Risk Assessment Inputs

Questions and Answers

What is the purpose of applying risk assessments in an organization?

• To identify, estimate, and prioritize risks to the organization's mission and assets (correct)
• To focus solely on the organization's reputation
• To eliminate all risks from an organization's operations
• To increase the organization's operational costs

Which of the following is NOT listed as a potential input for conducting risk assessments?

• Real-time threat information
• Supply chain risk assessment results
• Non-disclosure agreements with employees (correct)
• Previous organization-level security and privacy risk assessment results

What is the expected output of conducting organization-level risk assessments?

• Supply chain risk assessment results
• Organizationally-tailored control baselines and Cybersecurity Framework Profiles (correct)
• Previous security and privacy risk assessment results
• Information sharing agreements

Which of the following is an optional task for organizations to complete related to risk assessments?

Implementing organizationally-tailored control baselines and Cybersecurity Framework Profiles (C)

In the context of risk assessments, what do 'organizationally-tailored control baselines' refer to?

Specific security measures customized for a particular organization (B)

What type of information can be obtained from continuous monitoring for use in risk assessments?

Security and privacy information (C)

What is the primary purpose of a system-level risk assessment?

To identify potential threats and vulnerabilities in the system (A)

What are the key components of a system-level risk assessment according to the text?

Identification of threat sources, threat events, asset vulnerabilities, likelihood of exploitation, and impact of asset loss (A)

What is the purpose of prioritizing system assets based on the adverse impact or consequence of asset loss?

To update the risk assessment results on an ongoing basis (D)

What is the expected output of Task P-13 according to the text?

Documentation of the stages through which information passes in the system (D)

Which of the following is NOT a key component of a system-level risk assessment according to the text?

Determination of the expected financial cost of implementing security controls (A)

Which of the following is the MOST accurate description of the purpose of Task P-14, Risk Assessment—System?

To conduct a system-level risk assessment and update the risk assessment results on an ongoing basis (A)

What is the primary purpose of Task P-2, Risk Management Strategy?

To establish a risk management strategy for the organization, including a determination of risk tolerance. (A)

What is the primary function of risk tolerance in the organization's risk management process?

All of the above (D)

Which of the following is NOT listed as a potential input of Task P-2, Risk Management Strategy?

Organizational risk assessment results (C)

What is the primary purpose of Task P-3, Risk Assessment—Organization?

To assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. (B)

Which of the following is NOT a key feature of risk tolerance in the organization's risk management process?

It is determined independently of the organization's risk assessment results. (B)

Which of the following is listed as an expected output of Task P-2, Risk Management Strategy?

A risk management strategy and statement of risk tolerance inclusive of information security and privacy risk. (A)