Question 1
The risk treatment option of applying controls to reduce risk is known as:
Question options:
- Risk Modification or Mitigation
- Risk Retention or Acceptance
- Risk Avoidance or Elimination
- Risk Sharing or Transfer
Question 2
The risk treatment option of deliberately operating without applying one of the other treatment options available is known as:
Question options:
- Risk Retention or Acceptance
- Risk Avoidance or Elimination
- Risk Modification or Mitigation
- Risk Sharing or Transfer
Question 3
A security policy must be written so that it can be understood by:
Question options:
- The CEO
- Its Target Audience
- The Security Team
- The CISO
Question 4
These are created by various third-party organizations and are designed to provide a framework to assist organizations in building their information security program.
Question options:
- Policies
- Standards
- Procedures
- Laws
Question 5
Residual risk is defined as:
Question options:
- Risk that remains after controls are implemented
- Risk from a 3rd party vendor
- Risk that is harmless
- The total risk that exists
Question 6
Compliance is the act of conforming to:
Question options:
- Laws
- All stated requirements
- Contracts
- Policies
Question 7
The risk treatment option of reassigning accountability for a risk to another entity or organization is known as:
Question options:
- Risk Sharing or Transfer
- Risk Retention or Acceptance
- Risk Modification or Mitigation
- Risk Avoidance or Elimination
Question 8
These exist to guide the processes of identifying, treating, and monitoring information security risks in an organization.
Question options:
- Security Operations Centers
- Security Policies
- Risk Management Frameworks
- Threat Intelligence Feeds
Question 9
Controls are implemented to:
Question options:
- Develop Processes
- Change Policies
- Mitigate Risks
- Provide Data
Question 10
__________ is a central repository where risks and risk treatments are stored and regularly reviewed.
Question options:
- Quantitative Assessment
- Risk Registry
- Qualitative Assessment
- Risk Treatment Plan
Question 11
If you were CISO of a company that primarily does business with the U.S. government and had to design an information security program, which framework would be most appropriate?
Question options:
- HITRUST Common Security Framework (CSF)
- NIST 800 series
- ISO 27001
- PCI DSS
Question 12
What financial tool would a CISO use to ensure that the cost of security controls cannot exceed the value of the information or assets being protected?
Question options:
- Return on Investment (ROI)
- Net Present Value (NPV)
- Internal Rate of Return (IRR)
- Cost Benefit Analysis (CBA)
Question 13
Which of the following has the least impact on the development of an organization’s information security policies, standards, and procedures?
Question options:
- Best practices
- Standards
- Regulations
- Laws
Question 14
Governance, Risk, and _______ are the 3 things that account for nearly half of a CISO’s time.
Question options:
- Vendor Management
- Compliance
- Training
- Audits
Question 15
If a risk would cause $800,000 in damages and $200,000 in clean-up costs, and the likelihood of the risk manifesting is 5% per year, what would be the Annual Loss Expectancy (ALE)?
Question options:
- $1 million
- $800,000
- $200,000
- $50,000
Question 16
The maturity of an organization influences its corporate governance, which in turn influences the governance of the information security program. What size of company would be more likely to have a higher level of maturity?
Question options:
- Small
- None of the listed choices are correct.
- Large
- Medium
Question 17
How would you demonstrate an organization’s commitment to adhere to legal and regulatory requirements?
Question options:
- Implementing controls to mitigate risk.
- Audit findings.
- A properly written security policy.
- Developing appropriate security procedures.
Question 18
In the case of business leadership choosing an alternate risk treatment than what the CISO recommended, what position does the CISO take?
Question options:
- The CISO should support the decision and ensure the risk treatment is implemented.
- The CISO should conduct another risk analysis to ensure the risk treatment recommended is the most appropriate.
- The CISO should refuse to implement the alternate risk treatment.
- The CISO should shift from being an advisor to advocating for the recommended risk treatment.