Domain 2: Information Security Risk Management Capstone Review — 18 of 47

CISM Domain 2 — Information Security Risk Management Capstone Review: 20 scenario questions

This capstone integrates:

  • Risk Identification
  • Vulnerability & Control Deficiency Analysis
  • Risk Assessment & Residual Risk
  • Risk Treatment & Ownership
  • Risk Monitoring & Reporting

Expect governance-driven decisions — not technical reflexes.

Question 1

A new industry attack targets a technology your organization uses extensively. No internal incidents have occurred.

What should occur FIRST?

A. Deploy emergency mitigation controls
B. Conduct exposure assessment and formal risk analysis
C. Shut down affected systems
D. Notify regulators

Answer & reasoning

Correct: B

Emerging threats require structured assessment before tactical action.

Question 2

A vulnerability scan shows critical findings on a non-revenue internal system with compensating controls.

What is the MOST appropriate action?

A. Immediate replacement
B. Assess residual risk considering business impact
C. Escalate to the board
D. Terminate vendor contract

Answer & reasoning

Correct: B

Risk priority depends on business impact and residual exposure.

Question 3

Residual risk exceeds approved tolerance after mitigation.

What must occur NEXT?

A. Informal acceptance
B. Escalate to risk owner for documented decision
C. Ignore until quarterly review
D. Decommission system

Answer & reasoning

Correct: B

Exceeding appetite requires formal escalation.

Question 4

Repeated patch failures occur across departments.

What is the PRIMARY issue?

A. Vendor weakness
B. Encryption gap
C. Systemic control deficiency
D. Monitoring failure

Answer & reasoning

Correct: C

Repeated findings indicate governance process weakness.

Question 5

A mitigation control is more expensive than potential financial loss.

What is the MOST appropriate response?

A. Implement anyway
B. Avoid the activity
C. Transfer immediately
D. Conduct cost-benefit analysis and consider acceptance

Answer & reasoning

Correct: D

Risk treatment must be economically rational.

Question 6

A risk was formally accepted last year. Monitoring shows increased threat likelihood.

What should occur FIRST?

A. Maintain acceptance
B. Automatically mitigate
C. Reassess residual risk
D. Remove from register

Answer & reasoning

Correct: C

Risk acceptance requires reassessment when exposure changes.

Question 7

A business unit accepts risk without proper documentation.

What is the PRIMARY governance failure?

A. Encryption weakness
B. Control breakdown
C. Vendor oversight
D. Lack of formal risk acceptance process

Answer & reasoning

Correct: D

Acceptance must be documented and authorized.

Question 8

A new AI platform is adopted without security review.

What is the MOST appropriate FIRST action?

A. Conduct structured risk assessment
B. Ban usage
C. Deploy monitoring tools
D. Notify regulators

Answer & reasoning

Correct: A

Emerging technology requires evaluation before reaction.

Question 9

Control testing shows rising failure rates but no business impact yet.

What should occur FIRST?

A. Ignore minor trend
B. Replace system
C. Conduct root cause analysis and reassess risk
D. Escalate to regulators

Answer & reasoning

Correct: C

Monitoring triggers analysis before escalation.

Question 10

Cyber insurance is purchased to address potential breach costs.

Which risk response strategy applies?

A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer

Answer & reasoning

Correct: D

Insurance transfers financial exposure.

Question 11

A high-impact regulatory risk has low likelihood.

What is the MOST appropriate action?

A. Document and escalate appropriately
B. Ignore due to low likelihood
C. Immediately avoid activity
D. Publicly disclose

Answer & reasoning

Correct: A

High-impact risks must be documented even if unlikely.

Question 12

Security attempts to accept business risk independently.

What is the PRIMARY issue?

A. Encryption gap
B. Improper authority alignment
C. Insufficient mitigation
D. Monitoring failure

Answer & reasoning

Correct: B

Risk ownership belongs to the business.

Question 13

Hundreds of vulnerabilities are reported, but impact analysis shows minimal exposure.

What is the MOST appropriate action?

A. Prioritize all equally
B. Conduct contextual risk prioritization
C. Replace affected systems
D. Increase scanning

Answer & reasoning

Correct: B

Business context determines priority.

Question 14

A revenue-generating system carries moderate risk within appetite.

What is the MOST appropriate response?

A. Recommend proportionate mitigation
B. Avoid activity
C. Shut system down
D. Ignore entirely

Answer & reasoning

Correct: A

Risk within appetite should be managed proportionally.

Question 15

No control owner is assigned for a critical security process.

What is the PRIMARY concern?

A. Lack of accountability
B. Reduced encryption
C. Vendor inefficiency
D. Monitoring delay

Answer & reasoning

Correct: A

Unassigned ownership leads to unmanaged risk.

Question 16

Board reports include detailed technical metrics but no trend analysis.

What is missing?

A. More scan data
B. Vendor documentation
C. Increased frequency
D. Enterprise risk perspective

Answer & reasoning

Correct: D

Governance requires trend-based enterprise risk reporting.

Question 17

Mitigation reduces risk below appetite but significantly impacts operational efficiency.

What should occur?

A. Remove mitigation
B. Escalate to regulators
C. Reevaluate cost-benefit alignment
D. Ignore impact

Answer & reasoning

Correct: C

Risk response must balance operational and strategic objectives.

Question 18

A third-party breach occurs in your industry.

What is the MOST appropriate action?

A. Conduct targeted third-party risk reassessment
B. Replace all vendors
C. Ignore until internal incident
D. Notify regulators

Answer & reasoning

Correct: A

External events should trigger internal evaluation.

Question 19

Residual risk is within appetite but trending upward.

What should occur?

A. Ignore trend
B. Shut down system
C. Continue monitoring and reassess periodically
D. Transfer risk

Answer & reasoning

Correct: C

Monitoring ensures ongoing validation of tolerance alignment.

Question 20

Risk monitoring lacks defined escalation thresholds.

What is the PRIMARY governance weakness?

A. Encryption gap
B. Vendor oversight
C. Scanning frequency
D. Undefined escalation criteria

Answer & reasoning

Correct: D

Threshold-based escalation is essential for governance oversight.

Domain 2 Executive Pattern Summary

In CISM Domain 2:

  • Assess before reacting.
  • Residual risk drives decisions.
  • The business owns the risk.
  • Documentation validates governance.
  • Monitoring enforces accountability.
  • Escalation protects enterprise alignment.

If an answer skips assessment or documentation, it is usually wrong.