Section: Volume C Explanation: All risks, whether residual or not, are determined by risk assessment. Incorrect Answers: A: Determining the remaining vulnerabilities after countermeasures are in place says nothing about threats, so risk cannot be determined from that alone. B: Transferring all the risks is not relevant to determining residual risk; it is one of the methods of risk management. C: Risk cannot be determined by threat analysis alone, regardless of whether it is residual or not.
Question 227
Which of the following is NOT true of risk management capability maturity level 1?
Correct Answer: B
Section: Volume A Explanation: An enterprise at risk management capability maturity level 0 makes decisions without credible information about risk. At level 1 the enterprise makes decisions on the basis of credible risk information. Incorrect Answers: A, C, D: An enterprise's risk management capability maturity level is 1 when:
* There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
* Risk identification criteria vary widely across the enterprise.
* Risk appetite and tolerance are applied only during episodic risk assessments.
* Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
* Risk management skills exist on an ad hoc basis but are not actively developed.
* Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.
Question 228
For the first time, the procurement department has requested that IT grant remote access to third-party suppliers. Which of the following is the BEST course of action for IT in responding to the request?
Correct Answer: A
Section: Volume D
Question 229
Which of the following controls focuses on operational efficiency in a functional area while adhering to management policies?
Correct Answer: C
Explanation: Administrative control is one of the objectives of internal control and is concerned with ensuring operational efficiency and compliance with management policies. Incorrect Answers: A: It controls accounting operations, including safeguarding assets and financial records. B: Detective control simply detects and reports on the occurrence of an error, omission or malicious act. D: It focuses on day-to-day operations, functions and activities, and ensures that all of the organization's objectives are being accomplished.
Question 230
Qualitative risk assessment uses which of the following terms for evaluating risk level? Each correct answer represents a part of the solution. Choose two.
Correct Answer: A,C
Section: Volume D Explanation: Unlike quantitative risk assessment, qualitative risk assessment does not assign dollar values. Instead, it determines the risk level from the probability and impact of a risk, with the values derived from the opinions of experts.
* Probability: establishing the likelihood of occurrence and recurrence of specific risks, independently and in combination. A risk materializes when a threat exploits a vulnerability. A scale is defined for the probability that a risk will occur; it can be based on word values such as Low, Medium or High, and percentages can be assigned to those words, such as 10% to Low and 90% to High.
* Impact: identifies the magnitude of identified risks. The risk leads to some type of loss, but instead of quantifying the loss as a dollar value, an impact assessment can use words such as Low, Medium or High. Impact is expressed as a relative value; for example, Low could be 10, Medium 50 and High 100.
Risk level = Probability * Impact
Incorrect Answers: B, D: These are used for calculating annual loss expectancy (ALE) in quantitative risk assessment. The formula is: ALE = SLE * ARO
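The two formulas above, worked as an added example (not part of the original question bank): a small Python scorer that maps the word scales to the numeric values given in the explanation, computes Risk level = Probability * Impact for a register of risks, ranks them, and places the quantitative ALE = SLE * ARO beside it for contrast. The Medium probability of 50%, the band thresholds, the sample register entries and the SLE/ARO figures are assumptions made for this example.

```python
"""Qualitative risk scoring (Risk level = Probability * Impact) next to the
quantitative ALE = SLE * ARO formula from the explanation above."""

# Word scales from the explanation: probability as percentages (Low 10%,
# Medium 50%, High 90%) and impact as relative values (Low 10, Medium 50,
# High 100). Medium probability = 50% is an assumption; the text gives only
# the Low and High percentages.
PROBABILITY_PCT = {"Low": 10, "Medium": 50, "High": 90}
IMPACT_VALUE = {"Low": 10, "Medium": 50, "High": 100}


def qualitative_risk_level(probability: str, impact: str) -> float:
    """Risk level = Probability * Impact on the ordinal scales above.

    Unknown labels raise ValueError so a typo in a risk register fails loudly
    instead of scoring as zero and sinking to the bottom of the ranking.
    """
    if probability not in PROBABILITY_PCT or impact not in IMPACT_VALUE:
        raise ValueError(f"unknown scale label: {probability!r}/{impact!r}")
    # Integer arithmetic first, then one division, so results are exact.
    return PROBABILITY_PCT[probability] * IMPACT_VALUE[impact] / 100


def risk_band(level: float) -> str:
    """Map a numeric risk level back to a word rating.

    Thresholds are assumed for this example: the nine possible products
    (1, 5, 5, 9, 10, 25, 45, 50, 90) are split three ways.
    """
    if level >= 45:
        return "High"
    if level >= 9:
        return "Medium"
    return "Low"


def rank_register(register):
    """Score (name, probability, impact) entries, highest risk first.

    Returns (name, level, band) tuples. The ordering is the useful output of
    a qualitative assessment: the numbers are ordinal, not dollar amounts,
    so they support ranking but not budget comparisons.
    """
    scored = [(name, qualitative_risk_level(p, i)) for name, p, i in register]
    return sorted(((n, lvl, risk_band(lvl)) for n, lvl in scored),
                  key=lambda entry: entry[1], reverse=True)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Quantitative counterpart: ALE = SLE * ARO, a dollar amount per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


# Constructed sample risk register (not from the original page).
SAMPLE_REGISTER = [
    ("Unpatched VPN appliance", "High", "High"),
    ("Lost unencrypted laptop", "Medium", "Medium"),
    ("Third-party remote access misuse", "Medium", "High"),
    ("Printer firmware bug", "Low", "Low"),
]

if __name__ == "__main__":
    for name, level, band in rank_register(SAMPLE_REGISTER):
        print(f"{band:6} {level:5.1f}  {name}")
    # Constructed quantitative figures: SLE $250,000, ARO 0.1 (once a decade).
    print("ALE:", annual_loss_expectancy(250_000, 0.1))
```

Running the script prints the register ordered High, High, Medium, Low, which is what an exam answer of "probability and impact" produces in practice; the ALE line shows the quantitative result is a currency figure that can be compared with a countermeasure's annual cost, whereas the qualitative levels can only be compared with each other.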