When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?

• A.Updating the IT risk registry
• B.Insuring against the risk
• C.Outsourcing the related business process to a third party
• D.Improving staff-training in the risk area

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the BEST source for identifying key control indicators (KCIs)?

• A.Privileged user activity monitoring controls
• B.Recent audit findings of control weaknesses
• C.Controls mapped to organizational risk scenarios
• D.A list of critical security processes

Comment: *

Name: *

Email: *

Verification: *

An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

• A.chief risk officer.
• B.project manager.
• C.chief information officer.
• D.business process owner.

Comment: *

Name: *

Email: *

Verification: *

The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

• A.identify vulnerabilities in the system.
• B.verify Internet firewall control settings.
• C.assess the proliferation of new threats.
• D.ensure policy and regulatory compliance.

Comment: *

Name: *

Email: *

Verification: *

Which of the following comes under phases of risk management?

• A.Assessing risk
• B.Prioritization of risk
• C.Identify risk
• D.Monitoring risk
• E.Developing risk

Correct Answer: A,B,C,D

Section: Volume D
Explanation:
Risk management provides an approach for individuals and groups to make a decision on how to deal with potentially harmful situations.
Following are the four phases involved in risk management:
1. Risk identification: The first thing we must do in risk management is to identify the areas of the project where the risks can occur.
This is termed as risk identification. Listing all the possible risks is proved to be very productive for the enterprise as we can cure them before it can occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them.
2. Risk Assessment and Evaluation: Risk assessment use quantitative and qualitative analysis approaches to evaluate each significant risk identified.
3. Risk Prioritization and Response: As many risks are being identified in an enterprise, it is best to give each risk a score based on its likelihood and significance in form of ranking. This concludes whether the risk with high likelihood and high significance must be given greater attention as compared to similar risk with low likelihood and low significance. Hence, risks can be prioritized and appropriate responses to those risks are created.
4. Risk Monitoring: Risk monitoring is an activity which oversees the changes in risk assessment. Over time, the likelihood or significance originally attributed to a risk may change. This is especially true when certain responses, such as mitigation, have been made.

Comment: *

Name: *

Email: *

Verification: *