DOMAIN 3—RISK RESPONSE AND REPORTING (32%)


Questions and Answers

What is the GREATEST concern for management regarding the outcomes of outsourcing noncore processes?

  • Subcontracting the processing of sensitive data (correct)
  • Disloyalty of vendor employees to the client enterprise
  • Total cost of ownership exceeding projections
  • Loss of internal information systems experience

When proposing a specific risk treatment, what does a risk practitioner PRIMARILY use?

  • Budgetary requirements
  • Business case (correct)
  • Technical evaluation report
  • Vulnerability assessment report

Which of the following is MOST important for effective risk management?

  • Assigning risk owners to identified risks (correct)
  • Ensuring compliance with regulatory requirements
  • Implementing a risk avoidance strategy
  • Integrating risk management into operational processes

An enterprise has outsourced business functions, including IT, to a firm in another country. What question should a risk professional ask FIRST?

  • Are specific security controls mandated in the outsourcing agreement? (A) (correct)

Which activity provides the BEST basis for establishing risk ownership?

  • Mapping identified risks to a specific business process (D) (correct)

A risk response report includes which of the following recommendations?

  • Acceptance (C) (correct)

Which type of risk is MOST likely to be reduced to achieve acceptable risk?

  • Residual risk (A) (correct)

A company decided not to take action on a denial-of-service vulnerability. What is the MOST likely reason for this?

  • The cost of the countermeasure outweighs potential loss (C) (correct)

Which factor is MOST relevant in a cost-benefit analysis of a two-factor authentication system?

  • Total cost of ownership (B) (correct)

Which provision is the MOST important part of any outsourcing contract?

  • Provisions to assess compliance of the provider (C) (correct)

Which poses the GREATEST risk to an enterprise that engaged a cloud provider?

  • The service level agreement is ambiguous (B) (correct)

When a risk cannot be mitigated sufficiently with manual or automatic controls, which option BEST protects the enterprise from financial impact?

  • Insuring against the risk (A) (correct)

Following a risk assessment, the cost to mitigate exceeds the benefit. What is the BEST risk response?

  • Accept the risk (D) (correct)

Senior management is reviewing feedback about service disruptions and sets up a project team. Which risk management activity will MOST benefit this initiative?

  • Develop IT risk scenarios (B) (correct)

A risk practitioner learns that equipment delivery will be delayed by flooding. A reciprocal agreement exists with another company until it arrives. This is an example of risk:

  • mitigation (B) (correct)

Which of the following factors would BEST help an enterprise select an appropriate risk response?

  • An analysis of control costs and benefits (C) (correct)

Which of the following leads to the BEST optimal return on security investment?

  • Focusing on vital info assets and determining their protection (B) (correct)

Which control can reduce the potential impact of a malicious hacker who gains access to an administrator account?

  • Least privilege (C) (correct)

Which of the following is critical for effective risk management?

  • Risk owners and accountability (D) (correct)

When the cost of anti-malware exceeds loss expectancy of malware, what is the MOST viable risk response?

  • Risk acceptance (D) (correct)

Which of the following is the BEST example of risk avoidance behavior?

  • Exiting the process that gives rise to risk (D) (correct)

Which would ensure critical dependencies are addressed in the risk treatment plan?

  • Verify business goals through a top-down review (A) (correct)

A CISO suggests anti-malware to protect systems. What approach is the CISO recommending?

  • Risk mitigation (B) (correct)

Which BEST mitigates risks associated with outsourcing?

  • Performing audits to verify contract compliance (C) (correct)

Which is BEST addressed by transferring risk?

  • Building in a 100-year floodplain (C) (correct)

What would BEST finalize the risk treatment plan?

  • Cost-benefit analysis (B) (correct)

What is the GREATEST benefit of implementing a risk treatment plan?

  • To reduce the impact and likelihood of risk occurrence (C) (correct)

What is the BEST method to validate the effectiveness of patching?

  • Carry out vulnerability scans (D) (correct)

What is the MOST important factor when designing information systems controls in a complex environment?

  • Stakeholder requirements (C) (correct)

A financial institution is testing its electronic funds transfer system upgrade. Which test benefits the risk practitioner MOST?

  • Identifies the introduction of potential gaps in security (C) (correct)

What is the BEST approach for creating key risk indicators for quarterly reporting to senior leadership?

  • Identify the enterprise risk appetite and metrics and measures of current risk (D) (correct)

An enterprise contracts a supplier to develop consumer product components. Risk tolerance levels are approved. Which can gauge risk that may trigger stakeholders to react?

  • Indicators with approved thresholds (D) (correct)

Which of the following controls within the user provision process BEST ensures revocation of system access for contractors and other temporary users when it is no longer required?

  • Establish predetermined, automatic expiration dates (C) (correct)

Which of the following BEST helps while presenting the current risk profile to executive management and the board of directors?

  • Risk register dashboard (A) (correct)

Which of the following is the MAIN reason senior management monitors and analyzes trends in key control indicators?

  • It proactively identifies impacts to the risk profile (A) (correct)

Risk treatment plans are necessary to describe how the:

  • Chosen treatment options will be implemented (C) (correct)

In the risk management process, a cost-benefit analysis is MAINLY performed:

  • As part of risk-response planning (C) (correct)

In the event that available resources for risk treatment are not sufficient, the risk treatment plan should:

  • Define the priorities across all treatments to assist in resource allocation (A) (correct)

System backup and restore procedures can BEST be classified as:

  • Corrective controls (D) (correct)

A PRIMARY reason for initiating a policy-exception process is:

  • The risk is justified by the benefit (C) (correct)

Which would BEST measure effectiveness of operational controls?

  • Key control indicator (A) (correct)

Security technologies should be selected PRIMARILY on the basis of their:

  • Ability to mitigate risk to organizational objectives (B) (correct)

Which of the following should be in place before a black box penetration test begins?

  • A clearly stated definition of scope (D) (correct)

Which is the BEST way to ensure a network is adequately secured against attack?

  • Perform periodic penetration testing (A) (correct)

Which is PRIMARILY defined before establishing key control indicators?

  • Desired tolerances (B) (correct)

Accurately checking tape log records involves:

  • Determining whether bar code readers are installed (C) (correct)

To BEST ensure that mitigation occurs, how should the appropriate mitigation be assigned?

  • Assign an action plan with deadlines to personnel (C) (correct)

Flashcards

Outsourcing risks

Ceding direct control of IT processes; increased risk when sensitive data is involved.

Business case

Used to illustrate costs and benefits of proposed risk responses.

Effective risk management

Assigning risk to individual owners to maximize accountability.

Outsourcing security contracts

Ensuring security requirements are clearly stated in the outsourcing contract.

Establishing risk ownership

Mapping identified risk to a specific business process.

Risk response report

Recommendations for acceptance.

Residual risk

The remaining risk after management has implemented a risk response.

Risk acceptance: When to use it

An enterprise may decide to accept a specific risk when the cost of the countermeasure exceeds the potential loss.

Cost-benefit analysis for authentication

Total cost of ownership.

Outsourcing contracts

Provisions to assess the compliance of the provider.

Greatest risk to cloud enterprise

The service level agreement is ambiguous.

Mitigating financial risk

Insuring against the risk.

Handling costly risk mitigation

The risk should be accepted.

Improving operations

Develop IT risk scenarios.

Equipment delay and agreements

Mitigation.

Selecting risk response

An analysis of control costs and benefits.

Optimal security investment

Focusing on the most important information assets and then determining their protection.

Reducing hacker impact

Least privilege.

Effective risk management program

Risk owners and accountability.

Viable risk response

Risk acceptance.

Risk avoidance behavior

Exiting the process that gives rise to risk.

Critical dependencies and the risk treatment plan

Verify the accomplishment of business objectives through a top-down process review.

CISO and Controls

Risk mitigation.

Mitigating Outsourcing Risks

Performing audits to verify compliance with contract requirements.

Best addressed by Risk Transfer

A building located in a 100-year flood plain.

Finalize Risk Treatment Plan

Cost-benefit analysis.

Greatest benefit of implementing a risk treatment plan

To reduce the impact and likelihood of risk occurrence.

BEST method to validate patching program

Carry out vulnerability scans.

Designing Info System controls

Stakeholder requirements.

Great Benefit from electronic funds transfer (EFT) test

Identifies the introduction of potential new gaps in security.

Creating key risk indicators (KRIs)

Identify the enterprise risk appetite and metrics and measures of current risk.

Gauge risk that may trigger stakeholder concern

Indicators with approved thresholds.

User systems access

Establish predetermined, automatic expiration dates.

Present risk profile to executive management

Risk register dashboard.

Reason senior management monitors trends

It proactively identifies impacts to the risk profile.

Treatment Plans

Chosen treatment options will be implemented.

Cost-benefit analysis

As part of risk-response planning.

Insufficient Resource

Define priorities across all treatments to assist in allocating resources.

System backup and restore procedures

Corrective controls.

Initiating a policy-exception process

Risk justified by the benefit.

Effectiveness of operational controls

Key control indicator.

Study Notes

Outcomes of Outsourcing Noncore Processes

  • Subcontracting the processing of sensitive data poses the greatest risk when outsourcing noncore processes.
  • This is due to the enterprise ceding direct control of its IT processes.
  • In contrast, total cost of ownership exceeding projections, loss of internal information systems experience, and lack of vendor loyalty are lesser concerns.
  • TCO exceeding projections is common because TCO is based on modeling, and some variation is expected.
  • Loss of internal IT experience is problematic for core processes, but not noncore ones.
  • Lack of vendor loyalty is typically managed through service level agreements.

Proposing Specific Risk Treatment

  • When proposing a specific risk treatment, a risk practitioner primarily uses a business case.
  • A manager should base any proposed response on a risk assessment in the context of objectives and requirements, compliance, and routine processes.
  • Business case development illustrates costs and benefits of risk response.
  • A technical evaluation report and a vulnerability assessment report supplement the business case.
  • Budgetary requirements represent one input into the business case.

Effective Risk Management

  • Assigning risk to individual owners is the most important for effective risk management because it maximizes accountability.
  • Regulatory compliance is a relatively small part of risk management.
  • Risk management should be integrated into strategic, tactical, and operational processes.
  • Risk avoidance is not always feasible in a business environment.

Outsourcing Arrangements

  • When outsourcing business functions to a firm in another country, including IT development, data hosting, and support, the direct enumeration of security requirements in the outsourcing contract or agreement becomes most important for a risk professional.
  • Policies and procedures and service level agreements are of secondary consideration.
  • Basing security programs on recognized international standards is also of secondary consideration.

Establishing Risk Ownership

  • Mapping an identified risk to a specific business process helps identify the prospective process owner.
  • Aggregation of related business processes helps identify the prospective risk owner.
  • Documenting interdependencies only helps identify the workflow.
  • RACI charts are too general to establish ownership.
  • Risk cannot be a shared responsibility.

Risk Response Report Recommendations

  • Risk response reports include recommendations for acceptance, an alternative considered in the risk response process.
  • Risk assessment, risk evaluation, and risk quantification are completed prior to determining appropriate risk responses.

Achieving Acceptable Risk

  • Residual risk is most likely to be reduced to achieve acceptable risk.
  • Residual risk is the remaining risk after management has deployed a risk response.
  • Inherent risk cannot be minimized, only avoided.
  • Control risk is incurred when controls fall short of their objectives, and it is not necessarily related to residual risk.
  • Risk appetite doesn't change with mitigation activities, and it represents the risk an entity is willing to accept.

Denial-of-Service Vulnerability

  • A global financial institution may decide to accept a specific risk associated with a denial-of-service vulnerability if the cost of the countermeasure outweighs the value of the asset and potential loss.
  • While countermeasures can be too complicated to deploy, it does not necessarily mean that they are cost prohibitive.
  • Any safeguards placed to prevent the risk need to match the risk impact.
  • The enterprise may decide to accept a specific risk because the protection would cost more than the potential loss, not because the frequency cannot be predicted.

Two-Factor Authentication System

  • Total cost of ownership is most relevant in a cost-benefit analysis of a two-factor authentication system given it establishes a cost baseline for the control's full life cycle.
  • The approved budget may have no bearing on the actual cost.
  • The relationship between the frequency of security incidents and the annual loss expectancy of security incidents can measure the benefit, but the relationship is indirect because not all security incidents may be mitigated by implementing a two-factor authentication system.

Outsourcing Contract Legalities

  • Having provisions to assess compliance of the provider secures the proper data handling better than other parameters in an outsourcing contract.
  • While service providers may allow for independent compliance auditing, it is of secondary importance.
  • Encryption and incident notifications are of secondary importance as well.

Cloud Provider Services

  • An ambiguous service level agreement poses the greatest risk to an enterprise that recently engaged cloud services because it is hard to determine provider compliance.
  • Other customer references are of secondary consideration because they cannot provide reasonable assurance that the vendor will deliver.
  • Additionally, third-party audit firms can report under Statement on Standards for Attestation Engagements No. 18 (SSAE 18).

Enterprise Financial Protection

  • When a risk cannot be sufficiently mitigated through manual or automatic controls, insuring against the risk will best protect the enterprise from the potential financial impact of the risk by transferring the risk to the insurance company.
  • Updating the risk register will not change the risk; it will only change management's perception of it.
  • Staff capacity to detect or mitigate the risk may potentially reduce the financial risk as well.

Cost of Mitigation

  • Risk should be accepted if the cost to mitigate the risk is much greater than the benefit to be derived.
  • Transferring or terminating the risk is not the best response: risk generally cannot be terminated, and treating the risk in the described scenario incurs a cost that is greater than the benefit to be derived.

Continuity of Operations

  • The relationship between IT risk scenarios and the business they impact must be established to understand the effects of possible adverse events on enterprise objectives.
  • Key risk indicators assist management in understanding potential changes in the control environment. A risk scenario more directly identifies circumstances that can adversely affect the enterprise's business or assets. Although risk and control ownership with clear lines of responsibility play an important role in managing risk
  • Risk items within the risk register help guide continuity and disaster recovery planning, but they are constructed narrowly.

Delayed IT Equipment Arrival

  • Because a reciprocal agreement exists with another company until the delayed equipment arrives, the enterprise mitigates the risk by reducing the impact when the risk event occurs; making plans such as reciprocal arrangements is risk mitigation.
  • Risk transfer is not the correct answer; transfer would involve insurance.
  • A standby arrangement is a risk mitigation strategy.
  • If the risk were accepted, the enterprise would continue operating without the equipment until it was delivered.

Adequate Risk Response

  • An analysis of costs and benefits for controls helps an enterprise understand if it can mitigate the risk to an acceptable level.
  • The degree of change in the risk environment does not provide sufficient information on actual controls and benefits to make a decision.
  • Risk can never be eliminated.

Security Investment Opportunity

  • Deploying maximum controls across all information assets will overprotect some less critical information assets; therefore, investment will not be optimized.
  • The primary focus should be identifying the important information assets and protecting them appropriately to optimize investment (i.e., important information assets get more protection than less important or critical assets).
  • Deploying minimum protection across all information assets does not optimize security for the given assets; therefore, investment will not be optimized.
  • Investing only after a major security event is a reactive approach that may severely compromise business operations in some cases, to the extent that the business does not survive.

Administrator Account

  • Least privilege is used to reduce impact from a malicious hacker who gains access to an administrator account.
  • However, given that administrators in many large enterprises specialize in particular areas, hackers often target administrative accounts because they are understood to be exempt from controls and have the widest scope of permission.
  • Even in small enterprises (where one person holds multiple roles) least privilege can reduce losses that otherwise may result from compromised accounts.
  • Multifactor authentication safeguards against access without authorization, and the frequency of password changes alone is likely not enough to control access.

Effective Risk Management Program

  • Critical to an effective risk management program is that risk owners are identified, are accountable, and make cost-effective business decisions regarding controls for the risk they own.
  • The risk response strategy, risk register, and risk profiles are tools that still require owners to apply them and to be accountable.

Most Viable Risk Response

  • Acceptance of a risk is most viable when the cost of anti-malware exceeds the loss expectancy of malware threats.
  • Risk elimination is not a risk response, because it is not possible to reduce risk to zero.
  • Decisions to transfer or mitigate should be based on the expected cost.

Best Example of Risk Avoidance

  • "Exiting the process that gives rise to risk" provides the best example of risk avoidance behavior.
  • Not taking action is an example of risk acceptance, when it is an informed decision by management.
  • Outsourcing a process is an example of risk transfer.

Risk Treatment Dependencies and CISO Recommendations

  • Verifying business goals through a top-down process review, within economically feasible constraints, is how to ensure critical dependencies are addressed in the risk treatment plan.
  • A CISO recommending several controls, such as anti-malware, to protect the enterprise's information systems is an example of risk mitigation.
  • Risk acceptance involves making an educated decision to accept the risk and taking no action.
  • Risk transfer involves transferring the risk to another entity.

Best Risk Mitigation Practice for Outsourcing

  • Performing regular audits to verify that the vendor is compliant with contract requirements is the best mitigation.
  • Reviewing vendor staff training and keeping a copy of sensitive data are unnecessary.
  • Although reviewing the finances of the vendor is common, solvency does not guarantee the vendor can function, so it is not the best way to address the risk.

Best Addressed by Transferring Risk

  • A building located in a 100-year flood plain.
  • Transferring risk would be of little use for a fire suppression system or for employee sabotage.
  • Removable media policies could proactively mitigate the risk of stolen media.

Risk Treatment Plan

  • A cost-benefit analysis helps determine if the benefit of a control outweighs the cost of implementing the control.
  • SWOT analysis and vulnerability analysis provide some benefit.

Greatest Benefit of a Risk Treatment Plan

  • Implementing the risk treatment plan reduces the negative impact and likelihood of a risk occurrence.
  • It does not change the risk appetite, and transferring is not the only response option.

Validating Effectiveness of Patching

  • Performing vulnerability scans is the best method to validate the effectiveness of patching.
  • Conducting testing can elevate risk.
  • Change requests do not by themselves mean a patch has been applied.

Most Important Factor for Control Design

  • Stakeholder requirements are the most important factor when designing information system controls, ahead of factors such as development and scalability methodologies.

Most Benefit from System Testing

  • The financial institution's risk practitioner benefits most from a test that identifies the introduction of potential new gaps in security, rather than from tests of the system's performance, volumes, or recovery.

Reporting to Senior Leadership

  • Key risk indicators should be measured quantitatively and monitored appropriately; surveying is not the best approach.
  • Listing vulnerabilities alone does not measure the risk, and indicators should not be based only on whatever data happens to be available.
  • When an enterprise has contracted an external supplier to develop critical components of a consumer product, indicators with approved thresholds are the most important aspect.

Revocation of System Access

  • Establishing predetermined, automatic expiration dates is the best means of revocation.

Presentation to Executive Management

  • A risk register dashboard provides a comprehensive overview of the risk profile, in contrast to individual indicators and reports.

Main Reason for Monitoring Key Control Indicators

  • Analysis of KCI trends proactively identifies impacts to the risk profile and ensures that controls actually mitigate risk at an effective level.
