1. Right Answer: B
Explanation: Senior management is responsible for the acceptance and mitigation of all risk. Hence they will also own the risk to an information system that supports a critical business process.Incorrect Answers:A: The system users are responsible for utilizing the system properly and following procedures, but they do not own the risk.C: The IT director manages the IT systems on behalf of the business owners.D: The risk management department determines and reports on level of risk, but does not own the risk. Risk is owned by senior management.

2. Right Answer: D
Explanation: Integrated change control is the component that is responsible for reviewing all aspects of a change's impact on a project - including risks that may be introduced by the new change.Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the affect of a proposed change on the entire project.Incorrect Answers:A: Configuration management controls and documents changes to the features and functions of the product scope.B: Scope change control focuses on the processes to allow changes to enter the project scope.C: Risk monitoring and control is not part of the change control system, so this choice is not valid.

3. Right Answer: A,B,D
Explanation: Threat is an act of coercion wherein an act is proposed to elicit a negative response. Threats are real, while the vulnerabilities are a possibility. They can result in risks from external sources, and can become imminent by time or can diminish.Incorrect Answers:C, E: These two are true for vulnerability, but not threat. Unlike the threat, vulnerabilities are possibility and can result in risks from internal sources. They will arise and stay in place until they are properly dealt.

4. Right Answer: C
Explanation: A policy is an executive mandate which helps in identifying a topic that contains particular risks to avoid or prevent. Policies are high-level documents signed by a person of high authority with the power to force cooperation. The policy is a simple document stating that a particular high-level control objective is important to the organization's success. Policies are usually only one page in length. The authority of the person mandating a policy will determine the scope of implementation.Hence in other words, policy is an overall statement of information security scope and direction.Incorrect Answers:A, B, D: These are not the valid definitions of the policy.

5. Right Answer: C,D
Explanation: Residual risk can be used by management to determine: Which areas require more control Whether the benefits of such controls outweigh the costs As residual risk is the output that comes after applying appropriate controls, so it can also estimate the area which need more sophisticated control. If the cost of control is large that its benefits then no control is applied, hence residual risk can determine benefits of these controls over cost.Incorrect Answers:A: Status of enterprise's risk can be determined only after risk monitoring.B: Appropriate control can only be determined as the result of risk assessment, not through residual risk.