CRISC Exam Dumps - Certified in Risk and Information Systems Control

According to the CRISC Review Manual (Digital Version), the primary goal of a risk awareness program is to reduce the risk to an acceptable level by increasing the knowledge and understanding of the risk among the stakeholders. A risk awareness program should:

Educate the stakeholders about the sources, types and impacts of IT-related risks

Explain the roles and responsibilities of the stakeholders in the risk management process

Promote a risk-aware culture that supports the risk appetite and risk tolerance of the organization

Provide guidance and tools for identifying, assessing, responding and monitoring IT-related risks

Encourage the reporting and escalation of risk issues and incidents

Reinforce the benefits and value of effective risk management

References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 224-2251

IT risk scenarios are hypothetical situations that describe the sources, causes, and consequences of IT-related risks, and the potential impacts on the organization’s objectives, performance, and value creation12.

A corporate risk register is a document that records and tracks the significant risks that the organization faces, and the responses and actions that are taken to address them34.

The greatest benefit of incorporating IT risk scenarios into the corporate risk register is that exposure is integrated into the organization’s risk profile, which is a comprehensive and integrated representation of the risks that may affect the organization’s objectives, performance, and value creation56.

Exposure is integrated into the organization’s risk profile means that the organization has a complete and consistent view of the IT risk landscape, and the potential impacts andinterdependencies of IT risks on other types of risks, such as financial, operational, strategic, or reputational risks56.

Exposure is integrated into the organization’s risk profile also means that the organization can make informed and balanced decisions on the risk responses and actions, and allocate the appropriate resources and priorities to the IT risk management and control processes56.

The other options are not the greatest benefit, but rather possible outcomes or consequences of incorporating IT risk scenarios into the corporate risk register. For example:

Corporate incident escalation protocols are established is an outcome of incorporating IT risk scenarios into the corporate risk register that indicates the organization has defined and implemented the procedures and mechanisms for reporting and resolving IT-related incidents, and for escalating them to the appropriate authorities or levels when necessary78. However, this outcome does not measure or reflect the exposure or the risk profile of the organization, which may depend on other factors such as the frequency, severity, or complexity of the incidents78.

Risk appetite cascades to business unit management is a consequence of incorporating IT risk scenarios into the corporate risk register that indicates the organization has communicated and aligned the risk appetite, which is the amount and type of risk that the organization is willing to accept or pursue, to the business unit management, who are responsible for executing the risk strategy and objectives at the operational level . However, this consequence does not indicate or imply the exposure or the risk profile of the organization, which may vary depending on the context, environment, or stakeholder expectations .

The organization-wide control budget is expanded is an outcome of incorporating IT risk scenarios into the corporate risk register that indicates the organization has increased the amount of resources and funds that are allocated to the control processes, which are the procedures and activities that aim to ensure the effectiveness and efficiency of the organization’s operations, the reliability of its information, and the compliance with its policies and regulations . However, this outcome does not affect or determine the exposure or the risk profile of the organization, which is independent of the control budget . References =

1: IT Risk Scenarios - Morland-Austin3

2: Risk Scenarios Toolkit, ISACA, 2019

3: Risk Register Template and Examples | Prioritize and Manage Risk1

4: Risk Register Examples for Cybersecurity Leaders4

5: Risk IT Framework, ISACA, 2009

6: IT Risk Management Framework, University of Toronto, 2017

7: Security Incident Reporting and Response, University of Toronto, 2017

8: Security Incident Reporting and Response, ISACA, 2019

Risk Appetite: Linking Strategy, Risk and Performance, ISACA, 2012

Risk Appetite and Tolerance, ISACA Journal, Volume 4, 2013

The Control Process | Principles of Management2

Control Management: What it is + Why It’s Essential | Adobe Workfront5

 The primary consideration when implementing controls for monitoring user activity logs is ensuring that the control is proportional to the risk, because this helps to optimize the balance between the benefits and costs of the control, and to avoid over- or under-controlling the risk. User activity logs are records of the actions or events performed by users on IT systems, networks, or resources, such as accessing, modifying, or transferring data or files. Monitoring user activity logs can help to detect and prevent potential threats, such as unauthorized access, data leakage, or malicious activity, and to support the investigation and remediation of incidents. However, monitoring user activity logs also involves certain costs and challenges, such as collecting, storing, analyzing, and reporting large amounts of log data, ensuring the accuracy, completeness, and timeliness of the log data, protecting the privacy and security of the log data, and complying with the relevant laws and regulations. Therefore, when implementing controls for monitoring user activity logs, the organization should consider the level and impact of the risk that the control is intended to address, and the value and effectiveness of the control in reducing the risk exposure and impact. The organization should also consider the costs and feasibility of implementing and maintaining the control, and the potential negative consequences or side effects of the control, such as performance degradation, user dissatisfaction, or legal liability. By ensuring that the control is proportional to the risk, the organization can achieve the optimal level of risk management, and avoid wasting resources or creating new risks. References = Risk IT Framework, ISACA, 2022, p. 151

Authentication is a control that verifies the identity of a user or a system that tries to access a computer system or network. Authentication can be based on something the user or system knows (such as a password or a PIN), something the user or system has (such as a token or a smart card), or something the user or system is (such as a fingerprint or a retina scan). Authentication is a crucial control for preventing unauthorized or malicious access to a system or network, as well as for ensuring the accountability and traceability of the actions performed by the user or system. If the authentication control is compromised, it means that the user or system can bypass or break the verification process and gain access to the system or network without being identified or authorized. This can expose the system or network to various threats, such as data theft, data corruption, data leakage, or denial of service. Therefore, the authentication control has most likely been compromised if a system administrator identifies unusual activity indicating an intruder within a firewall. A firewall is a device or a software that monitors and filters the incoming and outgoing network traffic based on predefined rules and policies. A firewall can help to protect the system or network from external or internal attacks by blocking or allowing the traffic based on the source, destination, protocol, or content. However, a firewall cannot prevent an intruder from accessing the system or network if the intruder has already authenticated or impersonated a legitimate user or system. The other options are not the most likely controls to be compromised if a system administrator identifies unusual activity indicating an intruder within a firewall, although they may be affected or related. Data validation is a control that checks the accuracy, completeness, and quality of the data that is entered, processed, or stored by a system or anetwork. Data validation can help to prevent or detect data errors, anomalies, or inconsistencies that may affect the performance, functionality, or reliability of the system or network. However, data validation does not prevent or detect unauthorized or malicious access to the system or network, as it only focuses on the data, not the user or system. Identification is a control that assigns a unique identifier to a user or a system that tries to access a computer system or network. Identification can be based on a username, an email address, a phone number, or a certificate. Identification is a necessary but not sufficient control for preventing unauthorized or malicious access to a system or network, as it only declares who or what the user or system is, but does not prove it. Identification needs to be combined with authentication to verify the identity of the user or system. Data integrity is a control that ensures that the data is accurate, consistent, and complete throughout its lifecycle. Data integrity can be achieved by implementing various controls, such as encryption, hashing, checksum, digital signature, or backup. Data integrity can help to protect the data from unauthorized or accidental modification, deletion, or corruption that may affect the value, meaning, or usability of the data. However, data integrity does not prevent or detect unauthorized or malicious access to the system or network, as it only protects the data, not the user or system. References = CRISC Review Manual, pages 164-1651; CRISC Review Questions, Answers &Explanations Manual, page 952; What is Authentication? - Definition from Techopedia3; What is a Firewall? - Definition from Techopedia4

The most important requirement for monitoring key risk indicators (KRIs) using log analysis is providing accurate logs in a timely manner, because this ensures that the risk data is reliable, relevant, and up-to-date. Logs are records of events or activities that occur in IT systems, such as network traffic, user actions, system errors, or security incidents. Log analysis is the process of reviewing and interpreting logs to identify and assess risks, such as performance issues, operational failures, compliance violations, or cyberattacks. By providing accurate logs in a timely manner, an organization can monitor the current status and trends of its KRIs, which are metrics that measure the level and impact of risks. Accurate logs mean that the logs are complete, consistent, and free of errors or anomalies that may distort the risk data. Timely logs mean that the logs are available as soon as possible after the events or activities occur, and that they are updated frequently to reflect the latest changes. Providing accurate logs in a timely manner can help an organization to detect and respond to risks promptly, and to support risk-based decision making and reporting. References = Risk IT Framework, ISACA, 2022, p. 22

The most effective way for a large and diversified organization to minimize risk associated with unauthorized software on company devices is to scan end points for applications not included in the asset inventory. An asset inventory is a document that records and tracks all the hardware and software assets that are owned, used, or managed by the organization, such as laptops, tablets, smartphones, servers, applications, etc. An asset inventory helps to identify and classify the assets based on their type, model, location, owner, status, etc. An asset inventory also helps to monitor and control the assets, such as enforcing security policies, applying patches and updates, detecting and resolving issues, etc. Scanningend points for applications not included in the asset inventory helps to minimize the risk of unauthorized software, because it helps to discover and remove any software that is not approved, authorized, or licensed by the organization, and that may pose security, legal, or operational risks, such as malware, spyware, pirated software, etc. The other options are not as effective as scanning end points for applications not included in the asset inventory, although they may provide some protection or compliance for the software assets. Prohibiting the use of cloud-based virtual desktop software, conducting frequent reviews of software licenses, and performing frequent internal audits of enterprise IT infrastructure are all examples of preventive or detective controls, which may help to prevent or deter the installation or use of unauthorized software, or to verify or validate the software assets, but they do not necessarily discover or remove the unauthorized software. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.1, page 3-11.

A cost-benefit analysis is the best guidance when selecting an appropriate risk treatment plan. A risk treatment plan is a document that describes the actions or measures that are taken or planned to modifythe risk, such as reducing, avoiding, transferring, or accepting the risk1. Selecting an appropriate risk treatmentplan means choosing the most suitable and effective option for addressing the risk, based on the organization’s objectives, strategies, and risk criteria2. A cost-benefit analysis is a method of comparing the benefits and costs of different alternatives or options, and selecting the one that maximizes the net benefit or value3. A cost-benefit analysis is the best guidance when selecting an appropriate risk treatment plan, because it helps to:

Evaluate the feasibility, effectiveness, and efficiency of the risk treatment options, and compare them against the organization’s risk appetite and tolerance;

Balance the benefits and costs of the risk treatment options, and consider both the quantitative and qualitative aspects of the risk and the risk response;

Optimize the use of the organization’s resources and capabilities, and ensure that the risk treatment options are aligned and integrated with the organization’s goals and values;

Support the risk decision making and prioritization, and provide a rational and transparent basis for selecting the best risk treatment option. The other options are not the best guidance when selecting an appropriate risk treatment plan, as they are either less comprehensive or less relevant than a cost-benefit analysis. A risk mitigation budget is a document that allocates the financial resources for implementing and maintaining the risk mitigation actions or measures4. A risk mitigation budget can help to ensure the availability and adequacy of the funds for the risk treatment options, as well as to monitor and control the risk treatment expenditures. However, a risk mitigation budget is not the best guidance when selecting an appropriate risk treatment plan, as it does not address the benefits or value of the risk treatment options, or the suitability or effectiveness of the risk treatment options. A business impact analysis is a method of estimating the potential effects or consequences of a risk on the organization’s objectives, operations, or performance5. A business impact analysis can help to assess the severity and priority of the risk, as well as to identify the critical assets and resources that are involved or impacted by the risk. However, a business impact analysis is not the best guidance when selecting an appropriate risk treatment plan, as it does not address the costs or feasibility of the risk treatment options, or the alternatives or options for the risk treatment. A return on investment is a metric that measures the profitability or efficiency of an investment, project, or activity, by comparing the benefits and costs of the investment, project, or activity6. A return on investment can help to evaluate the performance and effectiveness of the risk treatment options, as well as to compare the risk treatment options with other investments, projects, or activities. However, a return on investment is not the best guidance when selecting an appropriate risk treatment plan, as it does not address the qualitative or intangible aspects of the risk and the risk response, or the risk appetite and tolerance of the organization. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.8, Page 61.

A risk map, also known as a risk heat map, is a visual tool that helps an enterprise prioritize risk scenarios by plotting them on a matrix based on their likelihood and impact. A risk map can help to compare and contrast different risk scenarios, as well as to identify the most critical and urgent risks that require attention. A risk map can also help to communicate and report the risk profile and status to the stakeholders and decision makers. Therefore, the placement on the risk map would best help an enterprise prioritize risk scenarios. The other options are not the best ways to help an enterprise prioritize risk scenarios, although they may be relevant and useful. Industry best practices are the standards or guidelines that are widely accepted and followed by the organizations in a specific industry or domain. Industry best practices can help to benchmark and improve the risk management process and performance, but they may not reflect the specific risk context and needs of the enterprise. Degree of variances in the risk is the measure of the variability or uncertainty of the risk, which may affect the accuracy or reliability of the risk assessment and response. Degree of variances in the risk can help to adjust and refine the risk analysis and treatment, but it may not indicate the priority or importance of the risk. Cost of risk mitigation is the amount of resources or expenses that are required or allocated to implement the risk response actions, such as avoiding, transferring, mitigating, or accepting the risk. Cost of risk mitigation can help to evaluate and optimize therisk response options, but it may not determine the priority or urgency of the risk. References = CRISC Review Manual, pages 38-391; CRISC Review Questions, Answers & Explanations Manual, page 892