Question

1. Which formula is typically used to describe the components of information security risks?

A)

Risk = Likelihood X Vulnerability

B)

Risk = Threat X Vulnerability

C)

Risk = Threat X Likelihood

D)

Risk = Vulnerability X Cost

Question 2

Earl is preparing a risk register for his organization's risk management program. Which data element is LEAST likely to be included in a risk register?

A)

Description of the risk

B)

Expected impact

C)

Risk survey results

D)

Mitigation steps

Question 3

Alan is developing a business impact assessment for his organization. He is working with business units to determine the maximum allowable time to recover a particular function. What value is Alan determining?

A)

Recovery time objective (RTO)

B)

Recovery point objective (RPO)

C)

Business recovery requirements

D)

Technical recovery requirement

Question 4

Which one of the following is an example of a direct cost that might result from a business disruption?

A)

Damaged reputation

B)

Lost market share

C)

Lost customers

D)

Facility repair

Question 5

Tom is the IT manager for an organization that experienced a server failure that affected a single business function. What type of plan should guide the organization's recovery effort?

A)

Disaster recovery plan (DRP)

B)

Business impact analysis (BIA)

C)

Business continuity plan (BCP)

D)

Service level agreement (SLA)

Question 6

Dawn is selecting an alternative processing facility for her organization's primary data center. She would like to have a facility that balances cost and switchover time. What would be the best option in this situation?

A)

Hot site

B)

Warm site

C)

Cold site

D)

Primary site

Question 7

Holly would like to run an annual major disaster recovery test that is as thorough and realistic as possible. She also wants to ensure that there is no disruption of activity at the primary site. What option is best in this scenario?

A)

Checklist test

B)

Full interruption test

C)

Parallel test

D)

Simulation test

Question 8

George is the risk manager for a U.S. federal government agency. He is conducting a risk assessment for that agency's IT risk. What methodology is best suited for George's use?

A)

Risk Management Guide for Information Technology Systems (NIST SP 800-30)

B)

CCTA Risk Analysis and Management Method (CRAMM)

C)

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

D)

ISO/IEC 27005, “Information Security Risk Management”

Question 9

A hospital is planning to introduce a new point-of-sale system in the cafeteria that will handle credit card transactions. Which one of the following governs the privacy of information handled by those point-of-sale terminals?

A)

Health Insurance Portability and Accountability Act (HIPAA)

B)

Payment Card Industry Data Security Standard (PCI DSS)

C)

Federal Information Security Management Act (FISMA)

D)

Federal Financial Institutions Examination Council (FFIEC)

Question 10

What is NOT one of the three tenets of information security?

A)

Confidentiality

B)

Integrity

C)

Safety

D)

Availability

Question 11

Which one of the following is an example of a logical access control?

A)

Key for a lock

B)

Password

C)

Access card

D)

Fence

Question 12

During which phase of the access control process does the system answer the question, "What can the requestor access?"

A)

Identification

B)

Authentication

C)

Authorization

D)

Accountability

Question 13

Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about?

A)

Identification

B)

Authentication

C)

Authorization

D)

Accountability
