CRISC Exam Dumps - Certified in Risk and Information Systems Control

The percentage of unpatched systems is best classified as a Key Risk Indicator (KRI). KRIs are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the business. Here’s a

Understanding KRIs:

Definition: KRIs are specific metrics that provide insights into the risk level of an organization. They help in identifying potential risks that could impact the business negatively if not addressed promptly.

Purpose: KRIs are used to monitor the effectiveness of risk management strategies and to provide an early warning system for emerging risks.

Percentage of Unpatched Systems as a KRI:

Indicator of Vulnerability: The percentage of unpatched systems directly indicates how vulnerable an organization is to cyber threats. Unpatched systems are a common entry point for attackers, making this metric critical for assessing the organization ' s exposure to cyber risks.

Impact on Security Posture: A high percentage of unpatched systems can significantly increase the likelihood of security incidents, making it a valuable metric for risk management.

Proactive Risk Management: By monitoring this KRI, organizations can take proactive measures to address vulnerabilities before they are exploited.

Comparison with Other Options:

Threat Vector: A threat vector refers to the path or means by which a threat can reach and impact an asset. It is not a metric like the percentage of unpatched systems.

Critical Success Factor (CSF): CSFs are essential elements necessary for an organization to achieve its mission. While important, they are not specific metrics used to measure risk.

Key Performance Indicator (KPI): KPIs measure how effectively an organization is achieving its key business objectives. While related, KPIs focus on performance rather than risk exposure.

Data leakage is the unauthorized or accidental disclosure of sensitive or confidential data to unauthorized parties. Data leakage can cause serious damages or losses to the organization, such as data breaches, fines, lawsuits, reputational harm, or loss of customer trust. Data leakage can occur due to various reasons, such as human errors, malicious attacks, or inadequate controls1.

An organization that uses a vendor to destroy hard drives faces a risk of data leakage, as the vendor may not properly or securely destroy the hard drives, or may access or misuse the data stored on them. The best way to reduce this risk is to use an accredited vendor to dispose of the hard drives, because it means that the vendor:

Has been certified or verified by a reputable or recognized authority or organization, such as ISACA, NAID, or R2, to provide hard drive destruction services

Follows the industry standards and best practices for hard drive destruction, such as NIST 800-88 or DoD 5220.22-M, and ensures the compliance with the legal and regulatory requirements, such as HIPAA, PCI DSS, or GDPR

Provides a secure and transparent process for hard drive destruction, such as using a specialized shredder, issuing a certificate of destruction, or allowing the customer to witness the destruction

Maintains a high level of professionalism and integrity, and does not compromise the confidentiality or security of the customer’s data234

The other options are not the best ways to reduce the risk of data leakage, but rather some of the steps or aspects of hard drive destruction. Require the vendor to degauss the hard drives is a step that can help to erase the data on the hard drives by using a strong magnetic field. However,degaussing may not be effective or reliable for some types of hard drives, such as solid state drives (SSDs), and it may not prevent the vendor from accessing or misusing the data before degaussing5. Implement an encryption policy for the hard drives is an aspect that can help to protect the data on the hard drives by using a cryptographic algorithm to make it unreadable without a key. However, encryption may not be sufficient or applicable for some types of data, such as metadata, and it may not prevent the vendor from accessing or misusing the key or the encrypted data6. Require confirmation of destruction from the IT manager is a step that can help to verify that the hard drives have been destroyed by the vendor, and to document the process and the outcome. However, confirmation of destruction may not be accurate or authentic, and it may not prevent the vendor from accessing or misusing the data before destruction7. References =

Data Leakage - ISACA

Hard Drive Shredding Services | Hard Drive Destruction & Disposal

Hard Drive Shredding and Destruction Service | CompuCycle

Electronic Destruction & Recycling | Shred Nations

Degaussing - ISACA

Encryption - ISACA

Certificate of Destruction - ISACA

[CRISC Review Manual, 7th Edition]

Modifying logs before analysis compromises the integrity and reliability of monitoring processes. This action creates a risk of inaccurate data feeding into key risk indicators, which undermines the effectiveness of monitoring and decision-making. Maintaining log integrity is a foundational practice inRisk Monitoring and Reporting.

The best way to mitigate the risk of customer identity theft is to implement layered security. Layered security is a defense-in-depth approach that applies multiple and diverse security controls at different levels and stages of the information system and the data lifecycle. Layered security can include physical, technical, and administrative controls, such as locks, firewalls, encryption, authentication, authorization, backup, audit, and policy. Layered security can help to protect the customer data and identity from unauthorized access, use, modification, disclosure, or destruction, by creating multiple barriers and deterrents for potential attackers, and by reducing the impact and likelihood of a successful breach. Layered security can also help to comply with the legal and regulatory requirements and standards for data privacy and protection, such as the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Payment Card Industry Data Security Standard (PCI DSS)123.The other options are not the best way to mitigate the risk of customer identity theft, although they may be useful or complementary to layered security. Implementing monitoring techniques is a part of the layered security approach, but it is not sufficient, as it mainly focuses on detecting and responding to the incidents, rather than preventing or deterring them. Outsourcing to a local processor is a business decision that may or may not improve the security of the customer data and identity, depending on the quality and reliability of the service provider, and the terms and conditions of the outsourcing contract. Conducting an awareness campaign is a good practice that can help to educate and inform the customers and the employees about the common types, methods, and indicators of identity theft, and the best practices and precautions to prevent or report it, but it does not directly apply or enforce any security controls to the information system or the data.

The greatest risk associated with inappropriate classification of data is users having unauthorized access to sensitive information. Proper data classification ensures that access controls are applied appropriately, protecting sensitive data from unauthorized access.

Importance of Data Classification

Data classification involves categorizing data based on its level of sensitivity and the impact that unauthorized access, disclosure, modification, or destruction would have on the organization.

It ensures that appropriate security measures are applied according to the data ' s classification.

Risks of Inappropriate Classification

Unauthorized Access: If data is not classified correctly, sensitive information may not receive the necessary protections, leading to unauthorized access.

Lack of Accountability: Misclassification can result in unclear responsibilities for data protection, but the primary concern remains unauthorized access.

Inaccurate Recovery Time Objectives (RTOs): While important, this is secondary to the risk of unauthorized access.

Inaccurate Record Management Data: This can affect operational efficiency but is not as critical as unauthorized access.

Implementing Effective Classification

Organizations must have a clear data classification policy and ensure it is followed consistently.

Regular audits and reviews should be conducted to verify that data is classified appropriately and that access controls are enforced.

References

CISM Review Manual Full text.html, emphasizing the importance of proper data classification and the risks associated with misclassification, especially unauthorized access to data​​.

A risk owner should be the person accountable for the business process that is affected by the risk, as they have the authority, responsibility, and knowledge to manage the risk effectively. The risk owner should collaborate with the risk practitioner, who facilitates the risk management process, and the risk action owners, who implement the risk response actions. The risk owner should also ensure that the controls are adequate and functioning properly to mitigate the risk. The other options are not the best description of what a risk owner should be accountable for, as they are either too broad (the risk management process), too narrow (managing controls or implementing actions), or not directly related to the risk (the businessprocess). References = Why Assigning a Risk Owner is Important and How to Do It Right; Definition of Risk Owner; What Is a Risk Owner in Project Management?

Instead of relying solely on the provider’s internal assessment, the client should validate control effectiveness throughindependent audit reports(e.g., SOC 2 Type II). These provide third-party assurance.

Whenever there is achange in sourcing strategy, such as moving from cloud to internal hosting, thefirst stepis to reassess theeffectiveness and completeness of existing risk responsesand confirm that they still mitigate the risks appropriately.

CRISC emphasizes:

“When transitioning services or changing control environments, practitioners should reassess risk responses and validate that previously identified risks and vulnerabilities remain properly addressed.”

Only after reassessment should the practitioner proceed to update registers, controls, and audit plans.

Hence,Ais the correct answer.

CRISC Reference:Domain 3 – Risk Response and Mitigation, Topic: Managing Control Changes.