CRISC Exam Dumps - Certified in Risk and Information Systems Control

According to the CRISC Review Manual (Digital Version), the next course of action when a risk practitioner finds the IT department’s recovery time objective (RTO) for a key system does not align with the enterprise’s business continuity plan (BCP) is to consult with the IT department to update the RTO. The RTO is the maximum acceptable time that an application, computer, network, or system can be down after an unexpected disaster, failure, or comparable event takes place. The RTO should be aligned with the BCP, which is a set of policies, procedures, and resources that enable the organization to continue or resume its critical business functions in the event of a disruption. Consulting with the IT department to update the RTO helps to:

Ensure that the RTO reflects the current business requirements and expectations for the availability and recovery of the key system

Evaluate the feasibility and cost-effectiveness of achieving the RTO with the existing IT resources and capabilities

Identify and implement the necessary changes or improvements in the IT infrastructure, processes, and controls to meet the RTO

Test and validate the RTO and the IT recovery procedures and verify their compatibility and consistency with the BCP

Communicate and coordinate the RTO and the IT recovery plan with the relevant stakeholders, such as the business owner, the risk owner, and the senior management

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751

 Business process owners would provide the most important input when identifying IT risk scenarios. IT risk scenarios are the situations or events that may affect the organization’s objectives, operations, or performance due to the use of information and technology1. Identifying IT risk scenarios means finding, recognizing, and describing the IT risks that the organization faces, as well as their sources, drivers, consequences, and responses2. Business process owners are the persons or entities who are responsible for the design, implementation, and operation of the business processes that support the organization’s goals and values3. Business process owners would provide the most important input when identifying IT risk scenarios, because they can:

Provide the context and perspective of the business objectives, strategies, and requirements that are affected or supported by the IT risks and controls;

Identify and prioritize the IT risks that are relevant and significant to their business processes, as well as the IT assets and resources that are involved or impacted by the IT risks;

Evaluate and communicate the likelihood and impact of the IT risks on their business processes, as well as the risk appetite and tolerance of their business units;

Suggest and implement the most suitable and effective IT risk response actions or measures to mitigate the IT risks, as well as monitor and report on the IT risk and control performance;

Align and integrate the IT risk management activities and outcomes with the business risk management framework, policies, and standards. The other options are not the most important roles for providing input when identifying IT risk scenarios, as they are either less relevant or less specific than business process owners. Information security managers are the persons or entities who are responsible for the planning, implementation, and maintenance of the information security measures and controls that protect the confidentiality, integrity, and availability of the organization’s data and systems4. Information security managers can provide input when identifying IT risk scenarios, because they can:

Provide the expertise and guidance on the information security risks and controls that are related to the use of information and technology;

Identify and assess the information security vulnerabilities and threats that may affect the organization’s data and systems, as well as the information security assets and resources that are involved or impacted by the information security risks;

Recommend and implement the most appropriate and effective information security risk response actions or measures to reduce or eliminate the information security risks, as well as monitor and report on the information security risk and control performance;

Align and integrate the information security risk management activities and outcomes with the information security framework, policies, and standards. However, information security managers are not the most important roles for providing input when identifying IT risk scenarios, because they may not have the full understanding or visibility of the business objectives, strategies, and requirements that are affected or supported by the IT risks and controls, or the risk appetite and tolerance of the business units. Internal auditors are the persons or entities who are responsible for the independent and objective assurance and consulting on the effectiveness and efficiency of the organization’s governance, risk management, and internal control system5. Internal auditors can provide input when identifying IT risk scenarios, because they can:

Provide the assurance and validation on the design and operation of the IT risks and controls that are related to the use of information and technology;

Identify and evaluate the IT risk and control gaps or deficiencies that may affect the organization’s objectives, operations, or performance, as well as the IT risk and control objectives and activities that are involved or impacted by the IT risk and control gaps or deficiencies;

Report and recommend improvements or enhancements to the IT risks and controls, as well as follow up and verify the implementation and effectiveness of the IT risk and control improvements or enhancements;

Align and integrate the IT risk and control assurance and consulting activities and outcomes with the internal audit framework, policies, and standards. However, internal auditors are not the most important roles for providing input when identifying IT risk scenarios, because they may not have the authority or responsibility to implement or operate the IT risks and controls, or to decide or prioritize the IT risk response actions or measures. Operational risk managers are the persons or entities who are responsible for the identification, analysis, evaluation, and treatment of the risks that arise from the failures or inadequacies of the organization’s people, processes, systems, or external events6. Operational risk managers can provide input when identifying IT risk scenarios, because they can:

Provide the oversight and coordination of the operational risk management activities and performance across the organization, including the IT risks and controls that are related to the use of information and technology;

Identify and prioritize the operational risks that are relevant and significant to the organization, as well as the operational assets and resources that are involved or impacted by the operational risks;

Evaluate and communicate the likelihood and impact of the operational risks on the organization, as well as the risk appetite and tolerance of the organization;

Suggest and implement the most suitable and effective operational risk response actions or measures to mitigate the operational risks, as well as monitor and report on the operational risk and control performance;

Align and integrate the operational risk management activities and outcomes with the operational risk management framework, policies, and standards. However, operational risk managers are not the most important roles for providing input when identifying IT risk scenarios, because they may not have the specific knowledge or expertise on the IT risks and controls that are related to the use of information and technology, or the context and perspective of the business processes that are affected or supported by the IT risks and controls. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1, Page 85.

When using a third party to perform penetration testing, the most important control to minimize operational impact is to clearly define the project scope. This means specifying the objectives, boundaries, methods, and deliverables of the testing, as well as the roles and responsibilities of the parties involved. A clear project scope helps to avoid misunderstandings, conflicts, and disruptions that could compromise the security, availability, or integrity of the systems under test. It also helps to ensure that the testing is aligned with the organization’s risk appetite and compliance requirements. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.2.3.2, Page 137.

 The business application owner should have the authority to accept the associated risk, because they are responsible for the performance and outcomes of the critical application, and they understand the business requirements, expectations, and impact of the application. The business application owner can also evaluate the trade-offs between the potential benefits and costs of the application, and the potential risks and consequences of a disruption or failure of the application. The business application owner can also communicate and justify their risk acceptance decision to the senior management and other stakeholders, and ensure that the risk is monitored and reviewed regularly. The other options are less appropriate to have the authority to accept the associated risk. The business continuity director is responsible for overseeing the planning and execution of the business continuity strategy, which includes ensuring the availability and resilience of the critical business processes and applications. However, they are not the owner of the application, and they may not have the full knowledge or authority to accept the risk on behalf of the business. The disaster recovery manager is responsible for managing the recovery and restoration of the IT systems and applications in the event of a disaster or disruption. However, they are not the owner of the application, and they may not have the full knowledge or authority to accept the risk on behalf of the business. The data center manager is responsible for managing the operation and maintenance of the data center infrastructure, which includes providing the physical and environmental security, power, cooling, and network connectivity for the IT systems and applications. However, they are not the owner of the application, and they may not have the full knowledge or authority to accept the risk on behalf of the business. References = Risk IT Framework, ISACA, 2022, p. 181

 According to the CRISC Review Manual (Digital Version), an effective control environment is best indicated by controls that manage risk within the organization’s risk appetite, as this reflects the alignment of the control objectives and activities with the organization’s strategic goals and risk preferences. The risk appetite is the amount and type of risk that the organization is willing to accept in pursuit of its objectives. Managing risk within the organization’s risk appetite helps to:

Balance the potential benefits and costs of risk-taking and risk response

Optimize the use of the organization’s resources and capabilities

Enhance the value and performance of the organization

Foster a risk-aware culture that supports the organization’s vision and mission

References = CRISC Review Manual (Digital Version), Chapter 2: IT Risk Assessment, Section 2.3: IT Risk Assessment Process, pp. 93-941

The primary reason to perform ongoing risk assessments is that the risk environment is subject to change. The risk environment is the external and internal factors that influence the level and nature of the risks that the organization faces1. These factors include economic, political, social, technological, legal, and environmental aspects, as well as the organization’s objectives, strategies, culture, and resources2. The risk environment is dynamic and unpredictable, and may change due to various events, trends, or developments that create new or modify existing risks3. Therefore, it is important to perform ongoing risk assessments to identify, analyze, and evaluate the changes in the risk environment, and to adjust the risk response and management accordingly. Ongoing risk assessments help to ensure that the organization’s risk profile is up to date and reflects the current reality, and that the organization’s risk appetite and tolerance are aligned with the changing risk environment4. The other options are not the primary reason to perform ongoing risk assessments, as they are either less comprehensive or less relevant than the changing risk environment. Emerging risk must be continuously reported to management. This option is a consequence or outcome of performing ongoing risk assessments, not a reason for doing so. Emerging risk is a new or evolving risk that has the potential to affect the organization’s objectives, operations, or performance5. Ongoing risk assessments can help to identify and monitor emerging risks, and to report them to management for decision making and action. However, this is not the main reason for performing ongoing risk assessments, as it does not cover the existing or modified risks that may also change due to the risk environment. New system vulnerabilities emerge at frequent intervals. This option is a specific or narrow example of a changing risk environment, not a general or broad reason for performing ongoing risk assessments. System vulnerabilities are weaknesses or flaws in the design, implementation, or operation of information systems that can be exploited by threats to cause harm or loss6. Ongoing risk assessments can help to discover and assess new system vulnerabilities that may emerge due to technological changes, cyberattacks, or human errors. However, this is not the primary reason for performing ongoing risk assessments, as it does not encompass the other types or sources of risks that may also change due to the risk environment. The information security budget must be justified. This option is a secondary or incidental benefit of performing ongoing risk assessments, not a primary or essential reason for doing so. The information security budget is the amount of money that the organization allocates for implementing and maintaining information security measures and controls7. Ongoing risk assessments can help to justify the information security budget by demonstrating the value and effectiveness of the security measures and controls in reducing the risks, and by identifying the gaps or needs for additional or improved security measures and controls. However, this is not the main reason for performing ongoing risk assessments, as it does not address the purpose or objective of risk assessment, which is to identify, analyze, and evaluate the risks and their impact on the organization. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1, Page 47.

Detailed Explanation:The latest security assessment provides a detailed evaluation of the control’s performance and identifies gaps or weaknesses. This is critical for determining the effectiveness of a system security control in mitigating threats.

 The analysis of logs and system events will best help validate whether suspicious network activity is malicious, because they provide detailed and timely information about the source, destination, content, and context of the network traffic. Logs and system events can be collected from various sources, such as firewalls, routers, switches, servers, applications, and endpoints, and can be correlated and analyzed using tools such as security information and event management (SIEM) systems. By analyzing logs and system events, an organization can identify anomalies, patterns, trends, and indicators of compromise (IOCs) that may signal malicious network activity, such as unauthorized access, data exfiltration, malware infection, denial-of-service attack, or lateral movement. Logs and system events can also help determine the scope, impact, and root cause of the malicious network activity, and support the incident response and remediation process. References = Risk IT Framework, ISACA, 2022, p. 221