Set 2
Risk is the combination of probability and impact. Which one of them requires the greatest amount of speculation?
Probability (likelihood)
What is the first step in the development of a risk management program?
To establish the context and purpose of the program
What is the main objective of risk evaluation?
In risk evaluation, it is determined whether a risk is within the acceptable range or whether it should be mitigated. Risk responses are decided based on risk evaluation.
What is the main objective of risk analysis?
To determine the level of exposure/impact
What is the main objective of a risk management program?
To reduce risk to an acceptable level
What is the main advantage of performing risk assessments on a consistent basis?
It reveals trends in the evolving risk profile.
The valuation of an asset in a business impact analysis should be based on:
Opportunity cost. Opportunity cost reflects the cost to the organization resulting from the unavailability of an asset.
What are the components of risk treatment (risk response)?
• Risk mitigation
• Risk acceptance
• Risk avoidance
• Risk transfer
The prioritization of a risk response is based on:
The likelihood of compromise and the impact on the business
Who is in the best position to perform a risk analysis for a business process?
The business process owner
Who should be the primary driver to implement new regulatory changes?
The business process owner
What is the objective of periodically analyzing the gap between controls and control objectives?
To address changes in exposure or the business environment. Changes in exposure, or the business environment, may require the implementation of additional controls.
Why should risk be reassessed periodically?
Risk should be reassessed periodically because it changes over time.
Which factor most influences the selection of controls?
Cost-benefit balance
What is the most effective way to mitigate the risk of phishing?
Promoting user awareness
What is the objective of segmenting sensitive data?
To reduce the exposure of sensitive data. Reducing exposure reduces the likelihood of a vulnerability being exploited.
What is the objective of an indemnity clause?
To reduce the financial impact on an organization in case of a loss suffered due to the act of a third-party service provider. An indemnity clause helps the organization claim financial loss from that service provider. Indemnity clauses can transfer operational risk and financial impacts; however, legal responsibility for the consequences of the compromise generally remains with the original organization.
What is the prime objective of change management?
To ensure that only authorized changes are carried out and modifications made to the system do not introduce new security exposures
What is the best way to reduce the risk arising from a modification of the system?
Following a change management process
What is the most effective method to address the risk of a newly identified security vulnerability?
Patch management
What is the first step when an organization receives a patch?
To validate the authenticity of the patch
What is the correct frequency for patching?
Whenever important security patches are released. However, patches should always be tested first.
What is the most effective approach to ensure the continued effectiveness of information security controls?
Effective life cycle management
What is the best way to address risk at various life cycle stages?
A structured change management procedure
What is the main advantage of asset classification?
It determines the appropriate level of protection that should be given to an asset. Classification helps to reduce the risk of the under-protection of assets and at the same time reduces the cost of overprotection. Controls are kept at levels commensurate with impact.