CRISC Exam Dumps - Certified in Risk and Information Systems Control

The type of control that has been applied when an organization provides legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations is directive. A directive control is a control that guides or instructs the users or the staff on the policies, procedures, or standards that they need to follow or comply with when performing their tasks or activities. A directive control can help to prevent or reduce the risk of non-compliance, errors, or violations, by ensuring that the users or the staff are aware and informed of the expectations and requirements of the organization or the system. A directive control can also help to enforce the accountability and responsibility of the users or the staff, and to support the audit and monitoring of their actions and behaviors. Providing legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations is an example of a directive control, as it informs the users of the legal obligations and consequences of using the system, and instructs them on how to protect their privacy and the privacy of others. Detective, preventive, and compensating are not the correct types of control, as they do not match the definition or the purpose of the control that has been applied. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.

Risk owner approval ensures accountability and alignment of the changes with the enterprise’s risk management strategy. It reflects adherence to the principles ofRisk Ownership and Governance, critical for maintaining control over mitigation activities.

The most important factor for sustainable development of secure IT services is security training for systems development staff. Security training helps to ensure that the staff members are aware of the security risks, requirements, and best practices that affect the IT services they develop. Security training also helps to improve the security skills and knowledge of the staff members,and to foster a security culture and behavior within the development team. Security training can also help to prevent or reduce security defects, vulnerabilities, or incidents in the IT services, and to enhance the security performance and quality of the IT services. Well-documented business cases, security architecture principles, and secure coding practices are also important factors for sustainable development of secure IT services, but they are not as important as security trainingfor systems development staff. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.1.1.2, page 2291

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 653.

Residual risk is the risk that remains after applying controls to mitigate the inherent risk. Inherent risk is the risk that exists before considering the controls. Key risk indicators (KRIs) are metricsthat measure the level and impact of risks. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. The failure of the data loss prevention (DLP) system to detect outgoing emails containing credit card data would most impact the residual risk, because it would increase the likelihood and impact of data leakage, data loss, and data exfiltration incidents. These incidents could cause financial, reputational, legal, and regulatory damages to the organization. The failure of the DLP system would also affect the KRIs, as they would show a higher level of risk exposure and a lower level of control effectiveness. However, the KRIs are not the risk itself, but rather the indicators of the risk. The failure of the DLP system would not directly impact the inherent risk or the risk appetite, as they are independent of the controls. The inherent risk would remain the same, as it is based on the nature and value of the data and the threats and vulnerabilities that exist. The risk appetite would also remain the same, as it is based on the organization’s culture, strategy, and stakeholder expectations. Therefore, the most impacted factor would be the residual risk, as it reflects the actual risk level that the organization faces after applying the controls. References = Risk IT Framework, ISACA, 2022, p. 131

The application risk profile should be updated when reviewing functional requirements. This will help to identify and assess the potential risks that may arise from the changes to the application, and to plan and implement appropriate risk responses. Updating the application risk profile at this stage will also help to ensure that the changes are aligned with the organization’s objectives, policies, and standards, and that they meet the stakeholders’ expectations and needs. Updating the application risk profile after user acceptance testing, upon release to production, or during backlog scheduling are not the best points to update the risk profile, as they may be too late or too early to capture the relevant risks and their impacts. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.1, page 511

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 655.

Classifying information assets is a process of identifying and categorizing the data and information resources that are owned, controlled, or used by an organization, based on their value, sensitivity, and criticality.

Classifying information assets helps to determine the appropriate level of control that is needed to protect them from unauthorized access, use, disclosure, modification, or destruction. Control level refers to the degree of protection or assurance that a control provides against a risk.

Classifying information assets also helps to communicate risk to senior management, assign risk ownership, and facilitate internal audit. These are other benefits of risk management that are not directly related to determining the appropriate level of control.

The references for this answer are:

Risk IT Framework, page 11

Information Technology & Security, page 5

Risk Scenarios Starter Pack, page 3

A business case will BEST communicate the importance of risk mitigation initiatives to senior management, because it provides a clear and concise justification of the objectives, benefits, costs, and risks of the proposed initiatives. A business case helps to align the risk mitigation initiatives with the enterprise’s strategy and goals, and to obtain the necessary approval and support from senior management. The other options are not as effective as a business case, because:

Option B: A balanced scorecard is a tool to measure and monitor the performance of the enterprise across four perspectives: financial, customer, internal process, and learning and growth. It does not communicate the importance of risk mitigation initiatives, but rather the outcomes and impacts of them.

Option C: Industry standards are benchmarks or best practices that define the minimum requirements or expectations for a certain domain or activity. They do not communicate the importance of risk mitigation initiatives, but rather the compliance or alignment of them with the external environment.

Option D: A heat map is a tool to visualize and prioritize the risks based on their likelihood and impact. It does not communicate the importance of risk mitigation initiatives, but rather the severity and distribution of the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 118.

Employee activity monitoring is the process of tracking and recording the actions and behaviors of employees on company owned IT systems, such as email, internet, applications, etc. Thepurpose of employee activity monitoring is to ensure compliance with the company’s policies and regulations, prevent data leakage and misuse, detect and deter inappropriate or malicious activities, and improve productivity and performance. The most likely way to deter an employee from engaging in inappropriate use of company owned IT systems is to communicate the employee activity monitoring policy and practice to the employees, and make them aware of the consequences of violating the policy. By doing so, the company can create a deterrent effect and discourage the employees from misusing the IT systems, as they know that their actions are being monitored and recorded, and that they will be held accountable for any misconduct. References = CRISC Review Manual, 7th Edition, page 181.