SOLVED 100% CORRECT!!
16. Application of training and education is a common method of which risk
control strategy?
a. mitigation
b. defense
c. acceptance
d. transferal Answer - b
17. Which of the following describes an organization's efforts to reduce
damage caused by a realized incident or disaster?
a. acceptance
b. avoidance
c. transference
d. mitigation Answer - d
18. Strategies to limit losses before and during a realized adverse event are
covered by which of the following plans in the mitigation control approach?
a. incident response plan
b. business continuity plan
c. disaster recovery plan
d. damage control plan Answer - c
19. The only use of the acceptance strategy that is recognized as valid by
industry practices occurs when the organization has done all but which of the
following?
a. Determined the level of risk posed to the information asset
b. Performed a thorough cost-benefit analysis
c. Determined that the costs to control the risk to an information asset are
much lower than the benefit gained from the information assets
d. Assessed the probability of attack and the likelihood of a successful
exploitation of a vulnerability Answer - c
20. Which of the following can be described as the quantity and nature of risk
that organizations are willing to accept as they evaluate the trade-offs between
perfect security and unlimited accessibility?
a. residual risk
b. risk appetite
c. risk assurance
d. risk termination Answer - b
21. Which of the following is NOT a valid rule of thumb on risk control strategy
selection?
a. When a vulnerability exists: Implement security controls to reduce the
likelihood of a vulnerability being exploited.
b. When a vulnerability can be exploited: Apply layered protections,
architectural designs, and administrative controls to minimize the risk or
prevent the occurrence of an attack.
c. When the potential loss is substantial: Apply design principles, architectural
designs, and technical and non-technical protections to limit the extent of the
attack, thereby reducing the potential for loss.
d. When the attacker's potential gain is less than the costs of attack: Apply
protections to decrease the attacker's cost or reduce the attacker's gain, by
using technical or operational controls. Answer - d
22. Which of the following affects the cost of a control?
a. liability insurance
b. CBA report
c. asset resale
d. maintenance Answer - d
23. By multiplying the asset value by the exposure factor, you can calculate which
of the following?
a. annualized cost of the safeguard
b. single loss expectancy
c. value to adversaries
d. annualized loss expectancy Answer - b
24. What is the result of subtracting the post-control annualized loss expectancy
and the ACS (annualized cost of the safeguard) from the pre-control annualized
loss expectancy?
a. cost-benefit analysis
b. exposure factor
c. single loss expectancy
d. annualized rate of occurrence Answer - a
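Questions 22 through 24 chain together: the cost factors from question 22 make up the annualized cost of the safeguard (ACS), question 23 gives SLE = AV x EF, ALE = SLE x ARO, and question 24 gives CBA = ALE(prior) - ALE(post) - ACS. The following Python block is an added worked example, not part of the quiz or the textbook it is drawn from. The scenario (a customer database worth 500,000, a DLP gateway and a managed log-review service as candidate controls) is constructed for illustration, and spreading the one-time costs of a control over its service life to obtain ACS is an assumption of this example, not a formula the page states.

```python
"""Worked cost-benefit analysis (CBA) for control selection.

Added example; the scenario values are constructed, not taken from the quiz.
Formulas as stated on the page:
    SLE = AV * EF                      (single loss expectancy)
    ALE = SLE * ARO                    (annualized loss expectancy)
    CBA = ALE_prior - ALE_post - ACS   (ACS = annualized cost of the safeguard)
Amortizing one-time costs over the control's service life to get ACS is an
assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: the value lost in one realized event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: SLE scaled by the annualized rate of occurrence."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss * aro


@dataclass
class Safeguard:
    """A candidate control described by the cost factors of question 22."""
    name: str
    acquisition: float       # purchase or development cost (one-time)
    implementation: float    # rollout and integration (one-time)
    training: float          # staff training fees (one-time)
    service: float           # vendor support, per year
    maintenance: float       # upkeep, per year (question 22's answer)
    service_life_years: int  # period over which one-time costs are spread (assumption)
    post_ef: float           # exposure factor once the control is in place
    post_aro: float          # annualized rate of occurrence once the control is in place

    def acs(self) -> float:
        """Annualized cost of the safeguard: amortized one-time costs plus yearly costs."""
        if self.service_life_years < 1:
            raise ValueError("service life must be at least one year")
        one_time = self.acquisition + self.implementation + self.training
        return one_time / self.service_life_years + self.service + self.maintenance


def cba(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    ale_prior = ale(sle(asset_value, ef), aro)
    ale_post = ale(sle(asset_value, safeguard.post_ef), safeguard.post_aro)
    return ale_prior - ale_post - safeguard.acs()


def recommend(asset_value: float, ef: float, aro: float,
              candidates: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive CBA.

    Returns None when no candidate has a positive CBA: the cost of every
    available control exceeds the loss it prevents, which is the situation in
    which the acceptance strategy of question 19 becomes defensible.
    """
    scored = [(cba(asset_value, ef, aro, s), s) for s in candidates]
    best_value, best = max(scored, key=lambda pair: pair[0])
    return best if best_value > 0.0 else None


# Constructed scenario: a customer database, 40% of its value lost per breach,
# one breach expected every two years (ARO = 0.5).
CUSTOMER_DB_VALUE = 500_000.0
EF = 0.4
ARO = 0.5

DLP_GATEWAY = Safeguard("DLP gateway", acquisition=60_000.0, implementation=10_000.0,
                        training=5_000.0, service=8_000.0, maintenance=12_000.0,
                        service_life_years=5, post_ef=0.1, post_aro=0.2)
LOG_REVIEW = Safeguard("managed log review", acquisition=0.0, implementation=2_000.0,
                       training=3_000.0, service=60_000.0, maintenance=5_000.0,
                       service_life_years=1, post_ef=0.4, post_aro=0.3)

if __name__ == "__main__":
    prior = ale(sle(CUSTOMER_DB_VALUE, EF), ARO)
    print(f"SLE = {sle(CUSTOMER_DB_VALUE, EF):,.0f}, ALE(prior) = {prior:,.0f}")
    for s in (DLP_GATEWAY, LOG_REVIEW):
        print(f"{s.name}: ACS = {s.acs():,.0f}, CBA = {cba(CUSTOMER_DB_VALUE, EF, ARO, s):,.0f}")
    choice = recommend(CUSTOMER_DB_VALUE, EF, ARO, [DLP_GATEWAY, LOG_REVIEW])
    print("recommendation:", choice.name if choice else "accept the risk")
```

With these constructed numbers the DLP gateway yields a CBA of 55,000 per year while the log-review service comes out at -30,000, so only the first control is worth funding; had both been negative, `recommend` returns `None`, which is the point at which the acceptance strategy (question 19) becomes the valid choice rather than a failure to act.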
25. Which of the following determines acceptable practices based on
consensus and relationships among the communities of interest?
a. organizational feasibility
b. political feasibility
c. technical feasibility
d. operational feasibility Answer - b
26. The Microsoft Risk Management Approach includes four phases. Which of
the following is NOT one of them?
a. conducting decision support
b. implementing controls
c. evaluating alternative strategies
d. measuring program effectiveness Answer - c
27. What does FAIR rely on to build its risk management framework, unlike
many other risk management frameworks?
a. qualitative assessment of many risk components
b. quantitative valuation of safeguards
c. subjective prioritization of controls
d. risk analysis estimates Answer - a
28. In which technique does a group rate or rank a set of information, compile
the results, and repeat until everyone is satisfied with the result?
a. OCTAVE
b. FAIR
c. Hybrid Measures
d. Delphi Answer - d
29. Once a control strategy has been selected and implemented, what should be
done on an ongoing basis to determine the effectiveness of the controls and to
estimate the remaining (residual) risk?
a. analysis and adjustment