly defined when the risk assessment process is performed correctly. An independent assessment may result in further improvements.
89. Which of the following statements is a risk scenario? A. The password for the configuration of the tape backup system is set to the vendor default. B. A program that processes records does not include data input validation. C. Dedicated capacity for processing on an enterprise system exceeds projected maximum usage, resulting in wasted infrastructure resources. D. Attackers develop a new piece of malware based on a known, but patched, vulnerability.
C is the correct answer. Justification: A. If the password to configure a tape backup system is set to its vendor default, the password reflects the state of a technology control. Its state is not an event that could result in a loss. B. A program that processes records without data input validation presents a vulnerability. It is not an event that could result in a loss. C. Dedicated processing capacity that exceeds projected maximum usage and therefore results in wasted infrastructure resources constitutes potential loss. D. If attackers develop a new piece of malware based on a known, but patched, vulnerability, their actions constitute a threat, but not a valid risk, because the vulnerability has already been patched.
27. Which of the following presents the GREATEST risk when updating the risk register? Updates are: A. carried out jointly with other functions. B. carried out following incidents. C. carried out annually. D. subject to approval by the chief information security officer.
C is the correct answer. Justification: A. In some cases, the risk-related aspects may be managed by multiple functions and hence updated jointly. B. While updating the risk register only following incidents presents a risk, it is not the greatest risk when compared to carrying out updates to risk only once a year. C. Updating the risk register only annually means the risk register does not reflect the true status of IT risk in the enterprise. D. Updating the risk register only with the approval of the chief information security officer is problematic, but it is not as great a risk compared to only annual updates.
36. Risk scenarios should be created PRIMARILY based on which of the following? A. Input from senior management B. Previous security incidents C. Threats that the enterprise faces D. Results of the risk analysis
C is the correct answer. Justification: A. Input from senior management is not as critical as enterprise threats in developing risk scenarios. B. Previous incidents are not as critical as enterprise threats in developing risk scenarios. C. When creating risk scenarios, the most important factor to consider is the set of threats the enterprise faces and the likelihood that those threat actions will occur. D. Risk scenarios should be an input to the risk analysis, not vice versa.
61. Which of the following is the PRIMARY factor when deciding between conducting a quantitative or qualitative risk assessment? A. The corporate culture B. The amount of time available C. The availability of data D. The cost involved with risk assessment
C is the correct answer. Justification: A. Management will make decisions based on the risk assessment provided. If management makes decisions based only on financial values, then a quantitative risk analysis is appropriate. If the decision will be based on non-numerical values regarding conceptual elements, then a qualitative analysis is appropriate. B. The amount of time available may be a factor in deciding between a quantitative and qualitative analysis, but it is not the primary factor. C. The availability of data is the primary factor in deciding between a quantitative and qualitative risk analysis. The requirement of data sets for both methods is altogether different. Quantitative analysis provides benefit relative to the adequacy and availability of data. D. The cost involved with a risk assessment may be a factor in deciding between a quantitative and qualitative analysis, but it is not the primary factor.
8. Risk assessment techniques should be used by a risk practitioner to: A. maximize the return on investment. B. provide documentation for auditors and regulators. C. justify the selection of risk mitigation strategies. D. quantify the risk that would otherwise be subjective.
C is the correct answer. Justification: A. Maximizing the return on investment may be a key objective of implementing risk responses, but it is not part of the risk assessment process. B. A risk assessment does not focus on auditors or regulators as primary recipients of the risk assessment documentation. However, risk assessment results may provide input into the audit process. C. A risk practitioner should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible. D. Risk assessment is generally high-level, whereas risk analysis can be either quantitative or qualitative, based on the needs of the enterprise.
26. When assessing the performance of a critical application server, the MOST reliable assessment results may be obtained from: A. activation of native database auditing. B. documentation of performance objectives. C. continuous monitoring. D. documentation of security modules.
C is the correct answer. Justification: A. Native database audit logs are a good detective control but do not provide information about the application server performance. B. Documentation of performance objectives is important but does not provide information about the application server performance. C. With continuous monitoring it is possible to track key performance metrics and also possible to address critical issues with minimum impact. D. Documentation of associated security modules may be helpful but does not provide information about the application server performance.
10. Risk assessments should be repeated at regular intervals because: A. omissions in earlier assessments can be addressed. B. periodic assessments allow various methodologies. C. business threats are constantly changing. D. they help raise risk awareness among staff.
C is the correct answer. Justification: A. Omissions not found in earlier assessments do not necessarily justify regular reassessments. B. Unless the environment changes, risk assessments should be performed using the same methodologies. C. As business objectives and methods change, the nature and relevance of threats also change. D. There are better ways of raising security awareness than by performing a risk assessment, such as risk awareness training.
11. Assessing information systems risk is BEST achieved by: A. using the enterprise's past actual loss experience to determine current exposure. B. reviewing published loss statistics from comparable enterprises. C. evaluating threats associated with existing information systems assets. D. reviewing information systems control weaknesses identified in audit reports.
C is the correct answer. Justification: A. Past actual loss experience is potentially useful input to the risk assessment process, but it does not address realistic risk scenarios that have not occurred in the past. B. Published loss statistics from comparable enterprises are a potentially useful input to the risk assessment process but do not address enterprise-specific risk scenarios or those that have not occurred in the past. C. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. D. Control weaknesses and other vulnerabilities are an important input to the risk assessment process, but by themselves are not useful.
48. What is the ULTIMATE goal of risk aggregation? A. To prevent attacks from exploiting a combination of low-level types of risk that individually have not been properly mitigated B. To address the threat of an exploit that attacks a system through a series of individual attacks C. To ensure that the combined value of low-level risk is not overlooked in the risk management process D. To stop attackers from gaining low-level access and then escalating their attack through access aggregation
C is the correct answer. Justification: A. Risk aggregation is the process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise and assessing more specifically for exploit opportunities, whereas a series or combination of types of low-level risk left unaddressed can provide an attacker with a means to exploit one or more enterprise resources. B. An exploit using several individual attacks in sequence to launch an attack is not an example of risk aggregation but of a chained exploit. C. Individual or singular, discrete, low-level incidents may have minimal impact, and considered independently, the risk may remain relatively low. However, significant overall risk can accrue if several instances are aggregated to defeat risk controls. For example, one machine cannot flood a network, but many machines working together can. Likewise, illicit access to an individual record in a database is not generally considered a high risk; however, if multiple records are accessed and manipulated, an attacker may gather or compromise sufficient information to classify the incident at a higher level. D. Many attacks start at a low level and then increase their capability as they move through the system. Such attacks are often facilitated through accounts with excessive levels of access. This is not an example of risk aggregation.
39. The PRIMARY reason an external risk assessment team reviews documentation as the first step in the risk assessment is to gain a thorough understanding of: A. the technologies used. B. gaps in the documentation. C. the enterprise's business processes. D. the risk assessment plan.
C is the correct answer. Justification: A. Technology can be reviewed during the risk assessment. B. Gaps in documentation can be surfaced during the risk assessment. C. In order to evaluate risk, the external assessment team should thoroughly understand the enterprise's business processes before the assessment, because risk is always formulated within the context of business objectives. D. The risk assessment plan should be created by the external auditors.
14. The MOST likely trigger for conducting a comprehensive risk assessment is detection of changes in: A. the asset inventory. B. asset classification levels. C. the business environment. D. information security policies.
C is the correct answer. Justification: A. The addition and removal of assets from the asset inventory is an ongoing process and will not generally trigger a risk assessment. B. Asset classification requirements do not trigger comprehensive periodic risk assessment. C. Changes in the business environment, including new threats, vulnerabilities, or changes to information asset deployment, will trigger comprehensive periodic risk assessment. Based on periodic risk assessment, policies may be modified. However, risk assessment is not necessarily performed because policy changes are made. D. Information security policies may change when a risk assessment indicates deficiencies at the level of security policies; however, changes to security policies do not trigger risk assessments.
98. A government agency is charged with enforcement of a regulation for processing electronic health records. Violations of the regulation result in a set fine of US$1 million. A risk analyst is charged with calculating the potential impact to two enterprises: Enterprise A, with capital of US$10 million, and Enterprise B, with capital of US$100 million. Which of the following assertions is reasonable regarding the impact to the enterprises? A. The impact to both enterprises is the same because the dollar amount of the fine is the same. B. The impact to both enterprises is the same because the utility of money is the same regardless of how much capital an enterprise has. C. The impact to Enterprise A is higher because the utility of the fine in proportion to the capital of the organization is greater. D. The impact to the organizations cannot be calculated because the loss is tangible.
C is the correct answer. Justification: A. The dollar amount of the fine is the same for both enterprises, but it is proportionally much larger for Enterprise A. B. The utility of money is not linear, so this statement is incorrect. C. The utility of money is directly correlated to the proportion of the money in relation to the capital of the entity affected by the event. D. The impact to the organizations is tangible and should be measured in terms of the probability of lost utility in the event of a fine.
72. Which of the following BEST describes the objective of a business impact analysis? A. The identification of threats, risk and vulnerabilities that can adversely affect the enterprise B. The development of procedures for initial response and stabilization during an emergency C. The identification of time-sensitive critical business functions and interdependencies D. The development of communication procedures in case of a crisis
C is the correct answer. Justification: A. The identification of threats, risk and vulnerabilities is the objective of risk identification and analysis. B. The development of procedures for initial response and stabilization during an emergency is a key output of preparedness and response planning. C. Identification of time-sensitive critical business functions and interdependencies is a deliverable of the business impact analysis (BIA); the BIA includes metrics like recovery-time objectives and recovery-point objectives. D. Communication procedures are beneficial to every business process, including crisis management; however, they are not the main deliverable of the BIA and relate more closely to business continuity and disaster recovery planning.
99. At the end of which phase of risk management would information about newly discovered risk be communicated to decision makers and relevant stakeholders? A. Risk identification B. Risk response and mitigation C. Risk assessment D. Risk and control monitoring and reporting
C is the correct answer. Justification: A. The risk identification phase determines what could happen to cause a potential loss and to gain insight into how, where and why the loss might happen. Until the risk has been analyzed, the likelihood and impact are unknown. Risk analysis occurs after risk identification and prior to risk communication. B. In the risk response and mitigation phase, controls to reduce, retain, avoid or transfer risk should be selected, and a risk treatment plan should be defined. The risk analysis must be communicated to the risk owners for them to select the proper risk response. C. During the risk assessment phase, identified risk is being analyzed and evaluated for likelihood and impact. Risk-based decision-making is enabled through communication of the results of the risk assessment. D. In the risk and control monitoring and reporting phase, risk should be monitored and reviewed to identify any changes in the context of the enterprise at an early stage and to maintain an overview of the complete risk picture.
49. How can a risk professional calculate the total impact to operations if hard drives supporting a critical financial system fail? A. Calculate the replacement cost for failed equipment and the time needed for service restoration. B. Gather estimates from the finance department to determine the cost. C. Use quantitative and qualitative methods to measure the cumulative effects on all business areas. D. Review regulatory and contractual requirements to quantify liabilities.
C is the correct answer. Justification: A. The risk is not solely dependent on the IT-related costs of the failed equipment. The impact on the business can be much higher than the cost of replacement of failed equipment. B. Gathering cost estimates is a quantitative method of risk assessment; it may not reflect the total impact of the event if only the finance department's costs are taken into consideration. C. An event in one department may affect many areas of the enterprise, and the impact on all areas should be included in the risk calculation. Using quantitative and qualitative methods will provide the information required to assess the effects of the failure. D. The regulatory and contractual requirements must be included in the risk calculation, but they are not the only relevant factors.
53. What is a PRIMARY advantage of performing a risk assessment on a consistent basis? A. It lowers the costs of assessing risk. B. It provides evidence of threats. C. It indicates trends in the risk profile. D. It eliminates the need for periodic audits.
C is the correct answer. Justification: A. There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not a primary benefit. B. A risk assessment provides evidence of risk; however, it is not intended to provide evidence of threats. C. Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place. D. The performance of risk assessment on a consistent basis does not preclude the requirement to perform periodic independent audits.
31. Which of the following BEST estimates the likelihood of significant events affecting an enterprise? A. Threat analysis B. Cost-benefit analysis C. Scenario analysis D. Countermeasure analysis
C is the correct answer. Justification: A. Threat analysis does not provide sufficient information to estimate likelihood. While there may be a threat, many other factors, including existing controls, must be considered to determine the likelihood of a threat. B. Cost-benefit analysis is used in selecting controls and does not help estimate the likelihood of significant events. C. Scenario analysis, along with vulnerability analysis, best determines whether a particular risk is relevant to the enterprise, and helps estimate the likelihood that significant events will affect the enterprise. D. Countermeasure analysis is used to assess controls that address specific attacks, sometimes while an attack is occurring. Countermeasure analysis does not help estimate the likelihood of significant events.
75. Which of the following risk management activities initially identifies critical business functions and key business risk? A. Risk monitoring B. Risk analysis C. Risk assessment D. Risk evaluation
C is the correct answer. Justification: A. Risk monitoring provides timely information on the actual status of risk in the enterprise. B. Risk analysis estimates the frequency and magnitude of IT risk scenarios. C. Risk assessment identifies and evaluates risk and its potential effects. It includes recognizing and assessing critical functions and processes necessary for an enterprise to continue operating, defines the controls in place to reduce exposure, and evaluates the cost of such controls. D. Risk evaluation compares estimated risk against given risk criteria to determine the significance of the risk.
37. Which of the following triggers performance of an internal ad hoc risk assessment before the annual occurrence? A. A new chief information officer is hired. B. Senior management adjusts risk appetite. C. Risk changes on a frequent basis. D. A new system is introduced into the environment.
D is the correct answer. Justification: A. A new chief information officer may undertake a new enterprise risk assessment, but it would not necessarily be required because the CIO could review the last risk assessment if there were no changes to the environment. B. Senior management adjusting risk appetite will significantly affect risk responses but does not require a risk assessment. C. Risk changing on a frequent basis will be captured during the annual risk assessment. D. Introduction of new systems adds to overall risk of business objectives. The level of new or added risk should be determined via an ad hoc risk assessment.
63. A risk assessment process that uses likelihood and impact in calculating the level of risk is a: A. qualitative process. B. failure modes and effects analysis. C. fault tree analysis. D. quantitative process.
D is the correct answer. Justification: A. A qualitative risk assessment process uses scenarios and ranking of risk levels in calculating the level of risk. B. A failure modes and effects analysis determines the extended impact of an adverse event on other systems or operational areas. C. A fault tree analysis risk assessment determines threats by considering all sources that threaten a business process. D. A quantitative risk assessment uses likelihood and impact to calculate the monetary value of risk.
94. Which of the following is the MOST important reason for conducting periodic risk assessments? A. Risk assessments are not always precise. B. Reviewers can optimize and reduce the cost of controls. C. Risk assessments demonstrate the value of risk management to senior management. D. Business risk is subject to frequent change.
D is the correct answer. Justification: A. Although an assessment can never be perfect and invariably contains some errors, this is not the most important reason for periodic reassessment. B. Optimizing control cost is an insufficient reason. C. Demonstrating the value of the risk management function to senior management is an insufficient reason. D. Risk is constantly changing, so a previously conducted risk assessment may not include measured risk introduced since the last assessment.
60. The risk register is PRIMARILY a document communicating risk to: A. the public. B. the employees. C. regulatory bodies and compliance. D. relevant stakeholders.
D is the correct answer. Justification: A. As it contains security risk and weaknesses information, the risk register is not made public. B. The risk register is not typically communicated to all employees since it may not contain information relevant to all employees in the job functions. C. The risk register is not intended for use by regulatory bodies and compliance teams. D. As it contains information regarding risk and weaknesses relevant to the enterprise, the risk register is shared only with relevant stakeholders.
80. When developing risk scenarios for an enterprise, which of the following is the BEST approach? A. The top-down approach to consider overall business impact B. The top-down approach because it has the support of senior management C. The bottom-up approach to understand the impact of system outages more accurately D. The top-down and the bottom-up approach because they have different perspectives
D is the correct answer. Justification: A. Business impact is important, and IT risk must be measured relative to associated business practices. However, an exclusive assessment from business objectives will lack detail grounded in daily processes. B. Management buy-in is essential, but risk scenarios should also consider the impact of individual system outages. C. A bottom-up approach is too narrow; risk cannot be separated from business objectives. D. Top-down and bottom-up risk scenario development integrates both perspectives. In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios affecting business objectives. The bottom-up approach builds on generic risk scenarios to create more concrete and customized scenarios, applied to the individual enterprise's situation. A combined approach affords the best of both.
73. The MOST important of the following external factors that should be considered in risk assessment is: A. the discovery of new vulnerabilities. B. the number of viruses and other malware being developed. C. international crime statistics and political unrest. D. the connectivity of many unsecured devices on the Internet.
D is the correct answer. Justification: A. Discovery of new vulnerabilities is relevant only if they affect the assets in use by an enterprise. B. The number of new malware types being developed is something worth watching, but it is not a factor that the risk professional can use directly to calculate risk for a risk assessment report. C. International crime statistics and political unrest may raise concerns, but compared to unsecured devices they are not an immediate threat. D. The proliferation of unsecured devices (i.e., the Internet of Things) creates a serious external threat that must be considered.
2. Because of its importance to the business, an enterprise wants to quickly implement a technical solution that deviates from the company's policies. The risk practitioner should: A. recommend against implementation because it violates the company's policies. B. recommend revision of the current policy. C. conduct a risk assessment and allow or disallow based on the outcome. D. recommend a risk assessment and subsequent implementation only if residual risk is accepted.
D is the correct answer. Justification: A. Every business decision is driven by cost and benefit considerations. A risk practitioner's contribution to the process is most likely a risk assessment, identifying both the risk and opportunities related to the proposed solution. B. A recommendation to revise the current policy should not be triggered by a single request without conducting a risk assessment. C. While a risk practitioner may conduct a risk assessment to enable a risk-aware business decision, it is management that will make the final decision. D. A risk assessment should be conducted to clarify the risk whenever the enterprise's policies cannot be followed. The solution should be implemented only if the related risk is formally accepted by the enterprise.
86. Which of the following approaches results in risk scenarios applicable to an enterprise's identified risk? A. A bottom-up approach based on generic scenarios B. A bottom-up approach emphasizing threat events C. A top-down approach based on magnitude of loss D. A top-down approach driven by business objectives
D is the correct answer. Justification: A. Generic risk scenarios help ensure that no risk is overlooked; they encourage the enterprise to avoid blind spots outside its normal frame of reference. However, the bottom-up approach is not tailored to specific identified risk. Most enterprises will combine the bottom-up and top-down approaches to ensure business relevance. B. Threat events represent only one component of a risk scenario. C. Magnitude of loss does not entail probability. If risk scenarios are developed primarily on the basis of potential impact, they may become highly theoretical and appear unrealistic to business owners. D. A top-down approach ensures that an enterprise's unique perspectives and business objectives are prioritized in risk scenarios.
21. The preparation of a risk register begins in which risk management process? A. Risk response planning B. Risk monitoring and control C. Risk management planning D. Risk identification
D is the correct answer. Justification: A. In the risk response planning process, appropriate responses are determined by consensus and included in the risk register. B. Risk monitoring and control often require identification of new risk and reassessment of known risk. Outcomes of risk reassessments, risk audits and periodic risk reviews trigger updates to the risk register. C. Risk management planning describes how risk management will be structured and performed. D. The risk register details all identified risk, including description, category, cause, probability of occurring, impact on objectives, proposed responses, owners and current status. The primary outputs of risk identification are the initial entries into the risk register.
95. An information security trade journal publishes information about potential cybercriminal activity and targeted enterprises. A risk practitioner's company is on the list of targets. What is the FIRST action the risk practitioner should take after making the discovery? A. Advise IT management about the threat. B. Inform all employees about the threat. C. Contact law enforcement officials about the threat. D. Inform senior managers about the threat.
D is the correct answer. Justification: A. Only critical members of the IT management team should be notified of the threat. B. Information should be given on a need-to-know basis; all employees do not need to know of a potential threat to the company. C. Contacting law enforcement is premature, although law enforcement may need to be contacted in the future with management approval. D. All senior managers need to be aware of the threat, so they can be prepared if an incident takes place.
84. Which type of risk assessment method involves conducting interviews and using anonymous questionnaires answered by subject matter experts (Delphi method)? A. Quantitative B. Probabilistic C. Deterministic D. Qualitative
D is the correct answer. Justification: A. Quantitative risk assessments use a mathematical calculation based on security metrics on the asset (system or application). B. Probabilistic risk assessments use a mathematical model to construct the qualitative risk assessment approach while using the quantitative risk assessment techniques and principles. C. Deterministic methods use point estimates that are often (but not necessarily always) worst-case estimates. D. Qualitative risk assessment methods include interviewing and using anonymous questionnaires (the Delphi method).
97. Which of the following is MOST useful in developing a series of recovery time objectives? A. Regression analysis B. Risk analysis C. Gap analysis D. Business impact analysis
D is the correct answer. Justification: A. Regression analysis is used to test changes to program modules. B. Risk analysis is the process by which frequency and impact of risk scenarios are estimated; it is a component of a business impact analysis (BIA). C. Gap analysis addresses differences between a current state and an ideal future state. D. Recovery time objectives (RTOs) are a primary deliverable of a BIA. RTOs relate to the financial impact of system downtime.
4. Risk may be removed from the risk register when the risk: A. has been eliminated. B. is transferred to the vendor. C. threshold is exceeded. D. is no longer relevant.
D is the correct answer. Justification: A. Risk cannot be eliminated. Therefore, if the risk is relevant, it will remain in the risk register. B. Although risk is transferred to the vendor, the enterprise is still accountable for the risk and it will remain in the risk register. C. If the risk threshold is exceeded, it means the risk continues to be relevant and remains in the risk register. D. If a risk is relevant, it will be listed in the risk register. Once the risk is no longer relevant, it may be removed.
91. Acceptable risk for an enterprise is achieved when: A. transferred risk is minimized. B. control risk is minimized. C. inherent risk is minimized. D. residual risk is within tolerance levels.
D is the correct answer. Justification: A. Risk transfer is the process of assigning risk to another enterprise, usually through the purchase of an insurance policy or through outsourcing the service. In both a physical and legal sense, risk transfer does not relieve an enterprise of a risk, but it can leverage the skills of another party to help manage the risk and thus reduce the financial consequence of adverse events. B. Control risk is the risk that a material error would not be prevented or detected on a timely basis by the system of internal controls. C. Inherent risk reflects a level of risk or exposure apart from actions that management has taken or might take (e.g., implementing controls). Inherent risk cannot be minimized. D. Residual risk is the risk that remains after all controls have been applied; therefore, acceptable risk is achieved when residual risk is aligned with the enterprise risk appetite.
65. Which of the following is the GREATEST challenge of performing a quantitative risk analysis? A. Obtaining accurate figures on the impact of a realized threat B. Obtaining accurate figures on the value of assets C. Calculating the annual loss expectancy of a specific threat D. Obtaining accurate figures on the frequency of specific threats
D is the correct answer. Justification: A. The impact of a threat can be determined based on the type of threat that occurs. B. The value of an asset should be easy to ascertain. C. Annual loss expectancy will not be difficult to calculate if you know the correct frequency of threat occurrence. D. It can be challenging to obtain an accurate figure representing the frequency of threat occurrence.
68. Which of the following objectives is the PRIMARY reason that risk professionals conduct risk assessments? A. To maintain the enterprise's risk register B. To enable management to choose the right risk response C. To provide assurance on the risk management process D. To identify risk with the highest business impact
D is the correct answer. Justification: A. The maintenance of the risk register is part of the ongoing risk assessment process. B. Management chooses the right risk response strategy based on risk analysis. A risk assessment itself is not sufficient to make educated risk response decisions. C. Assurance on risk management is not the main reason risk assessment is performed by the risk professional. D. All decisions should be taken in the context of business impact. For each action to be taken, consideration ultimately must be given to its positive or negative impact on the business.
66. The MOST effective method to conduct a risk assessment on an internal system in an enterprise is to start by understanding the: A. performance metrics and indicators. B. policies and standards. C. recent audit findings and recommendations. D. system and its subsystems.
D is the correct answer. Justification: A. The person performing the risk assessment should already understand the performance metrics and indicators. B. The person performing the risk assessment should already understand the policies and standards of the enterprise. C. Recent audit findings and recommendations could be useful but are not as important as understanding the system. D. To conduct a proper risk assessment, the risk practitioner must understand the system and subsystems, and how they work. This knowledge provides the basis for understanding how policies and standards are applied within the system and subsystems, and for understanding process-specific risk, existing interdependencies and performance indicators.
82. While prioritizing the risk for treatment, the IT risk practitioner should PRIMARILY consider the: A. risk impact. B. risk appetite. C. risk exposure. D. risk rating.
D is the correct answer. Justification: A. The risk impact is only one component of the risk assessment and prioritization process. A high-impact event may have a low likelihood, thus resulting in a low risk rating. B. The risk appetite is only one component of the risk assessment and prioritization process. Risk should be quantified to determine if it falls within the enterprise's risk appetite; therefore, the risk rating is needed. C. The risk exposure is only one component of the risk assessment and prioritization process. It may or may not be quantifiable at the time of prioritization. D. The risk rating quantifies the risk by providing a ranking (for example, high, medium, low) that can be used to prioritize treatment.
23. Risk scenarios enable the risk assessment process because they: A. cover a wide range of potential risk. B. minimize the need for quantitative risk analysis techniques. C. segregate IT risk from business risk for easier risk analysis. D. help estimate the frequency and impact of risk.
D is the correct answer. Justification: A. When used correctly, risk scenarios can address a wide range of risk, but this is not always the result. However, risk scenarios always help to address the frequency and impact of risk, two key elements in the risk assessment process. B. Risk scenarios do not necessarily minimize the need for quantitative risk analysis. C. Risk scenarios can be applied to both IT risk and business risk and there is no question of segregating the risk. D. While risk scenarios may address a wide range of risk, risk scenarios help to estimate the frequency and impact of risk, two key elements of the risk assessment process. These elements aid subsequent steps in risk management by making risk relevant to business process owners.
6. An emerging risk should be added to the risk register by the risk practitioner when: A. the impact of the risk can be quantified. B. the probability of occurrence is high. C. a competitor has added the risk to its register. D. the activity that triggers the risk initiates.
D is the correct answer. Justification: A. While impact quantification is important, it is not the factor that decides when emerging risk will be added to the risk register. B. A high impact need not be the only criterion deciding when risk gets added to the risk register. C. An industry benchmark should not be used as a criterion to add risk to the register because risk relevant to one enterprise may not be relevant to another due to each enterprise's unique operating environment. D. Risk identification usually starts when planning an activity, and risk identified at planning needs to be added to the risk register to ensure effective risk management.
30. During an internal risk assessment in a global enterprise, a risk manager notes that local management has proactively mitigated some of the high-level risk related to the global purchasing process. This means that: A. the local management is now responsible for the risk. B. the risk owner is the corporate chief risk officer. C. the risk owner is the local purchasing manager. D. corporate management remains responsible for the risk.
D is the correct answer. Justification: A. While the local management has mitigated the risk, corporate management remains responsible for the risk. B. The corporate chief risk officer is responsible for the corporate risk management program, yet does not own the risk related to the global purchasing process. C. The risk owner is the global purchasing manager. D. Corporate management remains responsible for the risk, even when the risk response is executed at a lower organizational level.
56. Which of the following is the BEST reason to perform a risk assessment? A. To satisfy regulatory requirements B. To budget appropriately for needed controls C. To analyze the effect on the business D. To help determine the current state of risk
D is the correct answer. Justification: A. Performing a risk assessment may satisfy regulatory requirements, but that is not the reason to perform a risk assessment. B. Budgeting may improve, but that is not the reason to perform a risk assessment. C. Analyzing the effect on the business is part of the process, and understanding the current state of risk will better inform how those effects impact the business and what responses would be appropriate to take, if any. D. The risk assessment is used to identify and evaluate the impact of failure on critical business processes (and the IT components supporting them) and to determine time frames, priorities, resources and interdependencies. It is part of the process to help determine the current state of risk and helps determine risk countermeasures in alignment with business objectives.
