CRISC Exam Dumps - Certified in Risk and Information Systems Control

 IT asset inventory is the process of tracking and managing the financial, physical, licensing, and contractual aspects of IT assets throughout their life cycle1. IT assets include hardware, software, and network components that an organization values and uses to achieve its objectives2. A complete and accurate IT asset inventory can help an organization to optimize its IT budget, reduce security risks, ensure compliance, and improve performance3.

One of the best controls to enable an organization to ensure a complete and accurate IT asset inventory is performing network scanning for unknown devices. Network scanning is the process of identifying and collecting information about the devices connected to a network, such as their IP addresses, operating systems, open ports, services, and vulnerabilities4. Network scanning can help an organization to:

Discover and inventory all the IT assets on the network, including those that are unauthorized, unmanaged, or hidden

Detect and remove any rogue or malicious devices that may pose a threat to the network security or performance

Update and verify the asset inventory data regularly and automatically, and alert on any changes or discrepancies

Support the asset lifecycle management and maintenance activities, such as patching, upgrading, or retiring assets5

References = IT Asset Valuation, Risk Assessment and Control Implementation Model, ITAM: The ultimate guide to IT asset management, Navigating Security Threats with IT Inventory Management, Network Scanning - Wikipedia, 8 Best IT Asset Management Software (2024)

According to the ISACA Risk and Information Systems Control study guide and handbook, the control owners in the IT department should determine whether risk responses still effectively address risk after a restructuring and outsourcing of certain functions. This is because the restructuring and outsourcing may have changed the risk profile, the control environment, and the control activities of the IT department. The control owners should review the existing risk responses and evaluate if they are still appropriate, adequate, and efficient in mitigating the risks associated with the outsourced functions. The control owners should also monitor the performance and compliance of the service providers and ensure that the contractual obligations and service level agreements are met12

1: ISACA Risk and Information Systems Control Study Guide, 4th Edition, page 33 2: ISACA Risk and Information Systems Control Handbook, 1st Edition, page 25

 Computer-enabled fraud is the use of information technology (IT) to commit or conceal fraudulent activities, such as theft, manipulation, or unauthorized access of data, systems, or networks. Computer-enabled fraud can pose significant risks to an organization, such as financial loss, reputational damage, legal liability, or regulatory sanctions. Therefore, an organization should establish a comprehensive and effective framework to prevent, detect, and respond to computer-enabled fraud. The framework should involve three lines of defense, which are theroles and responsibilities of different functions within theorganization to manage and control risks. The first line of defense consists of the business owners, whose role is to identify, assess, and manage risks, including computer-enabled fraud risks. The primary responsibility of the first line of defense related to computer-enabled fraud is to implement processes to detect and deter fraud. This means designing and executing controls that can prevent or reduce the occurrence of computer-enabled fraud, such as authentication, authorization, encryption, logging, orsegregation of duties. This also means monitoring and reporting any suspicious or anomalous activities or transactions that may indicate computer-enabled fraud, such as unusual patterns, volumes, or frequencies of data or system access or usage. Implementing processes to detect and deter fraud can help the first line of defense to protect the organization’s assets, data, and reputation from computer-enabled fraud, and to comply with the organization’s policies and regulations. References = Three Lines of Defence, Roles of Three Lines of Defense for Information Security and Governance, THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL, The Three Lines of Defense.

A risk practitioner is a person who is responsible for performing risk management activities, such as identifying, analyzing, evaluating, treating, monitoring, and communicating risks. When an organization is implementing a project to automate the purchasing process, including the modification of approval controls, the task that is the responsibility of the risk practitioner is to verify that the existing controls continue to properly mitigate the defined risk. This means thatthe risk practitioner should ensure that the automation and modification of the approval controls do not introduce new risks or change the existing risk profile, and that the controls are still effective and adequate for the purchasing process. The risk practitioner should also monitor the performance and compliance of the controls, and recommend any improvements or adjustments as needed. References = CRISC Review Manual, 7th Edition, page 177.

The data privacy officer is the best person to notify in case of a new malware that has severely impacted industry peers with data loss. The data privacy officer is responsible for ensuring that the enterprise complies with the applicable privacy laws and regulations, and that the personal data of the customers, employees, and other stakeholders are protected from unauthorized access, use, disclosure, or destruction. The data privacy officer can assess the potential impact of the malware on the enterprise’s data privacy obligations and risks, and coordinate the appropriate response and remediation actions. The customer database manager, the customer data custodian, and the audit committee are not the best persons to notify, as they do not have the same level of authority, responsibility, and expertise as the data privacy officer in dealing with data privacy issues. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 191.

IT risk is a subset of enterprise risk. Integration ensures IT risks arevisible and prioritizedalongside strategic and operational risks.

CRISC framework explains:

“Integration of IT risk management with ERM ensures that technology-related risks are appropriately represented in the overall corporate risk profile and reporting structure.”

Hence,Dis correct.

CRISC Reference:Domain 1 – IT Risk Governance, Topic: Enterprise and IT Risk Integration.

The best method for identifying vulnerabilities is periodic network scanning. Network scanning is a process of scanning and probing the network devices, systems, and applications to discover and analyze their security weaknesses, such as configuration errors, outdated software, or open ports. Network scanning can help to identify the vulnerabilities that could be exploited by attackers to gain unauthorized access, compromise data, or disrupt services. Periodic network scanning is the best method, because it can provide a regular and comprehensive view of the network security posture, and it can detect and address the new or emerging vulnerabilities in a timely manner. Periodic network scanning can also help to comply with the legal and regulatory requirements and standards for network security, such as the ISO/IEC 27001, the NIST SP 800-53, or the PCI DSS123. The other options are not the best method, although they may be useful or complementary to periodic network scanning. Batch job failure monitoring is a process of monitoring and reporting the failures or errors that occur during the execution of batch jobs, such as data processing, backup, or synchronization. Batch job failure monitoring can help to identify the operational or technical issues that affect the performance or availability of the network services, but it does not directly identify the security vulnerabilities or the potential threats. Annual penetration testing is a process of simulating a real-world attack on the network devices, systems, and applications to evaluate their security defenses and resilience. Penetration testing can help to identify and exploit the vulnerabilities that could be used by attackers to compromise the network security, and to provide recommendations for improvement. However, annual penetration testing is not the best method, because it is not frequent or consistent enough to keep up with the changing and evolving network security landscape, and it may not cover all thenetwork components or scenarios. Risk assessments are a process of identifying, analyzing, and evaluating the risks associated with the network devices, systems, and applications. Risk assessments can help to estimate the probability and impact of the vulnerabilities and the threats, and to prioritize and respond to the risks accordingly. However, risk assessments are not the same as or a substitute for vulnerability identification, as they rely on the vulnerability information as an input, rather than an output. References = Vulnerability Testing: Methods, Tools, and 10 Best Practices, ISO/IEC 27001 Information Security Management, NIST SP 800-53 Rev. 5