Certified Information Systems Auditor - Certification Questions


Isaca CISA

Question 1
A shared resource matrix is a technique commonly used to locate:
Options:
A. Malicious code
B. Security flaws
C. Trap doors
D. Covert channels
Answer: D
Explanation:
Analyzing the resources of a system is one standard technique for locating covert channels, because the basis of a covert channel is a shared resource.
The following properties must hold for a storage channel to exist:
1. Both the sending and the receiving process must have access to the same attribute of a shared object.
2. The sending process must be able to modify the attribute of the shared object.
3. The receiving process must be able to reference that attribute of the shared object.
4. A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must exist.
Note: Similar properties can be listed for a timing channel.
The following answers are incorrect:
All other answers are not directly related to the discovery of covert channels.
Reference:
Acerbic Publications, Acerbic Publications (Test Series) - CRC Press LLC, Page No. 225
http://www.cs.ucsb.edu/
http://www.cs.utexas.edu/ byoung/cs361/lecture16.pdf

Question 2
You are part of the security staff at a highly profitable bank, and each day all traffic on the network is logged for later review. Every Friday, when major deposits are made, you see a series of bits placed in the "Urgent Pointer" field of a TCP packet. This is only 16 bits, which isn't much, but it concerns you because:
Options:
A. This could be a sign of covert channeling in bank network communications and should be investigated.
B. It could be a sign of a damaged network cable causing the issue.
C. It could be a symptom of a malfunctioning network card or drivers, and the source system should be checked for the problem.
D. It is normal traffic, because sometimes the previous field's 16-bit checksum value can overrun into the urgent pointer's 16-bit field, causing the condition.
Answer: A
Explanation:
The Urgent Pointer is used when some information has to reach the server ASAP. When the TCP/IP stack at the other end sees a packet with the Urgent Pointer set, it is duty bound to stop all ongoing activities and immediately send this packet up the stack for immediate processing. Since the packet is plucked out of the processing queue and acted upon immediately, it is known as an Out Of Band (OOB) packet and the data is called Out Of Band (OOB) data.
The Urgent Pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters) is desirable.
Covert channels are not directly synonymous with backdoors. A covert channel is simply using a communication protocol in a way it was not intended to be used, or sending data without going through the proper access control mechanisms or channels. For example, in a Mandatory Access Control system, a user at Secret has found a way to communicate information to a user at Confidential without going through the normal channels.
In this case the Urgent bit could be used for a few reasons:
1. It could be an attempt at a denial of service, where the host receiving a packet with the Urgent bit set will give immediate attention to the request and will be in a wait state until the urgent message is received; if the sender does not send the urgent message, the host will simply sit there doing nothing until it times out. Some TCP/IP stacks used to have a 600 second timeout, which means that for 10 minutes nobody could use the port. Sending thousands of packets with the URGENT flag set would create a very effective denial of service attack.
2. It could be used by a client-server application to transmit data back and forth without going through the proper channels. It would be slow, but it is possible to use reserved fields and bits to transmit data outside the normal communication channels.
The other answers are incorrect.
See the bow/tg030.htm document covering the subject of covert channels, and also see http://gray-world.net/papers.shtml, which is a large collection of documents on covert channels.

Question 3
John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the IS auditor. Which of the following techniques is used by John to treat the identified risks?
Options:
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk Transfer
Answer: A
Explanation:
Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented.
For your exam you should know the following information about risk assessment and treatment:
A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
1. Identify assets and their value to the organization.
2. Identify vulnerabilities and threats.
3. Quantify the probability and business impact of these potential threats.
4. Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Treating Risk

Risk Mitigation
Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk mitigation involves applying appropriate controls to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth, establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time.

Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance.
It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make the organization less desirable to attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.

Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving a motor vehicle.
In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, for which it wishes to continue business. This could have a catastrophic effect on the company's ability to continue business operations.

Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parent's trust in his or her judgment.

The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
Reference:
CISA Review Manual 2014, page number 51
Official ISC2 Guide to the CISSP CBK, 3rd edition, page numbers 383, 384 and 385

Question 4
Sam is the security manager of a financial institute. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is more than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?
Options:
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk Transfer
Answer: B
Explanation:
Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Mitigation - Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented.
Reference:
CISA Review Manual 2014, page number 51
and
Official ISC2 Guide to the CISSP CBK, 3rd edition, page numbers 534-539

Question 5
Which of the following risk handling techniques involves the practice of being proactive so that the risk in question is not realized?
Options:
A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk Transfer
Answer: C
Explanation:
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
Risk Mitigation - Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented.
Reference:
CISA Review Manual 2014, page number 51
and
Official ISC2 Guide to the CISSP CBK, 3rd edition, page numbers 534-536

Question 6
Which of the following controls is intended to discourage a potential attacker?
Options:
A. Deterrent
B. Preventive
C. Corrective
D. Recovery
Answer: A
Explanation:
Deterrent controls are intended to discourage a potential attacker.
For your exam you should know the following information about different security controls:

Deterrent Controls
Deterrent controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.
The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that, by authenticating into a system to perform a function, their activities are logged and monitored, it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers.
Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing e

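Questions 1 and 2 describe the shared resource matrix and the four properties of a storage channel. The following Python is an added example, not code from the source page or any of its references: it builds such a matrix from a constructed set of process/attribute access rights and reports every (sender, receiver, attribute) triple where properties 1 to 3 hold and the flow would run from a higher-classified to a lower-classified process, as in the Secret-to-Confidential scenario of Question 2. All process names, attributes and clearances are constructed for illustration.

```python
"""Shared resource matrix analysis for locating potential storage channels.

Added example (not code from the source page). Properties 1-3 from
Question 1 are checked mechanically: a channel candidate exists where a
sender can MODIFY an attribute of a shared object that a receiver can
REFERENCE. Only flows the access-control policy would forbid (a
higher-classified sender to a lower-classified receiver) are reported.
Property 4, a mechanism to initiate and sequence both processes, cannot
be decided from the matrix alone and is left for manual review of each
finding. All process names, attributes and clearances are constructed.
"""
from dataclasses import dataclass
from itertools import permutations

# Ordering of classification levels (higher number = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Access:
    """One cell of the matrix: what a process may do with one attribute."""
    process: str
    attribute: str       # "object.attribute", e.g. "disk.free_blocks"
    can_reference: bool  # R: the process can observe the attribute's value
    can_modify: bool     # M: the process can change the attribute's value


@dataclass(frozen=True)
class Finding:
    sender: str
    receiver: str
    attribute: str


def build_matrix(accesses):
    """Return {attribute: {process: (can_reference, can_modify)}}."""
    matrix = {}
    for a in accesses:
        matrix.setdefault(a.attribute, {})[a.process] = (a.can_reference, a.can_modify)
    return matrix


def find_storage_channels(accesses, clearance):
    """Report (sender, receiver, attribute) triples satisfying properties 1-3
    where the sender is cleared higher than the receiver."""
    findings = []
    for attribute, row in build_matrix(accesses).items():
        # Property 1: both processes appear in the same row of the matrix.
        for sender, receiver in permutations(row, 2):
            _, sender_modifies = row[sender]          # property 2
            receiver_references, _ = row[receiver]    # property 3
            if not (sender_modifies and receiver_references):
                continue
            # A flow from a lower to a higher level is what the policy permits
            # anyway; only a downward flow is a covert channel candidate.
            if LEVELS[clearance[sender]] > LEVELS[clearance[receiver]]:
                findings.append(Finding(sender, receiver, attribute))
    return sorted(findings, key=lambda f: (f.attribute, f.sender, f.receiver))


def render_matrix(accesses):
    """Text rendering of the matrix: R = can reference, M = can modify."""
    matrix = build_matrix(accesses)
    processes = sorted({a.process for a in accesses})
    lines = ["attribute".ljust(18) + "".join(p.ljust(10) for p in processes)]
    for attribute in sorted(matrix):
        cells = []
        for p in processes:
            r, m = matrix[attribute].get(p, (False, False))
            cells.append(("R" if r else "-") + ("M" if m else "-"))
        lines.append(attribute.ljust(18) + "".join(c.ljust(10) for c in cells))
    return "\n".join(lines)


# Constructed sample: three processes sharing a few observable attributes.
SAMPLE_CLEARANCE = {"payroll": "secret", "auditd": "secret", "webproxy": "confidential"}
SAMPLE_ACCESSES = [
    Access("payroll", "disk.free_blocks", True, True),    # writes files
    Access("auditd", "disk.free_blocks", True, True),     # writes logs
    Access("webproxy", "disk.free_blocks", True, False),  # can only observe
    Access("payroll", "tmp.lock_exists", True, True),
    Access("webproxy", "tmp.lock_exists", True, True),
    Access("webproxy", "proxy.cache_hit", True, True),
    Access("auditd", "proxy.cache_hit", False, False),    # no access at all
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_ACCESSES))
    for f in find_storage_channels(SAMPLE_ACCESSES, SAMPLE_CLEARANCE):
        print(f"candidate: {f.sender} -> {f.receiver} via {f.attribute} (verify property 4)")
```

Each reported candidate still needs property 4 checked by hand: whether the two processes can actually be started and have their accesses sequenced so that the modified attribute is read at the right time.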