Question 1

A given threat is usually associated with one risk

Accepted Answer

A threat can be associated with multiple risks. For example, a data breach threat can lead to risks such as financial loss, reputational damage, and legal penalties.

Question 2

If assessed using the NIST 800-39 framework, the risk estimate is an accurate measure of the IT risk facing the organization

Accepted Answer

The NIST 800-39 framework provides a structured approach to risk management, but the risk estimate is not always fully accurate as it depends on the quality and completeness of the data and assumptions used in the assessment.

Question 3

In the NIST 800-39 framework, risk monitoring&#10;A) Addresses how organizations respond to risks&#10;B) Identifies and aggregates the risks facing the organization&#10;C) Describes the environment in which risk-based decisions are made&#10;D) Evaluates the effectiveness of the organization's risk-management plan

Accepted Answer

Risk monitoring in the NIST 800-39 framework is focused on evaluating the effectiveness of the organization's risk-management plan. This includes monitoring the implementation of the plan, evaluating its effectiveness, and making adjustments as needed based on changes in the organization's risk environment. It does not address how organizations respond to risks (which is addressed in the NIST 800-30 framework), identify and aggregate risks facing the organization (which is addressed in the NIST 800-30 and 800-37 frameworks), or describe the environment in which risk-based decisions are made (which is addressed in the NIST 800-37 framework).

Question 4

Section 302 of the Sarbanes-Oxley act of 2002 specifies that&#10;A) Penalties for non-compliance with the law&#10;B) Attestations are made in accordance with PCAOB standards&#10;C) Signing officers take personal responsibility for the reported financial statements&#10;D) Privacy requirements for healthcare records

Accepted Answer

Section 302 of the Sarbanes-Oxley act of 2002 specifies that signing officers take personal responsibility for the reported financial statements. It requires the CEO and CFO to certify the accuracy and completeness of financial statements and disclosures, and to ensure that they fairly present, in all material respects, the financial condition of the company. Penalties for non-compliance with the act and attestations being made in accordance with PCAOB standards are covered under other sections of the act, while privacy requirements for healthcare records are not related to the Sarbanes-Oxley act.

Question 5

The motivation for the passage of the Sarbanes-Oxley act was&#10;A) Failure of Internet technologies&#10;B) Denial of culpability by senior executives for falsification of records&#10;C) To prevent stock market crashes&#10;D) To recover retiree savings

Accepted Answer

The Sarbanes-Oxley act was passed in response to corporate scandals such as Enron and WorldCom, where senior executives were found to have falsified financial records but denied culpability. The act aimed to improve corporate governance and accountability to prevent such scandals from happening again. The other options (A, C, and D) are not accurate reasons for the passage of this act.

Question 6

Section 404 of the Sarbanes-Oxley act of 2002 specifies that&#10;A) The signing officer has reviewed financial statements&#10;B) Penalties for non-compliance with the law&#10;C) Privacy requirements for healthcare records have been followed&#10;D) Attestations are made in accordance with PCAOB standards

Accepted Answer

Section 404 of the Sarbanes-Oxley Act requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting, and these attestations must be made in accordance with PCAOB standards.

Question 7

In the NIST 800-39 framework, risk response&#10;A) Addresses how organizations respond to risks&#10;B) Identifies and aggregates the risks facing the organization&#10;C) Describes the environment in which risk-based decisions are made&#10;D) Evaluates the effectiveness of the organization's risk-management plan

Accepted Answer

Risk response in the NIST 800-39 framework specifically addresses how organizations respond to risks.

Question 8

The NIST risk management framework includes&#10;A) Profits, losses&#10;B) Agent, action, asset&#10;C) Assets, threats, vulnerabilities, controls&#10;D) Frame, assess, monitor, respond

Accepted Answer

The NIST risk management framework involves a process that includes framing risk, assessing risk, monitoring risk, and responding to risk.

Question 9

The management model that guides the ISO risk management methodology is&#10;A) Toyota's Muda, Kaizen, Jidoka, Muri&#10;B) Juran's planning, control, improvement&#10;C) Shewart's mean, range, standard error&#10;D) Deming's Plan-Do-Check-Act

Accepted Answer

The ISO risk management methodology is guided by Deming's Plan-Do-Check-Act (PDCA) cycle. Deming's PDCA cycle is a continuous improvement model that involves the steps of planning, implementing, monitoring, and adjusting or improving a process. This model is commonly used in risk management to identify, assess, and mitigate risks in an organization. Therefore, the answer is D.

Question 10

IT risk is&#10;A) The risk associated with the use of IT in an organization&#10;B) A quantified measure of the potential damage caused by a specified threat&#10;C) IT resource or information that is to be protected&#10;D) Weaknesses in an IT system that can lead to a compromise of an asset

Accepted Answer

IT risk refers to the potential negative impact on an organization's objectives or operations that arises from the use of IT. It includes both the risk associated with the technology itself and the risk associated with how the technology is used within the organization. Therefore, option A is the best choice as it defines IT risk as the risk associated with the use of IT in an organization.

Question 11

A certain risk has a 1% likelihood of occurrence in the coming year. If the risk is observed, the organization estimates a loss of $1million. The risk is then assessed as&#10;A) 1%&#10;B) $1,000,000&#10;C) 1,000&#10;D) $10,000

Accepted Answer

The answer of A certain risk has a 1% likelihood...

Question 12

The Sarbanes-Oxley act applies to&#10;A) Internal control over financial reporting by publicly traded companies&#10;B) Internal control over financial reporting by all financial entities&#10;C) Privacy of healthcare information&#10;D) External audits of publicly traded companies

Accepted Answer

The answer of The Sarbanes-Oxley act applies to&#10;A) Internal control...

Question 13

Risk is&#10;A) A quantified measure of the potential damage caused by a specified threat&#10;B) Capabilities, intentions and attack methods of adversaries to cause harm to assets&#10;C) Resource or information that is to be protected&#10;D) Weaknesses in an information system that can lead to a compromise of an asset

Accepted Answer

The answer of Risk is&#10;A) A quantified measure of the...

Question 14

Risk is quantified by taking the product of&#10;A) Hours and hourly rates&#10;B) GDP and growth rate&#10;C) Likelihood and magnitude&#10;D) Risk frame and risk assessment

Accepted Answer

The answer of Risk is quantified by taking the product...

Question 15

As described in the text, a statement of a risk includes&#10;A) Agent, threat, asset, damage&#10;B) Agent, action, damage, threat&#10;C) Agent, action, asset, damage&#10;D) Threat, asset, action, damage

Accepted Answer

The answer of As described in the text, a statement...

Question 16

In the NIST 800-39 framework, risk assessment&#10;A) Addresses how organizations respond to risks&#10;B) Identifies and aggregates the risks facing the organization&#10;C) Describes the environment in which risk-based decisions are made&#10;D) Evaluates the effectiveness of the organization's risk-management plan

Accepted Answer

The answer of In the NIST 800-39 framework, risk assessment&#10;A)...

Question 17

A certain risk has a 1% likelihood of occurrence in the coming year. If the risk is observed, the organization estimates a loss of $1million. A second risk has a 15% likelihood of occurrence in the coming year. If the second risk is observed, the organization estimates a loss of $100,000. Comparing the two risks

A) Risk 2 is greater than risk 1
B) Risk 1 is greater than risk 2
C) Risk 2 is equal to risk 1
D) Risk 2 is negligible

Accepted Answer

The answer of A certain risk has a 1% likelihood...

Question 18

The NIST risk-management framework is specified in the NIST document&#10;A) 27002&#10;B) 404&#10;C) 800-39&#10;D) 27000

Accepted Answer

The answer of The NIST risk-management framework is specified in...

Question 19

In the NIST 800-39 framework, the risk frame&#10;A) Addresses how organizations respond to risks&#10;B) Identifies and aggregates the risks facing the organization&#10;C) Describes the environment in which risk-based decisions are made&#10;D) Evaluates the effectiveness of the organization's risk-management plan

Accepted Answer

The answer of In the NIST 800-39 framework, the risk...

Question 20

Risk management is&#10;A) A quantified measure of the potential damage caused by a specified threat&#10;B) Managing the financial impacts of unusual events&#10;C) Avoiding risks&#10;D) Avoiding uncertainty

Accepted Answer

The answer of Risk management is&#10;A) A quantified measure of...

Question 21

The verification of IT general controls as part of a SOX audit follows a&#10;A) Top-down procedure&#10;B) Bottom-up procedure&#10;C) Either of the above, depending upon the organization&#10;D) Both the above, to ensure comprehensive coverage

Accepted Answer

The answer of The verification of IT general controls as...

Question 22

Internal controls over financial reporting involve all of the following except&#10;A) A process&#10;B) Supervision of the company's principal executives&#10;C) Profit guidance&#10;D) Maintenance of records

Accepted Answer

The answer of Internal controls over financial reporting involve all...

Question 23

Section 906 of the Sarbanes-Oxley act of 2002 specifies&#10;A) Penalties for non-compliance with the law&#10;B) That the signing officer has reviewed financial statements&#10;C) Privacy requirements for healthcare records have been followed&#10;D) That attestations are made in accordance with PCAOB standards

Accepted Answer

The answer of Section 906 of the Sarbanes-Oxley act of...

Question 24

IT general controls are controls that&#10;A) Only affect non-financial systems such as email systems&#10;B) Involve the most important financial applications&#10;C) Are directly supervised by the organization's senior leadership&#10;D) Involve the underlying IT systems which support financial applications

Accepted Answer

The answer of IT general controls are controls that&#10;A) Only...

Question 25

The PCAOB created by the Sarbanes-Oxley act of 2002&#10;A) Defines the format of annual financial reports&#10;B) Oversees auditors and defines auditing standards&#10;C) Performs independent audits of suspect firms&#10;D) Regulates the stock market

Accepted Answer

The answer of The PCAOB created by the Sarbanes-Oxley act...

Deck 14: It Risk Analysis and Risk Management