CISM - Certified Information Security Manager - Part 74

Mary Mary Smith
03 Mar 2023

1. In risk assessment, after the identification of threats to organizational assets, the information security manager would:

A) evaluate the controls currently in place.
B) implement controls to achieve target risk levels.
C) request funding for the security program.
D) determine threats to be reported to upper management.



2. During a security assessment, an information security manager finds that a number of security patches were not installed on a critical business application. The application owner did not approve the patch installation in order to avoid interrupting the application. Which of the following should be the information security manager's FIRST course of action?

A) Escalate the risk to senior management.
B) Communicate the potential impact to the application owner.
C) Report the risk to the information security steering committee.
D) Determine mitigation options with IT management.



3. Risk identification, analysis, and mitigation activities can BEST be integrated into business life cycle processes by linking them to:

A) compliance testing
B) configuration management
C) continuity planning
D) change management



4. Which of the following is the PRIMARY reason for performing an analysis of the threat landscape on a regular basis?

A) To determine the basis for proposing an increase in security budgets.
B) To determine if existing business continuity plans are adequate.
C) To determine if existing vulnerabilities present a risk.
D) To determine critical information for executive management.



5. Which of the following would BEST justify spending for a compensating control?

A) Threat analysis
B) Risk analysis
C) Peer benchmarking
D) Vulnerability analysis



1. Right Answer: A
Explanation:

2. Right Answer: D
Explanation:

3. Right Answer: B
Explanation:

4. Right Answer: C
Explanation:

5. Right Answer: B
Explanation:
