Which term BEST describes a practice used to detect fraud for users or a user by forcing them to be away from
the workplace for a while?
Regarding risk reduction, which of the following answers is BEST defined by the process of giving users only just
enough access to the information necessary for them to perform their job functions?
Which of the following answers BEST relates to the type of risk analysis that involves committees, interviews,
opinions and subjective input from staff?
Which of the following answers is the BEST example of Risk Transference?
Which of the following provides enterprise management with a prioritized list of time-critical business
processes, and estimates a recovery time objective for each of the time-critical processes and the components
of the enterprise that support those processes?
Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA)?
The control measures that are intended to reveal the violations of security policy using software and hardware
are associated with:
The Widget Company decided to take their company public and while they were in the process of doing so had
an external auditor come and look at their company. As part of the external audit they brought in a technology
expert, who incidentally was a new CISSP. The auditor’s expert asked to see their last risk analysis from the
technology manager. The technology manager did not get back to him for a few days and then the Chief
Financial Officer gave the auditors a 2-page risk assessment that was signed by both the Chief Financial
Officer and the Technology Manager. While reviewing it, the auditor noticed that only parts of their financial data
were being backed up on site and nowhere else; the Chief Financial Officer accepted the risk of only partial
financial data being backed up with no off-site copies available.
Who owns the risk with regard to the data that is being backed up and where it is stored?
Which Security and Audit Framework has been adopted by some organizations working towards
Sarbanes-Oxley Section 404 compliance?
Which type of security control is also known as “Logical” control?