Exam (elaborations)

RSK2601 MCQ EXAM PACK 2024

Pages
29
Grade
A+
Uploaded on
16-09-2024
Written in
2024/2025

Institution
RSK2601 2024 A Risk Management Pro
Course
RSK2601 2024 A risk management pro

Content preview

RSK2601 MCQ EXAM PACK
2024
A risk management program should MOST importantly seek to: - ANS-
minimize residual risk.

The BEST way to integrate risk management into life cycle processes is
through: - ANS-change management.

when should a risk assessment be conducted - ANS-annually or
whenever there is a significant change.

risk analysis addresses - ANS-
1. the value of the information asset at risk
2. risk frequency/likelihood
3. risk severity (the potential size of the risk's impact)

considered in effective risk management - ANS-
the value of each information asset
the probability or expected frequency that an event will affect an asset
the business impact of the loss incurred

risk mitigation - ANS-an alternative to risk acceptance

which three of the following are most critical to providing a true capability for
the organization to conduct meaningful risk assessment - ANS-
1. management must have the formal training, skills, and know-how to perform
professional risk assessment
2. the people leading the risk assessment are authorized to accept the
consequences of accepted or untreated risks on behalf of the organization
3. all risk assessment and management is performed according to a
predetermined formal, documented, and approved risk management
methodology

risk assessment should consider - ANS-the value of each information asset,
the dollar value of the business impact risk, as well as the expected frequency
of occurrence (likelihood) of a risk

which of the following provides the best basis for determining if a risk has
been appropriately mitigated - ANS-organizational requirements

who are responsible for information classification - ANS-information owners

which of the following should be assessed first - ANS-the maturity of the
organization's risk assessment methodology and practices should be
assessed first since the effectiveness of all risk assessment efforts is driven
by the maturity of the organization's risk assessment and risk management
capability

first step to a penetration test - ANS-mapping a network to determine points
of entry

mapping major threats to business objectives should be performed after
performing a full risk assessment - ANS-false

inadequately secured information assets and IT resources most significantly
increase - ANS-residual risk

typical (bad) risk culture: the board - ANS-lacks the knowledge and risk
vocabulary to engage in dialogue with management

typical (bad) risk culture: the ceo - ANS-seeks strategic dialogue about risk
but must rely on intuition

typical (bad) risk culture: the cfo - ANS-has narrow and "silo"ed view of risk,
often focusing on compliance and tangible assets

typical (bad) risk culture: the cro - ANS-understands the risks but has little
influence on decision making

typical (bad) risk culture: the treasurer - ANS-uses sophisticated risk
management tools, but only for short term risk

typical (bad) risk culture: business unit - ANS-lacks the sophistication and
time to understand, much less measure, their own risks. Not authorized to
decide upon risk treatment

detected vulnerabilities must be evaluated for - ANS-threat, impact, and
corresponding cost of risk mitigation

ISO 27001 requires the organization to define the risk assessment approach
of the organization. which of the following ISO standards most specifically
addresses the risk assessment requirements of ISO 27001 - ANS-ISO 27005

The owner of a business process can best evaluate business risks that are -
ANS-specific to the owner's processes

what allows a risk management program to effectively address changes in risk
- ANS-implementing continuous monitoring processes via periodic
reassessments of risk

which of the following are sections included within ISO 27005 "information
technology - security techniques - information security risk management"? -
ANS-context establishment (clause 7)
risk assessment (clause 8)
risk treatment (clause 9)
risk acceptance (clause 10)
risk communication (clause 11)
risk monitoring and review (clause 12)

a primary consideration in security policy development is basing the policies
on - ANS-a threat profile

which of the following are all examples of threats - ANS-an intruder accessing
the network through a port on the firewall

circumventing existing access controls

Get to know the seller
JoyceWWales Teachme2-tutor