Which of the following is the most important element for the successful implementation?

Due to changes in the IT environment, the disaster recovery plan of a large enterprise has been modified. What is the GREATEST benefit of testing the new plan?

To ensure that the plan is complete is correct. The greatest benefit of testing the new plan is to ensure that the plan is complete and will work during a crisis. Testing ensures that all assets in scope were incorporated into the plan, that all staff are trained and familiar with their roles, and the backups have been tested.

System backup and restore procedures can BEST be classified as:

Corrective controls is correct. Corrective controls remediate vulnerabilities. If a system suffers harm so extensive that processing cannot continue, backup restore procedures would enable that system to be recovered. This is a corrective measure that remediates the vulnerability of that system.

When the cost of risk related to a specific business process is greater than the potential opportunity, the BEST risk response is:

Avoidance is correct. Risk avoidance is the process for systematically avoiding risk, constituting one approach to managing risk.

Which of the following risk responses is the BEST for an organization whose products and services are highly regulated?

Risk mitigation is correct. A regulatory risk that could lead to the withdrawal of an operating license is a risk that must be addressed by the organization because it can affect the organization’s ability to continue operations.

Security technologies should be selected PRIMARILY on the basis of their:

Ability to mitigate risk to organizational objectives is correct. The most fundamental criterion for selecting security technology is the capacity to reduce risk for organizational objectives.

The identification of Internet Protocol (IP) addresses is a form of which type of authentication?

Node is correct. Node authentication authenticates a device or a location. The identification through Internet Protocol (IP) addresses would help identify and validate users logging in through certain locations.

The BEST way to ensure that an information systems control is appropriate and effective is to verify that the:

Risk associated with the control is being mitigated is correct. A control is designed to mitigate or reduce a risk. Even if the control is operating correctly, it is not the appropriate control if it does not address the risk it was designed to mitigate.

Which of the following BEST addresses the risk of data leakage?

Acceptable use policies is correct. Acceptable use policies are the best measure for preventing the unauthorized disclosure of confidential information.

During which part of the overall risk management process is the cost-benefit analysis PRIMARILY performed?

During the risk response selection is correct. When selecting a risk response, one will identify a range of controls that can mitigate the risk; however, the cost-benefit analysis in this process will help identify the right controls that will address the risk at acceptable levels within the budget.

Purchasing insurance is a form of:

Risk transfer is correct. Transferring risk typically involves insurance policies to share the financial risk.

When aligning controls with business objectives, what is MOST important?

Ensuring ownership of key control activities is correct. Ensuring ownership of key control activities is the most important factor in assigning control responsibility and control accountability.

Which of the following information security controls mandates behavior by specifying what is and is not permitted?

Managerial is correct. Managerial controls, such as policies, specify what actions are and are not permitted.

Which of the following can BEST be used as a basis for recommending a data leak prevention (DLP) device as a security control?

A business case for DLP to protect data is correct. A business case with costs versus benefits provides the business reasoning why the data leak prevention solution addresses the risk and explains how the risk losses could be reduced if the data were leaked.

Which of the following is MOST useful in managing increasingly complex deployments?

A security architecture is correct. Deploying complex security initiatives and integrating a range of diverse projects and activities is more easily managed with the overview and relationships provided by a security architecture.

What is the PRIMARY objective of conducting a peer review prior to implementing any changes to the firewall configuration?

To help detect errors in the proposed change prior to implementation is correct. Peer review is the examination of a work product by a skilled coworker. This should highlight any errors or cases where standards are not being followed and may prevent the introduction of an error into production.

A risk response report includes recommendations for:

Acceptance is correct. Acceptance of a risk is an alternative to be considered in the risk response process.

Which of the following would data owners be PRIMARILY responsible for?

User entitlement changes is correct. Data owners are responsible for assigning user entitlement changes and approving access to the systems for which they are responsible.

An enterprise is applying controls to protect its product price list from being exposed to unauthorized staff. These internal controls will include:

Authentication and authorization is correct. Authentication and authorization are two complementary control objectives that will ensure confidentiality of the price list.

Which of the following practices BEST mitigates the risk associated with outsourcing a business function?

Performing audits to verify compliance with contract requirements is correct. Regular audits verify that the vendor is compliant with contract requirements.

Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

The total cost of ownership is correct. Total cost of ownership is the most relevant piece of information to be included in the cost-benefit analysis because it establishes a cost baseline that must be considered for the full life cycle of the control.

Which of the following activities is the MOST important related to testing the IT continuity plan?

A test based on defined recovery priorities is correct. A continuity test should be based on established recovery priorities associated with critical business processes. As part of the business impact analysis (BIA) exercise, management identifies what processes are of highest importance, and that should serve as a basis for developing the business continuity test and disaster recovery plan.

Which of the following is MOST important for determining what security measures to put in place for a critical information system?

The level of acceptable risk to the enterprise is correct. Determining the level of acceptable risk will allow the enterprise to determine the security measures to put in place.

Which of the following is the BEST reason an enterprise would decide not to reduce an identified risk?

The potential gain outweighs the risk is correct. Risk is not the main driver for the business/enterprise decision process. The business will accept the risk when it is determined that the potential opportunities may yield a higher return in revenue and/or gain in market share compared to risk.

An enterprise is hiring a consultant to help determine the maturity level of the risk management program. The MOST important element of the request for proposal is the:

Methodology used in the assessment is correct. Methodology illustrates the consultant’s process and offers a basis to align expectations with execution of the assessment. Methodology establishes requirements of all parties involved in the assessment.

Which of the following will produce comprehensive results when performing a qualitative risk analysis?

Scenarios with threats and impacts is correct. Using a list of possible scenarios with threats and impacts will better frame the range of risk and facilitate a more informed discussion and decision.

Which of the following is the MAIN outcome of a business impact analysis?

Criticality of business processes is correct. A business impact analysis (BIA) measures the total impact of tangible and intangible assets on business processes. Therefore, the sum of the value and opportunity lost as well as the investment and time required to recover indicates the criticality of business processes.

When assessing the performance of a critical application server, the MOST reliable assessment results may be obtained from:

Continuous monitoring is correct. It is essential to obtain monitoring data in a consistent manner to achieve reliable results. Changing the monitoring methodology will likely yield discrepant data and defeat comparison of performance at discrete points in time.

Which of the following is the MOST important risk an organization must consider when developing a disaster recovery plan?

A business impact analysis has not been conducted is correct. Without a business impact analysis (BIA), the organization does not know what it needs to recover and when it needs to recover it.

Which of the following can be expected when a key control is being maintained at an optimal level?

Balance between control effectiveness and cost is correct. Maintaining controls at an optimal level translates into a balance between control cost and derived benefit.

Which of the following principles of information security is of the GREATEST concern to a social media outlet?

Availability is correct. For a social media outlet, availability is of the greatest concern because integrity, confidentiality and nonrepudiation are not the greatest concerns of social media outlet customers.

Business stakeholders and decision makers reviewing the effectiveness of IT risk responses would PRIMARILY validate whether:

IT controls achieve the desired objectives is correct. The stakeholders are most interested in whether the control meets the stated objectives.

Which of the following approaches BEST helps an enterprise achieve risk-based organizational objectives?

Embed risk management activities into business processes is correct. The primary objective of embedding risk management activities into business processes is to achieve risk-based organizational objectives in the most effective manner possible.

Information security procedures should:

Be updated frequently as new software is released is correct. Often, security procedures have to change frequently to keep up with changes in software. Because a procedure is a how-to document, it must be kept current with frequent changes in software.

Which of the following is the BEST way to verify that critical production servers are using up-to-date antivirus signature files?

Check a sample of servers is correct. The only effective way to verify currency of signature files is to look at a sample of servers.

Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as:

Quantitative risk analysis is correct. Quantitative risk analysis derives the probability and impact of risk scenarios from statistical methods and data.

Which of the following is MOST important for effective risk management?

Assignment of risk owners to identified risk is correct. It is of utmost importance to assign risk to individual owners and therein maximize accountability.

Which of the following is the MAIN concern when two or more staff members are allowed to use the same generic account?

Repudiation is correct. Repudiation is the denial of a transaction, denial of participation in all or part of a transaction or denial of the content of communication related to the transaction. Because username and password are the same for generic accounts, repudiation becomes an issue. It will be difficult to establish which user logged in and performed operations. However, with the right tools the activity can be traced back to the media access control (MAC) address if users access information through different terminals.

Risk scenarios should be created PRIMARILY based on which of the following?

Threats that the enterprise faces is correct. When creating risk scenarios, the most important factor to consider is the likely threats or threat actions that could act upon the risk.

Which one of the following aspects is MOST important for an effective IT risk management process?

Aligning with enterprise risk management is correct. Aligning IT risk management with ERM is the most important aspect because it ensures alignment of IT objectives with enterprise objectives.

After the completion of a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. A risk practitioner should recommend to business management that the risk be:

Accepted is correct. When the cost of control is more than the cost of the potential impact, the risk should be accepted.

The board of directors of a one-year-old start-up company asked their chief information officer (CIO) to create all the enterprise’s IT policies and procedures. Which of the following should the CIO create FIRST?

The strategic IT plan is correct. The strategic IT plan is the first policy to create when developing an enterprise’s governance model.

When a significant vulnerability is discovered in the security of a critical web server, immediate notification should be made to the:

System owner to take corrective action is correct. To correct the vulnerabilities, the system owner needs to be notified quickly, before an incident can take place.

Information that is no longer required to support the main purpose of the business from an information security perspective should be:

Analyzed under the retention policy is correct. Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise.

Which of the following threats is the MOST difficult to detect?

Rootkits is correct. Rootkits are software suites that help intruders gain unauthorized administrative access to a computer system. They are designed to be stealthy in operation.

The MOST important reason for reporting control effectiveness as part of risk reporting is that it:

Affects the risk profile is correct. Changes may render a control ineffective and allow a vulnerability to be exploited. Changes in control may also strengthen the enterprise’s risk profile (e.g., in cases where highly manual processes are automated).

Which of the following factors determines the acceptable level of residual risk in an enterprise?

Management discretion is correct. Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, enterprise management may decide to accept risk. The target risk level for a control is, therefore, subject to management discretion.

The PRIMARY objective of risk reporting is to:

Provide the risk owner with information to initiate risk response is correct. The risk owner is accountable for properly managing any given risk to an acceptable level, which is based on the organization’s risk appetite and tolerance. Risk reporting provides the risk owner with a summary of the risk assessment results (in accordance with regulatory requirements) and highlights areas that require attention by the risk owner; particularly those areas where corrective action is necessary, such as when the controls are not in line with the control objectives, control thresholds have been exceeded or the control is not adequate to meet current or emerging regulatory requirements.

How can an enterprise prevent duplicate processing of a transaction?

By not allowing two identical transactions within a set time period is correct. Any time that more than one identical transaction attempts to execute within a set time period, the second transaction should trigger a notification or a fraud alert.

A healthcare organization has implemented role-based access controls for its users on systems that manage patient data. Which of the following statements BEST describes how the control reduces risk to the organization?

The control reduces the probability and impact of an insider attack event is correct. Role-based access controls address the amount of sensitive data available to users (thereby minimizing impact) and the number of attack vectors (thereby lowering probability).

The MOST important external factors that should be considered in a risk assessment are:

The installation of many insecure devices on the Internet is correct. The proliferation of insecure devices (i.e., the Internet of Things) creates a serious external threat that must be considered.

Assessing information systems risk is BEST achieved by:

Evaluating threats associated with existing information systems assets and information systems projects is correct. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.

Risk assessments should be repeated at regular intervals because:

Business threats are constantly changing is correct. As business objectives and methods change, the nature and relevance of threats also change.

Who MUST give final sign-off on the IT risk management plan?

Senior management is correct. Senior management understands performance metrics and indicators that measure the enterprise and its subsystems; they approved the policies and standards that govern the enterprise; and they have final responsibility for risks associated with audit findings and recommendations.

An organization is considering a cloud computing deployment and accepts the risk of confidential information in the cloud. Which is the BEST cloud deployment model that offers the most safeguards for this information?

Private cloud is correct. The private cloud model operates solely for the enterprise and will have controls in place needed to keep enterprise information confidential.

Which of the following is the PRIMARY reason that a risk practitioner determines the security boundary prior to conducting a risk assessment?

To identify the scope of the risk assessment is correct. Identifying the security boundary establishes the fundamental scope of inquiry, including what systems and components are subject to assessment as well as those not subject to assessment. The boundary subsequently informs what laws and regulations apply, what business owners to consult, etc.

Which of the following is a MAJOR risk associated with the use of governance, risk and compliance (GRC) tools?

Obsolescence of content is correct. A governance, risk and compliance (GRC) application has to be updated regularly with current regulations, policies, etc. Obsolete content will render the GRC outdated. Many GRC applications are based on the unified compliance framework (UCF) for mapping to various regulations, frameworks and standards. The technology team should refresh the UCF file quarterly through its vendor and should implement processes to identify and address changes from one release to the next. Additionally, the enterprise needs to commit internal resources to maintain company data in the tool to guard against obsolescence.

Strong authentication is:

The simultaneous use of several authentication techniques (e.g., password and badge) is correct. Authentication is the process of proving to someone that you are who you say you are—a guarantee of the sender's identity or origin. Because a third party vouches for the sender's identity, the recipient can rely on the authenticity of any transaction or message signed by that user. Strong authentication requires both something you know AND either something you have or are.
Three classic methods of authentication are:

  • Something you know—passwords, the combination to a safe
  • Something you have—keys, tokens, badges
  • Something you are—physical traits, such as fingerprints, signature, iris pattern, keystroke patterns

Once a risk assessment has been completed, the documented test results should be:

Retained is correct. Test results should be retained in order to ensure that future tests can be compared with past results and ensure reporting consistency.

Which of the following activities provides the BEST basis for establishing risk ownership?

Mapping identified risk to a specific business process is correct. Mapping identified risk to a specific business process helps identify the process owner. Aggregation of related business processes results in identification of the prospective risk owner.

Which of the following BEST supports business continuity management in meeting external stakeholder expectations?

Prioritizing applications based on business criticality is correct. External parties (such as customers) expect that their information assets are secured. To meet this goal, it is strategically important to prioritize applications based on business criticality. This approach allows external expectations to be met optimally with limited resources.

Which of the following BEST describes the risk-related roles and responsibilities of an organizational business unit (BU)? The BU management team:

Owns the risk and is responsible for identifying, assessing and mitigating risk as well as reporting on that risk to the appropriate support functions and the board of directors is correct. The BU is responsible for owning the risk and its resulting actions. Risk owners have the responsibility of identifying, measuring, monitoring, controlling and reporting on risk to executive management as established by the corporate risk framework.

Where are key risk indicators MOST likely identified when initiating risk management across a range of projects?

Risk response is correct. Key risk indicators (KRIs) and risk definition and prioritization are both considered part of the risk response process. After having identified, quantified and prioritized the risk to the enterprise, relevant risk indicators need to be identified to help provide risk owners with meaningful information about a specific risk or a combination of types of risk.

Which of the following is the MOST appropriate metric to measure how well the information security function is managing the administration of user access?

Percent of accounts with configurations in compliance is correct. The percent of accounts with configurations in compliance is the best measure of how well the administration is being managed because this shows the overall impact.

Which of the following groups would be the MOST effective in managing and executing an organization's risk program?

Midlevel management is correct. Midlevel management staff are the best to manage and execute an organization's risk management program because they are the most centrally located within the organizational hierarchy and they combine a sufficient breadth of influence with adequate proximity to day-to-day operations.

Which of the following choices is the MOST important critical success factor of implementing a risk-based approach to the system development life cycle?

Adequate involvement of business representatives is correct. A CSF for system development is the adequate involvement of business representatives, including management, users, quality assurance, IT, privacy, legal, audit, regulatory affairs or compliance teams in high-risk regulatory situations.

The MAIN purpose for creating and maintaining a risk register is to:

Document all identified risk is correct. A risk register provides detailed information on each identified risk including risk owner, details of the risk scenario, assumptions, affected stakeholders, causes/indicators, detailed scores (i.e., risk ratings) on the risk analysis and detailed information on the risk response (e.g., action owner and the risk response status, time frame for action, related projects and risk tolerance level). These components can also be defined as the risk universe, which includes all identified risk to an organization.

Which of the following signifies the need to review an enterprise’s risk practices?

Business owners regularly challenge risk assessment findings is correct. An enterprise’s risk management practices must be clearly understood and supported by business stakeholders. This principle must be documented in the organization’s risk management policy/framework/plan with senior management approval and direction. If business owners challenge the risk assessment findings, either they do not support the findings, or fail to understand them clearly.

Which of the following is an effective monitoring process to ensure a third party is performing in accordance with contract requirements?

Ongoing third-party oversight is correct. Third-party management should be an ongoing process that monitors for compliance with agreements, adequate insurance coverage, business continuity tests, results of independent audits and policy reviews.

As part of an enterprise risk management (ERM) program, a risk practitioner BEST leverages the work performed by an internal audit function by having it:

Assist in monitoring, evaluating, examining and reporting on controls is correct. The internal audit function is responsible for assisting management and the board of directors in monitoring, evaluating, examining and reporting on internal controls, regardless of whether an ERM function has been implemented.

To determine the level of protection required for securing personally identifiable information, a risk practitioner should PRIMARILY consider the information:

Sensitivity is correct. Sensitivity of information is the correct answer because the sensitive nature of the information takes precedence over source, cost or reliability, being the most important item regarding the protection of information assets.

Why is it important that business managers provide IT with requirements rather than requests for specific products?

To ensure that the solution meets business objectives is correct. The goal of IT is to deliver solutions that meet requirements. Therefore, business managers should identify requirements rather than making requests for specific products.

Senior management will MOST likely have the highest tolerance for moving which of the following to a public cloud?

The corporate email system is correct. Considerations for moving processes and information to the cloud (public or hybrid) should include, among other factors, the criticality and complexity as well as the classification of the data supported by the process. Of the options offered, the corporate email system has the least competitive distinction, complexity and sensitive/highly classified information.

An enterprise expanded its operations into Europe, Asia and Latin America. The enterprise has a single-version, multiple-language employee handbook that was last updated three years ago. Which of the following is of MOST concern?

The handbook may violate local laws and regulations is correct. Because customs and laws affect an enterprise’s ability to operate in a given location, and because both customs and laws vary by state and by country, it is critical for the employee handbook to acknowledge and account for regional domestic and national differences.

Which of the following would BEST help an enterprise select an appropriate risk response?

An analysis of control costs and benefits is correct. An analysis of costs and benefits for controls helps an enterprise understand if it can mitigate the risk to an acceptable level.

Which of the following environments typically represents the GREATEST risk to organizational security?

A locally managed file server is correct. A locally managed file server will be the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring. Locally managed servers may be subject to inconsistent enforcement of security procedures. 

Which of the following MUST be included when developing metrics to identify and monitor the control life cycle?

Thresholds that identify when controls no longer provide the intended value is correct. Metrics used to monitor the control life cycle require thresholds to identify when controls are no longer providing their intended value, which ensures that the enterprise is aware and can take appropriate action. Without this information, an enterprise may be under the impression that ineffective controls are still effective and do not need to be adjusted or retired.

Which of the following is the BEST reason to perform a risk assessment?

To help determine the current state of risk is correct. The risk assessment is used to identify and evaluate the impact of failure on critical business processes (and IT components supporting them) and to determine time frames, priorities, resources and interdependencies. It is part of the process to help determine the current state of risk and helps determine risk countermeasures in alignment with business objectives.

In which phase of the system development life cycle should a risk practitioner FIRST become involved?

Planning is correct. The risk practitioner should become involved as early as possible in the system development life cycle and remain involved throughout the course of the project. When risk practitioners participate in planning, they can influence requests for resources in order to meet requirements of risk objectives most efficiently and effectively.

The PRIMARY result of a risk assessment process is:

Input for risk-aware decisions is correct. Risk assessment identifies and prioritizes risk and relates the aggregated risk to the enterprise’s risk appetite and risk tolerance levels to enable risk-aware decision making.

Risk management strategic plans are MOST effective when developed for:

The enterprise as a whole is correct. Risk management strategic plans are most effective when they are created and followed by the entire enterprise.

Commitment and support of senior management for information security investment can BEST be accomplished by a business case that:

Ties security risk to organizational business objectives is correct. Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives.

Which of the following threats would MOST concern the risk practitioner?

An enterprise allows employee-owned devices for business functions is correct. Increased risk of malware propagation, information loss, loss of device and unauthorized access are all potential risks when employees access business information on employee-owned devices. These risks would be of most concern to the risk practitioner.

Which of the following approaches BEST helps address significant system vulnerabilities that were discovered during a network scan?

Treatment should be based on threat, impact and cost considerations is correct. The treatment should consider the degree of exposure and potential impact and the costs of various treatment options.

In order for an organization to effectively complete a risk assessment, a risk practitioner must FIRST determine the:

Risk owners and accountability is correct. The identification of risk owners is critical because risk owners must make informed and cost-effective business decisions regarding appropriate controls to mitigate their owned risk. Risk response strategy, risk registers and risk profiles are tools that require owners who use or apply them accountably and proactively.

Budget has been approved for patching vulnerabilities detected through regularly scanning web-facing applications. This is an example of:

Risk mitigation is correct. In order to mitigate the risk, the organization has decided to patch the vulnerabilities, which reduces the likelihood of their exploitation.

The MAIN purpose for creating and maintaining a risk register is to:

Document all identified risk is correct. A risk register provides detailed information on each identified risk including risk owner, details of the risk scenario, assumptions, affected stakeholders, causes/indicators, detailed scores (i.e., risk ratings) on the risk analysis and detailed information on the risk response (e.g., action owner and the risk response status, time frame for action, related projects and risk tolerance level). These components can also be defined as the risk universe, which includes all identified risk to an organization.

When requesting information to comply with ediscovery, an enterprise learned that its cloud email provider was never contracted to back up messages even though the company’s email retention policy explicitly states that all email must be saved for three years. Which of the following would have BEST safeguarded the company from this outcome?

Validating the company policies to the provider’s contract is correct. The initial review of third-party services should confirm that vendors are contractually required to enforce all internal policies, including the policy on record retention if the enterprise’s record retention policy specifically covers data that will be managed by a third party.

Which of the following control practices related to information systems architecture includes establishing and maintaining baselines for internally developed systems?

Configuration management is correct. Establishing and maintaining baselines for hardware, software and releases of internally developed systems fall under configuration management.

Which of the following should be of MOST concern to a risk practitioner?

Failure to internally report a successful attack is correct. Failure to report a successful intrusion is a serious concern to the risk practitioner and could—in some instances—be interpreted as abetting.

Which of the following examples includes ALL required components of a risk calculation?

Over the next quarter, it is estimated that there is a 30 percent chance of two projects failing to meet a contract deadline, resulting in a US $500,000 fine related to breach of service level agreements.

In the risk management process, a cost-benefit analysis is MAINLY performed:

As part of risk response planning is correct. In risk response, a range of controls will be identified that can mitigate risk; however, a cost-benefit analysis in this process will help identify the right controls that will address the risk at acceptable levels within the budget.

Which of the following BEST addresses the potential for bias in developing risk scenarios?

Using representative and significant historical data is correct. Using representative and significantly broad historical data helps to avoid bias that may otherwise characterize the selection of data by individual functional experts.

How can an enterprise determine the aggregated risk from several sources?

Through a security information and event management system is correct. A security information and event management (SIEM) system collects and normalizes event and incident data from many sources and locations, correlates related events across those sources, and produces reports on risk trends, giving a single aggregated view of activity that no individual log source shows on its own.
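The following is an added example, not part of the original page, showing the aggregation step a SIEM performs: log lines from three different sources (firewall, SSH authentication, VPN) are normalized into a common event shape, grouped per source IP, and run through a simple correlation rule that scores each IP and raises severity when port probing and authentication failures are followed by a successful login inside a short window. The log lines, source names, IP addresses, regex patterns and scoring weights are all constructed for illustration and do not come from any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three sources (not real data).
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-05-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=22",
]
AUTH_LOGS = [
    "2024-05-01T10:01:10Z srv05 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:01:12Z srv05 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:01:15Z srv05 sshd: Accepted password for deploy from 203.0.113.7",
    "2024-05-01T10:30:00Z srv06 sshd: Failed password for bob from 198.51.100.9",
]
VPN_LOGS = [
    "2024-05-01T10:02:00Z vpn01 login user=deploy src=203.0.113.7 result=success",
]

# One regex per source/event type; each yields a timestamp and a source IP.
TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"
PATTERNS = [
    ("fw_deny", re.compile(TS + r" \S+ DENY src=(?P<ip>[\d.]+)")),
    ("auth_fail", re.compile(TS + r" \S+ sshd: Failed password for \S+ from (?P<ip>[\d.]+)")),
    ("auth_success", re.compile(TS + r" \S+ sshd: Accepted password for \S+ from (?P<ip>[\d.]+)")),
    ("vpn_success", re.compile(TS + r" \S+ login user=\S+ src=(?P<ip>[\d.]+) result=success")),
]


def normalize(lines):
    """Turn heterogeneous log lines into (timestamp, event_type, ip) tuples."""
    events = []
    for line in lines:
        for kind, pattern in PATTERNS:
            match = pattern.match(line)
            if match:
                ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%S")
                events.append((ts, kind, match.group("ip")))
                break  # first matching pattern wins; unmatched lines are dropped
    return events


def correlate(events, window=timedelta(minutes=5)):
    """Aggregate events per source IP and apply one correlation rule.

    Rule (constructed for this example): firewall denies and SSH failures
    from the same IP, followed by any successful login from that IP within
    `window` of the first probe, is scored as a possible compromise.
    """
    by_ip = defaultdict(list)
    for ts, kind, ip in sorted(events):
        by_ip[ip].append((ts, kind))

    findings = {}
    for ip, evs in by_ip.items():
        denies = [t for t, k in evs if k == "fw_deny"]
        fails = [t for t, k in evs if k == "auth_fail"]
        successes = [t for t, k in evs if k in ("auth_success", "vpn_success")]
        score = len(denies) + 2 * len(fails)          # illustrative weights
        severity = "medium" if fails else "low"
        if denies and fails and successes:
            first = min(denies + fails)
            if any(first <= s <= first + window for s in successes):
                severity = "high"
                score += 10
        findings[ip] = {"score": score, "severity": severity, "events": len(evs)}
    return findings


if __name__ == "__main__":
    for ip, f in correlate(normalize(FIREWALL_LOGS + AUTH_LOGS + VPN_LOGS)).items():
        print(ip, f)
```

The point of the example is the shape of the work, not the specific rule: the value a SIEM adds comes from the normalization step (so events from unrelated products can be compared on common fields such as source IP and time) and from rules that look across sources, which is exactly what a single firewall or host log cannot do.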

While consulting with risk owners prior to implementing risk mitigation controls, the IT risk practitioner should PRIMARILY focus on:

Following the life cycle approach for control management is correct. Controls should be implemented by following a life cycle approach starting with a business case (including feasibility and cost-benefit analysis) and moving through design, implementation and retirement.

Which of the following factors determines the acceptable level of residual risk in an enterprise?

Management discretion is correct. Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, enterprise management may decide to accept risk. The target risk level for a control is, therefore, subject to management discretion.

Which of the following will BEST assist a risk practitioner when addressing risk within the supply chain lifecycle?

Understanding relevant jurisdictional legal requirements is correct. Identification and understanding of the legal requirements relevant to the supply chain will assist the risk practitioner to identify, assess and monitor risk on an ongoing basis.

To ensure an organization’s risk program effectively mitigates risk, which of the following should be FIRST addressed by management?

Blame culture is correct. A blame culture should be addressed and remedied as soon as possible. It hinders effective risk mitigation because it defeats accountability.

Which of the following is the BEST method to ensure the overall effectiveness of a risk management program?

Participation by applicable members of the enterprise is correct. Effective risk management requires participation, support and acceptance by all applicable members of the enterprise, beginning with executives. Personnel must understand their responsibilities, receive training on how to fulfill their roles, exercise active judgment and take appropriate action.

Which of the following combinations of factors helps quantify risk?

Probability and consequence is correct. The quantification of risk is based on the probability (likelihood) of a threat exploiting a vulnerability resulting in a damaging consequence (impact) to an asset. 

Who MUST give final sign-off on the IT risk management plan?

Senior management is correct. Senior management understands performance metrics and indicators that measure the enterprise and its subsystems; they approved the policies and standards that govern the enterprise; and they have final responsibility for risks associated with audit findings and recommendations.

Whether a risk has been reduced to an acceptable level should be determined by:

Organizational requirements is correct. Organizational requirements should determine when a risk has been reduced to an acceptable level. Information systems and security requirements and standards may help inform organizational requirements, but in themselves lack the critical context of enterprise business goals.

Which of the following is MOST important for effective risk management?

Assignment of risk owners to identified risk is correct. It is of utmost importance to assign risk to individual owners and therein maximize accountability.

Which of the following is the BEST control for securing data on mobile universal serial bus (USB) drives?

Encrypting universal serial bus (USB) devices is correct. Encryption provides the most effective protection of data on mobile devices.

During the risk assessment process, it is MOST important to establish a clear line of accountability to:

Ensure that risk ownership is assigned to the appropriate level is correct. Applying risk ownership to the appropriate level is the most important element in establishing a clear line of accountability.

During the initial phase of the system development life cycle, the risk professional provided input on how to secure the proposed system. The project team prepared a list of requirements that will be used to design the system. Which of the following tasks MUST be performed before moving on to the system design phase?

The risk associated with the proposed system and controls is accepted by management is correct. The risk acceptance decision is made by senior management. Before moving further into the project, it is important to have sign-off from management that management acknowledges and accepts the risk that is associated with this project. If management does not accept the risk, then there is no point in proceeding any further.

The MOST important task in system control verification is:

Managing alerts is correct. The most important task in system control verification is managing the response time to critical alerts and alarms.

Which of the following is the BEST way to ensure that contract programmers comply with organizational security policies?

Perform periodic security reviews of the contractors is correct. Periodic reviews are the most effective way of obtaining compliance because these reviews provide insight into which contractors are following organizational policies and which are not.

The GREATEST risk posed by an absence of strategic planning is:

Improper oversight of IT investments is correct. Improper oversight of IT investment is the greatest risk. Without proper oversight from management, IT investment may fail to align with business strategy, and IT expenditures may not support business objectives.

Who should be accountable for risk to an IT system that supports a critical business process?

Senior management is correct. The accountable party is senior management. Although they are not responsible for executing the risk management program, they are ultimately liable for acceptance and mitigation of all risk.

IT plans to replace its existing wired local area network with a wireless infrastructure to accommodate the use of mobile devices within the organization. This will increase the risk of which of the following attacks?

Wardriving is correct. Wireless signals propagate beyond the physical perimeter of the building, so an attacker driving or walking nearby can discover and probe the network without ever touching a cable; the risk profile of the LAN therefore changes to reflect the exposure introduced by the new wireless infrastructure.

Which of the following vulnerabilities will make a web application MOST susceptible to a structured query language (SQL) injection attack?

Inadequate input validation is correct. SQL injection occurs when attacker-supplied input in a field meant for plain data (a username, a search term) is concatenated into a query string and interpreted by the database as SQL. If the application neither validates the input nor keeps it separate from the query structure (for example through parameterized queries), the injected commands are executed.
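An added example, not from the original page, of the two lookup styles described above against an in-memory SQLite table constructed for the demonstration (the table, the usernames and the payload are assumptions). The vulnerable function concatenates the input into the query text; the hardened function binds it as a parameter so the query structure is fixed; an allow-list validator is shown as defence in depth rather than as the primary control.

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable on purpose: the input is spliced into the SQL text, so a
    # quote in the input closes the string literal and the rest is parsed
    # as SQL. This is the pattern the question describes.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Hardened: the statement is compiled with a placeholder and the input
    # is passed as a bound value, so it can never change the query structure.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username):
    # Allow-list validation for the field's expected shape. Worth having,
    # but on its own it is not a substitute for parameterized queries.
    return 1 <= len(username) <= 32 and username.isascii() and username.isalnum()


# Classic tautology payload: closes the literal and adds an always-true clause.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", lookup_vulnerable(db, PAYLOAD))   # every row
    print("parameterized, payload:", lookup_parameterized(db, PAYLOAD))  # no rows
    print("validator accepts payload:", is_valid_username(PAYLOAD))  # False
```

With the payload, the vulnerable query becomes `SELECT ... WHERE username = 'x' OR '1'='1'` and returns every user, including the admin record; the parameterized version looks for a user literally named `x' OR '1'='1` and returns nothing.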

Which of the following poses the GREATEST risk to an organization that recently engaged the services of a cloud provider?

The service level agreement is ambiguous is correct. If the service level agreement is ambiguous, it will be difficult to determine whether the provider complies.

Which of the following approaches to corporate policy BEST supports an enterprise's expansion to other regions, where different local laws apply?

A global policy amended to comply with local laws is correct. A global policy including local amendments ensures alignment with local laws and regulations.

An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting and support. What is the MOST important question the risk professional will ask in relation to the outsourcing arrangements?

"Are specific security controls mandated in the outsourcing contract/agreement?" is correct. Without enumerating security requirements directly in the outsourcing contract, the outsourcing company has no assurance that the provider will comply with specific security requirements.

A new data protection regulation directly affects an organization. What information should the risk practitioner gather to BEST ensure compliance?

Risk scenarios with the potential impact on compliance is correct. Risk scenarios should indicate potential effects of noncompliance with the new regulation and guide management in evaluating whether the cost of compliance outweighs the cost of noncompliance and if this is in alignment with the organization’s risk tolerance. Understanding the impact of compliance versus noncompliance will inform which controls are ultimately implemented to achieve and maintain compliance.

Overall business risk for a particular threat can be expressed as the:

Product of the probability of exploitation and magnitude of the impact if a threat exploits a vulnerability is correct. The product of the probability of exploitation and magnitude of the impact provides the best measure of the risk to an asset.

Which of the following is of MOST concern in a review of a virtual private network implementation? Computers on the network are located:

In employees' homes is correct. In a virtual private network, all machines should be subject to the same security policy. Home computers are least often subject to the corporate security policy and therefore are high-risk machines. Once a computer is hacked and “owned,” any network that trusts that computer is at risk. Implementation and adherence to the corporate security policy are easier when all computers on the network reside at the enterprise’s campus.

Acceptable risk for an enterprise is achieved when:

Residual risk is within tolerance levels is correct. Residual risk is the risk that remains after all controls have been applied; therefore, acceptable risk is achieved when residual risk falls within the tolerance levels that management has set in line with the enterprise risk appetite.

The preparation of a risk register begins in which risk management process?

Risk identification is correct. The risk register details all identified risk, including description, category, cause, probability of occurring, impact(s) on objectives, proposed responses, owners and current status. The primary outputs from risk identification are the initial entries into the risk register.

Which of the following is the MOST important information to include in a risk management strategic plan?

The current state and desired future state is correct. It is most important to paint a vision for the future and then draw a road map from the starting point; therefore, this requires that the current state and desired future state be fully understood.

According to good practices, which of the following is PRIMARILY used to detect vulnerabilities in Internet-facing systems?

Penetration testing is correct. A penetration test simulates the actions of real attackers to test security defenses and detect vulnerabilities.

Which of the following BEST identifies controls addressing risk related to cloud computing?

Data encryption, tenant isolation, controlled change management is correct. Encryption facilitates separation of data among tenants. Tenant isolation ensures that one tenant’s data are sequestered from other tenants. Controlled change management ensures that all changes are well planned and tenant dependencies are mapped to underlying resources and services.

The PRIMARY focus of managing IT-related business risk is to protect:

Information is correct. The primary objective for any enterprise is to protect mission-critical information based on a risk assessment.

Which of the following would be the MOST influential in determining an organization’s approach to risk management?

Enterprise policies is correct. Enterprise policies state the organization’s guidance for risk management.

Who is accountable for business risk related to IT?

Users of IT services is correct. Ultimately, the business (i.e., the users of IT services) owns business-related risk, including the risk related to the use of IT. The business should set the mandate for risk management, provide the resources and funding to support a risk management plan designed to protect business interests, and monitor whether risk is being managed.

Which of the following attacks occurs PRIMARILY because user input is not properly validated?

Cross-site scripting is correct. Cross-site scripting (XSS) is an injection attack in which malicious scripts are injected into otherwise benign and trusted web sites. XSS results when insufficient input validation and output encoding allow attacker-supplied content to be returned to other users' browsers, where it is interpreted and executed as script in the context of the trusted site.

The board of directors of a one-year-old start-up company asked their chief information officer (CIO) to create all the enterprise’s IT policies and procedures. Which of the following should the CIO create FIRST?

The strategic IT plan is correct. The strategic IT plan is the first policy to create when developing an enterprise’s governance model.

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?

Basing the information security infrastructure on a risk assessment is correct. The information security infrastructure should be based on a risk assessment.

Which of the following requirements MUST be met during the initial stages of developing a risk management program?

The context and purpose of the program are defined is correct. Initial requirements to determine the enterprise’s purpose for creating an information security risk management program include determining the desired outcomes and defining objectives.

To which of the following documents does an organization refer to determine the intellectual property ownership of an application built by a third-party service manager in the course of its work for the organization?

Statement of work is correct. A statement of work typically defines terms of governance, conditions for third-party engagement and delineates IP ownership of products developed under the contract. Failure to include adequate language for IP may result in limited or no rights to resulting deliverables. Therefore, it is critical to review language rather than rely on boilerplate clauses to optimize ownership of deliverables and assess vulnerability associated with third-party engagements.

The MOST important external factors that should be considered in a risk assessment are:

The installation of many insecure devices on the Internet is correct. The proliferation of insecure devices (i.e., the Internet of Things) creates a serious external threat that must be considered.

A risk practitioner’s PRIMARY role is to:

Consult and recommend risk responses is correct. A risk practitioner is responsible for consulting about risk and recommending possible solutions for risk responses.

When a start-up company becomes popular, it suddenly is the target of hackers. This is considered:

An emerging threat is correct. A threat is any event in which a threat condition or actor acts upon an asset in a manner that has the potential to directly result in harm. The stem describes the emerging threat of hackers attacking the start-up company.

Which of the following is the PRIMARY objective of a risk management program?

Maintain residual risk at an acceptable level is correct. Ensuring that all residual risk is maintained at a level acceptable to the business is the objective of a risk management program.

Which of the following provides the GREATEST level of information security awareness?

Security training is correct. Security training is the best way to inform all employees about changes to the risk landscape and enhance information security awareness of risks to the enterprise risk management strategy.

The GREATEST advantage in performing a business impact analysis is that it:

Promotes continuity awareness in the enterprise is correct. A BIA raises awareness of risk to business recovery and continuity enterprisewide.

Which of the following outcomes of outsourcing noncore processes is of GREATEST concern to the management of an enterprise?

Processing of sensitive data was subcontracted by the vendor is correct. The greatest risk in third-party relationships is that the enterprise cedes direct control of its IS processes. Subcontracting increases this risk by adding a party the enterprise has no contract with; therefore, the subcontracting arrangement must be reviewed because sensitive data are involved.

Which of the following will have the MOST significant impact on standard information security governance models?

Complexity of the organizational structure is correct. Information security governance models are highly dependent on the complexity of the organizational structure. Elements that affect organizational structure include multiple business units, dispersion of multiple functions across the organization, multiple leadership hierarchies and multiple lines of communication.

Which of the following choices should drive the IT plan?

Strategic planning and business requirements is correct. IT exists to support business objectives. Management of enterprise IT should align the IT plan closely with the business.

Who is accountable for the overall enterprise strategy for risk governance?

Board of directors is correct. The board of directors is accountable for the overall enterprise risk governance strategy because it sets the enterprise strategy that risk governance must support.

Which of the following approaches results in risk scenarios applicable to an enterprise’s identified risk?

A top-down approach driven by business objectives is correct. Top-down approaches ensure that an organization’s unique perspectives and business objectives are prioritized in risk scenarios.

An organization is considering a cloud computing deployment and accepts the risk of confidential information in the cloud. Which is the BEST cloud deployment model that offers the most safeguards for this information?

Private cloud is correct. The private cloud model operates solely for the enterprise and will have controls in place needed to keep enterprise information confidential.

Development of corporate information security policy should PRIMARILY be based on:

Assets is correct. The corporate information security policy is based on management’s commitment to protect the assets of the enterprise (and relevant information of its business partners) from threats, risk and exposures that could occur.

The FIRST step in identifying and assessing IT risk is to:

Gather information on the current and future environment is correct. The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise’s environment (scope, technology, incidents, modifications, etc.).

Which of the following resources has the GREATEST risk of failure while implementing any security solution?

Security staff is correct. Staff represent the greatest risk of failure because people are vulnerable to risk such as fraud and deliberate or accidental misconfiguration of software processes or hardware.

Which of the following is the MOST prevalent risk in the development of end-user computing (EUC) applications?

Failure to subject applications to testing and IT general controls is correct. End-user applications may not be subject to independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. The applications may lack appropriate standards, controls, quality-assurance procedures and documentation. End-user applications may not be subject to backup and recovery procedures because operations may not be aware of them.

Which of the following is the MOST important element for a successful implementation of IT governance?

IT alignment with the business is correct. When implementing an IT governance framework in an organization, the most important objective is that IT is aligned with the business.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

Assimilation of the framework and intent of a written security policy by the users of the system is correct. Unless the users understand and adopt the policy, it will not be followed, however well it is written.

Which of the following should be the MOST important consideration when deciding areas of priority for IT governance implementation?

Areas that represent a known risk to the enterprise's operations is correct. Priority should be given to those areas which represent a known risk to the enterprise's operations.