Explanation: Risks that are now outdated should be closed by the project manager, there is no need to keep record of that.
Incorrect Answers:
A: Risks do not go into the issue log, but the risk register.
C: Identified risks are already in the risk register.
D: Risks with low probability and low impact go on the risk watchlist.

Explanation:
As business case includes business need (like new product, change in process, compliance need, etc.) and the requirements of the enterprise (new technology, cost, etc.), risk professional should utilize this for implementing specific risk mitigation activity. Risk professional must look at the costs of the various controls and compare them against the benefits that the organization will receive from the risk response. Hence he/she needs to have knowledge of business case development to illustrate the costs and benefits of the risk response.
Incorrect Answers: A, C, D: These all options are supplemental.

Explanation: Complexity of the organizational structure will have the most significant impact on the Information security governance model. Some of the elements that impact organizational structure are multiple business units and functions across the organization.
Incorrect Answers:
A: Currency with changing legislative requirements should not have major impact once good governance models are placed, hence, governance will help in effective management of the organization’s ongoing compliance.
B, D: The numbers of employees and the distance between physical locations have less impact on Information security models as well-defined process, technology and people components together provide the proper governance.

Explanation:
The primary goal of qualitative risk analysis is to determine proportion of effect and theoretical response. The inputs to the Qualitative Risk Analysis process are:

• Organizational process assets
• Project Scope Statement
• Risk Management Plan
• Risk Register

Incorrect Answers:
B: The cost management plan is the input to the perform quantitative risk analysis process.

Explanation:
A trigger is a warning sign or a condition that a risk event is likely to occur within the project.
Incorrect Answers:
A: Issues are events that come about as a result of risk events. Risks become issues only after they have actually occurred.
B: A contingency response is a pre-planned response for a risk event, such as a rollback plan.
D: A threshold is a limit that the risk passes to actually become an issue in the project.

Explanation:
Residual risk can be used by management to determine:

• Which areas require more control Whether the benefits of such controls outweigh the costs
• As residual risk is the output that comes after applying appropriate controls, so it can also estimate the area which need more sophisticated control. If the cost of control is large that its benefits then no control is applied, hence residual risk can determine benefits of these controls over cost.

Incorrect Answers:
A: Status of enterprise’s risk can be determined only after risk monitoring.
B: Appropriate control can only be determined as the result of risk assessment, not through residual risk.

Explanation:
A policy is an executive mandate which helps in identifying a topic that contains particular risks to avoid or prevent. Policies are high-level documents signed by a person of high authority with the power to force cooperation. The policy is a simple document stating that a particular high-level control objective is important to the organization’s success. Policies are usually only one page in length. The authority of the person mandating a policy will determine the scope of implementation. Hence in other words, policy is an overall statement of information security scope and direction.
Incorrect Answers:
A, B, D: These are not the valid definitions of the policy.

Explanation: Threat is an act of coercion wherein an act is proposed to elicit a negative response. Threats are real, while the vulnerabilities are a possibility. They can result in risks from external sources, and can become imminent by time or can diminish.
Incorrect Answers:
C, E: These two are true for vulnerability, but not threat. Unlike the threat, vulnerabilities are possibility and can result in risks from internal sources. They will arise and stay in place until they are properly dealt.

Explanation: Integrated change control is the component that is responsible for reviewing all aspects of a change’s impact on a project – including risks that may be introduced by the new change. Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected.
Integrated change control is a primary component of the project’s change control system that examines the affect of a proposed change on the entire project.
Incorrect Answers:
A: Configuration management controls and documents changes to the features and functions of the product scope.
B: Scope change control focuses on the processes to allow changes to enter the project scope.
C: Risk monitoring and control is not part of the change control system, so this choice is not valid.

Explanation: Senior management is responsible for the acceptance and mitigation of all risk. Hence they will also own the risk to an information system that supports a critical business process.
Incorrect Answers:
A: The system users are responsible for utilizing the system properly and following procedures, but they do not own the risk.
C: The IT director manages the IT systems on behalf of the business owners.
D: The risk management department determines and reports on level of risk, but does not own the risk. Risk is owned by senior management.