CRISC Exam Dumps - Certified in Risk and Information Systems Control

A key performance indicator (KPI) is a measurable value that demonstrates how effectively an organization is achieving its objectives. In the context of disaster recovery planning (DRP), a KPI should reflect the ability of the organization to recover its critical business processes and applications within the predefined time frames and service levels. One of the most important KPIs for DRP is the percentage of applications that met the recovery time objective (RTO) during DRP testing. The RTO is the maximum acceptable length of time that a business process or application can be down after a disaster. By measuring the percentage of applications that met the RTO during DRP testing, the organization can evaluate the performance and reliability of its DRP, identify any gaps or weaknesses, and implement corrective actions to improve its readiness and resilience. The other options are not the best KPIs for DRP, as they do not directly measure the effectiveness of the recovery process. The number of users that participated in the DRP testing is a measure of the involvement and awareness of the staff, but not of the outcome of the testing. The number of issues identified during DRP testing is a measure of the quality and completeness of the DRP, but not of the actual recovery time. The percentage of issues resolved as a result of DRP testing is a measure of the improvement and maturity of the DRP, but not of the current recovery capability. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.2.3.3, Page 138.

The primary responsibility of senior management in risk management is to prioritize the risk scenarios based on severity. Risk scenarios are hypothetical events or situations that could affect the achievement of the objectives. Risk severity is a measure of the overall level of risk, based on the combination of the probability and impact of the risk scenario. Prioritizing the risk scenarios based on severity is the primary responsibility of senior management, because it helps to allocate the resources and actions to the most critical and urgent risks, and to align the risk management process with the organizational strategy and risk appetite. Senior management also has the authority and accountability to make the final decisions and approve the risk response plans for the prioritized risks. The other options are not the primary responsibility of senior management, although they may be involved or consulted in these activities. Bottom-up identification of emerging risks is a process of identifying and reporting the new or changing risks that may arise from the operational or tactical level of the organization. This is usually the responsibility of the risk owners or the risk practitioners, who have the knowledge and experience of the specific functions and processes. Categorization of risk scenarios against a standard taxonomy is a process of classifying and organizing the risk scenarios into predefined categories or groups, based on their nature, source, or impact. This is usually the responsibility of the risk analysts or the risk coordinators, who have the skills and tools to perform the risk analysis and assessment. Review of external loss data is a process of collecting and analyzing the data and information on the losses or incidents that occurred in other organizations or industries, due to similar or related risks. This is usually the responsibility of the risk researchers or the risk consultants, who have the access and expertise to obtain and interpret the external data and information. References = The Role of Executive Management in ERM - Corporate Compliance Insights, Guidelines on Risk Management Practices – Board and Senior Management, Risk Manager Job Description [+2023 TEMPLATE] - Workable

The issue of greatest concern when evaluating existing controls during a risk assessment is the presence of successive assessments with the same recurring vulnerabilities. This indicates that the controls are ineffective or inadequate in addressing the identified risks, and that the risk management process is not functioning properly. Recurring vulnerabilities expose the enterprise to potential losses, breaches, or incidents that could harm its objectives, reputation, or compliance. Therefore, it is essential to identify the root causes of the recurring vulnerabilities, implement corrective actions, and monitor the effectiveness ofthe controls on a regular basis. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.2, page 183.

The risk owner is the person who has the authority and accountability to manage a specific risk and its associated controls. The risk owner is also responsible for ensuring that the risk is within the acceptable level and that the risk response is effective and efficient. In this case, the risk owner is also the owner of the business service that depends on the managed hosting service. Therefore, the risk owner should be notified of the new information about the flood risk first, as they have the most interest and influence on the risk and its impact on the business objectives. The risk owner can then decide on the appropriate actions to take, such as reviewing the contract terms, requesting additional controls, or changing the service provider. The other options are not the correct answers because they are not the primary stakeholders of the risk and its consequences. The data center manager is an employee of the managed hosting service provider, not the organization that procured the service. The data center manager may not have the authority or the incentive to address the flood risk or inform the organization. The site manager is also an employee of the managed hosting service provider, and their role is to conduct annual risk assessments under the contract. The site manager may not be aware of the new information or have the responsibility to communicate it to the organization. The CIO is the senior executive who oversees the IT strategy and operations of the organization. The CIO may have a general interest in the managed hosting service and its risks, but they are not the direct owner or managerof the specific risk or the business service that relies on the service. References = CRISC Review Manual, pages 32-331; CRISC Review Questions, Answers & Explanations Manual, page 702

A security awareness training program is an educational program that aims to equip the organization’s employees with the knowledge and skills they need to protect the organization’s data and sensitive information from cyber threats, such as hacking, phishing, or other breaches12.

A risk-aware culture is a culture that values and promotes the understanding and management of risks, and encourages the behaviors and actions that support the organization’s risk objectives and strategy34.

The best indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees is an increase in the number of incidents reported, which is the frequency or rate of security incidents that are detected and communicated by the employees to the appropriate authorities or channels56.

An increase in the number of incidents reported is the best indication because it shows that the employees have gained the awareness and confidence to recognize and report the security incidents that may affect the organization, and that they have the responsibility and accountability to contribute to the organization’s risk management and security posture56.

An increase in the number of incidents reported is also the best indication because it enables the organization to respond and recover from the security incidents more quickly and effectively, and to prevent or reduce the recurrence or escalation of similar incidents in the future56.

The other options are not the best indication, but rather possible outcomes or consequences of an improved risk-aware culture or a security awareness training program. For example:

A reduction in the number of help desk calls is an outcome of an improved risk-aware culture or a security awareness training program that indicates the employees have become more self-reliant and proficient in solving or preventing the common or minor IT issues or problems . However, this outcome does not measure the employees’ awareness or reporting of security incidents, which may be more serious or complex .

An increase in the number of identified system flaws is a consequence of an improved risk-aware culture or a security awareness training program that indicates the employees have become more vigilant and proactive in finding and reporting the vulnerabilities or weaknesses in the IT systems or processes . However, this consequence does not measure the employees’ awareness or reporting of security incidents, which may exploit or leverage the system flaws .

A reduction in the number of user access resets is an outcome of an improved risk-aware culture or a security awareness training program that indicates the employees have become more careful and responsible in managing and protecting their user credentials or accounts . However, this outcome does not measure the employees’ awareness or reporting of security incidents, which may compromise or misuse the user access . References =

1: Security Awareness Training - Cybersecurity Education Online | Proofpoint US5

2: What Is Security Awareness Training and Why Is It Important? - Kaspersky6

3: Risk IT Framework, ISACA, 2009

4: IT Risk Management Framework, University of Toronto, 2017

5: Security Incident Reporting and Response, University of Toronto, 2017

6: Security Incident Reporting and Response, ISACA, 2019

IT Help Desk Best Practices, ISACA Journal, Volume 2, 2018

IT Help Desk Best Practices, ISACA Now Blog, February 12, 2018

System Flaw Reporting and Remediation, University of Toronto, 2017

System Flaw Reporting and Remediation, ISACA, 2019

User Access Management and Control, University of Toronto, 2017

User Access Management and Control, ISACA, 2019

The source that provides the most reliable evidence to support conclusions after completing an information systems controls assessment is the information generated by the systems, as it reflects the actual and objective data and results of the system operations and performance, and can be verified and tested against the control objectives and criteria. The other options are not the most reliable sources, as they may be subjective, biased, or incomplete, and may not reflect theactual or current state of the system controls, respectively. References = CRISC Review Manual, 7th Edition, page 154.

Architecture is the design and structure of a system or a process, such as an IT system or a business process. Architecture documentation is the document that describes and explains the architecture, such as its components, functions, relationships, requirements, constraints, orstandards. Architecture documentation can help to understand, communicate, and improve the system or the process1.

An environment that lacks documentation of the architecture faces a great risk of unknown vulnerabilities, which are the weaknesses or flaws in the system or the process that could be exploited by threats or attackers, but are not identified or addressed by the organization. Unknown vulnerabilities can pose a serious risk to the organization, because they can:

Compromise the confidentiality, integrity, and availability of the system or the process, and the information or resources that it handles or supports

Cause financial, operational, reputational, or legal damages or losses to the organization, such as data breaches, fraud, errors, delays, or fines

Remain undetected or unresolved for a long time, and increase the exposure or impact of the risk over time

Require more resources or efforts to mitigate or recover from the risk, and reduce the efficiency or effectiveness of the risk management process23

Lack of documentation of the architecture can increase the risk of unknown vulnerabilities, because it can:

Prevent or hinder the identification and assessment of the vulnerabilities, and the evaluation and prioritization of the risks

Impede or delay the implementation and enforcement of the controls or safeguards to prevent or reduce the vulnerabilities, and the monitoring and reporting of the risk status and progress

Obstruct or limit the communication and coordination among the stakeholders, and the awareness and accountability of the risk owners and users

Restrict or hamper the review and improvement of the system or the process, and the learning and feedback of the risk management4

The other options are not the greatest risks associated with an environment that lacks documentation of the architecture, but rather some of the possible causes or consequences of it.Legacy technology systems are outdated or obsolete systems that are still in use by the organization, but are no longer supported or maintained by the vendors or developers. Legacy technology systems can be a cause of lack of documentation of the architecture, as they may have been developed or acquired without proper documentation, or the documentation may have been lost or discarded over time. Network isolation is the separation or segregation of a network or a system from other networks or systems, either physically or logically, to prevent or limit the access or communication between them. Network isolation can be a consequence of lack of documentation of the architecture, as it may result from the inability or difficulty to integrate or connect the system or the process with other systems or processes. Overlapping threats are threats that affect more than one system or process, or have similar or related sources or causes, such as natural disasters, cyberattacks, or human errors. Overlapping threats can be a consequence of lack of documentation of the architecture, as they may arise from the lack of understanding or coordination of the system or the process with other systems or processes. References =

Architecture Documentation - ISACA

Vulnerability - ISACA

The Risks of Not Having a Vulnerability Management Program

The Importance of Architecture Documentation - ISACA

[The Risk of Poor Document Control - ComplianceBridge]

[CRISC Review Manual, 7th Edition]

Internet of Things (IoT) is an emerging technology that refers to the network of devices, such as cameras, sensors, appliances, or vehicles, that can communicate and exchange data via the internet. IoT is frequently used for botnet distributed denial of service (DDoS) attacks, which are cyberattacks that aim to disrupt or disable a target’s online services by overwhelming them with traffic from multiple sources. IoT devices are often unsecured, unpatched, or misconfigured, which makes them vulnerable to being infected by malware and controlled by attackers. Attackers can use IoT devices to create large and powerful botnets that can launch DDoS attacks against various targets, such as websites, servers, or networks. According to the CRISC Review Manual 2022, IoT is one of the key emerging technologies that pose new IT risks, including DDoS attacks1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, IoT is the correct answer to this question2. According to the web search results, IoT devices are commonly used for botnet DDoS attacks, such as the Mirai botnet, the Emotet botnet, and the BoT-IoT dataset345.