Which of the following will BEST help in communicating strategic risk priorities?

• A.Heat map
• B.Risk register
• C.Business impact analysis (BIA)
• D.Balanced Scorecard

Comment: *

Name: *

Email: *

Verification: *

Which of the following controls do NOT come under technical class of control?

• A.Program management control
• B.System and Communications Protection control
• C.Identification and Authentication control
• D.Access Control

Correct Answer: A

Explanation/Reference:
Explanation:
Program Management control comes under management class of controls, not technical.
Program Management control is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement other controls. They don't replace them.
Incorrect Answers:
B, C, D: These controls comes under technical class of control.
The Technical class of controls includes four families. These families include over 75 individual controls.
Following is a list of each of the families in the Technical class:
Access Control (AC): This family of controls helps an organization implement effective access control.

They ensure that users have the rights and permissions they need to perform their jobs, and no more. It includes principles such as least privilege and separation of duties.
Audit and Accountability (AU): This family of controls helps an organization implement an effective audit

program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation.
Identification and Authentication (IA): These controls cover different practices to identify and

authenticate users. Each user should be uniquely identified. In other words, each user has one account. This account is only used by one user. Similarly, device identifiers uniquely identify devices on the network.
System and Communications Protection (SC): The SC family is a large group of controls that cover

many aspects of protecting systems and communication channels. Denial of service protection and boundary protection controls are included. Transmission integrity and confidentiality controls are also included.

Comment: *

Name: *

Email: *

Verification: *

To communicate the risk associated with IT in business terms, which of the following MUST be defined?

• A.Risk appetite of the organization
• B.Compliance objectives
• C.Organizational objectives
• D.Inherent and residual risk

Comment: *

Name: *

Email: *

Verification: *

What is the PRIMARY objective difference between an internal and an external risk management assessment reviewer?

• A.In quality of work
• B.In ease of access
• C.In profession
• D.In independence
• E.Explanation:
  Independence is the freedom from conflict of interest and undue influence. By the mere fact that the external auditors belong to a different entity, their independence level is higher than that of the reviewer inside the entity for which they are performing a review. Independence is directly linked to objectivity.

Comment: *

Name: *

Email: *

Verification: *

A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

• A.Applying risk factors
• B.Referencing risk event data
• C.Applying risk appetite
• D.Understanding risk culture

Comment: *

Name: *

Email: *

Verification: *