MIS 416 Exam 1/Final Questions With Correct Answers (COMBINED)
Place the following in the correct order for risk management.
A) rank risks
B) analyze risks
C) identify risk
D) treat risks
E) monitor and review risks - Correct answer: C B A D E
Clear and effective security risk assessment reporting requires that the contents of the report be perceived as (check all that apply)
A) unambiguous
B) nonthreatening
C) accurate
D) relevant
E) actionable - Correct answer: A B C D
Which of the following can affect the state of risks?
A) Risk levels of competitors
B) Supply Chain changes
C) Personnel changes
D) Mergers - Correct answer: B C D
In addition to the data captured in your risk assessment template, exceptions and mitigation plans need to include the following information EXCEPT:
A) Budget Process
B) Business justification for the risk
C) Mitigation action items, long- and short-term
D) Policy exceptions/risk acceptance approval and time frame - Correct answer: A
Action plans are a necessary output of the risk assessment process so that recommendations can be acted upon quickly once the assessment is approved. T/F? - Correct answer: T
A gap analysis report documents differences between what is mitigated and what is NOT mitigated, resulting in a gap in security. T/F? - Correct answer: T
What information should you include in your report for management when you present your recommendations?
A) affinity diagram, POAM, and CBA
B) stakeholders, key stakeholders, and C-level stakeholders
C) recommendation, justification, and procedure
D) findings, recommendation cost and time frame, and cost-benefit analysis - Correct answer: D
Which of the following is NOT part of a risk report structure?
A) Risk Report Memorandum
B) Base Report
C) Executive-Level Report
D) Appendices
E) Exhibits - Correct answer: A
The final summary of risks, impacts, rationales, and treatments is called what?
A) A Threat-Control-Vulnerability-Impact Catalog
B) A Risk Catalog
C) A Risk Index
D) A Risk Register - Correct answer: D
Which of the following is NOT a risk evaluation step?
A) Determine severity of threat/vulnerability
B) Determine risk exposure (including risk sensitivity)
C) Determine likelihood of threat/vulnerability
D) Determine residual risk level
E) Identify the key components - Correct answer: E
The final phase of the security risk assessment is to create a(n) ________ that addresses all security risks identified in the ___________.
A) Final report, risk assessment
B) Final report, Action plan
C) Action plan, final report
D) Action plan, data gathering phase
E) Risk report, risk assessment - Correct answer: C
A risk assessment ends with a report. T/F? - Correct answer: T
The objective in risk assessment reporting is to assign blame to those who pose risks. T/F? - Correct answer: F
There is only one way to format and organize a risk assessment report. T/F? - Correct answer: F
Which of the following is a well-framed phrase used by the security risk assessment team when risk reporting?
A) Administrators in group A failed to properly harden all servers in their area
B) Group C would be better if they had more security awareness training
C) Bad user habits leave passwords written in the clear around their workstations
D) The users in group B are not doing what they are supposed to
E) Security awareness training is not completely effective for all users - Correct answer: E
All of the following are risk treatments in different frameworks except?
A) Defer
B) Accept
C) Mitigate
D) Control
E) Avoid
F) Transfer - Correct answer: D
After you collect data on risks and recommendations, you include that information in a report, and you give that report to management. Why do you do this?
A) to inform management of the progress of the risk management task
B) to help management assess how much of the risk was mitigated by the proposed solution
C) to help management decide which recommendations to use
D) to avoid several time-consuming presentations about each individual recommendation - Correct answer: C
What portion of the risk assessment report is actually essential in ANY report?
A) Supporting Appendices
B) A Good Conclusion
C) A Good Executive Summary
D) Methodology - Correct answer: C
Good risk reporting should include tables and figures to visually convey information to the audience. T/F? - Correct answer: T
In the risk management process, it is not important to identify who should be responsible for the various processes or steps. T/F? - Correct answer: F
FAIR's BRAG uses qualitative assessment of many risk components using scales with value ranges. T/F? - Correct answer: F
Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. T/F? - Correct answer: F
The ISO 27005 Standard for InfoSec Risk Management includes a five-stage management methodology; among them are risk treatment and risk communication. T/F? - Correct answer: T
The COSO framework is built on eight interrelated components. Which of the following is NOT one of them?
A) Risk assessment
B) InfoSec Governance
C) Monitoring
D) Risk response - Correct answer: B
It is important to understand that not all frameworks are created as equivalents. Let's look at the differences between FAIR and OCTAVE. Which statement is NOT true?
A) OCTAVE is more flexible and customizable
B) FAIR is more quantitative and prescriptive
C) FAIR addresses a wider range of security and risk assessment issues than OCTAVE
D) OCTAVE is lower level, more methodological - Correct answer: C
What are the seven COBIT enablers?
A) covering the enterprise end-to-end; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and applying a single integrated framework
B) meeting stakeholder needs; processes; enabling a holistic approach; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies
C) meeting stakeholder needs; covering the enterprise end-to-end; applying a single integrated framework; enabling a holistic approach; information; separating governance from management; and people, skills, and competencies