List the five functions that the EBK specifies for the evaluation function.

What will be an ideal response?

1. Assess effectiveness of the risk management program, and implement changes where required
2. Review the performance of, and provide recommendations for, risk management (e.g., security controls as well as policies/procedures that make up risk management program) tools and techniques
3. Assess residual risk in the information infrastructure used by the organization
4. Assess the results of threat and vulnerability assessments to identify security risks, and regularly update applicable security controls
5. Identify changes to risk management policies and processes that will enable them to remain current with the emerging risk and threat environment