Which of the following helps ensure compliance with a non-repudiation policy requirement for electronic transactions?
Correct Answer: A
Section: Volume D
Question 352
The MAIN goal of the risk analysis process is to determine the:
Correct Answer: B
Question 353
In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
Correct Answer: C
Question 354
You are working in an enterprise. Your project deals with important files that are stored on the computer. You have identified the risk of the failure of operations. To address this risk of failure, you have guided the system administrator to sign off on the daily backup. This scenario is an example of which of the following?
Correct Answer: D
Explanation/Reference:
Explanation: Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. In this scenario, you are trying to reduce the risk of operation failure by guiding the administrator to take a daily backup, hence it is risk mitigation. Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. The main control types are:
- Managerial (e.g., policies)
- Technical (e.g., tools such as firewalls and intrusion detection systems)
- Operational (e.g., procedures, separation of duties)
- Preparedness activities
Incorrect Answers:
A: The scenario does not describe risk avoidance. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk.
B: The scenario does not describe the sharing of risk. Transference is the strategy that provides for sharing risk with partners or taking insurance coverage.
C: The scenario does not describe risk acceptance. Acceptance is a strategy that provides for formal acknowledgment of the existence of a risk and the monitoring of that risk.
Question 355
Which of the following phases are involved in Data Extraction, Validation, Aggregation and Analysis?
Correct Answer: B
Section: Volume B
Explanation: The basic concepts related to data extraction, validation, aggregation and analysis are important, as KRIs often rely on digital information from diverse sources. The phases involved are:
* Requirements gathering: A detailed plan and the project's scope are required for monitoring risks. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.
* Data access: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction:
- Extracting data directly from the source systems after system owner approval
- Receiving data extracts from the system custodian (IT) after system owner approval
Direct extraction is preferred, especially since this involves management monitoring its own controls, instead of auditors/third parties monitoring management's controls. If it is not feasible to get direct access, a data access request form that details the appropriate data fields to be extracted should be submitted to the data owners. The request should specify the method of delivery for the file.
* Data validation: Data validation ensures that extracted data are ready for analysis. One of its important objectives is to perform tests examining the data quality to ensure data are valid, complete and free of errors. This may also involve making data from different sources suitable for comparative analysis. The following concepts should be considered while validating data:
- Ensure the validity, i.e., data match definitions in the table layout
- Ensure that the data are complete
- Ensure that extracted data contain only the data requested
- Identify missing data, such as gaps in sequence or blank records
- Identify and confirm the validity of duplicates
- Identify the derived values
- Check whether the data given are reasonable
- Identify the relationship between table fields
- Record, in a transaction or detail table, that the record has no match in a master table
* Data analysis: Analysis of data involves a simple set of steps or a complex combination of commands and other functionality. Data analysis is designed to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions.
* Reporting and corrective action: According to the requirements of the monitoring objectives and the technology being used, the reporting structure and distribution are decided. Reporting procedures indicate to whom outputs from the automated monitoring process are distributed so that they are directed to the right people, in the right format, etc. Similar to the data analysis stage, reporting may also identify areas in which changes to the sensitivity of the reporting parameters or the timing and frequency of the monitoring activity may be required.
Incorrect Answers:
D: These are the phases that are involved in risk management.