Which of the following parameters are considered for the selection of risk indicators? Each correct answer represents a part of the solution. Choose three. A. Size and complexity of the enterprise B. Type of market in which the enterprise operates C. Risk appetite and risk tolerance D. Strategy focus of the enterprise
Correct Answer: ABD
Explanation:
Explanation:
Risk indicators are placed at control points within the enterprise and are used to collect data. These collected data are used to measure the risk levels at that point. They also track events or incidents that may indicate a potentially harmful situation.
Risk indicators can be in form of logs, alarms and reports. Risk indicators are selected depending on a number of parameters in the internal and external environment, such as:
Size and complexity of the enterprise
Type of market in which the enterprise operates
Strategy focus of the enterprise
Incorrect Answers:
C: Risk appetite and risk tolerance are considered when applying various risk responses.
Which of the following come under the management class of controls?
Each correct answer represents a complete solution. (Choose two.) A. Risk assessment control B. Audit and accountability control C. Program management control D. Identification and authentication control
Correct Answer: AC
Explanation:
Explanation:
The Management class of controls includes five families. These families include over 40 individual controls. Following is a list of each of the families in the Management class:
Certification, Accreditation, and Security Assessment (CA): This family of controls addresses steps to implement a security and assessment program. It includes controls to ensure only authorized systems are allowed on a network. It includes details on important security concepts, such as continuous monitoring and a plan of action and milestones.
Planning (PL): The PL family focuses on security plans for systems. It also covers Rules of Behaviour for users. Rules of Behaviour are also called an acceptable use policy.
Risk Assessment (RA): This family of controls provides details on risk assessments and vulnerability scanning.
System and Services Acquisition (SA): The SA family includes any controls related to the purchase of products and services. It also includes controls related to software usage and user installed software.
Program Management (PM): This family is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement other controls. They don’t replace them.
Incorrect Answers: B, D: Identification and authentication, and audit and accountability control are technical class of controls.
Which of the following parameters would affect the prioritization of the risk responses and development of the risk response plan? Each correct answer represents a complete solution. Choose three. A. Importance of the risk B. Time required to mitigate risk. C. Effectiveness of the response D. Cost of the response to reduce risk within tolerance levels
Correct Answer: ACD
Explanation:
Explanation:
The prioritization of the risk responses and development of the risk response plan is influenced by several parameters:
Cost of the response to reduce risk within tolerance levels
Importance of the risk
Capability to implement the response
Effectiveness of the response
Efficiency of the response
Incorrect Answers:
B: Time required to mitigate risk does not influence the prioritization of the risk and development of the risk response plan. It affects the scheduled time of the project.
You are the project manager of GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks you would do in reaction to risk event occurrence? Each correct answer represents a part of the solution. Choose three. A. Monitor risk B. Maintain and initiate incident response plans C. Update risk register D. Communicate lessons learned from risk events
Correct Answer: ABD
Explanation:
Explanation:
When the risk events occur then following tasks have to done to react to it:
Maintain incident response plans
Monitor risk
Initiate incident response
Communicate lessons learned from risk events
Incorrect Answers:
C: Risk register is updated after applying appropriate risk response and at the time of risk event occurrence.
What is the most important benefit of classifying information assets? A. Linking security requirements to business objectives B. Allotting risk ownership C. Defining access rights D. Identifying controls that should be applied
Correct Answer: D
Explanation:
Explanation:
All of the options are directly or indirectly are the advantages of classifying information assets, but the most important benefit amongst them is that appropriate controls can be identified.
Incorrect Answers: A, B, C: These all are less significant than identifying controls.
Which of the following is the way to verify control effectiveness? A. The capability of providing notification of failure. B. Whether it is preventive or detective. C. Its reliability. D. The test results of intended objectives.
Correct Answer: D
Explanation:
Explanation:
Control effectiveness requires a process to verify that the control process worked as intended and meets the intended control objectives. Hence the test result of intended objective helps in verifying effectiveness of control.
Incorrect Answers:
A: Notification of failure does not determine control strength, hence this option is not correct.
B: The type of control, like preventive or detective, does not help determine control effectiveness.
C: Reliability is not an indication of control strength; weak controls can be highly reliable, even if they do not meet the control objective.
Which of the following test is BEST to map for confirming the effectiveness of the system access management process? A. user accounts to human resources (HR) records. B. user accounts to access requests. C. the vendor database to user accounts. D. access requests to user accounts.
Correct Answer: B
Explanation:
Explanation: Tying user accounts to access requests confirms that all existing accounts have been approved. Hence, the effectiveness of the system access management process can be accounted.
Incorrect Answers:
A: Tying user accounts to human resources (HR) records confirms whether user accounts are uniquely tied to employees, not accounts for the effectiveness of the system access management process.
C: Tying vendor records to user accounts may confirm valid accounts on an e-commerce application, but it does not consider user accounts that have been established without the supporting access request.
D: Tying access requests to user accounts confirms that all access requests have been processed; however, the test does not consider user accounts that have been established without the supporting access request.
Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained? A. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content B. Perform regular audits by audit personnel and maintain risk register C. Submit the risk register to business process owners for review and updating D. Monitor key risk indicators, and record the findings in the risk register
Correct Answer: A
Explanation:
Explanation: A knowledge management platform with workflow and polling feature will automate the process of maintaining the risk registers. Hence this ensures that an accurate and updated risk register is maintained.
Incorrect Answers:
B: Audit personnel may not have the appropriate business knowledge in risk assessment, hence cannot properly identify risk. Regular audits may also cause hindrance to the business activities.
C: Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased and may not have the appropriate skills or tools for evaluating risks.
D: Monitoring key risk indicators, and record the findings in the risk register will only provide insights to known and identified risk and will not account for obscure risk, i.e. , risk that has not been identified yet.
Which negative risk response usually has a contractual agreement? A. Sharing B. Transference C. Mitigation D. Exploiting
Correct Answer: B
Explanation:
Explanation:
Transference is the risk response that transfers the risk to a third party, usually for a fee. Insurance and subcontracting of dangerous works are two common examples of transference with a contractual obligation.
Incorrect Answers:
A: Sharing is a positive risk response. Note that sharing may also have contractual obligations, sometimes called teaming agreements.
C: Mitigation is a negative risk response used to lower the probability and/or impact of a risk event.
D: Exploiting is a positive risk response and not a negative response and doesn’t have contractual obligations.
Which of the following is the greatest risk to reporting? A. Integrity of data B. Availability of data C. Confidentiality of data D. Reliability of data
Correct Answer: D
Explanation:
Explanation:
Reporting risks are caused due to wrong reporting which leads to bad decision. This bad decision due to wrong report hence causes a risk on the functionality of the organization. Therefore, the greatest risk to reporting is reliability of data. Reliability of data refers to the accuracy, robustness, and timing of the data.
Incorrect Answers: A, B, C: Integrity, availability, and confidentiality of data are also important, but these three in combination comes under reliability itself.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.