CRISC FULL EXAM ALL SOLUTION LATEST EDITION GUARANTEED GRADE A+

Pages: 74
Uploaded on: 10-09-2024
Written in: 2024/2025

Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the risk of a social engineering attack B. Training personnel in security incident response C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance A Which of the following is MOST important to determine when defining risk management strategies? A. Risk assessment criteria B. IT architecture complexity C. An enterprise disaster recovery plan (DRP) D. Organizational objectives D Which of the following is the MOST important information to include in a risk management strategic plan? A. Risk management staffing requirements B. The risk management mission statement C. Risk mitigation investment plans D. The current state and desired future state D Information that is no longer required to support the main purpose of the business from an information security perspective should be: A. analyzed under the retention policy. B. protected under the information classification policy. C. analyzed under the backup policy. D. protected under the business impact analysis (BIA). A An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration? A. A security breach notification may get delayed due to the time difference. B. Additional network intrusion detection sensors should be installed, resulting in additional cost. C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines. D. Laws and regulations of the country of origin may not be enforceable in the foreign country. D An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise? A. 
The data classification policy B. The acceptable use policy C. Encryption standards D. The access control policy A Malware has been detected that redirects users' computers to web sites crafted specifically for the purpose of fraud. The malware changes domain name system (DNS) server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a: C What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives? A. A compliance-oriented gap analysis B. Interviews with business process stakeholders C. A mapping of compliance requirements to policies and procedures D. A compliance-oriented business impact analysis (BIA) D Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor key risk indicators (KRJs), and record the findings in the risk register. B. Publish the risk register centrally with workflow features that periodically poll risk assessors. C. Distribute the risk register to business process owners for review and updating. D. Utilize audit personnel to perform regular audits and to maintain the risk register. B Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A. analyze what systems and technology-related processes may be impacted. B. ensure necessary adjustments are implemented during the next review cycle. C. initiate an ad hoc revision of the corporate policy. D. notify the system custodian to implement changes. A Which of the following is the PRIMARY objective of a risk management program? A. Maintain residual risk at an acceptable level B. Implement preventive controls for every threat C. Remove all inherent risk D. Reduce inherent risk to zero A Assessing information systems risk is BEST achieved by: A. 
using the enterprise's past actual loss experience to determine current exposure. B. reviewing published loss statistics from comparable organizations. C. evaluating threats associated with existing information systems assets and information systems projects. D. reviewing information systems control weaknesses identified in audit reports. C Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a business impact analysis (BIA) B. Considering personal devices as part of the security policy C. Basing the information security infrastructure on a risk assessment D. Initiating IT security training and familiarization C The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is: A. storage availability. B. applicable organizational standards. C. generally accepted industry best practices. D. business requirements. D Which of the following areas is MOST susceptible to the introduction of an information-security-related vulnerability? A. Tape backup management B. Database management C. Configuration management D. Incident response management C Which of the following is the GREATEST risk of a policy that inadequately defines data and system ownership? A. Audit recommendations may not be implemented. B. Users may have unauthorized access to originate, modify or delete data. C. User management coordination does not exist. D. Specific user accountability cannot be established. B We have an expert-written solution to this problem! A lack of adequate controls represents: A. a vulnerability. B. an impact. C. an asset. D. a threat. A The PRIMARY focus of managing IT-related business risk is to protect: A. information. B. hardware. C. applications. D. databases. A Which of the following provides the BEST view of risk management? A. An interdisciplinary team B. A third-party risk assessment service provider C. The enterprise's IT department D. 
The enterprise's internal compliance department A Which of the following approaches to corporate policy BEST supports an enterprise's expansion to other regions, where different local laws apply? A. A global policy that does not contain content that might be disputed at a local level B. A global policy that is locally amended to comply with local laws C. A global policy that complies with law at corporate headquarters and that all employees must follow D. Local policies to accommodate laws within each region B Which of the following is the BEST indicator that incident response training is effective? A. Decreased reporting of security incidents to the incident response team B. Increased reporting of security incidents to the incident response team C. Decreased number of password resets D. Increased number of identified system vulnerabilities B Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts? A. The number of employees B. The enterprise's budget C. The organizational structure D. The type of technology that the enterprise uses C An enterprise has learned of a security breach at another entity that utilizes similar technology. The MOST important action a risk practitioner should take is to: A. assess the likelihood of the incident occurring at the risk practitioner's enterprise. B. discontinue the use of the vulnerable technology. C. report to senior management that the enterprise is not affected. D. remind staff that no similar security breaches have taken place. A Which of the following is the GREATEST benefit ofa risk-aware culture? A. Issues are escalated when suspicious activity is noticed. B. Controls are double-checked to anticipate any issues. C. Individuals communicate with peers for knowledge sharing. D. Employees are self-motivated to learn about costs and benefits. A The MAIN objective of IT risk management is to: A. prevent loss of IT assets. B. 
provide timely management reports. C. ensure regulatory compliance. D. enable risk-aware business decisions. D Which of the following is the BEST risk identification technique for an enterprise that allows employees to identify risk anonymously? A. The Delphi technique B. Isolated pilot groups C. A strengths, weaknesses, opportunities and threats (SWOT) analysis D. A root cause analysis A Who MUST give the final sign-off on the IT risk management plan? A. IT auditors performing the risk assessment B. Business process owners C. Senior management D. IT security administrators C Which of the following is the PRIMARY reason that a risk practitioner determines the security boundary prior to conducting a risk assessment? A. To determine which laws and regulations apply B. To determine the scope of the risk assessment C. To determine the business owner(s) of the system D. To decide between conducting a quantitative or qualitative analysis B Which of the following BEST describes the information needed for each risk on a risk register? A. Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner B. Various risk scenarios with their date, description, risk score, cost to remediate, communication plan and owner C. Various risk scenarios with their date, description, impact, cost to remediate and owner D. Various activities leading to risk management planning A The GREATEST advantage of performing a business impact analysis (BIA) is that it: A. does not have to be updated because the impact will not change. B. promotes continuity awareness in the enterprise. C. can be performed using only qualitative estimates. D. eliminates the need to perform a risk analysis. B The PRIMARY advantage of creating and maintaining a risk register is to: A. ensure that an inventory of potential risk is maintained. B. record all risk scenarios considered during the risk identification process. C. 
collect similar data on all risk identified within the organization. D. run reports based on various risk scenarios. A Which of the following is MOST effective in assessing business risk? A. A use case analysis B. A business case analysis C. Risk scenarios D. A risk plan C The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures. Which of the following should the CIO create FIRST? A. The strategic IT plan B. The data classification scheme C. The information architecture document D. The technology infrastructure plan A The preparation of a risk register begins in which risk management process? A. Risk response planning B. Risk monitoring and control C. Risk management planning D. Risk identification D A business impact analysis (BIA) is PRIMARILY used to: A. estimate the resources required to resume and return to normal operations after a disruption. B. evaluate the impact of a disruption to an enterprise's ability to operate over time. C. calculate the likelihood and impact of known threats on specific functions. D. evaluate high-level business requirements. B Which of the following provides the GREATEST level of information security awareness? A. Job descriptions B. A security manual C. Security training D. An organizational diagram C Which of the following is the BIGGEST concern for a chief information security officer (CISO) regarding interconnections with systems outside of the enterprise? A. Requirements to comply with each other's contractual security requirements B. Uncertainty that the other system will be available as needed C. The ability to perform risk assessments on the other system D. 
Ensuring that communication between the two systems is encrypted through a virtual private network (VPN) tunnel A The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise's IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all of the IT decisions for the enterprise, including those related to the technology budget. Which type of IT organizational structure does the enterprise have? A. Project-based B. Centralized C. Decentralized D. Divisional B Which of the following is the MAIN concern when two or more staff members are allowed to use the same generic account? A. Segregation of duties B. Inability to change the password C. Repudiation D. Inability to trace account activities C Which of the following is a PRIMARY consideration when developing an IT risk awareness program? A. Why technology risk is owned by IT B. How technology risk can impact each attendee's area of business C. How business process owners can transfer technology risk D. Why technology risk is more difficult to manage compared to other risk B Which of the following is the BEST approach when conducting an IT risk awareness campaign? A. Provide technical details on exploits. B. Provide common messages tailored for different groups. C. Target system administrators and help desk staff. D. Target senior managers and business process owners. B It is MOST important that risk appetite be aligned with business objectives to ensure that: A. resources are directed toward areas of low risk tolerance. B. major risk is identified and eliminated. C. IT and business goals are aligned. D. the risk strategy is adequately communicated. A Risk scenarios enable the risk assessment process because they: A. cover a wide range of potential risk. B. minimize the need for quantitative risk analysis techniques. C. 
segregate IT risk from business risk for easier risk analysis. D. help estimate the frequency and impact of risk. D Who is accountable for business risk related to IT? A. The chief information officer (CIO) B. The chief financial officer (CFO) C. Users of IT services-the business D. The chief architect C Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of: A. potential threats to assets. B. residual risk on individual assets. C. accepted risk. D. security incidents. A Which of the following is true about IT risk? A. IT risk cannot be assessed and measured quantitatively. B. IT risk should be calculated separately from business risk. C. IT risk management is the responsibility of the IT department. D. IT risk exists whether or not it is detected or recognized by an enterprise. D Which of the following is MOST important when selecting an appropriate risk management methodology? A. Risk culture B. Countermeasure analysis C. Cost-benefit analysis D. Risk transfer strategy A Which of the following BEST determines compliance with the risk appetite of an enterprise? A. Balance between preventive and detective controls B. Inherent risk and acceptable risk level C. Residual risk and acceptable risk level D. Balance between countermeasures and preventive controls C Which of the following BEST improves decision making related to risk? A. Maintaining a documented risk register of all possible risk B. Risk awareness training in line with the risk culture C. Maintaining updated security policies and procedures D. Allocating accountability of risk to the department as a whole A The FIRST step in identifying and assessing IT risk is to: A. confirm the risk tolerance level of the enterprise. B. identify threats and vulnerabilities. C. gather information on the current and future environment. D. review past incident reports and response activity. 
C Which of the following outcomes of an outsourcing contract for non-core processes is of GREATEST concern to the management of an enterprise? A. Total cost of ownership (TCO) exceeds projections. B. Internal information systems experience has been lost. C. Employees of the vendor were disloyal to the client enterprise. D. Processing of critical data was subcontracted by the vendor. D Which of the following is MOST important for effective risk management? A. Assignment of risk owners to identified risk B. Ensuring compliance with regulatory requirements C. Integration of risk management into operational processes D. Implementation of a risk avoidance strategy A Risk scenarios should be created PRIMARILY based on which of the following? A. Input from senior management B. Previous security incidents C. Threats that the enterprise faces D. Results of the risk analysis C Which of the following causes an internal ad hoc risk assessment to be performed before the annual occurrence? A. A new chief information officer (CIO) is hired. B. Senior management adjusts risk appetite. C. Risk changes on a frequent basis. D. A new system is introduced into the environment. D An enterprise expanded operations into Europe, Asia and Latin America. The enterprise has a single-version, multiple-language employee handbook last updated three years ago. Which of the following is of MOST concern? A. The handbook may not have been correctly translated into all languages. B. Newer policies may not be included in the handbook. C. Expired policies may be included in the handbook. D. The handbook may violate local laws and regulations. D When requesting information for an e-discovery, an enterprise learned that their email cloud provider was never contracted to back up the messages even though the company's email retention policy explicitly states that all emails are to be saved for three years. Which of the following would have BEST safeguarded the company from this outcome? A. 
Providing the contractor with the record retention policy up front B. Validating the company policies to the provider's contract C. Providing the contractor with the email retention policy up front D. Backing up the data on the company's internal network nightly B Which of the following is the BEST indicator of an effective information risk management program? A. The security policy is made widely available. B. Risk is considered before all decisions. C. Security procedures are updated annually. D. Risk assessments occur on an annual basis. B Risk management strategic plans are MOST effective when developed for: A. the enterprise as a whole. B. each individual system based on technology utilized. C. every location based on geographic threats. D. end-to-end business processes. A Which of the following is MOST important when considering the risk appetite of an enterprise? A. The capacity of the enterprise to absorb loss B. The definition of responsibilities for risk management C. The line of business and the typical risk of the industry D. The culture and predisposition toward risk taking D The PRIMARY purpose of adopting an enterprisewide risk management framework is to: A. allow the flexibility to adjust the risk response strategy throughout the enterprise. B. centralize the responsibility for the maintenance of the risk response program. C. enable a consistent approach to risk response throughout the enterprise. D. avoid higher costs for risk reduction and audit strategies throughout the enterprise. C A review of an enterprise's IT projects finds that projects frequently go over time or budget by nearly 10 percent. On review, management advises the risk practitioner that a deviation of 15 percent is acceptable. This is an example of: A. risk avoidance. B. risk tolerance. C. risk acceptance. D. risk mitigation. B When a start-up company becomes popular, it suddenly is the target of hackers. This is considered: A. an emerging vulnerability. B. a vulnerability event. 
C. an emerging threat. D. an environmental risk factor. C Which of the following is a MAJOR risk associated with the use of governance, risk and compliance (GRC) tools? A. Misinterpretation of the dashboard's output B. Poor authentication mechanism C. Obsolescence of content D. Complex integration of the diverse requirements C The PRIMARY reason an external risk assessment team reviews documentation before starting the actual risk assessment is to gain a thorough understanding of: A. the technologies utilized. B. gaps in the documentation. C. the enterprise's business processes. D. the risk assessment plan. C A small start-up software development company has been flooded and the insurance does not payout because the premium has lapsed. In relation to risk management, the lapsed premium is considered a: A. risk. B. vulnerability. C. threat. D. negligence. B Which of the following statements BEST describes the value of a risk register? A. It captures the risk inventory. B. It drives the risk response plan. C. It is a risk reporting tool. D. It lists internal risk and external risk. B Accountability for risk ultimately belongs to the: A. chief risk officer (CRO). B. compliance officer. C. chieffinancial officer (CFO). D. board of directors. D What is the MAIN objective of risk identification? A. To detect possible threats that may affect the business B. To ensure that risk factors and root causes are managed C. To enable the review of the key performance indicators (KPIs) D. To provide qualitative impact values to stakeholders A Which of the following examples of risk should be addressed during application design? A. A lack of skilled resources B. The risk of migration to a new system C. Incomplete technical specifications D. Third-party supplier risk A If risk has been identified, but not yet mitigated, the enterprise would: A. record and mitigate serious risk and disregard low-level risk. B. 
obtain management commitment to mitigate all identified risk within a reasonable time frame. C. document all risk in the risk register and maintain the status of the remediation. D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias. C When developing IT-related risk scenarios with a top-down approach, it is MOST important to identify the: A. information system environment. B. business objectives. C. hypothetical risk scenarios. D. external risk scenarios. B An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting and support. What is the MOST important consideration the risk professional will examine in relation to the outsourcing arrangements? A. Are policies and procedures in place to handle security exceptions? B. Is the outsourcing supplier meeting the terms of the service level agreements (SLAs)? C. Is the security program of the outsourcing provider based on an international standard? D. Are specific security controls mandated in the outsourcing contract/agreement? D The MAIN purpose for creating and maintaining a risk register is to: A. ensure that all assets have low residual risk. B. define the risk assessment methodology. C. document all identified risk. D. study various risk scenarios in the threat landscape. C Which of the following activities provides the BEST basis for establishing risk ownership? A. Documenting interdependencies between departments B. Mapping identified risk to a specific business process C. Referring to available RACI charts D. Distributing risk equally among all asset owners B Which of the following types of risk is high for projects that affect multiple business areas? A. Control risk B. Inherent risk C. Compliance risk D. Residual risk B To be effective, risk management should be applied to: A. those elements identified by a risk assessment. B. any area that exceeds acceptable risk levels. C. all organizational activities. 
D. only those areas that have potential impact. C Corporate information security policy development should PRIMARILY be based on: A. vulnerabilities. B. threats. C. assets. D. impacts. C Which of the following vulnerabilities is the MOST serious and allows attackers access to data through a web application? A. Validation checks are missing in data input fields. B. Password rules do not enforce sufficient complexity. C. Application transaction log management is weak. D. The application and database share a single access ID. A Which of the following combinations of factors helps quantify risk? A. Probability and consequence B. Impact and threat C. Threat and exposure D. Sensitivity and exposure A Which of the following requirements MUST be met during the initial stages of developing a risk management program? A. Management acceptance and support have been obtained. B. Information security policies and standards are established. C. A management committee to provide program oversight exists. D. The context and purpose of the program is defined. D The likelihood of an attack being launched against an enterprise is MOST dependent on: A. the skill and motivation of the potential attacker. B. the frequency that monitoring systems are reviewed. C. the ability to respond quickly to any incident. D. the effectiveness of the controls. A Which of the following choices is the MOST important part of any outsourcing contract? A. The right to audit the outsourcing provider 8. Provisions to assess the compliance of the provider C. Procedures for dealing with incident notification D. Requirements to encrypt hosted data B The MOST important external factors that should be considered in a risk assessment effort are: A. proposed new security tools and technologies. B. the number of viruses and other mal ware being developed. C. international crime statistics and political unrest. D. supply chain and market conditions. 
D The sales manager of a home improvement enterprise wants to expand the services available on the enterprise's web page to include sending free promotional samples of their products to prospective clients. What is the GREATEST concern the risk professional would have? A. Are there any data privacy concerns about storing client data? B. Are there any concerns about protecting credit card or payment data? C. Can the system be misused by a person to obtain multiple samples? D. Will the web site be able to handle the expected volume of traffic? A Senior management will MOST likely have the highest tolerance for moving which of the following to a public cloud? A. Credit card processing B. Research and development C. The legacy financial system D. The corporate email system D Which of the following items is MOST important to consider in relation to a risk profile? A. A summary of regional loss events B. Aggregated risk to the enterprise C. A description of critical risk D. An analysis of historical loss events B Which of the following factors determines the acceptable level of residual risk in an enterprise? A. Management discretion B. Regulatory requirements C. Risk assessment results D. Internal audit findings A Which of the following environments typically represents the GREATEST risk to organizational security? A. An enterprise data warehouse B. A load-balanced, web server cluster C. A centrally managed data switch D. A locally managed file server D Overall business risk for a particular threat can be expressed as the: A. magnitude of the impact should a threat source successfully exploit the vulnerability. B. likelihood of a given threat source exploiting a given vulnerability. C. product of the probability and magnitude of the impact if a threat exploits a vulnerability. D. collective judgment of the risk assessment team. C When developing risk scenarios for an enterprise, which of the following is the BEST approach? A. 
The top-down approach for capital-intensive enterprises B. The top-down approach because it achieves automatic buy-in C. The bottom-up approach for unionized enterprises D. The top-down and the bottom-up approach because they are complementary D Which of the following documents BEST identifies an enterprise's compliance risk and the corrective actions in progress to meet these regulatory requirements? A. An internal audit report B. A risk register C. An external audit report D. A risk assessment report B Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the organization? A. An IT audit B. A security gap analysis C. A threat and vulnerability assessment D. An IT security assessment C Which of the following will have the MOST significant impact on standard information security governance models? A. Number of employees B. Cultural differences between physical locations C. Complexity of the organizational structure D. Evolving legislative requirements C Which of the following will produce comprehensive results when performing a qualitative risk analysis? A. A vulnerability assessment B. Scenarios with threats and impacts C. The value of information assets D. Estimated productivity losses B Who should be accountable for the risk to an IT system that supports a critical business process? A. IT management B. Senior management C. The risk management department D. System users B Which of the following is the MAIN outcome of a business impact analysis (BIA)? A. Project prioritization B. Criticality of business processes C. The root cause of IT risk D. Third-party vendor risk B Which of the following provides the MOST valuable input to incident response efforts? A. Qualitative analysis of threats B. The annual loss expectancy (ALE) total C. A vulnerability assessment D. Penetration testing A Which of the following BEST describes the risk-related roles and responsibilities of an organizational business unit (BD)? 
The BU management team:
A. owns the mitigation plan for the risk belonging to their BU, while board members are responsible for identifying and assessing risk as well as reporting on that risk to the appropriate support functions.
B. owns the risk and is responsible for identifying, assessing and mitigating risk as well as reporting on that risk to the appropriate support functions and the board of directors.
C. carries out the respective risk-related responsibilities, but ultimate accountability for the day-to-day work of risk management and goal achievement belongs to the board members.
D. is ultimately accountable for the day-to-day work of risk management and goal achievement, and board members own the risk.
B
Risk assessment techniques should be used by a risk practitioner to:
A. maximize the return on investment (ROI).
B. provide documentation for auditors and regulators.
C. justify the selection of risk mitigation strategies.
D. quantify the risk that would otherwise be subjective.
C
Which of the following assessments of an enterprise's risk monitoring process will provide the BEST information about its alignment with industry-leading practices?
A. A capability assessment by an outside firm
B. A self-assessment of capabilities
C. An independent benchmark of capabilities
D. An internal audit review of capabilities
C
Risk assessments should be repeated at regular intervals because:
A. omissions in earlier assessments can be addressed.
B. periodic assessments allow various methodologies.
C. business threats are constantly changing.
D. they help raise risk awareness among staff.
C
Which of the following is MOST beneficial to the improvement of an enterprise's risk management process?
A. Key risk indicators (KRIs)
B. External benchmarking
C. The latest risk assessment
D. A maturity model
D
Which of the following is the PRIMARY reason for having the risk management process reviewed by independent risk auditors/assessors?
A. To ensure that the risk results are consistent
B. To ensure that the risk factors and risk profile are well defined
C. To correct any mistakes in risk assessment
D. To validate the control weaknesses for management reporting
B
Which of the following provides the GREATEST support to a risk practitioner recommending encryption of corporate laptops and removable media as a risk mitigation measure?
A. Benchmarking with peers
B. Evaluating public reports on encryption algorithms in the public domain
C. Developing a business case
D. Scanning unencrypted systems for vulnerabilities
C
The MOST likely trigger for conducting a comprehensive risk assessment is changes to:
A. the asset inventory.
B. asset classification levels.
C. the business environment.
D. information security policies.
C
Which of the following is used to determine whether unauthorized modifications were made to production programs?
A. An analytical review
B. Compliance testing
C. A system log analysis
D. A forensic analysis
B
An enterprise is hiring a consultant to help determine the maturity level of the risk management program. The MOST important element of the request for proposal (RFP) is the:
A. sample deliverable.
B. past experience of the engagement team.
C. methodology used in the assessment.
D. references from other organizations.
C
The BEST time to perform a penetration test is after:
A. a high turnover in systems staff.
B. an attempted penetration has occurred.
C. various infrastructure changes are made.
D. an audit has reported control weaknesses.
C
Which of the following should be in place before a black box penetration test begins?
A. A clearly stated definition of scope
B. Previous test results
C. Proper communication and awareness training
D. An incident response plan
A
Which of the following BEST assists a risk practitioner in measuring the existing level of development of risk management processes against their desired state?
A. A capability maturity model (CMM)
B. Risk management audit reports
C. A balanced scorecard (BSC)
D. Enterprise security architecture
A
Which of the following is the BEST way to ensure that a corporate network is adequately secured against external attack?
A. Utilize an intrusion detection system (IDS).
B. Establish minimum security baselines.
C. Implement vendor recommended settings.
D. Perform periodic penetration testing.
D
A third party is engaged to develop a business application. Which of the following BEST measures for the existence of back doors?
A. Security code reviews for the entire application
B. System monitoring for traffic on network ports
C. Reverse engineering the application binaries
D. Running the application from a high-privileged account on a test system
A
A substantive test to verify that tape library inventory records are accurate is:
A. determining whether bar code readers are installed.
B. conducting a physical count of the tape inventory.
C. checking whether receipts and issues of tapes are accurately recorded.
D. determining whether the movement of tapes is authorized.
B
The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize:
A. firewalls.
B. bastion hosts.
C. honeypots.
D. screened subnets.
C
Which of the following is the BEST way to verify that critical production servers are utilizing up-to-date antivirus signature files?
A. Check a sample of servers.
B. Verify the date that signature files were last pushed out.
C. Use a recently identified benign virus to test whether it is quarantined.
D. Research the most recent signature file, and compare it to the console.
A
Which of the following BEST helps identify information systems control deficiencies?
A. Gap analysis
B. The current IT risk profile
C. The IT controls framework
D. Countermeasure analysis
A
When assessing the performance of a critical application server, the MOST reliable assessment results may be obtained from:
A. activation of native database auditing.
B. documentation of performance objectives.
C. continuous monitoring.
D. documentation of security modules.
C
The PRIMARY goal of a postincident review is to:
A. gather evidence for subsequent legal action.
B. identify ways to improve the response process.
C. identify individuals who failed to take appropriate action.
D. make a determination as to the identity of the attacker.
B
IT risk is measured by its:
A. level of damage to IT systems.
B. impact on business operations.
C. cost of countermeasures.
D. annual loss expectancy (ALE).
B
Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as:
A. quantitative risk analysis.
B. risk scenario analysis.
C. qualitative risk analysis.
D. probabilistic risk assessment.
A
During an internal risk assessment in a global enterprise, a risk manager notes that local management has proactively mitigated some of the high-level risk related to the global purchasing process. This means that:
A. the local management is now responsible for the risk.
B. the risk owner is the corporate chief risk officer (CRO).
C. the risk owner is the local purchasing manager.
D. corporate management remains responsible for the risk.
D
Which of the following BEST estimates the likelihood of significant events impacting an enterprise?
A. Threat analysis
B. Cost-benefit analysis
C. Scenario analysis
D. Countermeasure analysis
C
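The two questions above on annual loss expectancy (ALE) and on deriving likelihood and impact through statistical methods describe what quantitative risk analysis looks like in practice. The Python script below is an added worked example, not part of the exam material and not ISACA's: it computes the point-estimate ALE = SLE x ARO for a few constructed risk scenarios, then runs a Monte Carlo simulation (Poisson occurrence counts per year, lognormal loss per occurrence) to derive the expected annual loss, a 95th-percentile tail loss and the likelihood that a year sees any loss at all. The scenario names, the SLE and ARO figures, the random seed and the lognormal spread are all assumptions chosen for illustration.

```python
"""Quantitative risk analysis, worked out in code.

Added example for the ALE and "statistical methods" questions above; it is
not part of the exam material. All scenario figures are constructed
illustrations, not measurements from any real enterprise.
"""
import math
import random
import statistics

# Constructed risk scenarios: (name, single loss expectancy (SLE) in dollars,
# annualized rate of occurrence (ARO)). The SLE and ARO values are assumptions.
SCENARIOS = [
    ("laptop with unencrypted disk lost or stolen", 250_000, 0.5),
    ("ransomware on a file server", 1_200_000, 0.1),
    ("DNS settings tampered, users redirected to fraud sites", 80_000, 2.0),
]


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Classic point estimate: ALE = SLE x ARO."""
    return sle * aro


def total_ale(scenarios=SCENARIOS) -> float:
    """Sum of per-scenario ALEs; one number that says nothing about spread."""
    return sum(annual_loss_expectancy(sle, aro) for _, sle, aro in scenarios)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in one year given mean rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios=SCENARIOS, years: int = 10_000,
                           seed: int = 7, sigma: float = 0.5) -> list:
    """Monte Carlo: for each simulated year draw how many times each scenario
    occurs (Poisson with mean ARO) and how much each occurrence costs
    (lognormal whose mean equals the SLE; sigma is the assumed spread).
    Returns one total loss per simulated year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(years):
        year_loss = 0.0
        for _, sle, aro in scenarios:
            # mu chosen so that the lognormal's mean is exactly sle
            mu = math.log(sle) - sigma ** 2 / 2
            for _ in range(_poisson(rng, aro)):
                year_loss += rng.lognormvariate(mu, sigma)
        losses.append(year_loss)
    return losses


def summarize(losses: list, percentile: float = 0.95) -> dict:
    """Turn simulated yearly losses into figures a risk register can carry:
    expected annual loss, a tail value (default 95th percentile) and the
    likelihood that a year is not loss-free."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(percentile * len(ordered)))
    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "tail_loss": ordered[idx],
        "likelihood_of_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }


if __name__ == "__main__":
    print(f"Point-estimate ALE: ${total_ale():,.0f}")
    for key, value in summarize(simulate_annual_losses()).items():
        print(f"{key}: {value:,.2f}")
```

The point estimate and the simulated expected loss agree by construction, which is the check to run first; what the simulation adds is the tail figure and the probability of a loss year, the two numbers a qualitative heat map cannot give and the ones that decide whether a mitigation such as laptop encryption is worth its cost.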

Document information

Uploaded on
September 10, 2024
Number of pages
74
Written in
2024/2025
Type
Exam (elaborations)
Contains
Questions & answers

An enterprise recently developed a breakthrough technology that could
provide a significant competitive edge.
Which of the following FIRST governs how this information is to be
protected from within the enterprise?
A. The data classification policy
B. The acceptable use policy
C. Encryption standards
D. The access control policy
A
Malware has been detected that redirects users' computers to web
sites crafted specifically for the purpose of fraud.
The malware changes domain name system (DNS) server settings,
redirecting users to sites under the hackers'
control. This scenario BEST describes a:
C
What is the MOST effective method to evaluate the potential impact of
legal, regulatory and contractual
requirements on business objectives?
A. A compliance-oriented gap analysis
B. Interviews with business process stakeholders
C. A mapping of compliance requirements to policies and procedures
D. A compliance-oriented business impact analysis (BIA)
D
Which of the following is the BEST way to ensure that an accurate
risk register is maintained over time?
A. Monitor key risk indicators (KRIs), and record the findings in the
risk register.
B. Publish the risk register centrally with workflow features that
periodically poll risk assessors.
C. Distribute the risk register to business process owners for review
and updating.
D. Utilize audit personnel to perform regular audits and to maintain
the risk register.
B
Shortly after performing the annual review and revision of corporate
policies, a risk practitioner becomes aware that
a new law may affect security requirements for the human resources
system. The risk practitioner should:
A. analyze what systems and technology-related processes may be
impacted.
B. ensure necessary adjustments are implemented during the next
review cycle.
C. initiate an ad hoc revision of the corporate policy.
D. notify the system custodian to implement changes.
A
Which of the following is the PRIMARY objective of a risk management
program?
A. Maintain residual risk at an acceptable level
B. Implement preventive controls for every threat
C. Remove all inherent risk
D. Reduce inherent risk to zero
A
Assessing information systems risk is BEST achieved by:
A. using the enterprise's past actual loss experience to determine
current exposure.
B. reviewing published loss statistics from comparable organizations.
C. evaluating threats associated with existing information systems
assets and information systems projects.
D. reviewing information systems control weaknesses identified in
audit reports.
C
Which of the following is the MOST important requirement for setting
up an information security infrastructure for
a new system?
A. Performing a business impact analysis (BIA)
B. Considering personal devices as part of the security policy
C. Basing the information security infrastructure on a risk
assessment
D. Initiating IT security training and familiarization
C
The PRIMARY concern of a risk practitioner reviewing a formal data
retention policy is:
A. storage availability.
B. applicable organizational standards.
C. generally accepted industry best practices.
D. business requirements.
D
Which of the following areas is MOST susceptible to the introduction
of an information-security-related vulnerability?
A. Tape backup management
B. Database management
C. Configuration management
D. Incident response management
C
Which of the following is the GREATEST risk of a policy that
inadequately defines data and system ownership?
A. Audit recommendations may not be implemented.
B. Users may have unauthorized access to originate, modify or delete
data.
C. User management coordination does not exist.
D. Specific user accountability cannot be established.
B

A lack of adequate controls represents:
A. a vulnerability.
B. an impact.
C. an asset.
D. a threat.
A
The PRIMARY focus of managing IT-related business risk is to protect:
A. information.
B. hardware.
C. applications.
D. databases.
A
Which of the following provides the BEST view of risk management?
A. An interdisciplinary team
B. A third-party risk assessment service provider
C. The enterprise's IT department
D. The enterprise's internal compliance department
A
Which of the following approaches to corporate policy BEST supports
an enterprise's expansion to other regions,
where different local laws apply?
A. A global policy that does not contain content that might be
disputed at a local level
B. A global policy that is locally amended to comply with local laws
C. A global policy that complies with law at corporate headquarters
and that all employees must follow
D. Local policies to accommodate laws within each region
B
Which of the following is the BEST indicator that incident response
training is effective?
A. Decreased reporting of security incidents to the incident response
team
B. Increased reporting of security incidents to the incident response
team
