
CRISC—Certified in Risk and Information Systems Control Certification Questions and answer - Part 45

Mary Smith

Sun, 24 May 2026


1. David is the project manager of the HRC Project. He has identified a risk in the project that could cause a delay. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not occur. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?

A) Avoidance
B) Mitigation
C) Acceptance
D) Transfer



2. Which of the following is the MOST important objective of information system controls?

A) Business objectives are achieved and undesired risk events are detected and corrected
B) Ensuring effective and efficient operations
C) Developing business continuity and disaster recovery plans
D) Safeguarding assets



3. Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?

A) Business Continuity Strategy
B) Index of Disaster-Relevant Information
C) Disaster Invocation Guideline
D) Availability/ ITSCM/ Security Testing Schedule



4. For which of the following risk management capability maturity levels is the following statement true? 'Real-time monitoring of risk events and control exceptions exists, as does automation of policy management'

A) Level 3
B) Level 0
C) Level 5
D) Level 2



5. Which of the following is true of the Cost Performance Index (CPI)?

A) If the CPI > 1, it indicates better than expected performance of the project
B) CPI = Earned Value (EV) * Actual Cost (AC)
C) It is used to measure the performance of the schedule
D) If the CPI = 1, it indicates poor performance of the project



1. Right Answer: B
Explanation: David is taking operational controls to reduce the likelihood and impact of the risk, so he is adopting risk mitigation. Risk mitigation means that actions are taken to reduce the likelihood and/or impact of a risk.
Incorrect Answers:
A: Risk avoidance means that the activities or conditions that give rise to the risk are discontinued. No such action is taken here, so the risk is not avoided.
C: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. Since David has taken actions to defend against the risk, he is not accepting it.
D: David has not hired a vendor to manage the risk for his project; therefore he is not transferring the risk.

2. Right Answer: A
Explanation: The basic purpose of information system controls in an organization is to ensure that business objectives are achieved and that undesired risk events are detected and corrected. Some IS control objectives are listed below:
- Safeguarding assets
- Assuring the integrity of sensitive and critical application system environments
- Assuring the integrity of the general operating system
- Ensuring effective and efficient operations
- Fulfilling user requirements, organizational policies and procedures, and applicable laws and regulations
- Change management
- Developing business continuity and disaster recovery plans
- Developing incident response and handling plans
Hence the most important objective is to ensure that business objectives are achieved and undesired risk events are detected and corrected.
Incorrect Answers:
B, C, D: These are also objectives of information system controls but are not the best answer.

3. Right Answer: A
Explanation: The Business Continuity Strategy is an outline of the approach to ensuring the continuity of Vital Business Functions in the event of a disaster. The Business Continuity Strategy is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy.
Incorrect Answers:
B: The Index of Disaster-Relevant Information is a catalog of all information that is relevant in the event of a disaster. This document is maintained and circulated by IT Service Continuity Management to all members of IT staff with responsibilities for fighting disasters.
C: The Disaster Invocation Guideline is a document produced by IT Service Continuity Management with detailed instructions on when and how to invoke the procedure for fighting a disaster. Most importantly, the guideline defines the first step to be taken by the Service Desk after learning that a disaster has occurred.
D: The Availability/ ITSCM/ Security Testing Schedule is a schedule for the regular testing of all availability, continuity, and security mechanisms, jointly maintained by Availability, IT Service Continuity, and IT Security Management.

4. Right Answer: C
Explanation: An enterprise's risk management capability maturity level is 5 when real-time monitoring of risk events and control exceptions exists, as does automation of policy management.
Incorrect Answers:
A, D: At these levels, real-time monitoring of risk events is not done.
B: At level 0 of the risk management capability maturity model, the enterprise does not recognize the importance of considering risk management or the business impact of IT risk.

5. Right Answer: A
Explanation: The Cost Performance Index (CPI) is used to calculate the performance efficiency of a project. It is used in trend analysis to predict future performance. CPI is the ratio of earned value to actual cost. If the CPI value is greater than 1, it indicates better than expected performance, whereas a value less than 1 indicates poor performance.
Incorrect Answers:
B: CPI is the ratio of earned value to actual cost, i.e., CPI = Earned Value (EV) / Actual Cost (AC).
C: The Cost Performance Index (CPI) measures the performance efficiency of a project's cost, not its schedule.
D: A CPI value of 1 indicates that the project is right on target.
