Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 21
During which phase of development is it MOST appropriate to begin assessing the risk of a new application system?
Risk should be addressed as early in the development of a new application system as possible. In some cases, identified risks could be mitigated through design changes. If needed changes are not identified until design has already commenced, such changes become more expensive. For this reason, beginning risk assessment during the design, development or testing phases is not the best solution.
The MOST effective way to incorporate risk management practices into existing production systems is through:
- policy development.
- change management.
- awareness training.
- regular monitoring.
Change is a process in which new risks can be introduced into business processes and systems. For this reason, risk management should be an integral component of the change management process. Policy development, awareness training and regular monitoring, although all worthwhile activities, are not as effective as change management.
Which of the following would be MOST useful in developing a series of recovery time objectives (RTOs)?
- Gap analysis
- Regression analysis
- Risk analysis
- Business impact analysis
Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs relate to the financial impact of a system not being available. A gap analysis is useful in addressing the differences between the current state and an ideal future state. Regression analysis is used to test changes to program modules. Risk analysis is a component of the business impact analysis.
The recovery time objective (RTO) is reached at which of the following milestones?
- Disaster declaration
- Recovery of the backups
- Restoration of the system
- Return to business as usual processing
The recovery time objective (RTO) is based on the amount of time required to restore a system; disaster declaration occurs at the beginning of this period. Recovery of the backups occurs shortly after the beginning of this period. Return to business as usual processing occurs significantly later than the RTO. RTO is an “objective,” and full restoration may or may not coincide with the RTO. RTO can be the minimum acceptable operational level, far short of normal operations.
Which of the following results from the risk assessment process would BEST assist risk management decision making?
- Control risk
- Inherent risk
- Risk exposure
- Residual risk
Residual risk provides management with sufficient information to decide to the level of risk that an organization is willing to accept. Control risk is the risk that a control may not succeed in preventing an undesirable event. Risk exposure is the likelihood of an undesirable event occurring. Inherent risk is an important factor to be considered during the risk assessment.
The decision on whether new risks should fall under periodic or event-driven reporting should be based on which of the following?
- Mitigating controls
- Visibility of impact
- Likelihood of occurrence
- Incident frequency
Visibility of impact is the best measure since it manages risks to an organization in the timeliest manner. Likelihood of occurrence and incident frequency are not as relevant. Mitigating controls is not a determining factor on incident reporting.
Risk acceptance is a component of which of the following?
Risk acceptance is one of the alternatives to be considered in the risk mitigation process. Assessment and evaluation are components of the risk analysis process. Risk acceptance is not a component of monitoring.
Risk management programs are designed to reduce risk to:
- a level that is too small to be measurable.
- the point at which the benefit exceeds the expense.
- a level that the organization is willing to accept.
- a rate of return that equals the current cost of capital.
Risk should be reduced to a level that an organization is willing to accept. Reducing risk to a level too small to measure is impractical and is often cost-prohibitive. To tie risk to a specific rate of return ignores the qualitative aspects of risk that must also be considered. Depending on the risk preference of an organization, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Therefore, choice C is a more precise answer.
A risk assessment should be conducted:
- once a year for each business process and subprocess.
- every three to six months for critical business processes.
- by external parties to maintain objectivity.
- annually or whenever there is a significant change.
Risks are constantly changing. Choice D offers the best alternative because it takes into consideration a reasonable time frame and allows flexibility to address significant change. Conducting a risk assessment once a year is insufficient if important changes take place. Conducting a risk assessment every three-to-six months for critical processes may not be necessary, or it may not address important changes in a timely manner. It is not necessary for assessments to be performed by external parties.
The MOST important function of a risk management program is to:
- quantify overall risk.
- minimize residual risk.
- eliminate inherent risk.
- maximize the sum of all annualized loss expectancies (ALEs).
A risk management program should minimize the amount of risk that cannot be otherwise eliminated or transferred; this is the residual risk to the organization. Quantifying overall risk is important but not as critical as the end result. Eliminating inherent risk is virtually impossible. Maximizing the sum of all ALEs is actually the opposite of what is desirable.
Which of the following risks would BEST be assessed using qualitative risk assessment techniques?
- Theft of purchased software
- Power outage lasting 24 hours
- Permanent decline in customer confidence
- Temporary loss of e-mail due to a virus attack
A permanent decline in customer confidence does not lend itself well to measurement by quantitative techniques. Qualitative techniques are more effective in evaluating things such as customer loyalty and goodwill. Theft of software, power outages and temporary loss of e-mail can be quantified into monetary amounts easier than can be assessed with quantitative techniques.
Which of the following will BEST prevent external security attacks?
- Static IP addressing
- Network address translation
- Background checks for temporary employees
- Securing and analyzing system access logs
Network address translation is helpful by having internal addresses that are nonroutable. Background checks of temporary employees are more likely to prevent an attack launched from within the enterprise. Static IP addressing does little to prevent an attack. Writing all computer logs to removable media does not help in preventing an attack.
In performing a risk assessment on the impact of losing a server, the value of the server should be calculated using the:
- original cost to acquire.
- cost of the software stored.
- annualized loss expectancy (ALE).
- cost to obtain a replacement.
The value of the server should be based on its cost of replacement. The original cost may be significantly different from the current cost and, therefore, not as relevant. The value of the software is not at issue because it can be restored from backup media. The ALE for all risks related to the server does not represent the server’s value.
A business impact analysis (BIA) is the BEST tool for calculating:
- total cost of ownership.
- priority of restoration.
- annualized loss expectancy (ALE).
- residual risk.
A business impact analysis (BIA) is the best tool for calculating the priority of restoration for applications. It is not used to determine total cost of ownership, annualized loss expectancy (ALE) or residual risk to the organization.
When residual risk is minimized:
- acceptable risk is probable.
- transferred risk is acceptable.
- control risk is reduced.
- risk is transferable.
Since residual risk is the risk that remains after putting into place an effective risk management program, it is probable that the organization will decide that it is an acceptable risk if sufficiently minimized. Transferred risk is risk that has been assumed by a third party, therefore its magnitude is not relevant. Accordingly, choices B and D are incorrect since transferred risk does not necessarily indicate whether risk is at an acceptable level. Minimizing residual risk will not reduce control risk.
Quantitative risk analysis is MOST appropriate when assessment data:
- include customer perceptions.
- contain percentage estimates.
- do not contain specific details.
- contain subjective information.
Percentage estimates are characteristic of quantitative risk analysis. Customer perceptions, lack of specific details or subjective information lend themselves more to qualitative risk analysis.
Which of the following is the MOST appropriate use of gap analysis?
- Evaluating a business impact analysis (BIA)
- Developing a balanced business scorecard
- Demonstrating the relationship between controls
- Measuring current state vs. desired future state
A gap analysis is most useful in addressing the differences between the current state and an ideal future state. It is not as appropriate for evaluating a business impact analysis (BIA), developing a balanced business scorecard or demonstrating the relationship between variables.
Identification and prioritization of business risk enables project managers to:
- establish implementation milestones.
- reduce the overall amount of slack time.
- address areas with most significance.
- accelerate completion of critical paths.
Identification and prioritization of risk allows project managers to focus more attention on areas of greater importance and impact. It will not reduce the overall amount of slack time, facilitate establishing implementation milestones or allow a critical path to be completed any sooner.
A risk analysis should:
- include a benchmark of similar companies in its scope.
- assume an equal degree of protection for all assets.
- address the potential size and likelihood of loss.
- give more weight to the likelihood vs. the size of the loss.
A risk analysis should take into account the potential size and likelihood of a loss. It could include comparisons with a group of companies of similar size. It should not assume an equal degree of protection for all assets since assets may have different risk factors. The likelihood of the loss should not receive greater emphasis than the size of the loss; a risk analysis should always address both equally.
The recovery point objective (RPO) requires which of the following?
- Disaster declaration
- Before-image restoration
- System restoration
- After-image processing
The recovery point objective (RPO) is the point in the processing flow at which system recovery should occur. This is the predetermined state of the application processing and data used to restore the system and to continue the processing flow. Disaster declaration is independent of this processing checkpoint. Restoration of the system can occur at a later date, as does the return to normal, after-image processing.