CRISC Exam Dumps - Certified in Risk and Information Systems Control

 A compensating control is a temporary or alternative control that is implemented when the primary control for mitigating a risk is not feasible or available. A compensating control should provide a similar level of protection and assurance as the primary control, and should be aligned with the risk appetite and tolerance of the organization. The risk practitioner’s best course of action when a compensating control needs to be applied is to obtain the risk owner’s approval. The risk owner is the person who has the authority and accountability for managing a specific risk, and who is responsible for ensuring that the risk is within the acceptable level. The risk practitioner should consult with the risk owner to explain the situation, proposethe compensating control, and seek their approval before implementing it. This way, the risk practitioner can ensure that the compensating control is appropriate, effective, and acceptable for the risk owner, and that the risk owner is aware of and agrees with the change in the risk treatment. The other options are not the best course of action, as they do not involve the risk owner’s approval or input. Recording the risk as accepted in the risk register implies that the risk is not treated or reduced, which may not be the case with a compensating control. Informing senior management may be a good practice, but it does not ensure that the risk owner is involved or agrees with the compensating control. Updating the risk response plan may be a necessary step after implementing the compensating control, but it does not require the risk owner’s approval or consultation. References = 5 Key Risk Mitigation Strategies (With Examples), Risk Management 101: Process, Examples, Strategies

 The control owner should be responsible for evaluating the residual risk after a compensating control has been implemented. A compensating control is a control that provides an alternative or additional measure of protection when the primary or preferred control is not feasible or effective. A residual risk is the risk that remains after the risk response or mitigation has beenapplied. The control owner is the person who has the authority and responsibility for designing, implementing, and monitoring the controls that enforce the policy. The control owner can assess the impact and effectiveness of the compensating control on the residual risk, and report the results and recommendations to the risk owner or the risk practitioner. The other options are not as responsible as the control owner, as they are related to the compliance, ownership, or management of the risk, not the evaluation of the control. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.

Testing is completed by IT support users without input from end users should be of most concern to a risk practitioner reviewing the system development life cycle (SDLC). This is because testing without input from end users can result in poor quality, usability, and functionality of the system, as well as increased errors, defects, and rework. Testing without input from end users can also lead to user dissatisfaction, resistance, and non-compliance, as well as misalignment with the business requirements and objectives. According to the CRISC Review Manual 2022, one of the key risk identification techniques for IT projects is to involve the end users and other relevant parties in the testing process1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, testing without input from end users is the correct answer to this question2.

Testing in phases, overriding segregation of duties controls, and using data anonymization are not the most concerning issues for a risk practitioner reviewing the SDLC. These are possible practices or techniques that can be used in the testing process, but they do not necessarily pose significant risks or problems. Testing in phases can help ensure that the system meets the technical and functional specifications, as well as the user acceptance criteria, at each stage of the development. Overriding segregation of duties controls can be justified and authorized during the testing phases, as long as the controls are restored and verified before the system goes live. Using data anonymization can help protect the privacy and security of the data used in the testing process, as well as comply with the relevant regulations and standards.

The most important factor when identifying an organization’s risk exposure associated with IoT devices is visibility into all networked devices. This means having a comprehensive inventory of all the IoT devices connected to the organization’s network, as well as their configurations, functions, and security status. Visibility enables the organization to identify the potential threats and vulnerabilities that IoT devices pose, as well as the impact and likelihood of those risks. Visibility also helps the organization to monitor the behavior and performance of IoT devices, detect any anomalies or incidents, and respond accordingly. Without visibility, the organization may be unaware of the existence, location, or condition of some IoT devices, which could lead to undetected breaches, data loss, or operational disruptions. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: IT Risk Identification Methods and Techniques, Page 28; 8 Internet of Things Threats and Risks to Be Aware of - SecurityScorecard Blog.

ï‚· Understanding the Question:

The question is about mitigating the impact of social engineering attacks that use AI technology to impersonate senior management personnel.

ï‚· Analyzing the Options:

A. Training and awareness of employees for increased vigilance:This is the most proactive approach. Educating employees about the risks and signs of social engineering attacks enhances their ability to recognize and respond appropriately to such threats.

B. Increased monitoring of executive accounts:Useful but reactive; it doesn't prevent initial attempts.

C. Subscription to data breach monitoring sites:Helps detect breaches but doesn’t directly mitigate impersonation attacks.

D. Suspension and takedown of malicious domains or accounts:Reactive measure and might not be immediate or comprehensive.

ï‚·

Importance of Training:Employees are often the first line of defense against social engineering attacks. Regular training ensures they are aware of the tactics used in such attacks, including those leveraging AI, and how to respond effectively.

Proactive Measure:Training increases vigilance and the likelihood of early detection, reducing the potential impact of the attack.

An updatedrisk registerensures that decision-makers have accurate, timely information about current risks, enabling informed, risk-based decisions that align with organizational priorities and changes in the environment.

Using aconsistent risk taxonomyensures that IT risks can be aggregated and compared with enterprise-level risks in a meaningful way. ISACA emphasizes that standardized risk language and categories are critical to integrating IT risk with ERM processes.

===========

Modifying logs before analysis compromises the integrity and reliability of monitoring processes. This action creates a risk of inaccurate data feeding into key risk indicators, which undermines the effectiveness of monitoring and decision-making. Maintaining log integrity is a foundational practice inRisk Monitoring and Reporting.