In which of the following risk management capability maturity levels risk appetite and tolerance are applied only during episodic risk assessments?

• A.Level 3
• B.Level 2
• C.Level 4
• D.Level 1

Correct Answer: D

Explanation/Reference:
Explanation:
An enterprise's risk management capability maturity level is 1 when:
There is an understanding that risk is important and needs to be managed, but it is viewed as a

technical issue and the business primarily considers the downside of IT risk.
Any risk identification criteria vary widely across the enterprise.

Risk appetite and tolerance are applied only during episodic risk assessments.

Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack

defensible rationale and enforcement mechanisms.
Risk management skills exist on an ad hoc basis, but are not actively developed.

Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.

Incorrect Answers:
A: In level 3 of risk management capability maturity model, local tolerances drive the enterprise risk tolerance.
B: In level 2 of risk management capability maturity model, risk tolerance is set locally and may be difficult to aggregate.
C: In level 4 of risk management capability maturity model, business risk tolerance is reflected by enterprise policies and standards reflect.

Comment: *

Name: *

Email: *

Verification: *

In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?

• A.Risk questionnaire
• B.Risk register
• C.Compliance manual
• D.Management assertion

Comment: *

Name: *

Email: *

Verification: *

Which of the following will BEST help an organization select a recovery strategy for critical systems?

• A.Review the business impact analysis.
• B.Conduct a root cause analysis.
• C.Analyze previous disaster recovery reports.
• D.Create a business continuity plan.

Comment: *

Name: *

Email: *

Verification: *

You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?

• A.Change request log
• B.Project archives
• C.Lessons learned
• D.Project document updates
• E.Explanation:
  The change request log records the status of all change requests, approved or declined. The change request log is used as an account for change requests and as a means of tracking their disposition on a current basis. The change request log develops a measure of consistency into the change management process. It encourages common inputs into the process and is a common estimation approach for all change requests. As the log is an important component of project requirements, it should be readily available to the project team members responsible for project delivery. It should be maintained in a file with read-only access to those who are not responsible for approving or disapproving project change requests.
• F.is incorrect. Lessons learned are not the correct place to document the status of a
  declined, or approved, change request.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

• A.Ensure the risk profile is defined and communicated.
• B.Obtain an objective view of process gaps and systemic errors.
• C.Obtain objective assessment of the control environment.
• D.Validate the threat management process.

Comment: *

Name: *

Email: *

Verification: *