Risk Assessment Inputs

What is the purpose of applying risk assessments in an organization?

To identify, estimate, and prioritize risks to the organization's mission and assets

Which of the following is NOT listed as a potential input for conducting risk assessments?

Non-disclosure agreements with employees

What is the expected output of conducting organization-level risk assessments?

Organizationally-tailored control baselines and Cybersecurity Framework Profiles

Which of the following is an optional task for organizations to complete related to risk assessments?

Implementing organizationally-tailored control baselines and Cybersecurity Framework Profiles Signup and view all the answers

In the context of risk assessments, what do 'organizationally-tailored control baselines' refer to?

Specific security measures customized for a particular organization Signup and view all the answers

What type of information can be obtained from continuous monitoring for use in risk assessments?

Security and privacy information Signup and view all the answers

What is the primary purpose of a system-level risk assessment?

To identify potential threats and vulnerabilities in the system Signup and view all the answers

What are the key components of a system-level risk assessment according to the text?

Identification of threat sources, threat events, asset vulnerabilities, likelihood of exploitation, and impact of asset loss Signup and view all the answers

What is the purpose of prioritizing system assets based on the adverse impact or consequence of asset loss?

To update the risk assessment results on an ongoing basis Signup and view all the answers

What is the expected output of Task P-13 according to the text?

Documentation of the stages through which information passes in the system Signup and view all the answers

Which of the following is NOT a key component of a system-level risk assessment according to the text?

Determination of the expected financial cost of implementing security controls Signup and view all the answers

Which of the following is the MOST accurate description of the purpose of Task P-14, Risk Assessment—System?

To conduct a system-level risk assessment and update the risk assessment results on an ongoing basis Signup and view all the answers

What is the primary purpose of Task P-2, Risk Management Strategy?

To establish a risk management strategy for the organization, including a determination of risk tolerance. Signup and view all the answers

What is the primary function of risk tolerance in the organization's risk management process?

All of the above Signup and view all the answers

Which of the following is NOT listed as a potential input of Task P-2, Risk Management Strategy?

Organizational risk assessment results Signup and view all the answers

What is the primary purpose of Task P-3, Risk Assessment—Organization?

To assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis. Signup and view all the answers

Which of the following is NOT a key feature of risk tolerance in the organization's risk management process?

It is determined independently of the organization's risk assessment results. Signup and view all the answers

Which of the following is listed as an expected output of Task P-2, Risk Management Strategy?

A risk management strategy and statement of risk tolerance inclusive of information security and privacy risk. Signup and view all the answers