Question: Which of the following would BEST address the risk of data leakage?
A. File backup procedures
B. Database integrity checks
C. Acceptable use policies
D. Incident response procedures
Answer: C
Justification:
A. File backup procedures ensure the availability of information in alignment with data retention requirements but do nothing to prevent leakage.
B. Database integrity checks verify the allocation and structural integrity of all the objects in the specified database but do nothing to prevent leakage.
C. An acceptable use policy establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before access to a network or the Internet is granted.
D. Incident response procedures provide detailed steps that help an organization minimize the impact of an adverse event; they do not directly address data leakage.

Question: Risk acceptance is a component of which of the following?
A. Risk assessment
B. Risk treatment
C. Risk identification
D. Risk monitoring
Answer: B
Justification:
A. Risk assessment covers identification and analysis to determine the likelihood and potential consequences of a compromise; it is not the stage at which a risk is accepted or selected for mitigation.
B. Risk treatment is where acceptance is decided: if a risk is found unacceptable after evaluation, mitigation is applied and acceptability is determined again on the residual risk.
C. Risk identification is the part of assessment in which viable risks are identified by developing a series of potential risk scenarios.
D. Risk monitoring is unrelated to risk acceptance.

Question: In controlling information leakage, management should FIRST establish:
A. a data leak prevention program.
B. user awareness training.
C. an information classification process.
D. a network intrusion detection system.
Answer: C
Justification:
A. Only after data have been determined critical to the organization can a data leak prevention program be properly implemented.
B. User awareness training can be helpful, but only after data have been classified.
C. Information classification must be conducted first.
D. Network intrusion detection is a technology that can support the data leak prevention program, but it is not a primary consideration.

Question: Which of the following is the MOST appropriate use of gap analysis?
A. Evaluating a business impact analysis
B. Developing a balanced business scorecard
C. Demonstrating the relationship between controls
D. Measuring current state versus desired future state
Answer: D
Justification:
A. A gap analysis is not the appropriate tool for evaluating a business impact analysis.
B. A gap analysis is not the appropriate tool for developing a balanced business scorecard.
C. A gap analysis is not the appropriate tool for demonstrating the relationship between controls.
D. A gap analysis is most useful for measuring the difference between the current state and the desired future state.

Question: The decision as to whether an IT risk has been reduced to an acceptable level should be determined by:
A. organizational requirements.
B. information systems requirements.
C. information security requirements.
D. international standards.
Answer: A
Justification:
A. Organizational requirements should determine when a risk has been reduced to an acceptable level.
B. The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information systems requirements.
C. The acceptability of a risk is ultimately a management decision, which may or may not be consistent with information security requirements.
D. Because each organization is unique, international standards may not represent the best solution for a specific organization; they are primarily a guideline.

Question: Which of the following measures would be MOST effective against insider threats to confidential information?
A. Role-based access control
B. Audit trail monitoring
C. Privacy policy
D. Defense in depth
Answer: A
Justification:
A. Role-based access control is a preventive control that grants access according to business need; it therefore reduces unnecessary access rights and enforces accountability.
B. Audit trail monitoring is a detective control, which acts "after the fact."
C. A privacy policy is not relevant to this risk.
D. Defense in depth primarily focuses on external threats and control layering.

Question: Which of the following BEST indicates a successful risk management practice?
A. Overall risk is quantified.
B. Inherent risk is eliminated.
C. Residual risk is minimized.
D. Control risk is tied to business units.
Answer: C
Justification:
A. The fact that overall risk has been quantified does not necessarily indicate the existence of a successful risk management practice.
B. Eliminating inherent risk is virtually impossible.
C. A successful risk management practice reduces residual risk to acceptable levels.
D. Although tying control risk to business units may improve accountability, this is not as desirable as achieving acceptable residual risk levels.

Question: What is the PRIMARY objective of a risk management program?
A. Minimize inherent risk.
B. Eliminate business risk.
Answer: D
Justification:
A. Inherent risk may already be acceptable and require no remediation; minimizing it below the acceptable level is not the objective and usually raises costs.
B. Elimination of business risk is not possible.
C. Effective controls are a clear objective of a risk management program, but only as a means to the primary goal of achieving acceptable risk across the organization.
D. The goal of a risk management program is to ensure that acceptable risk levels are achieved and maintained.