Risk Management and Assessment FAQs

This document contains 10 multiple choice questions and answers related to risk assessment concepts. Question topics include: uses of risk scenarios, conducting risk assessments when deviating from policies, qualitative risk analysis methods, cost-benefit analysis in risk response planning, policy exception processes, valuable incident response inputs, business unit risk roles and responsibilities, risk assessment technique uses, risk assessments of new equipment, and reasons to repeat risk assessments. The correct answer is provided for each question along with a 1-3 sentence explanation.


R2-1 Which of the following uses risk scenarios when estimating the likelihood and impact of significant risk to the organization?

A. An IT audit
B. A security gap analysis
C. A threat and vulnerability assessment
D. An IT security assessment

C is the correct answer.

C. A threat and vulnerability assessment typically evaluates all elements of a business process for threats and vulnerabilities and identifies the likelihood of occurrence and the business impact if the threats were realized.

R2-2 Because of its importance to the business, an enterprise wants to quickly implement a technical solution that deviates from the company's policies. The risk practitioner should:

A. recommend against implementation because it violates the company's policies.
B. recommend revision of the current policy.
C. conduct a risk assessment and allow or disallow based on the outcome.
D. recommend a risk assessment and subsequent implementation only if residual risk is accepted.

D is the correct answer.

D. A risk assessment should be conducted to clarify the risk whenever the company's policies cannot be followed. The solution should only be implemented if the related risk is formally accepted by the business.

R2-3 Which of the following will produce comprehensive results when performing a qualitative risk analysis?

A. A vulnerability assessment
B. Scenarios with threats and impacts
C. The value of information assets
D. Estimated productivity losses

B is the correct answer.

B. Using a list of possible scenarios with threats and impacts will better frame the range of risk and facilitate a more informed discussion and decision.

R2-4 In the risk management process, a cost-benefit analysis is MAINLY performed:

A. as part of an initial risk assessment.
B. as part of risk-response planning.
C. during an information asset valuation.
D. when insurance is calculated for risk transfer.

B is the correct answer.

B. In risk response, a range of controls will be identified that can mitigate risk; however, a cost-benefit analysis in this process will help identify the right controls that will address the risk at acceptable levels within the budget.

R2-5 A PRIMARY reason for initiating a policy-exception process is when:

A. the risk is justified by the benefit.
B. policy compliance is difficult to enforce.
C. operations are too busy to comply.
D. users may initially be inconvenienced.

A is the correct answer.

A. Exceptions to policies are warranted in circumstances in which the benefits outweigh the costs of policy compliance; however, the enterprise needs to assess both the tangible and intangible risk and evaluate both in the context of existing risk.

R2-6 Which of the following provides the MOST valuable input to incident-response efforts?

A. Qualitative analysis of threats
B. The annual loss expectancy
C. A vulnerability assessment
D. Penetration testing

A is the correct answer.

A. Qualitative analysis of threats reflects an intuitive view of the outcome of various threat sources. Knowing the kinds of incidents that may occur, in order of consequence, will be of great benefit to incident-response efforts.

R2-7 Which of the following BEST describes the risk-related roles and responsibilities of an organizational business unit (BU)? The BU management team:

A. owns the mitigation plan for the risk belonging to their BU, while board members are responsible for identifying and assessing risk as well as reporting on that risk to the appropriate support functions.
B. owns the risk and is responsible for identifying, assessing and mitigating risk as well as reporting on that risk to the appropriate support functions and the board of directors.
C. carries out the respective risk-related responsibilities, but ultimate accountability for the day-to-day work of risk management and goal achievement belongs to the board members.
D. is ultimately accountable for the day-to-day work of risk management and goal achievement, and board members own the risk.

B is the correct answer.

B. The BU is responsible for owning the risk and its resulting actions. Risk owners have the responsibility of identifying, measuring, monitoring, controlling and reporting on risk to executive management as established by the corporate risk framework.

R2-8 Risk assessment techniques should be used by a risk practitioner to:

A. maximize the return on investment.
B. provide documentation for auditors and regulators.
C. justify the selection of risk mitigation strategies.
D. quantify the risk that would otherwise be subjective.

C is the correct answer.

C. A risk practitioner should use risk assessment techniques to justify and implement a risk mitigation strategy as efficiently as possible.

R2-9 A procurement employee notices that new printer models offered by the vendor keep a copy of all printed documents on an internal hard disk. Considering the risk of unintentionally disclosing confidential data, the employee should:

A. proceed with the order and configure printers to automatically wipe all data on disks after each print job.
B. notify the security manager to conduct a risk assessment for the new equipment.
C. seek another vendor that offers printers without built-in hard disk drives.
D. procure printers with built-in hard disks and notify staff to wipe hard disks when decommissioning the printer.

B is the correct answer.

B. Risk assessment is most appropriate because it yields risk mitigation techniques that are appropriate for the organizational risk context and appetite.

R2-10 Risk assessments should be repeated at regular intervals because:

A. omissions in earlier assessments can be addressed.
B. periodic assessments allow various methodologies.
C. business threats are constantly changing.
D. they help raise risk awareness among staff.

C is the correct answer.

C. As business objectives and methods change, the nature and relevance of threats also change.
