Which of the following is the BEST way to identify changes in the risk profile of an organization?

• A.Monitor key risk indicators (KRIs)
• B.Monitor key performance indicators (KPIs)
• C.Conduct a gap analysis
• D.Interview the risk owner

Comment: *

Name: *

Email: *

Verification: *

Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be.
You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room.
What should you do with this verbal demand for a change in the project?

• A.Include the change in the project scope immediately.
• B.Direct your project team to include the change if they have time.
• C.Do not implement the verbal change request.
• D.Report Jane to your project sponsor and then include the change.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is MOST important for an organization to have in place when developing a risk management framework?

• A.A strategic approach to risk including an established risk appetite
• B.A risk-based internal audit plan for the organization
• C.A control function within the risk management team
• D.An organization-wide risk awareness training program

Comment: *

Name: *

Email: *

Verification: *

FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?

• A.Annually
• B.Quarterly
• C.Every three years
• D.Never

Correct Answer: A

Explanation/Reference:
Explanation:
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:
Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not

test every policy, procedure, and practice. Instead, a representative sample is tested.
An assessment or report: This report identifies the agency's compliance as well as lists compliance with

FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by external organization is done annually, not quarterly or every three years.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the GREATEST advantage of implementing a risk management program?

• A.Promoting a risk-aware culture
• B.Improving security governance
• C.Enabling risk-aware decisions
• D.Reducing residual risk

Comment: *

Name: *

Email: *

Verification: *