a) Avoid: eliminate the risk by eliminating the cause; where feasible, choose not to implement certain activities or processes that would incur risk.
Risk Management Process: a repeatable process to manage IT risk; it should be identified and established.
1. ROI of IT investment (traditionally) already considers both the financial and nonfinancial benefits,
such as cost reductions and increases in revenue. ROI of IT investment (today) considers only
the financial benefits for the corporation.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.
3. These practices are developed for various IT-related management activities to reflect the
implementation of policies and procedures.
a) Financial management practices
b) IT-management practices
c) Corporate governance practices
d) Operational management practices
6. Which of the following statements about Information Security Management is most correct?
a) It requires companies to have a detailed understanding of their development efforts.
b) It must be able to develop a budget.
c) It ensures protection of information processing resources.
d) It involves the use of documented processes to identify and apply technology
improvements at the infrastructure and application levels which are beneficial to the
organization.
9. Proper scheduling provides more efficient operation and use of computing resources. It is also an
excellent source of information for IT governance purposes.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.
10. Which of the following is not a function of training?
a) It assures more effective and efficient use of IT resources.
b) It is important to IT professionals, due to rapid change in technology.
c) It has the advantage of decreasing dependence on one employee.
d) It includes relevant management, project management, and technical training.
11. Statement 1: Adequate awareness, education and training in security procedures and correct use
of IPFs should be provided to all employees alone.
Statement 2: Using performance as a basis of compensation cannot be used to gauge aspirations
and identify problems.
a) Only Statement 1 is true
b) Only Statement 2 is true
c) Both statements are true
d) Both statements are false
13. This drives risk management efforts and, in an IT context, impacts future investments in
technology, the extent to which IT assets are protected and the level of assurance required.
a) Risk management
b) Risk Appetite
c) Effective risk management
d) None of the above
14. All of the following are examples of sharing or transferring risk, except for one:
a) Share risk with partners
b) Transfer via insurance
c) Contractual agreement
d) Acknowledge and monitor risk
15. This step will help the organization in identifying what resources need protection from threats
because of their vulnerability.
a) Asset Identification
b) Evaluation of Threats and Vulnerabilities to Assets
c) Evaluation of the Impact
d) Calculation of Risk
16. Threats are usually a result of a direct financial loss in the short term or an ultimate (indirect)
financial loss in the long term. The following are examples of such losses, except:
a) Loss of goodwill
b) Loss of money
c) Loss of investors
d) Loss of business opportunities
17. Project level focuses on the ability to understand and manage project complexity; if not done
effectively, project objectives will not be met. Strategic Level is concerned with the risk that could
compromise the ability to bypass system controls.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.
18. This should be evaluated, to know if there are excessive controls and if excessive controls can be
removed to save costs.
a) Acceptable level of risk
b) Risk below acceptable level
c) Risk in excess of acceptable level
d) Residual risk
19. This method is frequently used when it is impossible to use a quantitative method, or to reduce
subjectivity in qualitative methods.
a) Semiqualitative Analysis Method
b) Semiquantitative Analysis Method
c) Quasi-qualitative Analysis Method
d) Quasi-quantitative Analysis Method
20. Different individuals may assign the same values to different assets, depending on the relevance of
the information to the individuals. The risk management process should achieve a cost-effective
imbalance between the application of security controls as countermeasures and the significant
threats.
a) Only the first statement is true.
b) Only the second statement is true.
c) Both statements are true.
d) Both statements are false.
ANSWER KEY:
1. D  2. D  3. B  4. D
6. C  7. B  8. B  9. A
11. D  12. C  13. B  14. D
16. C  17. A  18. B  19. B
REFERENCES:
ISACA. (2019). CISA review manual (27th ed.).
PREPARED BY:
Aira Krishten J. Catibayan Jyruenth C. Llausas Sheila Mae DP. Tan
Justine Angela G. Cureg Julia J. Manlapaz Jenny Rose M. Villegas
Marian Martina E. Firme Kimberly R. Perez Nicole D. Vinuya
Kate Loushayne M. Gatapia April Bernadette Samantha B. Santia