Section: Volume D

Section: Volume C
Explanation:
Risk avoidance involves changing the project management plan to eliminate the threat entirely. The project manager may also isolate the project objectives from the risk's impact or change the objective that is in jeopardy. Examples of this include extending the schedule, changing the strategy, or reducing the scope. The most radical avoidance strategy is to shut down the project entirely. Some risks that arise early in the project can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise.
Incorrect Answers:
A: Exploit risk response is used for positive risk or opportunity, not for negative risk.
B: This risk response does require a change request, in some instances, but it's the avoidance risk response and not just a change request.
D: Transference allows the risk to be transferred, not removed from the project, to a third party. Transference usually requires a contractual relationship with the third party.

First-hand direct observation of the controls in operation is the best way to confirm the existence and operating effectiveness of information systems controls because it provides the auditor with the most reliable and persuasive evidence. Direct observation involves inspecting the physical and logical aspects of the controls, such as the hardware, software, network, data, procedures, and personnel involved in the information systems.
Direct observation also allows the auditor to verify that the controls are functioning as intended, and to identify any deviations or weaknesses that may affect the reliability of the information systems. Direct observation can be performed by using various techniques, such as walkthroughs, inquiries, inspections, reperformance, and analytical procedures1. References = Auditing Standard No. 13, The Auditor's Responses to the Risks of Material Misstatement, PCAOB, 20101

NIST SP 800-53 is used to review security in any organization, that is, in reviewing physical security. The Physical and Environmental Protection family includes 19 different controls. Organizations use these controls for better physical security. These controls are reviewed to determine if they are relevant to a particular organization or not. Many of the controls described include additional references that provide more details on how to implement them. The National Institute of Standards and Technology (NIST) SP 800-53 rev 3 identifies 18 families of controls. It groups these controls into three classes: Technical Operational Management

The number of projects going live without a security review is the best key control indicator (KCI) to indicate whether security requirements are identified and managed throughout a project life cycle, because it measures the compliance and effectiveness of the security review process. A security review is a process that ensures that the security requirements are defined, implemented, tested, and verified for each project, and that any security risks or issues are identified and resolved before the project is deployed. The number of projects going live without a security review should be minimized or eliminated, as it indicates a failure or weakness of the security review process. The other options are not the best KCIs, because they do not directly measure the identification and management of security requirements. The number of employees completing project-specific security training, the number of security projects started in core departments, and the number of security-related status reports submitted by project managers are examples of input or output indicators that measure the activities or results of the project, but not the security requirements. References = CRISC:
Certified in Risk & Information Systems Control Sample Questions