Domain 3 – Risk Response and Mitigation

R3-1. Because of its importance to the business, an enterprise wants to quickly implement a technical solution that deviates from the company’s policies. The risk practitioner should:

A. recommend against implementation because it violates the company’s policies.
B. recommend revision of current policy.
C. conduct a risk assessment and allow or disallow based on the outcome.
D. recommend a risk assessment and subsequent implementation only if residual risk is accepted.

D. A risk assessment should be conducted to clarify the risk whenever the company’s policies cannot be followed. The solutions should only be implemented if the related risk is formally accepted by the business.
R3-2. When proposing the implementation of a specific risk mitigation activity, a risk practitioner PRIMARILY utilizes a:

A. technical evaluation report.
B. business case.
C. vulnerability assessment report.
D. budgetary requirements.

B. A manager needs to base the proposed risk response on the risk evaluation, the business need (new product, changes in process, compliance need, etc.) and the requirements of the enterprise (new technology, cost, etc.). The manager must look at the costs of the various controls and compare them against the benefit that the organization will receive from the risk response. The manager needs to have knowledge of business case development to illustrate the costs and benefits of the risk response.
R3-3. Risk management programs are designed to reduce risk to:

A. the point at which the benefit exceeds the expense.
B. a level that is too small to be measurable.
C. a rate of return that equals the current cost of capital.
D. a level that the enterprise is willing to accept.

D. Risk should be reduced to a level that an organization is willing to accept.
R3-4. Whether a risk has been reduced to an acceptable level should be determined by:

A. IS requirements.
B. information security requirements.
C. international standards.
D. organizational requirements.

D. Organizational requirements should determine when a risk has been reduced to an acceptable level.
R3-5. Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level?

A. Eliminate the risk.
B. Accept the risk.
C. Transfer the risk.
D. Implement countermeasures.

C. Typically, when the probability of an incident is low but the impact is high, risk is transferred to insurance companies. Examples include hurricanes, tornadoes and earthquakes. While an enterprise cannot technically transfer risk, transferring risk describes a risk response in which an enterprise is indemnified against the impact of the realized risk.
R3-6. A risk response report includes recommendations for:

A. acceptance.
B. assessment.
C. evaluation.
D. quantification.

A. Acceptance of a risk is an alternative to be considered in the risk response process.
R3-7. Which of the following is minimized when acceptable risk is achieved?

A. Transferred risk
B. Control risk
C. Residual risk
D. Inherent risk

C. After putting into place an effective risk management program, the remaining risk is called residual risk. Acceptable risk is achieved when residual risk is minimized.
R3-8. A global financial institution has decided not to take any further action on a denial-of-service (DoS) vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that:

A. the needed countermeasure is too complicated to deploy.
B. there are sufficient safeguards in place to prevent this risk from happening.
C. the likelihood of the risk occurring is unknown.
D. the cost of countermeasure outweighs the value of the asset and potential loss.

D. An enterprise may decide to accept a specific risk because the protection would cost more than the potential loss.
R3-9. Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

A. The approved budget of the project
B. The frequency of incidents
C. The annual loss expectancy (ALE) of incidents
D. The total cost of ownership (TCO)

D. Total cost of ownership (TCO) is the most relevant piece of information to be included in the cost-benefit analysis because it establishes a cost baseline that must be considered for the full life cycle of the control.
R3-10. In the risk management process, a cost-benefit analysis is MAINLY performed:

A. as part of an initial risk assessment.
B. as part of risk response planning.
C. during an information asset valuation.
D. when insurance is calculated for risk transfer.

B. In risk response, a range of controls will be identified that can mitigate the risk; however, a cost-benefit analysis in this process will help identify the right controls that will address the risk at acceptable levels within the budget.
R3-11. During a risk management exercise, an analysis was conducted on the identified risk and mitigations were identified. Which choice BEST reflects residual risk?

A. Risk left after the implementation of new or enhanced controls.
B. Risk mitigated as a result of the implementation of new or enhanced controls.
C. Risk identified prior to implementation of new or enhanced controls.
D. Risk classified as high after the implementation of new or enhanced controls.

A. The classic definition of residual risk is any risk left after appropriate controls have been implemented to mitigate the target risk.
R3-12. Which of the following choices will BEST protect the enterprise from financial risk?

A. Insuring against the risk.
B. Updating the risk registry.
C. Improving staff training in the risk area.
D. Outsourcing the process to a third party.

A. An insurance policy can compensate the enterprise up to 100 percent.
R3-13. After the completion of a risk assessment, it is determined that the cost to mitigate the risk is much greater than the benefit to be derived. A risk practitioner should recommend to business management that the risk be:

A. treated.
B. terminated.
C. accepted.
D. transferred.

C. When the cost of control is more than the cost of the potential impact, the risk should be accepted.
R3-14. A PRIMARY reason for initiating a policy exception process is when:

A. the risk is justified by the benefit.
B. policy compliance is difficult to enforce.
C. operations are too busy to comply.
D. users may initially be inconvenienced.

A. Exceptions to policy are warranted in circumstances in which the benefits outweigh the costs of policy compliance; however, the enterprise needs to assess both the tangible and intangible risk and assess those against existing risk.
R3-15. A risk practitioner receives a message late at night that critical IT equipment will be delivered several days late due to flooding. Fortunately, a reciprocal agreement exists with another company for replacement until the equipment arrives. This is an example of risk:

A. transfer.
B. avoidance.
C. acceptance.
D. mitigation.

D. Risk mitigation attempts to reduce the impact when a risk event occurs. Making plans such as a reciprocal arrangement with another company reduces the consequence of the risk event.
R3-16. Which of the following would BEST help an enterprise select an appropriate risk response?

A. The degree of change in the risk environment
B. An analysis of risk that can be transferred were it not eliminated
C. The likelihood and impact of various risk scenarios
D. An analysis of control costs and benefits

D. An analysis of costs and benefits for controls helps an enterprise understand if it can mitigate the risk to an acceptable level.
R3-17. Which of the following leads to the BEST optimal return on security investment?

A. Deploying maximum security protection across all of the information assets
B. Focusing on the most important information assets and then determining their protection
C. Deploying minimum protection across all the information assets
D. Investing only after a major security incident is reported to justify investment

B. To optimize return on security investment, the primary focus should be identifying the important information assets and protecting them appropriately to optimize investment (i.e., important information assets get more protection than less important or critical assets).
R3-18. As part of fire drill testing, designated doors swing open, as planned, to allow employees to leave the building faster. An observer notices that this practice allows unauthorized personnel to enter the premises unnoticed. The BEST way to alter the process is to:

A. stop the designated doors from opening automatically in case of a fire.
B. include the local police force to guard the doors in case of fire.
C. instruct the facilities department to guard the doors and have staff show their badge when exiting the building.
D. assign designated personnel to guard the doors once the alarm sounds.

D. Unless there are designated personnel monitoring each door from the time the alarm sounds, there is no way to prevent unauthorized individuals from entering the building while employees are exiting.
R3-19. During a quarterly interdepartmental risk assessment, the IT operations center indicates a heavy increase of malware attacks. Which of the following recommendations to the business is MOST appropriate?

A. Contract with a new anti-malware software vendor because the current solution seems ineffective.
B. Close down the Internet connection to prevent employees from visiting infected web sites.
C. Make the number of malware attacks part of each employee’s performance metrics.
D. Increase employee awareness training, including end-user roles and responsibilities.

D. Employee awareness training will help the enterprise avoid, and more quickly detect, malware attacks, particularly when staff understand the typical symptoms and are knowledgeable about the incident reporting process.
R3-20. In a situation where the cost of anti-malware exceeds the loss expectancy of malware threats, what is the MOST viable risk response?

A. Risk elimination
B. Risk acceptance
C. Risk transfer
D. Risk mitigation

B. When the cost of a risk response (i.e., the implementation of anti-malware) exceeds the loss expectancy, the most viable risk response is risk acceptance.
R3-21. Which of the following is a behavior of risk avoidance?

A. Take no action against the risk.
B. Outsource the related process.
C. Insure against a specific event.
D. Exit the process that gives rise to risk.

D. Avoidance means exiting the activities or conditions that give rise to the risk. Risk avoidance applies when no other risk response is adequate. Some IT-related examples of risk avoidance may include relocating a data center away from a region with significant natural hazards or declining to engage in a very large project when the business case shows a notable risk of failure.
R3-22. Which of the following is MOST important for determining what security measures to put in place for a critical information system?

A. The number of threats to the system
B. The level of acceptable risk to the enterprise
C. The number of vulnerabilities in the system
D. The existing security budget

B. Determining the level of acceptable risk will allow the enterprise to determine the security measures to put in place.
R3-23. A chief information security officer (CISO) has recommended several controls such as anti-malware to protect the enterprise’s information systems. Which approach to handling risk is the CISO recommending?

A. Risk transference
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance

B. By implementing controls, the company is trying to decrease risk to an acceptable level, thereby mitigating risk.
R3-24. Obtaining senior management commitment and support for information security investments can BEST be accomplished by a business case that:

A. explains the technical risk to the enterprise.
B. includes industry good practices as they relate to information security.
C. details successful attacks against a competitor.
D. ties security risk to organizational business objectives.

D. Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives.
R3-25. Acceptable risk for an enterprise is achieved when:

A. transferred risk is minimized.
B. control risk is minimized.
C. inherent risk is minimized.
D. residual risk is within tolerance levels.

D. Residual risk is the risk that remains after all controls have been applied; therefore, acceptable risk is achieved when residual risk is aligned with the enterprise risk appetite.
R3-26. A procurement employee notices that new printer models offered by the vendor keep a copy of all printed documents on a built-in hard disk. Considering the risk of unintentionally disclosing confidential data, the employee should:

A. proceed with the order and configure printers to automatically wipe all the data on the disks after each print job.
B. notify the security manager to conduct a risk assessment for the new equipment.
C. seek another vendor that offers printers without built-in hard disk drives.
D. procure printers with built-in hard disks and notify staff to wipe hard disks when decommissioning the printer.

B. Risk assessment is the most appropriate answer because it will result in risk mitigation techniques that are appropriate for organizational risk context and appetite.
R3-27. Which of the following situations is BEST addressed by transferring risk?

A. An antiquated fire suppression system in the computer room
B. The threat of disgruntled employee sabotage
C. The possibility of the loss of a universal serial bus (USB) removable media drive
D. A building located in a 100-year flood plain

D. Purchasing an insurance policy transfers the risk of a flood. Risk transfer is the process of assigning risk to another entity, usually through the purchase of an insurance policy or outsourcing the service.
R3-28. SCENARIO 2 – The chief information officer (CIO) of an enterprise has just received this year’s IT security audit report. The report shows numerous open vulnerability findings on both business-critical and non-business-critical information systems. The CIO briefed the chief executive officer (CEO) and board of directors on the findings and expressed his concern on the impact to the enterprise. He was informed that there are not enough funds to mitigate all of the findings from the report.

The chief information officer (CIO) should respond to the findings identified in the IT security audit report by mitigating:

A. the most critical findings on both the business-critical and non-business-critical systems.
B. all vulnerabilities on business-critical information systems first.
C. the findings that are the least expensive to mitigate first to save funds.
D. the findings that are the most expensive to mitigate first and leave all others until more funds become available.

B. Mitigating vulnerabilities on business-critical information systems should be completed first to ensure that the business can continue to operate.
R3-29. SCENARIO 2 – The chief information officer (CIO) of an enterprise has just received this year’s IT security audit report. The report shows numerous open vulnerability findings on both business-critical and non-business-critical information systems. The CIO briefed the chief executive officer (CEO) and board of directors on the findings and expressed his concern on the impact to the enterprise. He was informed that there are not enough funds to mitigate all of the findings from the report.

Assuming that the chief information officer (CIO) is unable to address all of the findings, how should the CIO deal with any findings that remain after available funds have been spent?

A. Create a plan of actions and milestones for open vulnerabilities.
B. Shut down the information systems with the open vulnerabilities.
C. Reject the risk on the open vulnerabilities.
D. Implement compensating controls on the systems with open vulnerabilities.

A. Creating a plan of actions and milestones ensures that there is a plan to mitigate the remaining vulnerabilities over time. It will also identify the order in which the vulnerabilities should be mitigated with target dates for mitigation.
R3-30. Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?

A. The telecommunications costs may be much higher in the first year.
B. Privacy laws may prevent a cross-border flow of information.
C. Time zone differences may impede communications between IT teams.
D. Software development may require more detailed specifications.

B. Privacy laws prohibiting the cross-border flow of personally identifiable information (PII) may make it impossible to locate a data warehouse containing customer information in another country.
R3-31. Which of the following is the MOST important factor when designing IS controls in a complex environment?

A. Development methodologies
B. Scalability of the solution
C. Technical platform interfaces
D. Stakeholder requirements

D. The most important factor when designing IS controls is that they advance the interest of the business by addressing stakeholder requirements.
R3-32. A global enterprise that is subject to regulation by multiple governmental jurisdictions with differing requirements should:

A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. bring all locations into conformity with a generally accepted set of industry good practices.
C. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
D. establish baseline standards for all locations and add supplemental standards as required.

D. It is more efficient to establish a baseline standard and then develop additional standards for locations that must meet specific requirements.
R3-33. The person responsible for ensuring that information is classified is the:

A. security manager.
B. technology group.
C. data owner.
D. senior management.

C. The data owner is responsible for applying the proper classification to the data.
R3-34. When transmitting personal information across networks, there MUST be adequate controls over:

A. encrypting the personal information.
B. obtaining consent to transfer personal information.
C. ensuring the privacy of the personal information.
D. change management.

C. Privacy protection is necessary to ensure that the receiving party has the appropriate level of protection of personal data.
R3-35. Which of the following BEST addresses the risk of data leakage?

A. Incident response procedures
B. File backup procedures
C. Acceptable use policies (AUPs)
D. Database integrity checks

C. Acceptable use policies (AUPs) are the best measure for preventing the unauthorized disclosure of confidential information.
R3-36. Which of the following devices should be placed within a demilitarized zone (DMZ)?

A. An authentication server
B. A mail relay
C. A firewall
D. A router

B. A mail relay should normally be placed within a DMZ to shield the internal network.
R3-37. Which of the following controls within the user provision process BEST enhances the removal of system access for contractors and other temporary users when it is no longer required?

A. Log all account usage and send it to their manager.
B. Establish predetermined, automatic expiration dates.
C. Ensure that each individual has signed a security acknowledgement.
D. Require managers to email security when the user leaves.

B. Predetermined expiration dates are the most effective means of removing system access for temporary users.
R3-38. Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?

A. Symmetric cryptography
B. Message hashing
C. Message authentication code
D. Public key infrastructure (PKI)

D. Public key infrastructure (PKI) combines public key encryption with a trusted third party to publish and revoke digital certificates that contain the public key of the sender. Senders can digitally sign a message with their private key and attach their digital certificate (provided by the trusted third party). These characteristics allow senders to provide authentication, integrity validation and nonrepudiation.
R3-39. Which of the following will BEST prevent external security attacks?

A. Securing and analyzing system access logs
B. Network address translation
C. Background checks for temporary employees
D. Static Internet protocol (IP) addressing

B. Network address translation is helpful by having internal addresses that are nonroutable.
R3-40. Which of the following is the BEST control for securing data on mobile universal serial bus (USB) drives?

A. Requiring authentication when using USB devices
B. Prohibiting employees from copying data to USB devices
C. Encrypting USB devices
D. Limiting the use of USB devices

C. Encryption provides the most effective protection of data on mobile devices.
R3-41. When configuring a biometric access control system that protects a high-security data center, the system’s sensitivity level should be set to:

A. a lower equal error rate (EER).
B. a higher false acceptance rate (FAR).
C. a higher false reject rate (FRR).
D. the crossover error rate exactly.

C. Biometric access control systems are not infallible. When tuning the solution for a high-security data center, the sensitivity level should be adjusted to give preference to a higher FRR (type I error rate), so that the system will be more prone to falsely rejecting access to a valid user than to falsely granting access to an invalid user. In a very sensitive system, it may be desirable to minimize the number of false accepts – the number of unauthorized people allowed access. To do this, the system is tuned to be more sensitive, which causes the false rejects to increase – the number of authorized people not allowed access.
R3-42. Which of the following is the MOST effective measure to protect data held on mobile computing devices?

A. Protection of data being transmitted
B. Encryption of stored data
C. Power-on passwords
D. Biometric access control

B. Encryption of stored data will help ensure that the actual data cannot be recovered without the encryption key.
R3-43. Which of the following is MOST useful in managing increasingly complex deployments?

A. Policy development
B. A security architecture
C. Senior management support
D. A standards-based approach

B. Deploying complex security initiatives and integrating a range of diverse projects and activities is more easily managed with the overview and relationships provided by a security architecture.
R3-44. Business continuity plans (BCPs) should be written and maintained by:

A. the information security and information technology functions.
B. representatives from all functional units.
C. the risk management function.
D. executive management.

B. Business continuity planning is an enterprise-wide activity; it is only successful if all business owners collaborate in the development, testing and maintenance of the plan.
R3-45. Which of the following is a control designed to prevent segregation of duties (SoD) violations?

A. Enabling IT audit trails
B. Implementing two-way authentication
C. Reporting access log violations
D. Implementing role-based access

D. Implementing role-based access is a preventive method to mitigate SoD violations. All access levels can be adjusted according to the current role of the user, thus avoiding approvals of self-initiated transactions.
R3-46. System backup and restore procedures can BEST be classified as:

A. Technical controls
B. Detective controls
C. Corrective controls
D. Deterrent controls

C. Corrective controls remediate vulnerabilities. If a system suffers harm so extensive that processing cannot continue, backup and restore procedures enable that system to be recovered. This is a corrective measure that remediates the vulnerabilities of that system.
R3-47. Which of the following system development life cycle (SDLC) stages is MOST suitable for incorporating internal controls?

A. Development
B. Testing
C. Implementation
D. Design

D. Internal controls should be incorporated in the new system at the earliest stage possible (i.e., at the design stage).
R3-48. An enterprise has outsourced personnel data processing to a supplier, and a regulatory violation occurs during processing. Who will be held legally responsible?

A. The supplier, because it has the operational responsibility
B. The enterprise, because it owns the data
C. The enterprise and the supplier
D. The supplier, because it did not comply with the contract

B. The enterprise retains responsibility for the management of, and adherence to, policies, procedures and regulatory requirements. If the supplier fails to provide appropriate controls and/or performance based on the contract terms, the enterprise may have legal recourse. However, the regulatory authority will generally hold the enterprise responsible for failure to comply with regulations, including any penalties that may result.
R3-49. Which of the following provides the formal authorization on user access?

A. Database administrator
B. Data owner
C. Process owner
D. Data custodian

B. The data owner provides the formal authorization to grant access in response to a user request.
R3-50. To determine the level of protection required for securing personally identifiable information, a risk practitioner should PRIMARILY consider the information:

A. source.
B. cost.
C. sensitivity.
D. validity.

C. Sensitivity of the information is the correct answer because the sensitive nature of the information takes precedence over source, cost or reliability.
R3-51. Risk assessments are MOST effective in a software development organization when they are performed:

A. before system development begins.
B. during system deployment.
C. during each stage of the system development life cycle (SDLC).
D. before developing a business case.

C. Performing risk assessments at each stage of the system development life cycle (SDLC) is the most cost-effective way because it ensures that flaws are caught as soon as they occur.
R3-52. Security technologies should be selected PRIMARILY on the basis of their:

A. evaluation in security publications.
B. compliance with industry standards.
C. ability to mitigate risk to organizational objectives.
D. cost compared to the enterprise’s IT budget.

C. The most fundamental evaluation criterion for the selection of security technology is its ability to reduce risk.
R3-53. Which of the following groups would be the MOST effective in managing and executing an organization’s risk program?

A. Mid-level management
B. Senior management
C. Frontline employees
D. The incident response team

A. Mid-level management staff are best placed to manage and execute an organization’s risk management program because they are the most centrally located within the organizational hierarchy and they combine a sufficient breadth of influence with adequate proximity to day-to-day operations.
R3-54. Strong authentication is:

A. an authentication technique formally approved by a standardized organization.
B. the simultaneous use of several authentication techniques (e.g., password and badge).
C. an authentication system that makes use of cryptography.
D. an authentication system that uses biometric data to identify a person (e.g., a fingerprint).

B. Authentication is the process of proving to someone that you are who you say you are – a guarantee of the sender’s identity or origin. Because a third party vouches for the sender’s identity, the recipient can rely on the authenticity of any transaction or message signed by that user. Strong authentication requires both something you know AND either something you have or are.
Three classic methods of authentication are:
– Something you know – passwords, the combination to a safe
– Something you have – keys, tokens, badges
– Something you are – physical traits, such as fingerprints, signature, iris pattern, keystroke patterns
R3-55. The board of directors of a one-year-old start-up company has asked their chief information officer (CIO) to create all of the enterprise’s IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all of the IT decisions for the enterprise, including those related to the technology budget. The IT steering committee will be BEST represented by:

A. members of the executive board.
B. high-level members of the IT department.
C. IT experts from outside of the enterprise.
D. key members from each department.

D. The IT steering committee should be comprised of individuals from each department to ensure that the entire enterprise is represented and that all business objectives are more likely to be met.
R3-56. Information security procedures should:

A. be updated frequently as new software is released.
B. underline the importance of security governance.
C. define the allowable limits of behavior.
D. describe security baselines for each platform.

A. Often, security procedures have to change frequently to keep up with changes in software. Because a procedure is a how-to document, it must be kept up-to-date with frequent changes in software.
R3-57. Security administration efforts are BEST reduced through the deployment of:

A. access control lists (ACLs).
B. discretionary access controls (DACs).
C. mandatory access controls (MACs).
D. role-based access controls (RBACs).

D. Role-based access controls (RBACs) tie individuals to specific roles. The use of roles, hierarchies and constraints to organize privileges reduces the security administration effort when individuals change positions. RBACs are also known as nondiscretionary access controls.
R3-58. Which of the following is the BEST approach when malicious code from a spear phishing attack resides on the network and the finance department is concerned that scanning the network will slow down work and delay quarter-end reporting?

A. Instruct finance to finalize quarter-end reporting, and then perform a scan of the entire network.
B. Block all outgoing traffic to avoid outbound communication to the expecting command host.
C. Scan network devices that are not supporting financial reporting, and then scan the critical financial drives at night.
D. Perform a staff survey and ask staff to report if they are aware of the enterprise being a target of a spear phishing attack.

C. Implementing an incremental scanning approach helps confirm the potential risk while allowing the business unit responsible for financial reporting to conduct its operations with minimal interference.
R3-59. Which of the following is the BEST option to ensure that corrective actions are taken after a risk assessment is performed?

A. Conduct a follow-up review.
B. Interview staff member(s) responsible for implementing the corrective action.
C. Ensure that an organizational executive documents that the corrective action was taken.
D. Run a monthly report and verify that the corrective action was taken.

A. Conducting a follow-up review is correct because it is the only option that ensures that the corrective action was taken.
R3-60. Which of the following BEST ensures that the appropriate mitigation occurs on identified information systems vulnerabilities?

A. Presenting root cause analysis to the management of the organization
B. Implementing software to input the action points
C. Incorporating the findings in the annual report to shareholders
D. Assigning action plans with deadlines to responsible personnel

D. Assigning mitigation to personnel establishes responsibility for its completion within the deadline.
R3-61. Which of the following BEST ensures that information systems control deficiencies are appropriately remediated?

A. A risk mitigation plan
B. Risk reassessment
C. Control risk reevaluation
D. Countermeasure analysis

A. Once risk is identified due to current IS control deficiencies, a risk mitigation plan will have the set of controls with a detailed plan, including countermeasures that can best help in risk remediation to an appropriate level.
R3-62. Which organizational function is accountable for risk policies, guidelines and standards?

A. Operations
B. IT
C. Management
D. Legal

C. Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an enterprise’s mission. Management controls focus on the stipulation of information protection policy, guidelines and standards, which are carried out through operational procedures to fulfill the enterprise’s goals and missions.
R3-63. The risk action plan MUST include an appropriate resolution, a date for completion and:

A. responsible personnel.
B. mitigating factors.
C. likelihood of occurrence.
D. cost of completion.

A. Risk response activities must be assigned to the responsible person or group; if this is not included, it will be unclear who will implement the countermeasure.
R3-64. Risk response should focus on which of the following?

A. Destruction of obsolete computer equipment
B. Theft of a smart phone from an office
C. Sanitization and reuse of a flash drive
D. Employee deletion of a file

B. Disposal of data should be addressed in the IT operations function. Risk response should focus on nonoperational data disposal (loss or theft). Theft of a smart phone is an example of a risk that should be addressed by an appropriate response such as a remote wipe.
R3-65. Which of the following risk response options is MOST likely to increase the liability of the enterprise?

A. Risk acceptance
B. Risk reduction
C. Risk transfer
D. Risk avoidance

A. An enterprise may choose to accept risk without knowing the correct level of risk that is being accepted; this may result in accusations of negligence.
R3-66. Which of the following is the BEST reason an enterprise would decide not to reduce an identified risk?

A. There is no regulatory requirement to reduce the risk.
B. The inherent risk of the related business process is low.
C. The potential gain outweighs the risk.
D. The cost of reducing the risk exceeds the budget.

C. Risk is not the main driver for the business/enterprise decision process. The business will accept the risk when it is determined that the potential opportunities may yield a higher return in revenue and/or gain in market share compared to risk.
R3-67. An enterprise decides to address risk associated with an IT project by outsourcing part of the IT activities to a third party with a specialized skill set. In relation to the project itself, this is an example of:

A. risk transfer.
B. risk avoidance.
C. risk acceptance.
D. risk mitigation.

D. Outsourcing part of an activity in itself does not transfer risk; the risk remains with the enterprise. However, when specific activities are outsourced to an entity with a specialized skill set, the inherent risk of the activity is reduced.
R3-68. Which of the following BEST helps to respond to risk in a cost-effective manner?

A. Prioritizing and addressing risk according to the risk management strategy
B. Mitigating risk on the basis of risk likelihood and magnitude of impact
C. Performing countermeasure analysis for each of the controls deployed
D. Selecting controls that are at zero or near-zero costs

A. If risk is prioritized and addressed in line with the risk treatment strategy, it balances the costs and benefits of managing the IT risk.
R3-69. Which of the following BEST assists in the development of the risk profile?

A. The presence of preventive and detective controls
B. Inherent risk and detection risk
C. Cost-benefit analysis of controls
D. Likelihood and impact of risk

D. Likelihood and impact of risk in itself helps in the development of the risk profile.
R3-70. Which of the following can BEST be used as a basis for recommending a data leak prevention (DLP) device as a security control?

A. Benchmarking with peers on DLP deployment
B. A business case for DLP to protect data
C. Evaluation report of popular DLP solutions
D. DLP scenario in risk register

B. A business case with costs versus benefits provides the business reasoning why the data leak prevention (DLP) solution addresses the risk and explains how the risk losses could be reduced if the data were leaked.
R3-71. Which of the following is BEST performed for business continuity management to meet external stakeholder expectations?

A. Prioritize applications based on business criticality.
B. Ensure that backup data are available to be restored.
C. Disclose the crisis management strategy statement.
D. Obtain risk assessment by an independent party.

A. External parties (such as customers) expect that their information assets are secured. To meet this goal, it is strategically important to prioritize applications based on business criticality. With this approach, their expectations can be maximized with the use of limited resources.
R3-72. When the risk related to a specific business process is greater than the potential opportunity, the BEST risk response is:

A. transfer.
B. acceptance.
C. mitigation.
D. avoidance.

D. Risk avoidance is the process for systematically avoiding risk, constituting one approach to managing risk.
R3-73. Which of the following should management use to allocate resources for risk response?

A. Audit report findings
B. Penetration test results
C. Risk analysis results
D. Vulnerability test results

C. Risk analysis results provide a basis for prioritization of risk responses and the allocation of resources.
R3-74. Which of the following BEST identifies changes in an enterprise’s risk profile?

A. The risk register
B. Risk classification
C. Changes in risk indicator thresholds
D. Updates to the control inventory

A. The risk register is the central document to identify changes in an enterprise’s risk profile.
R3-75. Which of the following BEST identifies controls addressing risk related to cloud computing?

A. Data encryption, tenant isolation, controlled change management
B. Data encryption, customizing the application template, creating and importing custom widgets
C. Selecting an open standards-based technology, data encryption, tenant isolation
D. Tenant isolation, controlled change management, creating and importing custom widgets

A. One of the baseline controls – encryption – enables keeping data separate from other tenants. Tenant isolation, as opposed to commingling tenants, is a basic way of keeping data separate from multiple tenants. Having a controlled change management process ensures no surprises from either the tenant or the vendor, and that all changes are well planned and tenant dependencies are mapped to underlying resources and services.
R3-76. Prior to releasing an operating system security patch into production, a leading practice is to have the patch:

A. applied simultaneously to all systems.
B. procured from an approved vendor.
C. tested in a preproduction test environment.
D. approved by business stakeholders.

C. When a change goes into production, the most important practice is to ensure that testing has been completed. In the case of a security patch, testing is essential because an untested security patch may cause serious business disruptions.
R3-77. Which of the following helps ensure that the cost is justifiable when selecting an IT control?

A. The investment is within budget.
B. The risk likelihood and its impact are reflected.
C. The net present value (NPV) is high.
D. Open source technology is used.

B. While other factors may be relevant, the total cost of ownership of a control should not exceed the projected likelihood times the impact of the risk it is intended to mitigate.
R3-78. The PRIMARY purpose of providing built-in audit trails in applications is to:

A. support e-discovery.
B. collect information for auditors.
C. enable troubleshooting.
D. establish accountability.

D. Audit trails will record the various events that are processed as part of the complete transaction and therefore establish accountability for processed transactions because no one can deny the facts regarding the processed transactions.
R3-79. Which of the following BEST protects the confidentiality of data being transmitted over a network?

A. Data are encapsulated in data packets with authentication headers.
B. A digital hash is appended to all messages sent over the network.
C. Network devices are hardened in compliance with corporate standards.
D. Fiber-optic cables are used instead of copper cables.

A. Data are encapsulated in data packets with authentication headers that will protect confidentiality even if there is a man-in-the-middle attack or interception of the data by other means.
R3-80. Which of the following is the MOST significant risk associated with handling credit card data through a web application?

A. Displaying both the first six and last four digits of the credit card, thus exposing sensitive information
B. Allowing the transmission of credit card data over the Internet using an insecure channel such as Secure Sockets Layer (SSL) protocol or Transport Layer Security (TLS) protocol
C. Failure to store credit card data in a secure area segregated from the demilitarized zone (DMZ)
D. Installation on network devices with default access settings disabled or inoperable.

C. Failure to store credit card data in a secure area segregated from the demilitarized zone (DMZ) is one of the most common and serious flaws in a secure architecture.
R3-81. Which of the following is the MOST important consideration when developing a record retention policy?

A. Delete, as quickly as practical, all data that are not required.
B. Retain data only as long as necessary for business or regulatory requirements.
C. Keep data to ensure future availability.
D. Archive old data without encryption as quickly as possible.

B. Good practice states that data should be kept only as long as required by business or regulation requirements.
R3-82. An enterprise is implementing controls to protect its product price list from being exposed to unauthorized individuals. The internal control requirements will come from:

A. the risk management team.
B. internal audit.
C. IT management.
D. process owners.

D. Process owners will provide the internal control requirements based on the business needs and objectives.
R3-83. Which of the following is MOST important when mitigating or managing risk?

A. Vulnerability assessment results
B. A business impact analysis (BIA)
C. The risk tolerance level
D. A security controls framework

C. The risk tolerance level (along with risk appetite) determines what kind of risk response an enterprise selects and it needs to be defined in order for an enterprise to appropriately address risk.
R3-84. The MAIN benefit of information classification is that it helps:

A. determine how information can be further labeled.
B. establish the access control matrices.
C. determine the risk tolerance.
D. select security measures that are proportional to risk.

D. Based on information classification, information is divided into various buckets of sensitivity, importance and risk so proportional security measures can be designed.
R3-85. Which type of cost incurred is used when leveraging existing network cabling for an IT project?

A. Indirect cost
B. Infrastructure cost
C. Project cost
D. Maintenance cost

A. Indirect costs are often overlooked when calculating the total cost for projects. Full consideration of costs requires attention to both opportunities and indirect costs. For example, the cost of utilizing existing network cabling for a project can be calculated from the amount of new traffic generated or from some other prorating factor.
R3-86. An enterprise is applying controls to protect its product price list from being exposed to unauthorized staff. These internal controls will include:

A. identification and authentication.
B. authentication and authorization.
C. segregation of duties (SoD) and authorization.
D. availability and confidentiality.

B. Authentication and authorization are two complementary control objectives that will ensure confidentiality of the price list.
R3-87. During a risk assessment of a start-up company with a bring your own device (BYOD) practice, a risk practitioner notes that the database administrator (DBA) minimizes a social media web site on his/her personal device before running a query of credit card account numbers on a third-party cloud application. The risk practitioner should recommend that the enterprise:

A. develop and deploy an acceptable use policy for BYOD.
B. place a virtualized desktop on each mobile device.
C. blacklist social media web sites for devices inside the demilitarized zone (DMZ).
D. provide the DBA with user awareness training.

B. By allowing the BYOD to access the network only via a virtualized desktop client, no data are stored on the device and all the commands entered through the device are actually executed and stored within the enterprise’s demilitarized zone (DMZ), network or servers. By using this type of mobile/enterprise architecture, users can be allowed to access the corporate network/data while on a personal device and still be compliant with the enterprise’s acceptable use policy.
R3-88. Controls are most effective when they are designed to reduce:

A. threats.
B. likelihood.
C. uncertainty.
D. vulnerabilities.

D. Controls are most effective when they are designed to reduce vulnerabilities affecting the enterprise. Vulnerabilities can result from external relationships, such as sole-source suppliers.
R3-89. In a large enterprise, system administrators may release critical patches into production without testing. Which of the following would BEST mitigate the risk of interoperability issues?

A. Ensure that a reliable system rollback plan is in place.
B. Test the patch on the least critical systems first.
C. Only allow updates to occur after hours.
D. Ensure that patches are approved by the chief information security officer (CISO).

A. A reliable system rollback plan will allow the administrators to roll back the patches from the system in case the patches affect the system negatively.
R3-90. Which of the following BEST mitigates control risk?

A. Continuous monitoring
B. An effective security awareness program
C. Effective change management procedures
D. Senior management support for control implementation

A. Continuous monitoring tests controls that mitigate the risk of the control being less effective over time. A risk assessment will identify when the control is no longer effective and the control will be replaced.
R3-91. During a root cause analysis review of a recent incident it is discovered that the IT department is not tracking any metrics. A risk practitioner should recommend to management that they implement which of the following to reduce the risk?

A. A new help desk system
B. Change management
C. Problem management
D. New reports to track issues

C. Problem management is part of the Information Technology Infrastructure Library (ITIL) and is a process that is used to minimize the impact of problems in an enterprise. Metrics, known errors and incidents are all tracked to minimize problems.
R3-92. Purchasing insurance is a form of:

A. risk avoidance.
B. risk mitigation.
C. risk acceptance.
D. risk transfer.

D. Transferring risk typically involves insurance policies to share the financial risk.
R3-93. Which of the following would PRIMARILY help an enterprise select and prioritize risk responses?

A. A cost-benefit analysis of available risk mitigation options
B. The level of acceptable risk per risk appetite
C. The potential to transfer or eliminate the risk
D. The number of controls necessary to reduce the risk

A. The selection and priorities of a risk response will consider the cost-benefit of the various risk mitigation options in order to get the highest return on investment (ROI) and reduce the risk to an acceptable level.
R3-94. Business stakeholders and decision makers reviewing the effectiveness of IT risk responses would PRIMARILY validate whether:

A. IT controls eliminate the risk in question.
B. IT controls are continuously monitored.
C. IT controls achieve the desired objectives.
D. IT risk indicators are formally documented.

C. The stakeholders are most interested in whether the control meets the stated objectives.
R3-95. A risk assessment indicates a risk to the enterprise that exceeds the risk acceptance level set by senior management. What is the BEST way to address this risk?

A. Ensure that the risk is quickly brought within acceptable limits, regardless of cost.
B. Recommend mitigating controls if the cost and/or benefit would justify the controls.
C. Recommend that senior management revise the risk acceptance levels.
D. Ensure that risk calculations are performed to revalidate the controls.

B. Risk mitigating controls should be implemented based on cost and benefit. Controls are not justified if the cost of the control exceeds the benefit obtained.
R3-96. Which of the following actions is the BEST when a critical risk has been identified and the resources to mitigate it are not immediately available?

A. Log the risk in the risk register and review it with senior management on a regular basis.
B. Capture the risk in the risk register once resources are available to address the risk.
C. Escalate the risk report to senior management to obtain the resources to mitigate the risk.
D. Review the risk level with senior management and determine whether the risk calculations are correct.

C. If resources are not available or priorities need to be adjusted, it is important to engage senior management to assist in escalating the remediation.
R3-97. Which of the following combinations of factors is the MOST important consideration when prioritizing the development of controls and countermeasures?

A. Likelihood and impact
B. Impact and exposure
C. Criticality and sensitivity
D. Value and classification

A. The likelihood that a compromise will occur and the impact of that compromise are the two most important factors in determining risk, which in turn drives the development of controls and countermeasures.
R3-98. During what stage of the overall risk management process is the cost-benefit analysis PRIMARILY performed?

A. During the initial risk assessment
B. During the information asset classification
C. During the definition of the risk profile
D. During the risk response selection

D. When selecting a risk response, one will identify a range of controls that can mitigate the risk; however, the cost-benefit analysis in this process will help identify the right controls that will address the risk at acceptable levels within the budget.
R3-99. Which of the following approaches BEST helps address significant system vulnerabilities that were discovered during a network scan?

A. All significant vulnerabilities must be mitigated in a timely fashion.
B. Treatment should be based on threat, impact and cost considerations.
C. Compensating controls must be implemented for major vulnerabilities.
D. Mitigation options should be proposed for management approval.

B. The treatment should consider the degree of exposure and potential impact and the costs of various treatment options.
R3-100. What is the BEST risk response for risk scenarios where the likelihood is low and financial impact is high?

A. Transfer the risk to a third party.
B. Accept the high cost of protection.
C. Implement detective controls.
D. Implement compensation controls.

A. High-impact, low-likelihood situations are typically most cost effectively covered by transferring the risk to a third party (e.g., insurance).
R3-101. Faced with numerous risk, the prioritization of treatment options will be MOST effective when based on:

A. the existence of identified threats and vulnerabilities.
B. the likelihood of compromise and subsequent impact.
C. the results of vulnerability scans and exposure.
D. the exposure of corporate assets and operational risk.

B. The probability of compromise coupled with the likely impact will be the most important considerations for selecting treatment options.
R3-102. Which of the following activities is an example of risk sharing?

A. Moving a function to another department
B. Selling a product or service to another company
C. Deploying redundant firewalls
D. Contracting with a third party

D. Contracting with a third party to share the responsibility for supporting activities can provide a form of risk transference as long as it is documented within the outsourcing contract.
R3-103. Which of the following risk response selection parameters results in a decrease in magnitude of an event?

A. Efficiency of response
B. Cost of response
C. Effectiveness of response
D. Capability to implement response

C. Effectiveness of response is the extent to which the response reduces the likelihood and impact.
R3-104. Who grants formal authorization for user access to a protected file?

A. The process owner
B. The system administrator
C. The data owner
D. The security manager

C. The data owner grants formal authorization for users to access protected files.
R3-105. A business case developed to support risk mitigation efforts for a complex application development project should be retained until:

A. the project is approved
B. user acceptance of the application
C. the application is deployed
D. the application’s end of life

D. All documentation related to the system should be updated and retained until the system is no longer in service. The retention may exceed this decommission date if the record retention period declares a longer period.
R3-106. Which of the following tools aids management in determining whether a project should continue based on scope, schedule and cost? Analysis of:

A. earned value management.
B. the function point.
C. the Gantt chart
D. the program evaluation and review technique (PERT).

A. Earned value management takes into consideration scope, schedule and cost in a single integrated system and helps provide accurate forecasts of project performance problems.
R3-107. An enterprise has recently implemented a corporate bring your own device (BYOD) policy to reduce the risk of data leakage. Which of the following approaches MOST enables the policy to be effective?

A. Obtaining signed acceptance from users on the BYOD policy
B. Educating users on acceptable and unacceptable practices
C. Requiring users to read BYOD policy and any future updates
D. Clearly stating the disciplinary action for noncompliance

B. While the bring your own device (BYOD) policy is approved and communicated, it would not be effective without proper training of all users.
R3-108. In which phase of the system development life cycle (SDLC) should the process to amend the deliverables be defined to prevent the risk of scope creep?

A. Feasibility
B. Development
C. User acceptance
D. Design

A. During the feasibility phase (planning or initiation), the process for amending the deliverables is defined, including the authority to approve a change and the process for a change to be submitted.
R3-109. Which of the following resources has the GREATEST risk of failure while implementing any security solution?

A. Security hardware
B. Security staff
C. Security processes
D. Security software

B. The human component has the greatest risk of failure because people are vulnerable to risk such as fraud and deliberate or accidental misconfiguration of software processes or hardware.
R3-110. Due to changes in the IT environment, the disaster recovery plan of a large enterprise has been modified. What is the GREATEST benefit of testing the new plan?

A. To ensure that the plan is complete
B. To ensure that the team is trained
C. To ensure that all assets have been identified
D. To ensure that the risk assessment was validated

A. The greatest benefit of testing the new plan is to ensure that the plan is complete and will work during a crisis. Testing ensures that all assets in scope were incorporated into the plan, that all staff are trained and familiar with their roles, and the backups have been tested.
R3-111. The database administrator has decided to disable certain normalization controls in the database to provide users with increased query performance. This will MOST likely increase the risk of:

A. loss of audit trails.
B. duplicate indexes.
C. data redundancy.
D. unauthorized access to data.

C. Normalization is performed to reduce redundant data; if these normalization controls are disabled to increase query performance, it will also increase the risk of redundancy of data.
R3-112. What control focuses directly on preventing the risk of collusion?

A. Mandatory access control
B. Principle of least privilege
C. Discretionary access control
D. Mandatory job rotation

D. Collusion risk happens when two or more people who are bound by segregation of duties come together and work together to bypass security controls. In job rotation, people will be assigned different job responsibilities over a period of time and this will reduce the opportunity for collusion.
R3-113. What is the purpose of system accreditation?

A. To ensure that risk associated with implementation has been identified and explicitly accepted by a senior manager.
B. To review all technical and nontechnical controls to ensure that the security risk has been reduced to acceptable levels.
C. To ensure that changes to the security controls are properly authorized, tested and documented
D. To require the training and certification of staff that will be responsible for working on a system

R3-114. How does an enterprise BEST ensure that developers do not have access to implement changes to production applications?

A. The enterprise must ensure that development staff does not have access to executable code.
B. The enterprise must have segregation of duties between application development and operations.
C. The enterprise system development life cycle (SDLC) must be enforced to require segregation of duties.
D. The enterprise’s change management process must be enforced for all but emergency changes.

B. Segregation of duties will ensure that the developer cannot move a change into production. The developer can make the change, but the operations staff will only move the changed code into production upon approval through the change control process.
R3-115. How can an enterprise prevent duplicate processing of a transaction?

A. By encrypting the transaction to prevent copying
B. By comparing hash values of each transaction
C. By not allowing two identical transactions within a set time period
D. By not allowing more than one transaction per account per login

C. Any time that more than one identical transaction attempts to execute within a set time period, the second transaction should trigger a notification or a fraud alert.
R3-116. The PRIMARY goal of certifying a system prior to implementation is to:

A. protect the enterprise from liability for releasing a substandard system.
B. review the system controls to ensure that the controls are configured correctly.
C. test the integrated system to detect any upstream or downstream liabilities.
D. ensure that the system meets its specified security requirements at the time of testing.

D. According to the certification and accreditation process, the goal is to deliver a system that meets the agreed-on set of security requirements and the operational conditions that were set for its implementation to ensure that it will be operated in a secure manner.
R3-117. Which of the following is a PRIMARY role of the system owner during the accreditation process? The system owner:

A. reviews and approves the security plan supporting the system.
B. selects and documents the security controls for the system.
C. assesses the security controls in accordance with the assessment procedures.
D. determines whether the risk to business is acceptable.

B. The system owner specifies the information security controls for the system being deployed based on functional requirements from the information owner.
R3-118. Which of the following compensating controls should management implement when a segregation of duties conflict exists because an enterprise has a small IT department?

A. Independent analysis of IT incidents
B. Entitlement reviews
C. Independent review of audit logs
D. Tighter controls over user provisioning

C. An independent review of the audit logs would be the best compensation control because someone outside the IT department is validating that actual activity did not exploit segregation of duties.
R3-119. The BEST way to ensure that an information systems control is appropriate and effective is to verify:

A. that the control is operating as designed.
B. that the risk associated with the control is being mitigated.
C. that the control has not been bypassed.
D. the frequency at which the control logs are reviewed.

B. A control is designed to mitigate or reduce a risk. Even if the control is operating correctly, it is not the correct control if it does not address the risk it was designed to mitigate.
R3-120. Which of the following information systems controls is the BEST way to detect malware?

A. Reviewing changes to file size
B. Reviewing administrative-level changes
C. Reviewing audit logs
D. Reviewing incident logs

A. One method to detect malware is to compare current executables and files with historical sizes and time stamps.
R3-121. An enterprise security policy is an example of which control?

A. Operational control
B. Management control
C. Technical control
D. Corrective control

B. There are two control methods: technical and nontechnical. Enterprise security policies are nontechnical management controls.
R3-122. What is the BEST action to take once a new control has been implemented to mitigate a previously identified risk?

A. Update the risk register to show that the risk has been mitigated.
B. Schedule a new risk review to ensure that no new risk is present.
C. Test the control to ensure that the risk has been adequately mitigated.
D. Validate the tests conducted by the implementation team and close out the risk.

C. The risk assessment team is responsible for the risk identification and cannot accept assurances from others that the risk has been adequately addressed. They must test to ensure the risk has in fact been properly mitigated.
R3-123. What is the BEST tool for documenting the status of risk mitigation and risk ownership?

A. Risk action plans
B. Risk scenarios
C. Business impact analysis (BIA) documents
D. A risk register

D. A risk register is designed to document all risk identified for the enterprise. For each risk it records, at a minimum, the likelihood, potential impact, priority, status of mitigation and owner.
R3-124. Which of the following would data owners be PRIMARILY responsible for?

A. Intrusion detection
B. Antivirus controls
C. User entitlement changes
D. Platform security

C. Data owners are responsible for assigning user entitlement changes and approving access to the system for which they are responsible.
R3-125. When using a formal approach to respond to a security-related incident, which of the following provides the GREATEST benefit from a legal perspective?

A. Proving adherence to statutory audit requirements
B. Proving adherence to corporate data protection requirements
C. Demonstrating due care
D. Working with law enforcement agencies

C. Stockholders, customers, business partners and governments have the expectation that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. So while no entity can protect themselves completely from security incidents, in case of legal action, by demonstrating due care, these entities can make a case that they are actually doing things to monitor and maintain the protection mechanisms and that these activities are ongoing.
R3-126. Which of the following processes is CRITICAL for deciding prioritization of actions in a business continuity plan (BCP)?

A. Risk assessment
B. Vulnerability assessment
C. A business impact analysis (BIA)
D. Business process mapping

C. The business impact analysis (BIA) is the most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident.
R3-127. The MOST effective starting point to determine whether an IT system continues to meet the enterprise’s objectives is to conduct interviews with:

A. executive management.
B. IT management.
C. business process owners.
D. external auditors.

C. Business process owners are an effective starting point for conducting interviews to ensure that IT systems are meeting their individual business process needs.
R3-128. It is MOST important for risk mitigation to:

A. eliminate threats and vulnerabilities.
B. reduce the likelihood of risk occurrence.
C. reduce risk within acceptable cost.
D. reduce inherent risk to zero.

C. Risk should be reduced or mitigated at an acceptable cost while reducing risk to an acceptable level.
R3-129. The cost of mitigating a risk should not exceed the:

A. expected benefit to be derived.
B. annual loss expectancy (ALE).
C. value of the physical asset.
D. cost to exploit the weakness.

A. The cost of mitigating a risk should never exceed the value that is expected to result from its implementation. It is illogical to spend US $1,000 to protect against a risk that in a worst-case scenario would create a loss of less than US $100.
R3-130. During the initial phase of the system development life cycle (SDLC), the risk professional provided input on how to secure the proposed system. The project team prepared a list of requirements that will be used to design the system. Which of the following tasks MUST be performed before moving on to the system design phase?

A. The risk associated with the proposed system and controls is accepted by management.
B. Various test scenarios that will be used to test the controls are documented.
C. The project budget is increased to include additional costs for security.
D. Equipment and software are procured to meet the security requirements.

A. The risk acceptance decision is made by senior management. Before moving further into the project, it is important to have sign-off from management that management acknowledges and accepts the risk that is associated with this project. If management does not accept the risk, then there is no point in proceeding any further.
R3-131. Which of the following risk assessment outputs is MOST suitable to help justify an organizational information security program?

A. An inventory of risk that may impact the enterprise
B. Documented threats to the enterprise
C. Evaluation of the consequences
D. A list of appropriate controls for addressing risk

D. A list of appropriate information security controls in response to the risk scenarios identified during the risk assessment is one of the primary deliverables of a risk assessment exercise. In this case it is also the best choice because it demonstrates due consideration of the risk as well as suitable controls to address the risk.
R3-132. Which of the following is the MOST desirable strategy when developing risk mitigation options associated with the unavailability of IT services due to a natural disaster?

A. Assume the worst-case incident scenario.
B. Target low-cost locations for alternate sites.
C. Develop awareness focused on natural disasters.
D. Enact multiple tiers of authority delegation.

A. To be prepared for a natural disaster, it is appropriate to assume the worst-case scenario; otherwise, the resulting impact may exceed the enterprise’s ability to recover.
R3-133. What is the PRIMARY objective of conducting a peer review prior to implementing any changes to the firewall configuration?

A. To assist in the detection of fraudulent or inappropriate activity
B. To reduce the need for more technical testing since the changes have already been examined
C. To facilitate ongoing knowledge transfer by allowing staff to learn by examining the work of senior staff
D. To help detect errors in the proposed change prior to implementation

D. Peer review is the examination of a work product by a skilled coworker. This should highlight any errors or cases where standards are not being followed and may prevent the introduction of an error into production.
R3-134. The aggregated results of continuous monitoring activities are BEST communicated to:

A. the risk owner.
B. technical staff.
C. the audit department.
D. the information security manager.

A. The risk owner is the most suitable target audience for aggregated results of continuous monitoring because they own the risk and are accountable for ensuring that appropriate responses are executed in alignment with the enterprise’s risk appetite.
R3-135. An operations manager assigns monitoring responsibility of key risk indicators (KRIs) to line staff. Which of the following is MOST effective in validating the effort?

A. Reported results should be independently reviewed.
B. Line staff should complete risk management training.
C. The threshold should be determined by risk management.
D. Indicators should have benefits that exceed their costs.

A. Because key risk indicators (KRIs) are monitored by line staff, there is a chance that staff may alter results to suppress unfavorable findings. Additional reliability of monitoring metrics can be achieved by having the results reviewed by an independent party.
R3-136. Effective control implementation correlates PRIMARILY to the decrease of:

A. residual risk.
B. risk register entries.
C. risk reporting.
D. risk tolerance.

A. Residual risk is (in nearly all risk-related standards and frameworks) defined as the remaining risk after management has implemented the risk response. Therefore, it follows that an effectively implemented risk response correlates with decreased residual risk.
R3-137. Which of the following activities is the MOST important related to testing the IT continuity plan?

A. A test based on defined recovery priorities
B. A test limited to the recovery of IT infrastructure
C. A test that can be performed at any time
D. Roundtable exercises, where testing is not feasible

A. A continuity test should be based on established recovery priorities associated with critical business processes. As part of the business impact analysis (BIA) exercise, management identifies what processes are of highest importance, and that should serve as a basis for developing the business continuity test and disaster recovery plan (DRP).
R3-138. The implementation of unjustified controls is MOST likely to result in:

A. an increase in residual risk related to the controls.
B. a decrease in residual risk related to the controls.
C. an ineffective monitoring of the related controls.
D. a smaller return on IT investment.

D. Organizations that have a large suite of controls that do not relate to their critical objectives have a greater likelihood of decreasing their return on IT investment due to the cost of implementing those controls.
R3-139. Which of the following risk responses relieves the enterprise of risk ownership?

A. Mitigation
B. Avoidance
C. Transference
D. Acceptance

B. When an enterprise avoids a risk, it relieves itself of ownership of the risk by ceasing to engage in the activities with which the risk is associated.
R3-140. Which of the following controls BEST reduces the residual risk that can result in the inadvertent disclosure of sensitive files stored on a laptop?

A. Performing a backup of sensitive files onto a remote server
B. Setting the program to encrypt a particular partition
C. Providing staff awareness training to identify and encrypt files
D. Copying all encrypted files onto an externally attached universal serial bus (USB) drive

C. Providing staff with awareness training to identify and encrypt files that contain sensitive information can prevent inadvertent disclosure if the laptop is lost.
R3-141. Why is it important that business managers provide IT with requirements rather than requests for specific products?

A. To ensure that software development is given equal consideration
B. To ensure that a solution is put in place that meets business objectives
C. To reduce the potential for conflicts of interest by business managers
D. To reduce the cost of maintenance associated with aging software

B. The goal of IT is to deliver solutions that meet requirements. Therefore, business managers should identify their requirements rather than making requests for specific products.
R3-142. A company has decided to perform backups on a weekly basis. Which of the following choices BEST describes the risk response approach used by management?

A. Any residual risk from performing weekly backups has been accepted.
B. The risk of losing data has been mitigated to as low a level as possible.
C. The control is ineffective because any loss of data should be minimized.
D. The inherent risk of losing data has not been adequately mitigated.

A. Residual risk arises where there is a risk response or control in place but some potential for loss remains. There is a risk of data loss, but management tolerance for risk is such that they are willing to accept the loss.
R3-143. Which of the following automated risk monitoring techniques BEST monitors the risk in a host application system without interrupting the regular processing?

A. Monitor hooks
B. An integrated test facility
C. Continuous and intermittent simulation
D. A systems control audit review file

D. A systems control audit review file involves embedding specially written software in the enterprise’s host application system so that the application systems are monitored on a selective basis and without interrupting the regular processing.
R3-144. Which of the following categories of information security controls addresses a deficiency or weakness in the control structure of an enterprise?

A. Corrective
B. Preventive
C. Compensating
D. Directive

C. Compensating controls are deployed to mitigate risk to an acceptable level when a requirement cannot be met explicitly through remediation due to a legitimate technical or business constraint. An example of a compensating control is adding multiple challenge-response instances to compensate for an inability to implement multifactor authentication.
R3-145. What is the PRIMARY reason that an enterprise would establish segregation of duties (SoD) controls?

A. To restrict users to the minimum level of access required to perform their jobs
B. To ensure that transactions that violate corporate policy are logged for review
C. To restrict users to working on systems that reflect their area of expertise
D. To ensure that any fraudulent activity that occurs would generally be the result of collusion

D. It is considerably more difficult for fraudulent activities to be arranged and to go undetected over a long-term period when more than one person is involved. Enterprises establish SoD for precisely that reason, ensuring that any fraudulent activities that do occur require collusion, which decreases the likelihood of occurrence and increases the likelihood of detection.
R3-146. Which of the following data security controls BEST protects the confidentiality of data stored on backup media in transit to a third-party storage facility?

A. Hash totals
B. Bonded couriers
C. Tamper-resistant packaging
D. Encryption

D. Encryption prevents someone who has access to the media from accessing the data. While the duration of prevention varies based on the algorithms used, computing power brought to bear in attempting to decipher the data, strength of the keys and other factors, encryption is the only choice listed that protects confidentiality.
R3-147. Which of the following techniques associated with risk analysis has the GREATEST impact on the decision whether to implement a control?

A. Cost-benefit analysis
B. Payback period
C. Root cause analysis
D. Net present value (NPV)

A. The decision to implement a control is based on whether it will cost more to implement and maintain the control than the cost savings associated with the risk that the control is meant to address. Cost-benefit analysis compares these factors and delivers a result (based on assumptions) that management can use to make a decision.
R3-148. Which of the following control practices related to information systems architecture includes establishing and maintaining baselines for internally developed systems?

A. Release management
B. Configuration management
C. Change management
D. Asset management

B. Establishing and maintaining baselines for hardware, software and releases of internally developed systems falls under configuration management.
R3-149. Which of the following choices is the BEST criterion to select technology products for control implementation? The product:

A. is easy to use and supported by system manuals.
B. has a built-in audit trail feature.
C. addresses the business risk at acceptable costs.
D. has a large installation base worldwide.

C. The decision to implement a control is based on whether it will cost more to implement and maintain the control than the cost savings associated with the risk that the control is meant to address. Controls should be selected on the basis that they reduce risk at an acceptable cost.
R3-150. Which of the following choices is the BEST approach for organizational risk response?

A. Mitigating risk on the basis of frequency of occurrence
B. Performing a countermeasure analysis for deployed controls
C. Selecting controls based on ease of implementation
D. Mitigating risk in line with the risk priority sequence

D. If risk is prioritized and addressed in line with the risk treatment strategy, it balances the costs and benefits of managing IT risk.
R3-151. When data are no longer needed by a particular process, they should be:

A. encrypted and archived.
B. handled according to policy.
C. handled according to law.
D. destroyed in a secure manner.

B. How data are handled depends on business requirements as defined in the data management policy.
R3-152. Which of the following risk responses is the BEST for an organization whose products and services are highly regulated?

A. Risk mitigation
B. Risk acceptance
C. Risk transfer
D. Risk avoidance

A. A regulatory risk that could lead to the withdrawal of an operating license is a risk that must be addressed by the organization because it can affect the organization’s ability to continue operations.
R3-153. The PRIMARY consideration when selecting a risk response technique is:

A. coverage of all identified risk.
B. availability of resources.
C. organizational goals and objectives.
D. standards and industry best practices.

C. The risk response will be based primarily on the goals and objectives of the organization. Risk can harm these goals and must be mitigated according to priority.
R3-154. Which of the following information system (IS) control practices would be MOST effective against internal threats to confidential information stored within an application?

A. Strong data encryption
B. Role-based access control (RBAC)
C. Digital certificate-based access
D. Signed confidentiality agreements

B. RBAC implementation would ensure that internal staff members do not access other, nonrelevant confidential information.
R3-155. Single points of failure in the event of a widespread natural disaster can BEST be minimized by:

A. implementing redundant systems and applications onsite.
B. using fireproof vaults to retain onsite backup plans.
C. preparing business continuity and disaster recovery planning documents for identified disasters.
D. allocating resources geographically.

D. Minimizing single points of failure of a common disaster (e.g., earthquake or large terrorist attack on a city) is mitigated by geographically allocating resources.
R3-156. Which of the following controls protects the integrity of the event logs on a stand-alone logging system?

A. Users must be authenticated in order to gain read-access to the event logs.
B. The event logging system is configured to have a mirror-system in a remote data center.
C. The event logging system changes are administered under dual control.
D. The event logs are written directly to a shared network drive.

C. Administering changes to the event logging system under dual control protects data integrity by reducing the likelihood that a single actor would be able to perpetrate an unauthorized modification of system configurations or records.
R3-157. Which of the following information security controls mandates behavior by specifying what is and is not permitted?

A. Managerial
B. Detective
C. Corrective
D. Preventive

A. Managerial controls, such as policies, specify what actions are and are not permitted.
R3-158. If an organization does not have a formal policy in place regarding personal devices in the workplace, which of the following should the risk practitioner recommend?

A. Introduce remote wipe functionality on personal devices at the workplace.
B. Implement an exception process based on appropriate approvals.
C. Update incident response procedures covering personal devices.
D. Create and maintain an inventory of personal devices in use.

B. If employees are allowed to attach personal devices to a company network but there is no formal policy in place, employees should be required to gain approval from management, and this approval should be documented and reviewed in a security exception form based on the exception process.