CRISC Exam Dumps - Certified in Risk and Information Systems Control

Risk and control self-assessments (RCSAs) are designed to helpbusiness units evaluate their own risks and controls, leading to a deeperunderstanding of inherent and residual riskand more accurate risk profiles.

Key risk indicators (KRIs) are metrics that provide information about the level of exposure to a specific risk or a group of risks.

The most important factor to the effective monitoring of KRIs is determining threshold levels. This means that the acceptable or unacceptable values or ranges of the KRIs are defined and agreed upon by the relevant stakeholders.

Determining threshold levels helps to evaluate the actual performance and impact of the risks, compare them with the risk appetite and tolerance of the organization, identify any deviations or breaches that may require attention or action, and report them to the appropriate parties for decision making or improvement actions.

The other options are not the most important factors to the effective monitoring of KRIs. They are either secondary or not essential for KRIs.

The references for this answer are:

Risk IT Framework, page 15

Information Technology & Security, page 9

Risk Scenarios Starter Pack, page 7

Corrective controls are designed to correct errors or deviations after they occur. If failed changes frequently require re-implementation, this means corrective measures (e.g., testing, change rollback, error correction) are not functioning effectively.

CRISC guidance defines:

Preventive controls: stop incidents from occurring.

Detective controls: identify incidents when they occur.

Corrective controls: restore systems or data after incidents occur.

An increasing KPI (failed changes) means the corrective mechanism is weak, hence C is the correct answer.

CRISC Reference: Domain 4 – Risk and Control Monitoring, Topic: Control Effectiveness Evaluation.

The best indicator that additional or improved controls are needed in the environment is when risk events and losses exceed risk tolerance. Risk tolerance is the acceptable level of variation in performance or outcomes relative to the achievement of objectives. Risk events and losses are the negative consequences of risk that have occurred or are expected to occur. When risk events and losses exceed risk tolerance, it means that the existing controls are not sufficient or effective to prevent or mitigate the risk, and that the organization is exposed to unacceptable levels of risk that could impair its ability to achieve its objectives. Therefore, additional or improved controls are needed to reduce the risk to an acceptable level. Management decreasing organizational risk appetite, the risk register and portfolio not including all risk scenarios, and emerging risk scenarios being identified are not as clear and direct indicators that additional or improved controls are needed in the environment, as they do not necessarily reflect the actual performance or outcomes of the risk management process. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 41.

 Business process re-engineering is the radical redesign of a business process to achieve significant improvements in performance, quality, cost, or customer satisfaction. Business process re-engineering can introduce new or modified risks to the organization, as well as affectthe existing controls and responses. Therefore, the best way to help ensure risk will be managed properly after a business process has been re-engineered is to reassess the control effectiveness of the process, meaning that the organization should evaluate whether the controls are still adequate, appropriate, and functioning as intended to mitigate the risks. Reassessing the control effectiveness can help to identify any gaps or weaknesses in the control environment, as well as to implement any necessary changes or improvements to the controls. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.2.2, p. 229-230

Risk owner approval ensures accountability and alignment of the changes with the enterprise’s risk management strategy. It reflects adherence to the principles ofRisk Ownership and Governance, critical for maintaining control over mitigation activities.

 Key control indicators (KCIs) are metrics that provide information on the extent to which a given control is meeting its intended objectives in terms of loss prevention, reduction, etc. In order to provide such information, the control effectiveness indicator has to have an explicit relationship to both the specific control and to the specific risk against which the control has been implemented1. Therefore, the best source for identifying KCIs is to use controls mapped to organizational risk scenarios, which can help define the control objectives, the expectedoutcomes, and the relevant indicators for each risk scenario. This approach can also help align the KCIs with the organizational goals and strategy, and enable the monitoring and reporting of the control effectiveness23.

The other options are not the best sources for identifying KCIs, because:

Privileged user activity monitoring controls are specific types of controls that aim to prevent unauthorized access or misuse of sensitive data or systems by privileged users. They are not a sourcefor identifying KCIs, but rather a possible subject of KCIs. For example, a KCI for this type of control could be the number of privileged user accounts that have not been reviewed or revoked within a specified period4.

Recent audit findings of control weaknesses are useful for identifying the gaps or deficiencies in the existing control environment, and for recommending corrective actions or improvements. However, they are not a source for identifying KCIs, but rather an input for evaluating or revising the existing KCIs. For example, if an audit finding reveals that a control is not operating as intended, or that a KCI is not providing reliable or timely information, then the control or the KCI may need to be modified or replaced5.

A list of critical security processes is a high-level overview of the key activities or functions that are essential for maintaining the security of the organization’s assets and information. It is not a source for identifying KCIs, but rather a starting point for defining the control objectives and requirements. For example, a critical security process could be incident response, which requires a set of controls to ensure the timely and effective detection, containment, analysis, and recovery of security incidents. The KCIs for this process could be the number of incidents detected, the average time to resolve incidents, or the percentage of incidents that resulted in data breaches6.

References =

Key Control Indicator (KCI) - CIO Wiki

How to Develop Key Control Indicators to Improve Security Risk Monitoring - Gartner

Indicators - Program Evaluation - CDC

Privileged User Monitoring: What Is It and Why Is It Important? - LogRhythm

Internal Audit Key Performance Indicators (KPIs) - AuditBoard

Hierarchy of Controls - NIOSH - CDC