ARM - Associate in Risk Management Cyber and Data Security Risk Questions and Answers

Question 1

A financial services firm discovers that an unauthorized third party accessed and potentially exfiltrated a database containing the names, addresses, and social security numbers of thousands of its customers. According to most U.S. state data breach notification laws, which of the following is the firm's most critical and immediate responsibility?

Accepted Answer

Notifying affected individuals, and potentially regulators, without unreasonable delay.

Answer

All 50 states have data breach notification laws that require organizations to inform affected individuals when their personally identifiable information (PII) is compromised. The primary and most urgent obligation is to notify these individuals and, in many cases, state regulators or attorneys general, so they can take steps to protect themselves from identity theft or fraud. While other actions are important parts of incident response, notification is the key legal requirement.

Question 2

A risk manager is developing a strategy to mitigate the risk of a successful phishing attack. Which of the following is the MOST effective control measure to address the human element of this risk?

Accepted Answer

Conducting regular, mandatory security awareness training and phishing simulations for all employees.

Answer

Phishing attacks primarily exploit human psychology to trick employees into divulging information or clicking malicious links. While technical controls like email filters and data encryption are essential layers of defense, the most direct and effective way to mitigate the human vulnerability is through ongoing training and realistic simulations. This educates employees to recognize and report suspicious attempts, turning a potential weakness into a line of defense.

Question 3

Which of the following best describes the primary purpose of network segmentation as a cyber risk control measure?

Accepted Answer

To contain the impact of a breach by limiting an attacker's ability to move laterally across the network.

Answer

Network segmentation involves dividing a computer network into smaller, isolated subnetworks. Its main security benefit is that if one segment is compromised, the breach can be contained within that subnetwork, preventing the attacker from easily accessing other parts of the organization's systems and data. This limits the overall impact of a security incident.

Question 4

A manufacturing company relies on a third-party cloud provider to host its critical production and inventory management software. A vulnerability in the cloud provider's platform leads to a significant data breach, exposing the manufacturer's sensitive operational data. This scenario is a prime example of which type of cyber risk?

Accepted Answer

Supply chain risk

Answer

This is a classic example of supply chain risk, where a vulnerability in a third-party vendor or partner creates a risk for the primary organization. The company's security is dependent on the security of its supplier (the cloud provider). The breach originated with a third party in the company's supply chain, not from an internal employee or a direct failure of its own operational processes.

Question 5

According to the NIST Risk Management Framework (RMF), what is the first step an organization should take when managing information security risk?

Accepted Answer

Categorize the information and the system based on its criticality and sensitivity.

Answer

The NIST Risk Management Framework (RMF) is a structured process for managing security and privacy risk. The first step in this multi-step process is to 'Categorize' the system and the information it processes, stores, and transmits. This categorization helps determine the potential impact of a loss of confidentiality, integrity, and availability, which then informs all subsequent steps, such as selecting appropriate controls.

ARM - Associate in Risk Management Practice Test

ARM - Associate in Risk Management Practice Test

ARM - Associate in Risk Management Cyber and Data Security Risk Questions and Answers