Certified in Risk and Information Systems Control v1.0

Answer : A

Information about the propriety of cutoff is a kind of direct information.
Incorrect Answers:
B: Reports that show orders that were rejected for credit limitations provide indirect information that credit checking aspects of the system are working as intended.
C: Reports that provide information about any unusual deviations and individual product margins (whereby, the price of an item sold is compared to its standard cost) provide indirect information that controls over billing and pricing are operating.
D: The lack of any significant differences between perpetual levels and actual levels provides indirect information that its billing controls are operating.

Answer : A

A salience model defines and charts stakeholders' power, urgency, and legitimacy in the project.
The salience model is a technique for categorizing stakeholders according to their importance. The various difficulties faced by the project managers are as follows:
✑ How to choose the right stakeholders?
✑ How to prioritize competing claims of the stakeholders communication needs?
Stakeholder salience is determined by the evaluation of their power, legitimacy and urgency in the organization.
✑ Power is defined as the ability of the stakeholder to impose their will.
✑ Urgency is the need for immediate action.
✑ Legitimacy shows the stakeholders participation is appropriate or not.
The model allows the project manager to decide the relative salience of a particular stakeholder.
Incorrect Answers:
B: This defines the power/interest grid.
C: This defines an influence/impact grid.
D: This defines a power/influence grid.

Answer : A

Asset identification is the most crucial and first step in the risk assessment process. Risk identification, assessment and evaluation (analysis) should always be clearly aligned to assets. Assets can be people, processes, infrastructure, information or applications.

Answer : A

Risk indicators are metrics used to indicate risk thresholds, i.e., it gives indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about the potential risks.
Incorrect Answers:
B, D: Estimation of risk's consequence and priority for awareness is conducted by using probability and impact matrix. These matrices specify the mixture of probability and impact that directs to rating the risks as low, moderate, or high priority.
C: A risk scenario is a description of an event that can lay an impact on business, when and if it would occur.
Some examples of risk scenario are of:
✑ Having a major hardware failure
✑ Failed disaster recovery planning (DRP)
✑ Major software failure

Answer : AD

Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. This is the responsibility of the board to decide risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
The culture towards risk taking-cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursue of its objective fulfillment.
Incorrect Answers:
B: Alignment with risk-culture is also one of the factors but is not as important as these two.
C: Risk aware decision is not the factor, but is the result which uses risk appetite information as its input.

Answer : B

The risk monitoring and controlling is responsible for identifying new risks, determining the status of risks that may have changed, and determining which risks may be outdated in the project.
Incorrect Answers:
A: Risk planning creates the risk management plan and determines how risks will be identified, analyzed, monitored and controlled, and responded to.
C: Risk identification is a process that identifies risk events in the project.
D: Risk analysis helps determine the severity of the risk events, the risks' priority, and the probability and impact of risks.

Answer : B

The Single Loss Expectancy (SLE) of this project will be $31,250.
Single Loss Expectancy is a term related to Quantitative Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows:
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF) where the Exposure Factor represents the impact of the risk over the asset, or percentage of asset lost. As an example, if the Asset Value is reduced two third, the exposure factor value is .66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Single Loss
Expectancy is expressed.
Therefore,
SLE = Asset Value * Exposure Factor
= 125,000 * 0.25
= $31,250
Incorrect Answers:
A, C, D: These are not SLEs of this project.

Answer : ABD

The principles of access controls focus on availability, integrity, and confidentiality, as loss or danger is directly related to these three:
✑ Loss of confidentiality- Someone sees a password or a company's secret formula, this is referred to as loss of confidentiality.
✑ Loss of integrity- An e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site is referred to as loss of integrity.
✑ Loss of availability- An e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available comes under loss of availability.

Answer : C

Since the enterprise's internal and external environments are constantly changing, the risk environment is also highly dynamic, i.e., threats and vulnerabilities change over time. Hence KRIs need to be maintained to ensure that KRIs continue to effectively capture these changes.
Incorrect Answers:
A: Timely risk reporting is one of the business requirements, but is not the reason behind KRI maintenance.
B: While most key risk indicator metrics need to be optimized in respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time.
D: Avoiding risk is a type of risk response. Risk responses are based on KRI reporting.

Answer : A

Program Management control comes under management class of controls, not technical.
Program Management control is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA.
These controls complement other controls. They don't replace them.
Incorrect Answers:
B, C, D: These controls comes under technical class of control.
The Technical class of controls includes four families. These families include over 75 individual controls. Following is a list of each of the families in the Technical class:
✑ Access Control (AC): This family of controls helps an organization implement effective access control. They ensure that users have the rights and permissions they need to perform their jobs, and no more. It includes principles such as least privilege and separation of duties.
✑ Audit and Accountability (AU): This family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation.
Identification and Authentication (IA): These controls cover different practices to identify and authenticate users. Each user should be uniquely identified. In

other words, each user has one account. This account is only used by one user. Similarly, device identifiers uniquely identify devices on the network.
✑ System and Communications Protection (SC): The SC family is a large group of controls that cover many aspects of protecting systems and communication channels. Denial of service protection and boundary protection controls are included. Transmission integrity and confidentiality controls are also included.

Answer : C

Mary is using brainstorming in this example. Brainstorming attempts to create a comprehensive list of risks and often is led by a moderator or facilitator to move the process along.
Brainstorming is a technique to gather general data. It can be used to identify risks, ideas, or solutions to issues by using a group of team members or subject- matter expert. Brainstorming is a group creativity technique that also provides other benefits, such as boosting morale, enhancing work enjoyment, and improving team work.
Incorrect Answers:
A: The Delphi technique uses rounds of anonymous surveys to generate a consensus on the identified risks.
B: Expert judgment is not the best answer for this; projects experts generally do the risk identification, in addition to the project team.
D: Checklist analysis uses historical information and information from similar projects within the organization's experience.

Answer : C

Answer : D

The risk management plan, part of the comprehensive management plan, defines how risks will be identified, analyzed, monitored and controlled, and even responded to.
A Risk management plan is a document arranged by a project manager to estimate the effectiveness, predict risks, and build response plans to mitigate them. It also consists of the risk assessment matrix.
Risks are built in with any project, and project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of analysis of possible risks with both high and low impacts, and the mitigation strategies to facilitate the project and avoid being derailed through which the common problems arise. Risk management plans should be timely reviewed by the project team in order to avoid having the analysis become stale and not reflective of actual potential project risks. Most critically, risk management plans include a risk strategy for project execution.
Incorrect Answers:
A: The project plan is not an official PMBOK project management plan.
B: The resource management plan defines the management of project resources, such as project team members, facilities, equipment, and contractors.
C: The project management plan is a comprehensive plan that communicates the intent of the project for all project management knowledge areas.

Answer : D

All risks, their responses, and other characteristics are documented in the risk register. As the project progresses and the conditions of the risk events change, the risk register should be updated to reflect the risk conditions.
Incorrect Answers:
A: The risk management plan addresses the project management's approach to risk management, risk identification, analysis, response, and control.
B: The project management plan is the overarching plan for the project, not the specifics of the risk responses and risk identification.
C: The risk response plan only addresses the planned risk responses for the identified risk events in the risk register.