Nancy is the project manager of the NHH project. She and the project team have identified a significant risk in the project during the qualitative risk analysis process. Bob is familiar with the technology that the risk is affecting and proposes to Nancy a solution to the risk event. Nancy tells Bob that she has noted his response, but the risk really needs to pass through the quantitative risk analysis process before creating responses. Bob disagrees and ensures Nancy that his response is most appropriate for the identified risk. Who is correct in this scenario?

A. Bob is correct. Bob is familiar with the technology and the risk event so his response should be implemented.
B. Nancy is correct. Because Nancy is the project manager she can determine the correct procedures for risk analysis and risk responses. In addition, she has noted the risk response that Bob recommends.
C. Nancy is correct. All risks of significant probability and impact should pass the quantitative risk analysis process before risk responses are created.
D. Bob is correct. Not all risk events have to pass the quantitative risk analysis process to develop effective risk responses.

SIMULATION Fill in the blank with an appropriate word. ________ ensures that the information is not disclosed to unauthorized persons or processes.

Which of the following is a temporary approval to operate based on an assessment of the implementation status of the assigned IA Controls?

A. IATT
B. ATO
C. IATO
D. DATO

Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?

A. Project management plan
B. Project contractual relationship with the vendor
C. Project communications plan
D. Project scope statement

Which of the following individuals is responsible for monitoring the information system environment for factors that can negatively impact the security of the system and its accreditation?

A. Chief Risk Officer
B. Chief Information Security Officer
C. Information System Owner
D. Chief Information Officer

Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of a response strategy is this?

A. Contingent response strategy
B. Expert judgment
C. Internal risk management strategy
D. External risk response

Which of the following classification levels defines the information that, if disclosed to the unauthorized parties, could be reasonably expected to cause exceptionally grave damage to the national security?

A. Secret information
B. Top Secret information
C. Confidential information
D. Unclassified information

Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?

A. Risk monitoring and control
B. Scope change control
C. Configuration management
D. Integrated change control

You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?

A. Human resource needs
B. Risks
C. Costs
D. Quality control concerns

Which of the following describes residual risk as the risk remaining after risk mitigation has occurred?

A. DIACAP
B. ISSO
C. SSAA
D. DAA