CRISC Exam Dumps - Certified in Risk and Information Systems Control

According to the CRISC Review Manual, the primary reason to periodically review key performance indicators (KPIs) is to identify trends, because it helps to monitor the changes and patterns in the performance and effectiveness of the risk management processes and controls. KPIs are metrics that measure the achievement of the objectives and targets of the risk management activities. Periodically reviewing KPIs allows the organization to evaluate the progress and results of the risk management strategies and actions, and to identify any gaps, issues, or opportunities for improvement. The other options are not the primary reason to periodically review KPIs, as they are related to other aspects or outcomes of the risk management process. Ensuring compliance is the reason to review key risk indicators (KRIs), which are metrics that measure the level of risk exposure and the occurrence of risk events.Promoting a risk-aware culture is the reason to review key goal indicators (KGIs), which are metrics that measure the alignment of the risk management with the business goals and values. Optimizing resources needed for controls is the reason to review key control indicators (KCIs), which are metrics that measure the efficiency and adequacy of the risk controls. References = CRISC Review Manual, 7th Edition, Chapter 3, Section 3.3.2, page 143.

The most important factor when developing risk scenarios is obtaining input from key stakeholders. A risk scenario is a description of a possible event or situation that could affect the enterprise’s objectives, processes, or resources. Obtaining input from key stakeholders, such as business owners, process owners, subject matter experts, or external parties, helps to ensure that the risk scenarios are realistic, relevant, and comprehensive. It also helps to identify the sources, drivers, indicators, likelihood, impact, and responses of the risk scenarios, and to align them with the enterprise’s risk appetite and tolerance. Obtaining input from key stakeholders also fosters a collaborative and participatory approach to risk management, and enhances the risk awareness and ownership among the stakeholders. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.3, page 621

 The control owner is the person who has the authority to approve an exception to a control. A control is a policy, procedure, or technical measure that is implemented to prevent or mitigate a risk. A control owner is responsible for the design, implementation, operation, and maintenance of the control, as well as for monitoring and reporting its performance and effectiveness. A control owner is also accountable for the approval of any changes or exceptions to the control, based on the risk assessment and business justification. An information security manager, a risk owner, and a risk manager are not the best choices, as they do not have the same level of authority, responsibility, and knowledge as the control owner in relation to the control. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 35.

The best way to prevent future occurrences of active network accounts belonging to former employees is to conduct a comprehensive review of access management processes. This review should include verifying that the access rights of all employees are updated regularly, especially when they change roles or leave the organization. The review should also ensure that there are clear policies and procedures for granting, modifying, and revoking access rights, and that these are followed consistently and documented properly. The review should also identify and address any gaps or weaknesses in the access management processes that could lead to unauthorized or inappropriate access. By conducting a comprehensive review of access management processes, the organization can improve its security posture and reduce the risk of data breaches or misuse of resources. References = IT audit: The ultimate guide [with checklist] | Zapier, IT auditing and controls – planning the IT audit [updated 2021]

According to the CRISC Review Manual, a root cause analysis is a technique that identifies the underlying causes of an event or a problem. It helps to determine the most effective actions to prevent or mitigate the recurrence of the event or problem. A root cause analysis is the best approach for the risk practitioner to take in this scenario, because it will help to understand why the number of emergency changes has increased substantially and what can be done to address the issue. The other options are not the best approaches, because they do not address the underlying causes of the problem. Temporarily suspending emergency changes may disrupt the business operations and create more risks. Documenting the control deficiency in the risk register is a passive action that does not resolve the problem. Continuing monitoring change management metrics is an ongoing activity that does not provide any insight into the problem. References = CRISC Review Manual, 7th Edition, Chapter 3, Section 3.2.4, page 130.

According to the CRISC Review Manual1, impact analysis is the process of estimating and evaluating the potential effects of a risk event on the organization’s objectives, processes, resources, and risks. Impact analysis helps to quantify and qualify the severity and likelihood of the risk, and to identify the possible consequences and implications for the organization. Impact analysis is the first step that should be done when a risk practitioner learns about a new threat, as it helps to assess the current level of risk exposure and the urgency of the risk response. Impact analysis also helps to communicate and report the risk to the relevant stakeholders, and to facilitate risk-based decision making and action planning. References = CRISC Review Manual1, page 208.

The business process owner should own the risk of customer data leakage caused by the service provider, as they have the responsibility and authority over the design, execution, and performance of the business process. The business process owner is also accountable for the risks and controls associated with their process, and they can provide valuable input and feedback on the likelihood and impact of customer data leakage on the process outcomes and objectives.

The other options are not the best choices for owning the risk of customer data leakage caused by the service provider. The service provider is responsible for delivering and supporting the billing function and ensuring the security and privacy of the customer data, but they may not have the full visibility or understanding of the business process and objectives. The vendor risk manager is responsible for managing and monitoring the vendor relationship and performance, but they may not have the direct involvement or influence on the business process and its risks and controls. The legal counsel is responsible for providing legal advice and guidance on the contractual and regulatory obligations and implications of the outsourcing arrangement, but they may not have the detailed knowledge or experience of the business process and its risks and controls. References = Guide to Vendor Risk Assessment | Smartsheet, IT Risk Resources | ISACA, Data Ownership: Considerations for Risk Management - ISACA

Conducting phishing exercises would best help minimize the risk associated with social engineering threats, because they can help to raise awareness and educate employees about the common techniques and tactics used by social engineers, such as sending deceptive emails or text messages that ask for sensitive information or direct users to malicious websites. Phishing exercises are simulated attacks that test the employees’ ability to recognize and respond to social engineering attempts, and provide feedback and guidance on how to improve their security behavior. By conducting phishing exercises, the organization can measure and improve the employees’ level of security awareness and resilience, and reduce the likelihood and impact of falling victim to social engineering attacks. The other options are less effective ways to minimize the risk associated with social engineering threats. Enforcing employees’ sanctions can help to deter and punish employees who violate the security policies or procedures, but it may not prevent or reduce the occurrence of social engineering attacks, as they may target employees who are unaware, careless, or coerced by the attackers. Enforcing segregation of duties can help to prevent or limit the damage caused by social engineering attacks, by restricting the access and authority of employees to perform certain tasks or functions, but it may not address the root cause or source of the attacks, which is the human factor. Reviewing the organization’s risk appetite can help to define and communicate the amount and type of risk that the organization is willing to accept in pursuit of its objectives, but it may not directly affect or influence the employees’ behavior or attitude toward social engineering threats, which may depend on their individual or situational factors. References = How to Prevent and Mitigate Social Engineering Attacks 1