CRISC Exam Dumps - Certified in Risk and Information Systems Control

The criticality of the asset is the most important factor to consider when determining its value during the risk identification process, because it reflects how essential the asset is for the organization’s mission, objectives, and operations. The criticality of the asset can be measured by the potential impact of its loss or compromise on the organization’s performance, reputation, compliance, and continuity. The higher the criticality, the higher the value of the asset.

References

•IT Asset Valuation, Risk Assessment and Control Implementation Model - ISACA

•Identifying Assets for IT Risk Analysis — RiskOptics - Reciprocity

•Asset Valuation - Definition, Methods, and Importance

The principle of least privilege is a key concept in information security that aims to provide users with the minimum level of access—or permissions—necessary to perform their job functions. By ensuring that users only have the access they need, organizations can significantly reduce the risk associated with excessive access by authorized users.

Understanding Least Privilege

The principle of least privilege restricts access rights for users to the bare minimum permissions they need to perform their work. This minimizes the potential damage from accidents or malicious activities.

Least privilege should be applied to all user accounts, including administrative and service accounts.

Implementation

Implementing least privilege involves a detailed analysis of job functions and the necessary access required for each role.

Regularly review and update access permissions to ensure they remain aligned with current job responsibilities and organizational needs.

Mitigating Risk

By limiting access to only what is necessary, organizations can prevent users from having permissions that could be exploited, intentionally or unintentionally, to cause harm.

This also includes revoking unnecessary privileges when users change roles or no longer need access.

Comparison with Other Options

A. Monitoring user activity using security logs: While monitoring can detect inappropriate activity, it does not prevent it.

B. Revoking access for users changing roles: This is a necessary practice but does not address the initial allocation of excessive privileges.

D. Conducting periodic reviews of authorizations granted: Periodic reviews are important but are reactive rather than proactive.

References

Sybex-CISSP-Official-Study-Guide-9-Edition.pdf, p. 641, discussing the principle of least privilege and its implementation​​.

Reevaluating the design of the key risk indicators (KRIs) is the best recommendation when a KRI is generating an excessive volume of events, because it helps to determine whether the KRI is relevant, reliable, and valid, and whether it needs to be modified or replaced. A KRI is a metric or indicator that helps to monitor and evaluate the likelihood or impact of a risk, or the effectiveness or efficiency of a control. A KRI can be quantitative or qualitative, and can be derived from internal or external sources. An event is an occurrence or incident that may indicate a change or trend in the risk level or performance. A KRI that generates an excessive volume of events may indicate that the KRI is not well-designed or well-aligned with the risk objectives or criteria, and that it may produce false positives or negatives, or irrelevant or misleading information. Therefore, reevaluating the design of the KRIs is the best recommendation, as it helps to improve the quality and usefulness of the KRIs, and to avoid unnecessary or inappropriate actions or responses. Developing a corresponding key performance indicator (KPI), monitoring KRIs within a specific timeframe, and activating the incident response plan are all possible actions to perform after reevaluating the design of the KRIs, but they are not the best recommendation, as they do not address the root cause of the excessive volume of events. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.2, page 97

Risk avoidance involves ceasing activities that expose the organization to significant risks, such as shutting down the sales order system. This decision aligns with Risk Treatment Strategies aimed at eliminating exposure.

According to the ISACA Risk and Information Systems Control study guide and handbook, the control owners in the IT department should determine whether risk responses still effectively address risk after a restructuring and outsourcing of certain functions. This is because the restructuring and outsourcing may have changed the risk profile, the control environment, and the control activities of the IT department. The control owners should review the existing risk responses and evaluate if they are still appropriate, adequate, and efficient in mitigating the risks associated with the outsourced functions. The control owners should also monitor the performance and compliance of the service providers and ensure that the contractual obligations and service level agreements are met12

1: ISACA Risk and Information Systems Control Study Guide, 4th Edition, page 33 2: ISACA Risk and Information Systems Control Handbook, 1st Edition, page 25

Risk Treatment Strategy - Avoidance:

Definition: Risk avoidance involves taking actions to completely eliminate a risk by discontinuing the activities or conditions that give rise to it.

Application: In this case, the organization decided to shut down its online sales order system temporarily to avoid the risk of a data breach until sufficient controls are implemented.

Steps Involved:

Identifying the Risk: Recognizing the potential for a data breach due to inadequate controls.

Decision to Avoid: Determining that the best course of action is to shut down the system to prevent any possible breach.

Implementation: Taking immediate action to shut down the system and communicate this decision to relevant stakeholders.

Comparison with Other Options:

Transfer: Involves shifting the risk to another party (e.g., through insurance), which is not applicable here.

Mitigation: Involves reducing the impact or likelihood of the risk, but does not eliminate it completely as avoidance does.

Acceptance: Accepting the risk without taking action, which is not the chosen strategy here.

Best Practices:

Comprehensive Risk Assessment: Conduct thorough risk assessments to determine when risk avoidance is the most appropriate strategy.

Clear Communication: Ensure all stakeholders are informed about the decision and the reasons behind it.

CRISC Review Manual: Provides detailed explanations of different risk treatment strategies, including avoidance​​.

ISACA Guidelines: Highlight the importance of choosing the appropriate risk treatment strategy based on the specific risk scenario​​.

References:

The most appropriate action for the risk manager to take after undertaking a risk assessment of a production system is to inform the process owner of the concerns and propose measures to reduce them, as the process owner has the authority and responsibility to manage the production system and its associated risks and controls, and to decide on the optimal risk response. Recommending a program that minimizes the concerns of that production system, informing the IT manager of the concerns and proposing measures to reduce them, and informing the development team of the concerns and together formulating risk reduction measures are not the most appropriate actions, as they may not involve the process owner, who is the key stakeholder and decision maker for the production system and its risks. References = CRISC Review Manual, 7th Edition, page 101.

The most important information for the risk practitioner to communicate to senior management for contract negotiation purposes when the organization wants to transfer risk by purchasing cyber insurance is the current annualized loss expectancy report, as it provides an estimate of the potential financial loss or impact that the organization may incur due to a cyber risk event in a given year, and helps to determine the optimal coverage and premium of the cyber insurance. The other options are not the most important information, as they are more related to the audit, asset, or industry aspects of the cyber risk, respectively, rather than the financial aspect of the cyber risk. References = CRISC Review Manual, 7th Edition, page 111.