CRISC Exam Dumps - Certified in Risk and Information Systems Control

Local laws and regulations should be the primary consideration when assessing the risk of using IoT devices to collect and process PII, because they define the legal obligations and liabilities of the organization and the individuals involved. Non-compliance with local laws and regulations can result in fines, lawsuits, reputational damage, and loss of trust. Therefore, it is essential to understand and adhere to the applicable laws and regulations in the jurisdictions where the IoT devices operate and where the PII is stored, processed, and transferred.

References

•Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

•The Internet of Things (IoT) and Digitally Stored PII: Avoidable or Inevitable?

•Security Issues in IoT: Challenges and Countermeasures

In aZero Trustmodel, access is never implicitly trusted and must be continuously verified — makingprivileged access reviewcritical.

ISACA CRISC guidance:

“Under the Zero Trust model, continuous validation and review of privileged user access is essential to prevent privilege escalation and insider threats.”

Integration and segmentation are design concerns;privileged access managementis the ongoing control requirement.

Thus,Ais correct.

CRISC Reference:Domain 4 – Risk and Control Monitoring and Reporting, Topic: Zero Trust and Continuous Authorization.

Brainstorming sessions with key stakeholders are the best way to facilitate the development of relevant risk scenarios, as they can generate diverse and creative ideas, perspectives, and insights about the potential risks and their impact on the organization’s objectives and operations. Brainstorming sessions can also foster collaboration, communication, and engagement among the stakeholders, and help to identify and prioritize the most significant and realistic risk scenarios. Brainstorming sessions can be guided by an industry-recognized risk framework, such as ISACA’s Risk IT, and supported by qualitative or quantitative risk assessment methodologies, but they are not sufficient by themselves to develop relevant risk scenarios.

The best way to ensure data is properly sanitized while in cloud storage is to cryptographically scramble the data. Cryptographic scrambling is the process of transforming data into an unreadable form using a secret key or algorithm. Cryptographic scrambling protects the data from unauthorized access, modification, or deletion, even if the cloud storage provider or a third party gains access to the data. Cryptographic scrambling also ensures that the data can be restored to its original form using the same key or algorithm, if needed. The other options are not as effective as cryptographic scrambling, because they either do not completely remove the data,or they make it impossible to recover the data. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.1, page 3-21.

A security log is a record of security-related events or activities that occur in an IT system, network, or application, such as user authentication, access control, firewall activity, or intrusion detection1. Security logscan help to monitor and audit the security posture and performance of the IT environment, and to detect and investigate any security incidents, breaches, or anomalies2.

The integrity of a security log refers to the accuracy and completeness of the log data, and the assurance that the log data has not been modified, deleted, or tampered with by unauthorized or malicious parties3. The integrity of a security log is essential for ensuring the reliability and validity of the log analysis and reporting, and for providing evidence and accountability for security incidents and compliance4.

Among the four options given, the most important factor to the integrity of a security log is the inability to edit. This means that the security log data should be protected from any unauthorized or accidental changes or alterations, such as adding, deleting, or modifying log entries, or changing the log format or timestamps5. The inability to edit can be achieved by implementing various controls and measures, such as:

Applying digital signatures or hashes to the log data to verify its authenticity and integrity

Encrypting the log data to prevent unauthorized access or disclosure

Implementing least privilege access to the log data to restrict who can view, modify, or delete the log data

Using write-once media or devices to store the log data, such as CD-ROMs or WORM drives

Sending the log data to a secure and centralized log server or repository, and using syslog or other protocols to ensure secure and reliable log transmission

Performing regular backups and archiving of the log data to prevent data loss or corruption

References = Security Log: Best Practices for Logging and Management, Security Audit Logging Guideline, Confidentiality, Integrity, & Availability: Basics of Information Security, Steps for preserving the integrity of log data, Guide to Computer Security Log Management

The objective of aligning mitigating controls to risk appetite is to ensure that the cost of controls does not exceed the expected loss. The cost of controls is the amount of resources and efforts required to implement and maintain the controls that are designed to reduce the risk exposure. The expected loss is the estimated amount of loss or harm that may result from a risk event. Therisk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. By aligning mitigating controls to risk appetite, the organization can optimize the balance between the cost of controls and the expected loss, and avoid over- or under-investing in controls. Exposures being reduced to the fullest extent,exposures being reduced only for critical business systems, and insurance costs being minimized are other possible objectives, but they are not as relevant as the cost of controls not exceeding the expected loss. References = ISACA Certified in Risk and Information Systems Control (CRISC)Certification Exam Question and Answers, question 8; CRISC Review Manual, 6th Edition, page 97.

Social engineering attacks are attempts to manipulate or deceive people into revealing confidential or personal information, such as passwords, account numbers, or security codes. Customer service representatives are often targeted by social engineering attacks, as they have access to sensitive customer data and may be pressured to provide quick and satisfactory service. Therefore, it is most important to include in a risk awareness training session for the customer service department how to identify and prevent social engineering attacks, such as phishing, vishing, baiting, or impersonation.

References

•The role of customer service in cybersecurity - Security Intelligence

•How to Improve Risk Awareness in the Workplace [+ Template] - AlertMedia

•Top 4 Risks For Customer Service Teams | Resolver