CRISC Exam Dumps - Certified in Risk and Information Systems Control

The best control to prevent the inappropriate disclosure of confidential information when print jobs containing confidential information are sent to a shared network printer located in a secure room is to require a printer access code for each user. A printer access code is a unique and secret code that the user needs to enter on the printer device to release and retrieve the print job. Requiring a printer access code for each user is the best control, as it helps to prevent or limit the unauthorized access, viewing, or copying ofthe confidential information on the print job, especially if the print job is left unattended or forgotten on the printer device. Requiring a printer access code for each user also helps to ensure the accountability and traceability of the user who sent the print job, and to support the audit and monitoring of the printer activity. Using physical controls to access the printer room, using video surveillance in the printer room, and ensuring printer parameters are properly configured are also useful controls, but they are not as effective as requiring a printer access code for each user, as they do not directly prevent or limit the inappropriate disclosure of confidential information on the print job, and they may not deter or detect the unauthorized access or misuse of the print job by the authorized users who have access to the printer room or device. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.

According to the CRISC Review Manual1, impact assessment is the process of identifying and evaluating the potential effects of changes to IT services on the organization’s business objectives, processes, resources, and risks. Impact assessment is essential for ensuring that the changes are aligned with the organization’s strategy, goals, and risk appetite, and that the benefits of the changes outweigh the costs and risks. Impact assessment also helps to prioritize, plan, and implement the changes effectively and efficiently, and to monitor and measure the outcomes of the changes. Therefore, the most important factor for a risk practitioner to consider when evaluating plans for changes to IT services is the impact assessment of the change. References = CRISC Review Manual1, page 224.

 Key control indicators (KCIs) are metrics that provide information on the extent to which a given control is meeting its intended objectives in terms of loss prevention, reduction, etc. In order to provide such information, the control effectiveness indicator has to have an explicit relationship to both the specific control and to the specific risk against which the control has been implemented1. Therefore, the best source for identifying KCIs is to use controls mapped to organizational risk scenarios, which can help define the control objectives, the expectedoutcomes, and the relevant indicators for each risk scenario. This approach can also help align the KCIs with the organizational goals and strategy, and enable the monitoring and reporting of the control effectiveness23.

The other options are not the best sources for identifying KCIs, because:

Privileged user activity monitoring controls are specific types of controls that aim to prevent unauthorized access or misuse of sensitive data or systems by privileged users. They are not a sourcefor identifying KCIs, but rather a possible subject of KCIs. For example, a KCI for this type of control could be the number of privileged user accounts that have not been reviewed or revoked within a specified period4.

Recent audit findings of control weaknesses are useful for identifying the gaps or deficiencies in the existing control environment, and for recommending corrective actions or improvements. However, they are not a source for identifying KCIs, but rather an input for evaluating or revising the existing KCIs. For example, if an audit finding reveals that a control is not operating as intended, or that a KCI is not providing reliable or timely information, then the control or the KCI may need to be modified or replaced5.

A list of critical security processes is a high-level overview of the key activities or functions that are essential for maintaining the security of the organization’s assets and information. It is not a source for identifying KCIs, but rather a starting point for defining the control objectives and requirements. For example, a critical security process could be incident response, which requires a set of controls to ensure the timely and effective detection, containment, analysis, and recovery of security incidents. The KCIs for this process could be the number of incidents detected, the average time to resolve incidents, or the percentage of incidents that resulted in data breaches6.

References =

Key Control Indicator (KCI) - CIO Wiki

How to Develop Key Control Indicators to Improve Security Risk Monitoring - Gartner

Indicators - Program Evaluation - CDC

Privileged User Monitoring: What Is It and Why Is It Important? - LogRhythm

Internal Audit Key Performance Indicators (KPIs) - AuditBoard

Hierarchy of Controls - NIOSH - CDC

The most important consideration when selecting a control to mitigate an identified risk is whether the cost of control exceeds the mitigation value, because this determines the cost-benefit ratio of the control. A control should not be implemented if the cost of implementing and maintaining it is higher than the expected benefit of reducing the risk exposure. The other options are not the most important considerations, although they may also influence the control selection process. The availability of internal resources, the potential compounding effects, and the possibility of eliminating the risk are secondary factors that depend on the cost and value of the control. References = CRISC: Certified in Risk & Information Systems Control Sample Questions

 The best way to facilitate the implementation of data classification requirements is to assign a data owner. A data owner is a person who has the authority and responsibility for defining, classifying, and protecting the data. A data owner can help to facilitate the implementation of data classification requirements by providing the criteria, categories, roles, and procedures for classifying the data according to its sensitivity, value, and criticality. A data owner can also ensure that the data is handled and stored appropriately, and that the data classification policy is enforced and monitored. The other options are not as effective as assigning a data owner, as they are related to the prevention, audit, or control of the data, not the classification or protection of the data. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.

 A risk register is a document that records and tracks the identified risks, their causes, impacts, likelihood, responses, and status. A risk register can help manage and communicate risks throughout the risk management process. A risk register should be updated regularly to reflect the current state of risks and their responses. Due to a change in business processes, an identified risk scenario may no longer require mitigation, as the risk level may have decreased or the risk may have been eliminated. However, the risk should remain in the risk register, as the most important reason is to monitor for potential changes to the risk scenario. This means keeping track of the internal and external factors that may affect the risk scenario, such as new threats, vulnerabilities, opportunities, or controls. Monitoring for potential changes to the risk scenario can help identify and respond to any emerging or reoccurring risks, and ensure that therisk register is accurate and complete. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.3: Risk Register, p. 41-43.

The primary reason to perform periodic vendor risk assessments is to monitor the vendor’s control effectiveness. A vendor risk assessment is a process of evaluating the risks associated with outsourcing a service or function to a third-party vendor. The assessment should be performed periodically to ensure that the vendor is complying with the contractual obligations, service level agreements, and security standards, and that the vendor’s controls are operating effectively to mitigate the risks. Providing input to the organization’s risk appetite, verifying the vendor’s ongoing financial viability, and assessing the vendor’s risk mitigation plans are otherpossible reasons, but they are not as important as monitoring the vendor’s control effectiveness. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 11; CRISC Review Manual, 6th Edition, page 144.