ITEC 3500 Final Exam Prep - Practice Test

The document consists of alternate questions from an IT Risk Management comprehensive exam covering Chapters 1-11. It includes multiple-choice questions that assess knowledge on principles of information security, risk management frameworks, controls, and business continuity planning. Key topics include integrity, residual risk, defense in depth, and the roles of various frameworks like NIST CSF and ISO 27001.

Uploaded by

leesukij
Copyright
© All Rights Reserved

Alternate Comprehensive Exam: IT Risk Management Chapters 1-11

Part 1: Chapters 1-4 (Alternate Questions)


1. Which of the following best describes the principle of “integrity” in information security?
A) Ensuring data is accessible only to authorized users
B) Ensuring data is accurate and free from unauthorized modifications
C) Ensuring systems are always available to users
D) Ensuring that users are held accountable for their actions
2. What is the primary purpose of a risk management framework?
A) To increase profits for the organization
B) To establish a structured approach to identifying, assessing, and managing risks
C) To define the company’s mission statement
D) To determine marketing strategies
3. In the context of risk management, what is residual risk?
A) Risk that has been completely mitigated
B) Risk that remains after implementing controls
C) Risk transferred to third parties
D) Risk that cannot be quantified
4. Which of the following is an example of a preventive control?
A) Investigating a security breach after it occurs
B) Installing firewalls to block unauthorized access
C) Monitoring audit logs for suspicious activity
D) Applying patches after a vulnerability is discovered
5. What does the concept of “defense in depth” focus on?
A) Establishing a single, strong barrier to protect critical assets
B) Implementing multiple layers of security controls to protect against threats
C) Ensuring physical security measures are prioritized
D) Relying solely on encryption for data protection
6. When conducting a Business Impact Analysis (BIA), which of the following is crucial?
A) Estimating potential revenue growth
B) Identifying critical business processes and their dependencies
C) Developing new marketing strategies
D) Assessing employee satisfaction

Part 2: Chapters 5-11

7. Which of the following frameworks focuses on aligning IT risk management with business goals?
A) NIST CSF
B) ISO 27001
C) COBIT 5
D) CIS Critical Security Controls
8. In the context of threat modeling, what is the primary purpose of identifying asset sensitivity?
A) Estimating the financial value of assets
B) Determining the level of protection needed based on criticality and confidentiality
C) Calculating the cost of replacing assets
D) Optimizing software performance
9. Which of the following best describes ISO 27002?
A) A certifiable standard focused on incident response
B) A guideline providing best practices for implementing security controls
C) A framework for regulatory compliance
D) A tool for monitoring physical security
10. What is the role of a corrective control in a risk management plan?
A) Detecting and reporting suspicious activity
B) Restoring systems and data after a security incident
C) Preventing unauthorized access
D) Encrypting data in transit
11. Which of the following describes a key function of a Security Information and Event Management (SIEM) system?
A) Centralized monitoring and analysis of security events across multiple platforms
B) Automating cloud deployment processes
C) Managing user access controls
D) Tracking project milestones
12. The CIS Critical Security Controls are designed to:
A) Provide guidelines for regulatory compliance
B) Offer a prioritized set of high-impact cybersecurity actions
C) Establish best practices for vendor management
D) Optimize customer satisfaction
13. Which cloud model gives customers the most control over security configurations?
A) SaaS
B) PaaS
C) IaaS
D) Private cloud
14. In the context of risk management, which of the following is an example of a detective control?
A) Monitoring and analyzing audit logs for suspicious activities
B) Installing antivirus software
C) Encrypting sensitive data
D) Applying security patches
15. What is the purpose of a Business Continuity Plan (BCP)?
A) Developing marketing strategies during peak seasons
B) Ensuring critical business functions can continue during and after a disruption
C) Managing the organization’s IT infrastructure
D) Evaluating customer satisfaction metrics
16. Which of the following is true about the NIST Cybersecurity Framework (CSF)?
A) It is a flexible, voluntary framework that can be applied across different industries
B) It focuses exclusively on government agencies
C) It is mandatory for financial institutions
D) It only applies to physical security controls
17. What does TARA (Threat Agent Risk Assessment) primarily focus on?
A) Assessing threat agents, their motivations, and potential impact
B) Analyzing application vulnerabilities
C) Auditing network traffic
D) Reviewing compliance with industry standards
18. Which of the following statements is true regarding ISO 27001?
A) It defines the requirements for an Information Security Management System (ISMS)
B) It is primarily used for physical security measures
C) It focuses exclusively on cloud computing
D) It cannot be used for certification purposes
19. What is the main purpose of conducting a Business Impact Analysis (BIA)?
A) Evaluate customer engagement strategies
B) Identify critical business functions and determine the impact of disruptions
C) Develop marketing campaigns
D) Analyze employee performance data
20. What is a primary benefit of adopting the NIST CSF?
A) It helps organizations identify and address gaps in their cybersecurity posture
B) It certifies organizations for regulatory compliance
C) It guarantees the elimination of all risks
D) It automates all cybersecurity processes
21. Which of the following is an advantage of using a SIEM solution in security operations?
A) Centralizing and correlating data from various security tools to identify threats
B) Reducing the need for endpoint security
C) Automating human resource tasks
D) Optimizing cloud storage management
22. Which of the following describes a preventive control in cybersecurity?
A) Implementing multi-factor authentication to prevent unauthorized access
B) Reviewing audit logs
C) Responding to a security breach
D) Restoring data from backups
23. Which of the following is a key challenge of using AI in security operations?
A) Potential manipulation of machine learning algorithms
B) Lack of data to process
C) Inability to scale for large enterprises
D) Excessive manual intervention
24. What is the primary role of governance in the COBIT 5 framework?
A) Setting strategic direction and prioritizing business objectives
B) Handling day-to-day operations
C) Implementing technical security controls
D) Managing vendor relationships
25. What does the concept of “defense in depth” focus on?
A) Layering multiple security controls to create redundant protection mechanisms
B) Relying solely on encryption
C) Ensuring physical security is the primary focus
D) Using a single control to protect against all threats
26. Which of the following best describes residual risk?
A) Risk that has been fully mitigated
B) Risk remaining after implementing controls
C) Risk that is transferred to third parties
D) Risk eliminated by adopting a framework
27. Which of the following frameworks emphasizes high-priority, high-impact cybersecurity controls?
A) ISO 27001
B) NIST CSF
C) CIS Critical Security Controls
D) COBIT 5
28. Which of the following best describes the difference between ISO 27001 and ISO 27002?
A) ISO 27001 defines “what” is needed, while ISO 27002 explains “how” to achieve it
B) ISO 27001 focuses solely on physical security, while ISO 27002 is for cloud security
C) ISO 27001 is voluntary, while ISO 27002 is certifiable
D) ISO 27001 and ISO 27002 are interchangeable
29. Which of the following control types is primarily used to detect security events after they occur?
A) Detective controls
B) Preventive controls
C) Corrective controls
D) Administrative controls
30. Which cloud service model generally provides customers with the least control over security?
A) SaaS
B) PaaS
C) IaaS
D) Hybrid cloud
31. What is the purpose of a disaster recovery plan (DRP)?
A) Optimize marketing strategies
B) Restore critical systems and data after a disruption
C) Evaluate employee performance
D) Track financial metrics
32. Which of the following is a primary objective of endpoint security solutions?
A) Detect and prevent security incidents on user devices
B) Manage organizational finances
C) Monitor cloud infrastructure
D) Conduct vulnerability assessments on third-party vendors
33. What does the term “asset inventory” refer to in threat modeling?
A) A list of critical assets used to prioritize security controls
B) An analysis of financial assets
C) A record of employee performance
D) An assessment of customer engagement
34. Which of the following describes the Recovery Time Objective (RTO) in a BCP?
A) The maximum amount of data loss acceptable during a disruption
B) The maximum time allowed to restore a business function after a disruption
C) The budget required to implement business continuity measures
D) The expected duration of downtime for non-critical systems
35. What is the purpose of conducting a risk assessment?
A) Identify and evaluate risks to determine appropriate risk responses
B) Monitor sales growth and revenue
C) Optimize marketing strategies
D) Automate compliance reporting
36. Which of the following is a corrective control in risk management?
A) Implementing firewalls
B) Restoring systems after a security breach
C) Monitoring user activity
D) Applying encryption
37. Which of the following frameworks provides a comprehensive structure for managing information security risks?
A) ISO 27001
B) COBIT 5
C) CIS Controls
D) NIST CSF
38. What is a benefit of using the NIST CSF?
A) It provides a structured approach to assessing and improving cybersecurity posture
B) It guarantees compliance with industry regulations
C) It eliminates all risks
D) It automates security operations
39. What is the role of a Business Impact Analysis (BIA)?
A) Determine the impact of disruptions on critical business processes
B) Develop marketing strategies
C) Analyze financial performance
D) Assess employee engagement
40. Which of the following is a key function of ISO 27001?
A) Defining the requirements for an Information Security Management System (ISMS)
B) Managing physical security measures
C) Implementing customer engagement strategies
D) Automating compliance reporting