CRISC Exam Dumps - Certified in Risk and Information Systems Control

According to the CRISC Review Manual (Digital Version), the next course of action when there is a gap between the acceptable downtime and the actual recovery time of an application is to prepare a cost-benefit analysis of alternatives available to reduce the gap. The cost-benefit analysis should compare the costs of implementing different risk response options, such as avoidance, mitigation, transfer or acceptance, with the benefits of reducing the impact and likelihood of the risk. The cost-benefit analysis should also consider the alignment of the risk response options with the enterprise’s risk appetite, business objectives and strategy. The cost-benefit analysis should help the application owner and the risk owner to select the most appropriate risk response option that optimizes the value of the application and minimizes the residual risk.

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.2: Risk Response Process, pp. 162-1631

When an organization has a policy prohibiting ransom payments in the event of a ransomware attack, the most effective control to support this policy is creating immutable backups. Here’s why:

Immutable Backups:

Definition:Immutable backups are backups that cannot be altered, deleted, or modified in any way once they are created. This ensures that a clean, untampered copy of data is always available.

Protection Against Ransomware:Ransomware attacks typically encrypt data and demand a ransom to decrypt it. With immutable backups, the organization can restore the affected systems using the backup without paying the ransom, thereby adhering to their policy.

Effectiveness:

Restoration Capability:Immutable backups provide a reliable means to restore data to its state before the ransomware attack. This restoration capability negates the need to consider paying the ransom to regain access to encrypted data.

Compliance with Policy:By having a secure and untouchable backup, the organization ensures compliance with its no-ransom policy as it can recover operations without engaging with the attackers.

Comparison with Other Options:

Vulnerability Scanning:While important, this primarily helps in identifying vulnerabilities and does not directly help in data recovery post-ransomware attack.

Patching:Regular patching reduces the risk of ransomware infection but does not aid in recovery if an attack occurs.

Intrusion Detection:Continuous monitoring can detect ransomware activities but does not provide a solution for restoring data after an attack.

An independent security audit report is a document that provides an objective and comprehensive assessment of the security posture and practices of a cloud service provider (CSP), based on a set of standards, criteria, or frameworks1. An independent security audit report can help an organization to evaluate the risks and benefits of using a CSP, and to ensure that the CSP meets the organization’s security and compliance requirements2.

If an organization receives an independent security audit report of its CSP that indicates significant control weaknesses, the next step that should be done in response to this report is to analyze the impact of the provider’s control weaknesses to the business. This means that the organization should:

Identify and prioritize the business processes, functions, or objectives that depend on or are affected by the CSP’s services

Assess the potential consequences and likelihood of the control weaknesses leading to security incidents, breaches, or losses

Estimate the financial, operational, reputational, or legal impacts of the security incidents, breaches, or losses

Compare the impacts with the organization’s risk appetite and tolerance, and determine the level of risk exposure and acceptance

Communicate the results of the analysis to the relevant stakeholders and decision-makers3

References = What is a Security Audit?, Cloud Security Audit: A 10-Step Checklist, Independent security audits are essential for cloud service providers. Here’s why

Annual loss expectancy (ALE) is a method to assign a monetary value to risk by multiplying the probability of a risk event by the potential loss associated with that event1. ALE can be used to compare the costs and benefits of different risk mitigation options and to determine the optimallevel of investment in riskmanagement2. Business impact analysis (BIA) is a process to identify and evaluate the potential effects of a disruption on the critical functions and processes of an organization3. BIA can help to forecast the impacts of a risk event, but it does not assign a monetary value to the risk itself. Cost-benefit analysis (CBA) is a technique to compare the costs and benefits of a project, decision, or action4. CBA can help to evaluate the feasibility and profitability of a risk mitigation option, but it does not assign a monetary value to the risk itself. Inherent vulnerabilities are the weaknesses or flaws in a system, process, or asset that expose it to potential threats5. Inherent vulnerabilities can increase the likelihood or impact of a risk event, but they do not assign a monetary value to the risk itself. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.2: Risk Analysis, pp. 77-81.

A risk register is a document that contains information about potential cybersecurity risks that could threaten a project’s success, or even the business itself2. Therefore, it is important to protect the confidentiality and integrity of the risk register from unauthorized or inappropriate access, modification, or disclosure. One way to do this is to implement role-based access, which is a method of restricting access to the risk register based on the roles or responsibilities of the users1. This way, only authorized users who need to view or edit the risk register for legitimate purposes can do so, and the access rights can be revoked or modified as needed. This would most effectively reduce the potential for inappropriate exposure of vulnerabilities documented in the risk register. The other options are not as effective or feasible as option C, as they do not address the need to balance the security and availability of the risk register. Option A, limiting access to senior management only, would compromise the availability and usefulness of the risk register, as other stakeholders such as project managers, risk owners, or auditors may need to access therisk register for risk identification, analysis, response, or monitoring purposes3. Option B, encrypting the risk register, would enhance the security of the risk register, but it would not prevent authorized users from exposing the vulnerabilities to unauthorized parties, either intentionally or unintentionally. Encryption also adds complexity and cost to the risk register management process, and may affect the performance or usability of the risk register4. Option D, requiring users to sign a confidentiality agreement, would rely on the compliance and ethics of the users, but it would not prevent or detect any breaches of the agreement. A confidentiality agreement also does not specify the access rights or roles of the users, and may not be legally enforceable in some cases5.

The primary objective of promoting a risk-aware culture within an organization is enabling risk-based decision making, because this helps the organization to achieve its goals and objectives while managing its risks effectively and efficiently. A risk-aware culture is one where everyone understands the organization’s approach to risk, takes personal responsibility to manage risk in everything they do, and encourages others to follow their example. A risk-aware culture also fosters communication, collaboration, and learning about risk across the organization. By promoting a risk-aware culture, the organization can empower its employees to make informed and balanced decisions that consider both the potential benefits and the potential risks of their actions. This can enhance the organization’s performance, resilience, and competitiveness in a dynamic and uncertain environment. References = Risk IT Framework, ISACA, 2022, p. 17