Central Washington University Science Worksheet

The risk treatment option of applying controls to reduce risk is known as:

Question options:
- Risk Modification or Mitigation
- Risk Retention or Acceptance
- Risk Avoidance or Elimination
- Risk Sharing or Transfer

Question 2 0 / 4 points

The risk treatment option of deliberately operating without applying one of the other treatment options available is known as

Question options:
- Risk Retention or Acceptance
- Risk Avoidance or Elimination
- Risk Modification or Mitigation
- Risk Sharing or Transfer

Question 3 4 / 4 points

A security policy must be so written that it can be understood by

Question options:
- The CEO
- Its Target Audience
- The Security Team
- The CISO

Question 4 4 / 4 points

These are created by various third-party organizations and are designed to provide a framework to assist organizations in building their information security program

Question options:
- Policies
- Standards
- Procedures
- Laws

Question 5 4 / 4 points

Residual risk is defined as

Question options:
- Risk that remains after controls are implemented
- Risk from a 3rd party vendor
- Risk that is harmless
- The total risk that exists

Question 6 4 / 4 points

Compliance is the act of conforming to:

Question options:
- Laws
- All stated requirements
- Contracts
- Policies

Question 7 0 / 4 points

The risk treatment option of reassigning accountability for a risk to another entity or organization is known as

Question options:
- Risk Sharing or Transfer
- Risk Retention or Acceptance
- Risk Modification or Mitigation
- Risk Avoidance or Elimination

Question 8 4 / 4 points

These exist to guide the processes of identifying, treating, and monitoring information security risks in an organization.

Question options:
- Security Operations Centers
- Security Policies
- Risk Management Frameworks
- Threat Intelligence Feeds

Question 9 0 / 4 points

Controls are implemented to:

Question options:
- Develop Processes
- Change Policies
- Mitigate Risks
- Provide Data

Question 10 4 / 4 points

__________ is a central repository where risks and risk treatments are stored and regularly reviewed.

Question options:
- Quantitative Assessment
- Risk Registry
- Qualitative Assessment
- Risk Treatment Plan

Question 11 0 / 6 points

If you were CISO of a company that primarily does business with the U.S. government and had to design an information security program, which framework would be most appropriate?

Question options:
- HITRUST Common Security Framework (CSF)
- NIST 800 series
- ISO 27001
- PCI DSS

Question 12 0 / 6 points

What financial tool would a CISO use to ensure that the cost of security controls cannot exceed the value of the information or assets being protected?

Question options:
- Return on Investment (ROI)
- Net Present Value (NPV)
- Internal Rate of Return (IRR)
- Cost Benefit Analysis (CBA)

Question 13 0 / 6 points

Which of the following articles has the least impact on the development of an organization’s information security policies, standards, and procedures?

Question options:
- Best practices
- Standards
- Regulations
- Laws

Question 14 0 / 6 points

Governance, Risk, and _______ are the 3 things that account for nearly half of a CISO’s time.

Question options:
- Vendor Management
- Compliance
- Training
- Audits

Question 15 6 / 6 points

If a risk would cause $800,000 in damages and $200,000 in clean-up costs and the likelihood of the risk manifesting is 5%, what would be the Annual Loss Expectation?

Question options:
- $1 million
- $800,000
- $200,000
- $50,000

Question 16 0 / 10 points

The maturity of an organization influences governance which influences the governance of the information security program. What size company would be more likely to have a higher level of maturity?

Question options:
- Small
- None of the listed choices are correct.
- Large
- Medium

Question 17 0 / 10 points

How would you demonstrate an organization’s commitment to adhere to legal and regulatory requirements?

Question options:
- Implementing controls to mitigate risk.
- Audit findings.
- A properly written security policy.
- Develop appropriate security procedures.

Question 18 0 / 10 points

If business leadership chooses a different risk treatment from the one the CISO recommended, what position does the CISO take?

Question options:
- The CISO should support the decision and ensure the risk treatment is implemented.
- The CISO should conduct another risk analysis to ensure the risk treatment recommended is the most appropriate.
- The CISO should refuse to implement the alternate risk treatment.
- The CISO should shift from being an advisor to advocate for the recommended risk treatment.
