CRISC Exam Dumps - Certified in Risk and Information Systems Control

The legal and regulatory risk associated with business conducted over the Internet is driven by the laws and regulations of each individual country. Legal and regulatory risk is the risk of non-compliance or violation of the applicable laws and regulations that govern the business activities, operations, or transactions. Business conducted over the Internet involves the use of the global network of interconnected computers and devices to exchange information, goods, or services across the geographic boundaries. Business conducted over the Internet may expose the enterprise to various legal and regulatory risks, such as data protection, privacy, security, intellectual property, consumer protection, taxation, or jurisdiction issues. The legal and regulatory risk associated with business conducted over the Internet is driven by the laws and regulations of each individual country, as each country may have different or conflicting laws and regulations that apply to the business conducted over the Internet, and that may change or vary over time. The laws and regulations of each individual country may also impose different or additional obligations, requirements, or restrictions on the enterprise, and may subject the enterprise to different or multiple enforcement actions, penalties, or disputes. The jurisdiction in which an organization has its principal headquarters, international law and a uniform set of regulations, and international standard-setting bodies are not the drivers of the legal and regulatory risk associated with business conducted over the Internet, as they do not reflect the diversity and complexity of the legal and regulatory landscape that the enterprise may face when conducting business over the Internet. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.

 According to the CRISC Review Manual, the greatest risk associated with the misclassification of data is unauthorized access, because it can result in the loss of confidentiality, integrity, and availability of the data. Data classification is the process of assigning categories to data based on its sensitivity and value to the organization. Data classification helps to determine the appropriate level of protection and handling for the data. If the data is misclassified, it may not receive the adequate level of security controls, and it may be accessed by unauthorized or inappropriate users. The other options are not the greatest risks associated with the misclassification of data, as they are less likely or less severe than unauthorized access. Inadequate resource allocation is the risk of not allocating sufficient resources to protect the data, which may affect its availability and performance. Data disruption is the risk of losing or corrupting the data, which may affect its integrity and availability. Inadequate retention schedules is the risk of not retaining the data for the required period of time, which may affect its compliance and usability. References = CRISC Review Manual, 7th Edition, Chapter 4, Section 4.1.1, page 161.

A recovery time objective (RTO) is the maximum acceptable time or duration that a business process or function can be disrupted or unavailable due to a disaster or incident, before it causes unacceptable or intolerable consequences for the organization. It is usually expressed in hours, days, or weeks, and it is aligned with the organization’s business continuity and disaster recovery objectives and requirements.

The primary factor in determining a RTO is the cost of downtime due to a disaster, which is the estimated loss or damage that the organization may suffer if a business process or function is disrupted or unavailable for a certain period of time. The cost of downtime can be expressed in terms of financial, operational, reputational, or legal consequences, and it can help the organization to assess the impact and urgency of the disaster, and to decide on the appropriate recovery strategy and resources.

The other options are not the primary factors in determining a RTO, because they do not address the fundamental question of how long the organization can tolerate the disruption or unavailability of a business process or function.

The cost of offsite backup premises is the cost of acquiring, maintaining, or using an alternative or secondary location or facility that can be used to resume or continue the business process or function in case of a disaster or incident. The cost of offsite backup premises is important to consider when selecting or implementing a recovery strategy, but it is not the primary factor in determining a RTO, because it does not indicate the impact or urgency of the disaster, and it may not reflect the organization’s business continuity and disaster recovery objectives and requirements.

The cost of testing the business continuity plan is the cost of conducting, evaluating, or improving the tests or exercises that are performed to verify or validate the effectiveness and efficiency of the business continuity plan, which is the document that describes the actions and procedures that the organization will take to recover or restore the business process or function in case of a disaster or incident. The cost of testing the business continuity plan is important to consider when developing or updating the business continuity plan, but it is not the primary factor in determining a RTO, because it does not indicate the impact or urgency of the disaster, and it may not reflect the organization’s business continuity and disaster recovery objectives and requirements.

The response time of the emergency action plan is the time or duration that it takes for the organization to initiate or execute the emergency action plan, which is the document that describes the immediate actions and procedures that the organization will take to protect the life, health, and safety of the people, and to minimize the damage or loss of the assets,in case of a disaster or incident. The response time of the emergency action plan is important to consider when preparing or reviewing the emergency action plan, but it is not the primary factor in determining a RTO, because it does not indicate the impact or urgency of the disaster, and it may not reflect the organization’s business continuity and disaster recovery objectives and requirements. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 62-63, 66-67, 70-71, 74-75, 78-79

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 165

CRISC Practice Quiz and Exam Prep

Detailed Explanation:The next step is toidentify risk response optionsto address the noncompliance and mitigate its impact. This may include corrective actions, implementing controls, or negotiating terms to reduce exposure.

The most appropriate time for changes to be promoted to production is after they are approved by the business owner, who is the individual or group that is accountable and responsible for the business objectives and requirements that are supported or affected by the changes. The approval by the business owner ensures that the changes are aligned and compatible with the business objectives and requirements, and that they provide the expected or desired outcomes or benefits for the business.

The other options are not the most appropriate times for changes to be promoted to production, because they do not ensure that the changes are aligned and compatible with the business objectives and requirements, and that they provide the expected or desired outcomes or benefits for the business.

Communicating the changes to business management means informing or reporting the changes to the senior management or executives that oversee or direct the business activities or functions. Communicating the changes to business management is important for ensuring the awareness and support of the business management, but it is not the most appropriate time for changes to be promoted to production, because it does not indicatewhether the changes are approved or authorized by the business owner, who is accountable and responsible for the business objectives and requirements.

Testing the changes by business owners means verifying and validating the functionality and usability of the changes, using the input and feedback from the business owners. Testing the changes by business owners is important for ensuring the quality and performance of the changes, but it is not the most appropriate time for changes to be promoted to production, because it does not indicate whether the changes are approved or authorized by the business owner, who is accountable and responsible for the business objectives and requirements.

Initiating the changes by business users means requesting or proposing the changes by the end users or customers that interact with the information systems and resources that are affected by the changes. Initiating the changes by business users is important for ensuring the relevance and appropriateness of the changes, but it is not the most appropriate time for changes to be promoted to production, because it does not indicate whether the changes are approved or authorized by the business owner, who is accountable and responsible for the business objectives and requirements. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 194

CRISC Practice Quiz and Exam Prep

According to the CRISC Review Manual1, controls are the policies, procedures, practices, and organizational structures that are designed and implemented to manage risk. The most important factor when defining controls is to align them with the business objectives, as this helps to ensure that the controls support the achievement of the organization’s strategy, goals, and values. Aligning controls with business objectives also helps to optimize the benefits and costs of controls, and to prioritize and allocate resources for control implementation and maintenance. References = CRISC Review Manual1, page 202.

A cyber intrusion is an unauthorized or malicious access to a computer system or network by an attacker. A cyber intrusion can compromise the confidentiality, integrity, or availability of the system or network, as well as the data and services that it hosts. A cyber intrusion can also cause damage, disruption, or theft to the organization or its stakeholders. One of the best ways to prevent cyber intrusion is to strengthen vulnerability remediation efforts, which means to identify and fix the weaknesses or flaws in the system or network that can be exploited by the attackers. Vulnerability remediation efforts can include conducting regularvulnerability assessments, applying security patches and updates, configuring security settings and policies, and implementing security controls and measures. By strengthening vulnerability remediation efforts, the organization can reduce the attack surface and the likelihood of cyber intrusion, as well as enhance the resilience and protection of the system or network. The other options are not the best recommendations for preventing cyber intrusion, although they may be helpful and complementary. Establishing a cyber response plan is a technique to prepare for and respond to a cyber incident, such as a cyber intrusion, by defining the roles, responsibilities, procedures, and resources that are needed to manage and recover from the incident. However, a cyber response plan is a reactive and contingency measure, while strengthening vulnerability remediation efforts is a proactive and preventive measure. Implementing data loss prevention (DLP) tools is a technology that tries to detect and stop sensitive data breaches, or data leakage incidents, in an organization. DLP tools can help to protect the data from being disclosed to an unauthorized person, whether it is deliberate or accidental. However, DLP tools do not prevent cyber intrusion itself, as they only focus on the data, not the system or network. Implementing network segregation is a method to divide a network into smaller segments or subnetworks, each with its own security policies and controls. Network segregation can help to isolate and contain the impact of a cyber intrusion, as well as to limit the access and movement of the attackers within the network. However, network segregation does not prevent cyber intrusion from occurring, as it does not address thevulnerabilities or flaws in the system or network. References = CRISC Review Manual, pages 164-1651; CRISC Review Questions, Answers & Explanations Manual, page 902; What Are Security Controls? - F53; Assessing Security Controls: Keystone of the Risk Management … - ISACA4

A risk register is a document that records and tracks the information about the risks that may affect the organization’s objectives, such as the risk description, category, source, cause, impact, probability, status, owner, response, etc.

When developing a new risk register, a risk practitioner should focus on risk identification. This is the process of finding, recognizing, and describing the risks that may affect the organization’s objectives, using various techniques, such as brainstorming, interviews, checklists, surveys, etc.

Risk identification helps to create a comprehensive and accurate list of the risks that need to be managed, and to provide the basis for the subsequent risk analysis and evaluation, risk response planning, and risk monitoring and control.

The other options are not the risk management activities that a risk practitioner should focus on when developing a new risk register. They are either subsequent or parallel to risk identification.

The references for this answer are:

Risk IT Framework, page 29

Information Technology & Security, page 23

Risk Scenarios Starter Pack, page 21