Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

• A.Declare a security breach and Inform management.
• B.Conduct a comprehensive compliance review.
• C.Investigate the root cause of noncompliance.
• D.Develop incident response procedures for noncompliance.

Comment: *

Name: *

Email: *

Verification: *

Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

• A.Test and production programs are in distinct libraries.
• B.The programming project leader solely reviews test results before approving the transfer to production.
• C.A synchronized migration of executable and source code from the test environment to the production environment is allowed.
• D.Only operations personnel are authorized to access production libraries.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is NOT true for effective risk communication?

• A.Risk information must be known and understood by all stakeholders.
• B.Use of technical terms of risk
• C.Any communication on risk must be relevant
• D.For each risk, critical moments exist between its origination and its potential business consequence

Correct Answer: B

Explanation/Reference:
Explanation:
For effective communication, information communicated should not inundate the recipients. All ground rules of good communication apply to communication on risk. This includes the avoidance of jargon and technical terms regarding risk because the intended audiences are generally not deeply technologically skilled. Hence use of technical terms is avoided for effective communication Incorrect Answers:
A, C, D: These all are true for effective risk communication. For effective risk communication the risk information should be clear, concise, useful and timely. Risk information must be known and understood by all the stakeholders. Information or communication should not overwhelm the recipients. This includes the avoidance of technical terms regarding risk because the intended audiences are generally not much technologically skilled.
Any communication on risk must be relevant. Technical information that is too detailed or is sent to inappropriate parties will hinder, rather than enable, a clear view of risk. For each risk, critical moments exist between its origination and its potential business consequence.
Information should also be aimed at the correct target audience and available on need-to-know basis.
Hence for effective risk communication risk information should be:
Clear

Concise

Useful

Timely given

Aimed at the correct audience

Available on need-to-know basis

Comment: *

Name: *

Email: *

Verification: *

Which of the following are the common mistakes while implementing KRIs?
Each correct answer represents a complete solution. Choose three.

• A.Choosing KRIs that are difficult to measure
• B.Choosing KRIs that has high correlation with the risk
• C.Choosing KRIs that are incomplete or inaccurate due to unclear specifications
• D.Choosing KRIs that are not linked to specific risk

Correct Answer: A,C,D

Explanation/Reference:
Explanation:
A common mistake when implementing KRIs other than selecting too many KRIs includes choosing KRIs that are:
Not linked to specific risk

Incomplete or inaccurate due to unclear specifications

Too generic

Difficult to aggregate, compare and interpret

Difficult to measure

Incorrect Answers:
B: For ensuring high reliability of the KRI, The indicator must possess a high correlation with the risk and be a good predictor or outcome measure. Hence KRIs are chosen that has high correlation with the risk.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the PRIMARY reason to perform ongoing risk assessments?

• A.The risk environment is subject to change.
• B.New system vulnerabilities emerge at frequent intervals.
• C.Emerging risk must be continuously reported to management.
• D.The information security budget must be justified.

Comment: *

Name: *

Email: *

Verification: *