CRISC Exam Dumps - Certified in Risk and Information Systems Control

A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met and whether the project delivered the expected benefits and outcomes1. The primary objective of a risk practitioner performing a PIR of an IT risk mitigation project is to verify that the risk level has been lowered as a result of the project implementation2. This can be done by comparing the actual risk level with theexpected risk level, assessing the effectiveness and efficiency of the risk mitigation controls, and identifying any residual or emergingrisks3. Documenting project lessons learned, validating the project completion, and confirming the project budget are important aspects of a PIR, but they are not the primary objective for a risk practitioner, as they do not directly measure the impact of the project on the risk level4. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk Response and Mitigation, Section 5.4: Post-Implementation Review, pp. 239-241.

The policy has not been approved by the organization’s board should be of most concern, as it indicates a lack of governance and oversight for the organization’s cybersecurity posture. The board is ultimately responsible for setting the strategic direction, objectives, and risk appetite of the organization, and for ensuring that the cybersecurity policy aligns with them. Without the board’s approval, the policy may not reflect the organization’s vision, mission, values, and culture, and may not be communicated, implemented, or enforced effectively. The board’s approval also demonstrates the commitment and support of the senior management for the cybersecurity program, and enhances the accountability and responsibility of the stakeholders involved.

IT disaster recovery point objectives (RPOs) should be based on the:

B. maximum tolerable loss of data.

RPOs are determined by how much data loss an organization can withstand in the event of a disaster. It’s a measure of the maximum age of files that an organization must recover from backup storage for normal operations to resume after a disaster. Therefore, RPOs are directly related to the maximum tolerable loss of data.

According to the CRISC Review Manual (Digital Version), risk management strategies are primarily adopted to achieve acceptable residual risk levels, which are the remaining risk levels after implementing risk response actions. Residual risk levels should be aligned with the organization’s risk appetite and risk tolerance, which are the amount and type of risk that the organization is willing to accept in pursuit of its objectives and the acceptable variation in outcomes related to specific performance measures linked to objectives. Risk management strategies are the approaches or methods used to address risks, such as avoidance, mitigation, transfer, sharing, or acceptance. Risk management strategies should be based on a cost-benefit analysis of the alternatives available and the value of the assets at risk.

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 166-1691

To reduce risk impact, the best course of action is to implement corrective measures, which are actions taken to eliminate or minimize the negative effects of a risk event after it has occurred12.

Corrective measures can include restoring normal operations, repairing or replacing damaged assets, recovering lost data, compensating affected stakeholders, and implementing lessons learned12.

Corrective measures can reduce risk impact by minimizing the duration, severity, and scope of the consequences of a risk event, as well as preventing recurrence or escalation of similar risks in the future12.

The other options are not the best course of action to reduce risk impact, but rather different types of risk responses that may have different objectives and effects. For example:

Creating an IT security policy is an example of a preventive measure, which is an action taken to avoid or reduce the likelihood of a risk event before it occurs12. A preventive measure can reduce risk exposure, but not risk impact.

Implementing detective controls is an example of a monitoring measure, which is an action taken to identify and measure the occurrence or status of a risk event during or after it occurs12. A monitoring measure can provide timely information and feedback, but not reduce risk impact.

Leveraging existing technology is an example of a mitigation measure, which is an action taken to reduce the likelihood or impact of a risk event before it occurs12. A mitigation measure can reduce risk exposure, but not necessarily risk impact. References =

1: Risk Management Guide for Information Technology Systems, NIST Special Publication 800-30, July 2002

2: Project Risk Management Handbook, California Department of Transportation, June 2011

The best approach to ensure the effectiveness of risk awareness training is to create modules for targeted audiences. This means that the risk awareness training should be customized and tailored to the specific needs, roles, and responsibilities of different groups of staff, such as business owners, process owners, IT staff, or external parties. Creating modules for targeted audiences helps to ensure that the risk awareness training is relevant, engaging, and applicable to the participants, and that it covers the appropriate level of detail and complexity. It also helps to enhance the learning outcomes and retention of the risk awareness training, and to foster aculture of risk awareness and responsibility within the enterprise. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.4.1, page 2491

When evaluating new technology or tools for risk mitigation, the practitioner must ensure that the benefits justify the cost.

CRISC states:

“Risk practitioners should perform a cost-benefit analysis to determine the feasibility and value of implementing new controls or technologies.”

Governance or best practices are general references.

The cost-benefit analysis directly supports decision-making and accountability.

Hence, D is correct.

CRISC Reference: Domain 3 – Risk Response and Mitigation, Topic: Control Selection and Cost-Effectiveness.