1. It is important to validate audit interviews by other means. Why is that the case and what can happen if this is not done?
2. Risk assessments always embody some form of probability estimate. Why is that necessary and what does it prevent?
3. What is the role of Annualized Exposure Loss in security system formulation? What may happen if the ALE is ignored?
4. Forms and checklists are important in all types of assessments. Why is that the case and what do they essentially provide for the process?
5. Security audits are different from risk assessments in that they are regular and ongoing. What is the primary benefit of a continuous process?
6. Gap analyses are most easily accomplished if they are based on standards. Explain why.
7. Certification is a very useful aspect of the risk process. Explain how certification can assure against risk.
8. One of the most important aspects of the practical security process is the risk mitigation report. Explain what purpose it serves and why it is a key element of security.
9. How does risk assessment relate to the information identification process?
10. What is the role of risk identification in the overall process? Why is risk identification a necessary step?