Page 202 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
responsible in creating proper risk management policies.

Understand the Delphi technique. The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

Know the options for handling risk. Reducing risk, or risk mitigation, is the implementation of safeguards and countermeasures. Assigning risk or transferring a risk places the cost of loss a risk represents onto another entity or organization. Purchasing insurance is one form of assigning or transferring risk. Accepting risk means the management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.

Be able to explain total risk, residual risk, and controls gap. Total risk is the amount of risk an organization would face if no safeguards were implemented. To calculate total risk, use this formula: threats * vulnerabilities * asset value = total risk. Residual risk is the risk that management has chosen to accept rather than mitigate. The difference between total risk and residual risk is the controls gap, which is the amount of risk that is reduced by implementing safeguards. To calculate residual risk, use the following formula: total risk - controls gap = residual risk.

Understand control types. The term control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources. Control types include preventive, detective, corrective, deterrent, recovery, directive, and compensation. Controls can also be categorized by how they are implemented: administrative, logical, or physical.

Know how to implement security awareness training and education. Before actual training can take place, awareness of security as a recognized entity must be created for users. Once this is accomplished, training, or teaching employees to perform their work