RISK MANAGEMENT (SPED SFPC) EXAM WITH VERIFIED
SOLUTIONS #9
Defined threat & a recognized vulnerability - correct answer What two things must exist
for a security risk to be present?
Intentional insider - correct answer What presents the greatest area of concern for
Security Management?
Acceptance, Avoidance, Assignment, Planning, Acknowledgement, & Transfer - correct
answer What are the 6 Risk Mitigation options?
True - correct answer T/F Risk Assessment methods and processes should be simple,
structured, and organizational centric
Risk Assessment - correct answer What can be the most difficult process to accomplish
in the Risk Management continuum?
Reduce the risk level to the IT system to an acceptable or reasonable level. - correct
answer What is the goal of countermeasures?
Value analysis & sound business case - correct answer What two things should
investments in risk management technologies be based on?
Compliance testing - correct answer What is used to determine whether unauthorized
modifications were made to production programs?
False - correct answer T/F An enterprise that is subject to regulation by multiple
governments or organizations doesn't need to establish baseline standards for all
locations or add supplemental standards.
Stakeholder requirements - correct answer What is an important factor when designing
information system controls in a complex environment?
Assessment of threats to the organization, prioritization of applications, development of
recovery scenarios - correct answer Risk Assessment is a balancing act based on:
Focus of Risk Management - correct answer Ability to assess security needs and
capabilities, select appropriate safeguards, develop an effective security design,
implement required controls, select adequate test controls, implement and manage
changes, accept residual risk
Categorization, Selection of controls, Implementation, Assessment, Authorization,
Monitoring - correct answer What are the six strategic components of Risk Management
Framework?
, Building INFOSEC capabilities into commercial and federal iss, & provide essential info
to facilitate acceptance of Risk - correct answer What is the emphasis of Risk
Management Framework?
Preventative and recovery controls - correct answer What does contingency planning
provide?
Program Risk Management - correct answer What provides the ability to assess
security need and capabilities, select appropriate safeguards, implement required
controls, select adequate test controls, implement and manage changes and accept
residual risk?
Risk consequences - correct answer What places people at risk, system continuity and
info at risk, organizational ops at risk as well as an organizational reputation at risk?
All possible threats, assessment of potential impact loss of confidentiality, evaluation of
critical organizational needs, & establish recovery priorities - correct answer What must
be considered when a Risk Assessment is performed as part of the contingency
response?
Design Phase - correct answer In what system life-cycle phase does Risk Analysis
begin?
Regularly - correct answer How often should risks be reviewed to ensure the initial risk
acceptance rationale is still valid?
Monitoring techniques - correct answer What implementation can help detect
organizational, operational, and environmental trends?
Capability Maturity Monitoring - correct answer What allows an enterprise to understand
its level of maturity in its risk capabilities as an indicator of operational readiness and
effectiveness?
Network vulnerability assessment - correct answer What type of assessment intends to
identify known vulnerabilities that are based on common mis-configurations and missing
updates?
True - correct answer T/F An objective of a Risk Management program is to maintain
residual risk at an acceptable level.
Classifying information assets - correct answer What allows for identification of controls
proportional to risk?
Retention policy - correct answer What policy is used when determining the disposition
of information that is no longer required to support the main purpose of the business
from an information security perspective?
SOLUTIONS #9
Defined threat & a recognized vulnerability - correct answer What two things must exist
for a security risk to be present?
Intentional insider - correct answer What presents the greatest area of concern for
Security Management?
Acceptance, Avoidance, Assignment, Planning, Acknowledgement, & Transfer - correct
answer What are the 6 Risk Mitigation options?
True - correct answer T/F Risk Assessment methods and processes should be simple,
structured, and organizational centric
Risk Assessment - correct answer What can be the most difficult process to accomplish
in the Risk Management continuum?
Reduce the risk level to the IT system to an acceptable or reasonable level. - correct
answer What is the goal of countermeasures?
Value analysis & sound business case - correct answer What two things should
investments in risk management technologies be based on?
Compliance testing - correct answer What is used to determine whether unauthorized
modifications were made to production programs?
False - correct answer T/F An enterprise that is subject to regulation by multiple
governments or organizations doesn't need to establish baseline standards for all
locations or add supplemental standards.
Stakeholder requirements - correct answer What is an important factor when designing
information system controls in a complex environment?
Assessment of threats to the organization, prioritization of applications, development of
recovery scenarios - correct answer Risk Assessment is a balancing act based on:
Focus of Risk Management - correct answer Ability to assess security needs and
capabilities, select appropriate safeguards, develop an effective security design,
implement required controls, select adequate test controls, implement and manage
changes, accept residual risk
Categorization, Selection of controls, Implementation, Assessment, Authorization,
Monitoring - correct answer What are the six strategic components of Risk Management
Framework?
, Building INFOSEC capabilities into commercial and federal iss, & provide essential info
to facilitate acceptance of Risk - correct answer What is the emphasis of Risk
Management Framework?
Preventative and recovery controls - correct answer What does contingency planning
provide?
Program Risk Management - correct answer What provides the ability to assess
security need and capabilities, select appropriate safeguards, implement required
controls, select adequate test controls, implement and manage changes and accept
residual risk?
Risk consequences - correct answer What places people at risk, system continuity and
info at risk, organizational ops at risk as well as an organizational reputation at risk?
All possible threats, assessment of potential impact loss of confidentiality, evaluation of
critical organizational needs, & establish recovery priorities - correct answer What must
be considered when a Risk Assessment is performed as part of the contingency
response?
Design Phase - correct answer In what system life-cycle phase does Risk Analysis
begin?
Regularly - correct answer How often should risks be reviewed to ensure the initial risk
acceptance rationale is still valid?
Monitoring techniques - correct answer What implementation can help detect
organizational, operational, and environmental trends?
Capability Maturity Monitoring - correct answer What allows an enterprise to understand
its level of maturity in its risk capabilities as an indicator of operational readiness and
effectiveness?
Network vulnerability assessment - correct answer What type of assessment intends to
identify known vulnerabilities that are based on common mis-configurations and missing
updates?
True - correct answer T/F An objective of a Risk Management program is to maintain
residual risk at an acceptable level.
Classifying information assets - correct answer What allows for identification of controls
proportional to risk?
Retention policy - correct answer What policy is used when determining the disposition
of information that is no longer required to support the main purpose of the business
from an information security perspective?
