CRISC Exam Dumps - Certified in Risk and Information Systems Control

The correct answer isDbecause controls should be specified during therequirements definitionstage of the SDLC. At this point, business, security, and control requirements are identified and documented so they can be designed into the system from the beginning rather than added later.

The other options are less appropriate:

A. project initiationbegins the project, but detailed control specification occurs later when requirements are defined.

B. business case developmentjustifies the project but does not specify controls in sufficient detail.

C. system integration testingis used to test implemented controls, not to specify them.

Exact Extracts supporting the answer:

“The system development life cycle stage MOST suitable for incorporating internal controls is design.”

“In the system development life cycle the risk practitioner should first become involved during the planning phase.”

“Initiation is the phase in the system development life cycle where risk related to system requirements should be determined.”

“Before moving on to the system design phase it MUST be accomplished that the risk associated with the proposed system and controls is accepted by management.”

These extracts show that controls must be identified before design and implementation, and among the answer choices,requirements definitionis the correct stage for specifying them.

===========

The primary focus of a risk owner once a decision is made to mitigate a risk is to ensure that the control design reduces the risk to an acceptable level. This means that the risk owner shouldverify that the control objectives, specifications, and implementation are aligned with the risk mitigation plan, and that the control is effective in reducing the risk exposure to within the risk appetite and tolerance of the enterprise. The risk owner should also ensure that the control design is consistent with the enterprise’s policies, standards, and procedures, and that it complies with any relevant laws, regulations, or contractual obligations. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.4, page 185.

The correct answer isBbecause findingsensitive data on discarded devicesis the clearest indication that the IT asset life cycle is poorly managed. This points to failure in end-of-life handling, media sanitization, disposal controls, ownership accountability, and policy enforcement. It is a direct indicator of life cycle control breakdown with significant security and compliance consequences.

The other options are less conclusive:

A. Increased hardware maintenance costsmay indicate inefficiency, but not necessarily poor life cycle control.

C. Lack of asset labelingis a weakness, but less severe and less direct than improper disposal of sensitive data.

D. Inadequate employee trainingmay contribute to problems, but it is not the strongest indicator by itself.

Exact Extracts supporting the answer:

“When data are no longer needed by a particular process they should be handled according to policy.”

“Information that is no longer required to support the main purpose of the enterprise from an information security perspective should be managed under the retention policy.”

“The data security control that BEST protects the confidentiality of data stored on backup media in transit to a third-party storage facility is encryption.”

“The BEST safeguard against a data breach is security awareness training.”

These extracts support that assets and the data on them must be handled according to policy throughout the life cycle, especially when no longer needed. Sensitive data remaining on discarded devices is therefore the strongest indication of poor asset life cycle management.

===========

The business process owner should own the risk of customer data leakage caused by the service provider, as they have the responsibility and authority over the design, execution, and performance of the business process. The business process owner is also accountable for the risks and controls associated with their process, and they can provide valuable input and feedback on the likelihood and impact of customer data leakage on the process outcomes and objectives.

The other options are not the best choices for owning the risk of customer data leakage caused by the service provider. The service provider is responsible for delivering and supporting the billing function and ensuring the security and privacy of the customer data, but they may not have the full visibility or understanding of the business process and objectives. The vendor risk manager is responsible for managing and monitoring the vendor relationship and performance, but they may not have the direct involvement or influence on the business process and its risks and controls. The legal counsel is responsible for providing legal advice and guidance on the contractual and regulatory obligations and implications of the outsourcing arrangement, but they may not have the detailed knowledge or experience of the business process and its risks andcontrols. References = Guide to Vendor Risk Assessment | Smartsheet, IT Risk Resources | ISACA, Data Ownership: Considerations for Risk Management - ISACA

Notifying the incident response team ensures immediate action to contain and remediate the malware spread, limiting further impact. This aligns withIncident Response and Containmentprotocols under risk management.

Specifying cloud service provider liability for data privacy breaches in the contract is the most effective control to address the risk associated with compromising data privacy within the cloud, because it establishes the roles and responsibilities of the cloud service provider and the customer in case of a data breach, and defines the compensation or remediation measures that the cloud service provider should provide. This control also creates an incentive for the cloud service provider to implement adequate security measures to protect the customer’s data and comply with the relevant laws and regulations. The other options are not the most effective controls, although they may also be helpful in reducing the risk of data privacy breaches. Establishing baseline security configurations with the cloud service provider, requiring the cloud service provider to disclose past data privacy breaches, and ensuring the cloud service provider performs an annual risk assessment are examples of preventive or detective controls that aim to reduce the likelihood or impact of a data breach, but they do not address the accountability or liability of the cloud service provider in case of a data breach. References = CRISC: Certified in Risk & Information Systems Control Sample Questions

Data classification is the process of organizing data in groups based on their attributes and characteristics, and then assigning class labels that describe a set of attributes that hold true for the corresponding data sets1. Data classification helps an organization understand the value of its data, determine whether the data is at risk, and implement controls to mitigate risks1. Data classification also helps an organization comply with relevant industry-specific regulatory mandates such as SOX, HIPAA, PCI DSS, and GDPR1.

The most important criteria to consider when developing a data classification scheme are the business criticality and sensitivity of the data2. Business criticality refers to the impact of data loss or compromise on the organization’s operations, reputation, and objectives2. Sensitivityrefers to the level of confidentiality, integrity, and availability required for the data2. Data that is highly critical and sensitive should be classified and protected accordingly, as it poses the highest risk to the organization if mishandled or breached2.

Some of the best practices for data classification are3:

Inventory your data: Identify all data assets within your organization.

Define data categories: Create a classification scheme that suits your organization’s needs.

Assign responsibility: Designate individuals or teams responsible for data classification.

Implement classification tools: Invest in tools and technologies that facilitate data classification.

Educate and train: Raise awareness and provide guidance on data classification policies and procedures.

Review and audit: Monitor and evaluate the effectiveness and compliance of data classification.

References = What is Data Classification? | Best Practices & Data Types | Imperva, What Is Data Classification? The 5 Step Process & Best Practices for Classifying Data | Splunk, Top 10 Best Practices for Securing Your Database - 2023

Multi-factor authentication is the most effective way to mitigate the risk of unauthorized access to the system, as it requires the users to provide more than one piece of evidence to prove their identity, such as a password, a token, a biometric feature, etc. This reduces the likelihood of compromising the credentials and ensures that only authorized users can perform maintenance on the system.

Single sign-on is a convenience feature that allows users to access multiple systems with one set of credentials, but it does not address the risk of sharing credentials among multiple users.

Audit trail review is a detective control that can help identify and investigate unauthorized access to the system, but it does not prevent or mitigate the risk of credential compromise.

Data encryption at rest is a security measure that protects the data stored on the system from unauthorized access, but it does not prevent or mitigate the risk of credential compromise. References = CRISC Review Manual, 7th Edition, ISACA, 2020, page 107-108.