A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding. The risk practitioner should report that the associated risk has been:

• A.avoided
• B.deferred
• C.accepted
• D.mitigated

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

• A.Define and implement a data classification policy
• B.Implement mandatory encryption on data
• C.Conduct an awareness program for data owners and users.
• D.Maintain and review the classified data inventor.

Comment: *

Name: *

Email: *

Verification: *

When evaluating a number of potential controls for treating risk, it is MOST important to consider:

• A.risk tolerance and control complexity.
• B.inherent risk and control effectiveness.
• C.residual risk and cost of control.
• D.risk appetite and control efficiency.

Comment: *

Name: *

Email: *

Verification: *

You are the project manager of GHT project. You are performing cost and benefit analysis of control. You come across the result that costs of specific controls exceed the benefits of mitigating a given risk. What is the BEST action would you choose in this scenario?

• A.The enterprise may apply the appropriate control anyway.
• B.The enterprise should adopt corrective control.
• C.The enterprise may choose to accept the risk rather than incur the cost of mitigation.
• D.The enterprise should exploit the risk.

Correct Answer: C

Explanation/Reference:
Explanation:
If the costs of specific controls or countermeasures (control overhead) exceed the benefits of mitigating a given risk the enterprise may choose to accept the risk rather than incur the cost of mitigation. This is done according to the principle of proportionality described in:
Generally accepted security systems principles (GASSP)

Generally accepted information security principles (GAISP)

Incorrect Answers:
A: When the cost of specific controls exceed the benefits of mitigating a given risk, then controls are not applied, rather risk is being accepted.
B: As the cost of control exceeds the benefits of mitigating a given risk, hence no control should be applied.
Corrective control is a type of control and hence it should not be adopted.
D: The risk is being exploited when there is an opportunity, i.e., the risk is positive. But here in this case, negative risk exists as it needs mitigation. So, exploitation cannot be done.

Comment: *

Name: *

Email: *

Verification: *

Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

• A.The KRIs' source data lacks integrity.
• B.The KRIs do not allow for trend analysis.
• C.The KRIs are not quantitative.
• D.The KRIs are not automated.

Comment: *

Name: *

Email: *

Verification: *