MIS 416 Exam 2/Final Questions With
Correct Answers,.
Place the following in the correct order for risk management.
A) rank risks
B) analyze risks
C) identify risk
D) treat risks
E) monitor and review risks- Correct answerC B A D E
Clear and effective security risk assessment reporting requires that the contents of the
report be perceived as (check all that apply)
A) unambiguous
B) nonthreatening
C) accurate
D) relevant
E) actionable- Correct answerA B C D
Which of the following can affect the state of risks?
A) Risk levels of competitors
B) Supply Chain changes
C) Personnel changes
D) Mergers- Correct answerB C D
In addition to the data captured in your risk assessment template, exceptions and
mitigation plans need to include the following information EXCEPT:
A) Budget Process
B) Business justification for the risk
C) Mitigation action items, long- and short-term
D) Policy exceptions/risk acceptance approval and time frame - Correct
answerA
Action plans are a necessary output of the risk assessment process so that
recommendations can be acted upon quickly once the assessment is approved. T/F? -
Correct answerT
A gap analysis report documents differences between what is mitigated and what is
NOT mitigated, resulting in a gap in security. T/F? - Correct answerT
,What information should you include in your report for management when you present
your recommendations?
A) affinity diagram, POAM, and CBA
B) stakeholders, key stakeholders, and C-level stakeholders
C) recommendation, justification, and procedure
D) findings, recommendation cost and time frame, and cost-benefit analysis -
Correct answerD
Which of the following is NOT part of a risk report structure?
A) Risk Report Memorandum
B) Base Report
C) Executive-Level Report
D) Appendices
E) Exhibits- Correct answerA
The final summary of risks, impacts, rationales, and treatments is called what?
A) A Threat-Control-Vulnerability-Impact Catalog
B) A Risk Catalog
C) A Risk Index
D) A Risk Register- Correct answerD
Which of the following is NOT risk evaluation step?
A) Determine severity of threat/vulnerability
B) Determine risk exposure (including risk sensitivity)
C) Determine likelihood of threat/vulnerability
D) Determine residual risk level
E) Identify the key components- Correct answerE
The final phase of the security risk assessment is to create a(n) ________ that
addresses all security risks identified in the ___________.
A) Final report, risk assessment
B) Final report, Action plan
C) Action plan, final report
D) Action plan, data gathering phase
E) Risk report, risk assessment- Correct answerC
A risk assessment ends with a report. T/F? - Correct answerT
The objective in risk assessment reporting is to assign blame to those who pose risks.
T/F?- Correct answerF
, There is only one way to format and organize a risk assessment report. T/F? -
Correct answerF
Which of the following is a well-framed phrase used by the security risk assessment
team when risk reporting?
A) Administrators in group A failed to properly harden all servers in their area
B) Group C would be better if they had more security awareness training
C) Bad user habits leave written passwords written in the clear around their
workstations
D) The users in group B are not doing what they are supposed to
E) Security awareness training is not completely effective for all users - Correct
answerE
All of the following are risk treatments in different frameworks except?
A) Defer
B) Accept
C) Mitigate
D) Control
E) Avoid
F) Transfer- Correct answerD
After you collect data on risks and recommendations, you include that information in a
report, and you give that report to management. Why do you do this?
A) to inform management of the progress of the risk management task
B) to help management assess how much of the risk was mitigated by the proposed
solution
C) to help management decide which recommendations to use
D) to avoid several time-consuming presentations about each individual
recommendation- Correct answerC
What portion of the risk assessment report is actually essential in ANY report?
A) Supporting Appendices
B) A Good Conclusion
C) A Good Executive Summary
D) Methodology- Correct answerC
Good risk reporting should include tables and figures to visually convey information to
the audience. T/F?- Correct answerT
In the risk management process, it is not important to identify who should be
responsible for the various processes or steps. T/F? - Correct answerF
Correct Answers,.
Place the following in the correct order for risk management.
A) rank risks
B) analyze risks
C) identify risk
D) treat risks
E) monitor and review risks- Correct answerC B A D E
Clear and effective security risk assessment reporting requires that the contents of the
report be perceived as (check all that apply)
A) unambiguous
B) nonthreatening
C) accurate
D) relevant
E) actionable- Correct answerA B C D
Which of the following can affect the state of risks?
A) Risk levels of competitors
B) Supply Chain changes
C) Personnel changes
D) Mergers- Correct answerB C D
In addition to the data captured in your risk assessment template, exceptions and
mitigation plans need to include the following information EXCEPT:
A) Budget Process
B) Business justification for the risk
C) Mitigation action items, long- and short-term
D) Policy exceptions/risk acceptance approval and time frame - Correct
answerA
Action plans are a necessary output of the risk assessment process so that
recommendations can be acted upon quickly once the assessment is approved. T/F? -
Correct answerT
A gap analysis report documents differences between what is mitigated and what is
NOT mitigated, resulting in a gap in security. T/F? - Correct answerT
,What information should you include in your report for management when you present
your recommendations?
A) affinity diagram, POAM, and CBA
B) stakeholders, key stakeholders, and C-level stakeholders
C) recommendation, justification, and procedure
D) findings, recommendation cost and time frame, and cost-benefit analysis -
Correct answerD
Which of the following is NOT part of a risk report structure?
A) Risk Report Memorandum
B) Base Report
C) Executive-Level Report
D) Appendices
E) Exhibits- Correct answerA
The final summary of risks, impacts, rationales, and treatments is called what?
A) A Threat-Control-Vulnerability-Impact Catalog
B) A Risk Catalog
C) A Risk Index
D) A Risk Register- Correct answerD
Which of the following is NOT risk evaluation step?
A) Determine severity of threat/vulnerability
B) Determine risk exposure (including risk sensitivity)
C) Determine likelihood of threat/vulnerability
D) Determine residual risk level
E) Identify the key components- Correct answerE
The final phase of the security risk assessment is to create a(n) ________ that
addresses all security risks identified in the ___________.
A) Final report, risk assessment
B) Final report, Action plan
C) Action plan, final report
D) Action plan, data gathering phase
E) Risk report, risk assessment- Correct answerC
A risk assessment ends with a report. T/F? - Correct answerT
The objective in risk assessment reporting is to assign blame to those who pose risks.
T/F?- Correct answerF
, There is only one way to format and organize a risk assessment report. T/F? -
Correct answerF
Which of the following is a well-framed phrase used by the security risk assessment
team when risk reporting?
A) Administrators in group A failed to properly harden all servers in their area
B) Group C would be better if they had more security awareness training
C) Bad user habits leave written passwords written in the clear around their
workstations
D) The users in group B are not doing what they are supposed to
E) Security awareness training is not completely effective for all users - Correct
answerE
All of the following are risk treatments in different frameworks except?
A) Defer
B) Accept
C) Mitigate
D) Control
E) Avoid
F) Transfer- Correct answerD
After you collect data on risks and recommendations, you include that information in a
report, and you give that report to management. Why do you do this?
A) to inform management of the progress of the risk management task
B) to help management assess how much of the risk was mitigated by the proposed
solution
C) to help management decide which recommendations to use
D) to avoid several time-consuming presentations about each individual
recommendation- Correct answerC
What portion of the risk assessment report is actually essential in ANY report?
A) Supporting Appendices
B) A Good Conclusion
C) A Good Executive Summary
D) Methodology- Correct answerC
Good risk reporting should include tables and figures to visually convey information to
the audience. T/F?- Correct answerT
In the risk management process, it is not important to identify who should be
responsible for the various processes or steps. T/F? - Correct answerF
