Section: Volume A
Explanation:
The Single Loss Expectancy (SLE) of this project will be $31,250.
Single Loss Expectancy is a term related to Quantitative Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows:
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
where the Exposure Factor represents the impact of the risk over the asset, or percentage of asset lost. As an example, if the Asset Value is reduced two third, the exposure factor value is .66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Single Loss Expectancy is expressed.
Therefore,
SLE = Asset Value * Exposure Factor
= 125,000 * 0.25
= $31,250
Incorrect Answers:
A, C, D: These are not SLEs of this project.

Explanation/Reference:
Explanation:
Using list of possible scenarios with threats and impacts will better frame the range of risk and hence can frame more informative result of qualitative analysis.
Incorrect Answers:
B: Cost and benefit analysis is used for taking financial decisions that can be formal or informal, such as appraisal of any project or proposal. The approach weighs the total cost against the benefits expected, and then identifies the most profitable option. It only decides what type of control should be applied for effective risk management.
C, D: These are not sufficient for producing detailed result.

Section: Volume D

Explanation/Reference:
Explanation:
The basic concepts related to data extraction, validation, aggregation and analysis is important as KRIs often rely on digital information from diverse sources. The phases which are involved in this are:
Requirements gathering: Detailed plan and project’s scope is required for monitoring risks. In the case

of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.
Data access: In the data access process, management identifies which data are available and how

they can be acquired in a format that can be used for analysis. There are two options for data extraction:
– Extracting data directly from the source systems after system owner approval
– Receiving data extracts from the system custodian (IT) after system owner approval Direct extraction is preferred, especially since this involves management monitoring its own controls, instead of auditors/third parties monitoring management’s controls. If it is not feasible to get direct access, a data access request form should be submitted to the data owners that detail the appropriate data fields to be extracted. The request should specify the method of delivery for the file.
Data validation: Data validation ensures that extracted data are ready for analysis. One of its important

objective is to perform tests examining the data quality to ensure data are valid complete and free of errors. This may also involve making data from different sources suitable for comparative analysis.
Following concepts should be considered while validating data:
– Ensure the validity, i.e., data match definitions in the table layout
– Ensure that the data are complete
– Ensure that extracted data contain only the data requested
– Identify missing data, such as gaps in sequence or blank records
– Identify and confirm the validity of duplicates
– Identify the derived values
– Check if the data given is reasonable or not
– Identify the relationship between table fields
– Record, in a transaction or detail table, that the record has no match in a master table Data analysis: Analysis of data involves simple set of steps or complex combination of commands and

other functionality. Data analysis is designed in such a way to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions.
Reporting and corrective action: According to the requirements of the monitoring objectives and the

technology being used, reporting structure and distribution are decided. Reporting procedures indicate to whom outputs from the automated monitoring process are distributed so that they are directed to the right people, in the right format, etc. Similar to the data analysis stage, reporting may also identify areas in which changes to the sensitivity of the reporting parameters or the timing and frequency of the monitoring activity may be required.
Incorrect Answers:
D: These are the phases that are involved in risk management.

Section: Volume D
Explanation:
A risk analysis deals with the potential size and likelihood of loss. A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats.
A risk from an organizational perspective consists of:
* Threats to various processes of organization.
* Threats to physical and information assets.
* Likelihood and frequency of occurrence from threat.
* Impact on assets from threat and vulnerability.
* Risk analysis allows the auditor to do the following tasks :
* Identify threats and vulnerabilities to the enterprise and its information system.
* Provide information for evaluation of controls in audit planning.
* Aids in determining audit objectives.
* Supporting decision based on risks.
Incorrect Answers:
A: Assuming equal degree of protection would only be rational in the rare event that all the assets are similar in sensitivity and criticality. Hence this is not practiced in risk analysis.
B: Since the likelihood determines the size of the loss, hence both elements must be considered in the calculation.
C: A risk analysis would not normally consider the benchmark of similar companies as providing relevant information other than for comparison purposes.

Section: Volume A
Explanation:
Risk transfer is the practice of passing risk from one entity to another entity. In other words, if a company is covered under a liability insurance policy providing various liability coverage for information security risks, including any physical damage of assets, hacking attacks, etc., it means it has transferred its security risks to the insurance company.
Incorrect Answers:
B: Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
C: Risk avoidance is the practice of not performing an activity that could carry risk. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed.
D: Risk mitigation is the practice of reducing the severity of the loss or the likelihood of the loss from occurring.

Section: Volume D

C, and B are incorrect. These controls comes under technical class of control. The Technical class of controls includes four families. These families include over 75 individual controls. Following is a list of each of the families in the Technical class: Access Control (AC): This family of controls helps an organization implement effective access control. They ensure that users have the rights and permissions they need to perform their jobs, and no more. It includes principles such as least privilege and separation ofduties. Audit and Accountability (AU): This family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using auditlogs for non-repudiation. Identification and Authentication (IA): These controls cover different practices to identify and authenticate users. Each user should be uniquely identified. In other words, each user has one account. This account is only used by one user. Similarly, device identifiers uniquely identify devices on the network. System and Communications Protection (SC): The SC family is a large group of controls that cover many aspects of protecting systems and communication channels. Denial of service protection and boundary protection controls are included. Transmission integrity and confidentiality controls are also included.

Section: Volume B
Explanation:
The output of the risk assessment process is identification of appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.
Once risk factors have been identified, existing or new controls are designed and measured for their strength and likelihood of effectiveness. Controls are preventive, detective or corrective; manual or programmed; and formal or ad hoc.
Incorrect Answers:
A: Risk identification acts as input of the risk assessment process.
C: This is an output of risk mitigation process, that is, after applying several risk responses.
D: Residual risk is the latter output after appropriate control.

Section: Volume D

Explanation/Reference:
Explanation:
The configuration management system ensures that proposed changes to the project’s scope are reviewed and evaluated for their affect on the project’s product.
Configure management process is important in achieving business objectives. Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed. Effective configuration management facilitates greater system availability minimizes production issues and resolves issues more quickly.
Incorrect Answers:
A: The cost change control system is responsible for reviewing and controlling changes to the project costs.
C: The scope change control system focuses on reviewing the actual changes to the project scope. When a change to the project’s scope is proposed, the configuration management system is also invoked.
D: Integrated change control examines the affect of a proposed change on the project as a whole.