Governance, Risk, and Compliance (D486)

Correct Answer

D. Preventive

Explanation

A preventive control is one that stops an incident from happening. A cable lock physically prevents unauthorized access or theft of a laptop, making it a preventive security control. The lock ensures that the laptop remains secure even when the user is not present, reducing the risk of theft.

Why Other Options Are Wrong

A. Administrative

Administrative controls refer to policies, procedures, and guidelines (such as security training or access control policies). Since the cable lock is a physical security measure, it does not fall under administrative controls.

B. Compensating

A compensating control is an alternative security measure used when the primary control is not feasible or available. There is no indication that the cable lock is being used as a backup measure, so it is not compensating.

C. Deterrent

A deterrent control discourages potential attackers but does not physically prevent access. A cable lock actively prevents theft rather than just discouraging it, making it preventive rather than deterrent.

Correct Answer

D. All of the above

Explanation

A disaster recovery plan (DRP) is a comprehensive document that outlines an organization’s strategy for handling and recovering from disasters. It includes steps to prepare for, respond to, and recover from disruptions to ensure business continuity.

1. Before the disaster – Organizations assess risks, implement preventive measures, and create recovery plans. This includes setting up backup systems, training employees, and testing response procedures.

2. During the disaster – The DRP provides guidance on how to respond to the crisis in real time, ensuring systems are contained, critical operations are maintained, and damage is minimized.

3. After the disaster – The recovery phase focuses on restoring normal business operations, analyzing the incident, and improving future preparedness based on lessons learned.

Why Other Options Are Wrong

A. What to do before the disaster

While prevention is a crucial aspect of disaster recovery, only focusing on preparation ignores the importance of an immediate response and post-disaster recovery.

B. What to do during the disaster

A DRP must cover more than just the response phase—it must also include prevention and recovery plans to ensure a structured approach.

C. What to do after the disaster

Recovery is a critical phase, but without proper preparation and immediate response measures, damage could be significantly worse. A full DRP must address all phases of disaster handling.

Correct Answer

D. Purchase cybersecurity insurance

Explanation

Risk transfer is a risk management strategy where an organization shifts financial responsibility for potential losses to a third party. Cybersecurity insurance is a common method of risk transfer, as it helps cover costs related to data breaches, legal fees, regulatory fines, and business interruptions caused by cyber incidents. By purchasing insurance, an organization can mitigate the financial impact of a breach.

Why Other Options Are Wrong

A. Explain to her management that breaches will occur

Acknowledging that breaches can happen is part of risk assessment, but it does not transfer risk—it only raises awareness. The organization must take action to manage the risk effectively.

B. Blame future breaches on competitors

Shifting blame to competitors is not a valid risk management strategy and does not protect the organization from financial or legal consequences.

C. Sell her organization's data to another organization

Selling data does not transfer security risks; instead, it could result in severe legal consequences for violating data protection regulations like GDPR or CCPA.

Correct Answer

C. MTBF (Mean Time Between Failures)

Explanation

MTBF (Mean Time Between Failures) is a metric that measures the average time a hardware component, such as a hard drive, operates before experiencing failure. It is commonly used to estimate hardware reliability and predict maintenance schedules.

Why Other Options Are Wrong

A. MTTR (Mean Time to Repair)

MTTR measures the average time required to repair a failed system and restore it to operational status. It does not indicate how reliable a hard drive is before failure.

B. RPO (Recovery Point Objective)

RPO refers to the maximum acceptable amount of data loss in the event of a failure. It is related to data recovery policies rather than the reliability of a hard drive.

D. ALE (Annualized Loss Expectancy)

ALE calculates the expected annual cost of security incidents based on risk assessments. It is a financial metric, not a measure of hardware reliability.

Correct Answer

C. Control risk

Explanation

Control risk refers to the likelihood that a control, such as a policy, procedure, or configuration, fails to prevent or detect an error or fraud. In this case, the misconfigured financial accounting software is failing to prevent incorrect data from being reported, indicating a control failure.

Why Other Options Are Wrong

A. Inherent risk is incorrect because inherent risk refers to the natural level of risk present in an activity before any controls are applied. This situation is about a control failing, not an inherent risk.

B. Residual risk is incorrect because residual risk is the remaining risk after all controls have been applied. Here, the issue stems from a faulty control rather than being an accepted residual risk.

D. Transparent risk is incorrect because transparent risk is not a commonly recognized risk category in risk management frameworks.

Correct Answer

A. Potential fine

Explanation

Regulations like the General Data Protection Regulation (GDPR) enforce strict penalties for non-compliance, making potential fines a major factor in an organization’s risk assessment. Under GDPR, organizations can face fines up to 4% of their annual global revenue or €20 million (whichever is higher) for serious violations. This financial risk incentivizes companies to align their policies with compliance requirements to avoid legal and monetary consequences. Additionally, organizations may suffer reputational damage and legal action from data breaches, further increasing the risk.

Why Other Options Are Wrong

B. Their annual loss expectancy (ALE)

ALE is a metric used in risk assessment to estimate expected financial losses from security incidents. While GDPR fines can impact financial risk calculations, compliance is primarily driven by legal obligations rather than internal financial projections like ALE.

C. Their recovery time objective (RTO)

RTO refers to the time it takes for systems to be restored after a disruption. While disaster recovery and business continuity are important, they are not the primary drivers of regulatory compliance. GDPR and similar regulations focus more on data protection and privacy laws than system recovery.

D. The likelihood of occurrence

While organizations assess risks based on how likely a security incident or data breach is to happen, GDPR compliance is required regardless of the probability of a breach. The severity of non-compliance penalties makes it a priority, even if the risk of a breach seems low.

Correct Answer

A. Escalated the investigation

Explanation

Escalating the investigation involves bringing in higher authorities or external entities, such as law enforcement, when an internal investigation uncovers significant criminal activity. In this case, Sally's decision to involve the police means she has escalated the investigation to a legal and criminal level.

Why Other Options Are Wrong

B. Public notification refers to informing affected individuals and stakeholders about a data breach. While notifying the public may eventually be necessary, Sally’s immediate action was to escalate the case to law enforcement.

C. Outsourced the investigation would mean hiring an external cybersecurity firm or private investigator to handle the case. However, Sally contacted the police, which is a legal escalation rather than outsourcing.

D. Tokenized the data involves replacing sensitive data with non-sensitive placeholders to reduce the risk of data exposure. This is a preventative security measure, not an investigative step.

Correct Answer

B. Single loss expectancy (SLE) x annual rate of occurrence (ARO)

Explanation

Annual Loss Expectancy (ALE) is calculated by multiplying Single Loss Expectancy (SLE) by the Annual Rate of Occurrence (ARO). This formula helps organizations estimate the potential financial impact of security threats per year. SLE represents the expected loss from a single incident, while ARO estimates how often the incident might occur annually.

Why Other Options Are Wrong

A. Exposure factor (EF) / single loss expectancy (SLE)

The exposure factor (EF) represents the percentage of loss expected if a threat materializes. Dividing EF by SLE does not result in ALE and is not a valid formula for risk assessment.

C. Asset value (AV) x exposure factor (EF)

This calculation determines the Single Loss Expectancy (SLE), not the Annual Loss Expectancy (ALE). ALE requires multiplying SLE by ARO to account for the frequency of the loss.

D. Single loss expectancy (SLE) / exposure factor (EF)

Dividing SLE by EF does not provide meaningful risk analysis. ALE is determined by multiplying SLE by ARO, not dividing it by the exposure factor.

Correct Answer

C. Financial information

Explanation

Control risk refers to the possibility that internal controls fail to prevent or detect errors or fraud, particularly in financial reporting. It is a key consideration in financial audits and risk management frameworks. Organizations implement internal controls to minimize financial risks such as fraud, misstatements, and non-compliance with regulations.

Why Other Options Are Wrong

A. Health information is incorrect because control risks focus on financial oversight rather than specific protections for health-related data, which is more closely governed by regulations like HIPAA.

B. Personally identifiable information (PII) is incorrect because control risks primarily deal with financial information, while PII security falls under privacy controls and cybersecurity measures.

D. Intellectual property is incorrect because IP risks are more related to trade secret protection, legal protections, and cybersecurity rather than internal financial controls.