Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

• A.Changes in methods used to calculate probability
• B.Frequent use of risk acceptance as a treatment option
• C.Qualitative measures for potential loss events
• D.Changes in owners for identified IT risk scenarios

Comment: *

Name: *

Email: *

Verification: *

Who should be responsible for implementing and maintaining security controls?

• A.Data owner
• B.Internal auditor
• C.Data custodian
• D.End user

Comment: *

Name: *

Email: *

Verification: *

You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?

• A.Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.
• B.Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
• C.Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
• D.Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.
• E.Explanation:
  Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on
  overall project objectives. It is performed on risk that have been prioritized through the qualitative
  risk analysis process.
• F.is incorrect. This is actually the definition of qualitative risk analysis.
• G.is incorrect. While somewhat true, this statement does not completely define the
  quantitative risk analysis process.

Comment: *

Name: *

Email: *

Verification: *

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

• A.Successive assessments have the same recurring vulnerabilities.
• B.A high number of approved exceptions exist with compensating controls.
• C.Asset custodians are responsible for defining controls instead of asset owners.
• D.Redundant compensating controls are in place.

Comment: *

Name: *

Email: *

Verification: *

When evaluating enterprise IT risk management it is MOST important to:

• A.confirm the organization s risk appetite and tolerance
• B.report identified IT risk scenarios to senior management
• C.create new control processes to reduce identified IT risk scenarios
• D.review alignment with the organization's investment plan

Comment: *

Name: *

Email: *

Verification: *