accurate answers
_____ monitoring results gives organizations the capability to maintain
awareness of the risk being incurred, highlight the need to revisit other
steps in the risk management process, and initiate process improvement
activities as needed. Ans✓✓✓ Analyzing
____________ mitigate(s) risk. Ans✓✓✓ Controls
A business impact analysis (BIA) is an output of the risk assessment
process. (T/F) Ans✓✓✓ False
The decision to accept, avoid, transfer, or mitigate a risk is made in
the risk evaluation stage. (T/F) Ans✓✓✓ True
A gap analysis report documents differences between what is mitigated
and what is NOT mitigated, resulting in a gap in security. (T/F)
Ans✓✓✓ True
A KPx is a summary of one or more KRIs. Ans✓✓✓ False
A risk ____ could be a simple listing of identified risks, some of which
are already assessed and others of which are still in the process of being
qualified. Ans✓✓✓ Inventory
A risk assessment ends with a report. (T/F) Ans✓✓✓ True
A risk assessment provides a point-in-time report. (T/F) Ans✓✓✓ True
A threshold KPI is significant when an index falls into a set range. (T/F)
Ans✓✓✓ True
Access controls testing verifies user rights and permissions. (T/F)
Ans✓✓✓ True
Action plans are a necessary output of the risk assessment process so
that recommendations can be acted upon quickly once the assessment is
approved. Ans✓✓✓ True
After you collect data on risks and recommendations, you include that
information in a report, and you give that report to management. Why do
you do this? Ans✓✓✓ to help management decide which
recommendations to use
All of the following are KPI types except: Ans✓✓✓ Esoteric
All of the following are risk treatments in different frameworks except?
Ans✓✓✓ Control
All of the following are risk treatments in different frameworks except?
Ans✓✓✓ Ignore
Another term for data range and reasonableness checks is
______________. Ans✓✓✓ input validation
As a top-level executive at your own company, you are worried that
your employees may steal confidential data too easily by downloading
and taking home data onto thumb drives. What is the best way to prevent
this from happening? Ans✓✓✓ Create and enforce a written company
policy against the use of thumb drives, and install technical controls on
the computers that will prevent the use of thumb drives.
Asset valuation is a listing or grouping of assets under an assessment.
(T/F) Ans✓✓✓ False
Change management ensures that similar systems have the same, or at
least similar, configurations. (T/F) Ans✓✓✓ False
Change management is a process that ensures that changes are made
only after a review process. (T/F) Ans✓✓✓ True
Clear and effective security risk assessment reporting requires that the
contents of the report be perceived as (check all that apply) Ans✓✓✓
Accurate, nonthreatening, unambiguous, relevant
Configuration management is the same as change management. (T/F)
Ans✓✓✓ False