and C are incorrect. These are the further steps that are taken after evaluating vulnerabilities. So, these are not immediate action after detecting vulnerabilities. Answer:B is incorrect. If detected vulnerabilities impose no/negligible threat on an enterprise then it is not cost effective to address it as risk.

Section: Volume C
Explanation:
Business process owners are in best position to judge the risks and impact, as they are most knowledgeable concerning their systems. Hence they are most suitable for developing and identifying risks on business.
Incorrect Answers:
A, B, D: Internal auditors, security managers, external regulators would not understand the impact on business to the extent that business owners could. Hence business owner is the best authority.

Section: Volume B
Explanation/Reference:
Explanation:
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:
* Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested.
* An assessment or report: This report identifies the agency's compliance as well as lists compliance with FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by external organization is done annually, not quarterly or every three years.

Section: Volume D
Explanation/Reference:

Explanation/Reference:
Explanation:
While defining the risk management strategies, risk professional should first identify and analyze the objectives of the organization and the risk tolerance. Once the objectives of enterprise are known, risk professional can detect the possible risks which can occur in accomplishing those objectives. Analyzing the risk tolerance would help in identifying the priorities of risk which is the latter steps in risk management.
Hence these two do the basic framework in risk management.
Incorrect Answers:
A: IT architecture complexity is related to the risk assessment and not the risk management, as it does much help in evaluating each significant risk identified.
D: Risk assessment is one of the various phases that occur while managing risks, which uses quantitative and qualitative approach to evaluate risks. Hence risk assessment criteria is only a part of this framework.