CRISC Exam Dumps - Certified in Risk and Information Systems Control (CRISC)

mitigated

deferred

accepted.

transferred

Conduct interviews with key stakeholders.

Conduct a tabletop exercise.

Conduct a disaster recovery exercise.

Conduct a full functional exercise.

Prioritizing risk within each business unit

Reviewing risk ranking methodology

Promoting an organizational culture of risk awareness

Assigning risk ownership to appropriate roles

helping personnel make better-informed decisions

assisting the development of a risk register.

improving the effectiveness of IT controls.

increasing participation in the risk assessment process.

The volume of risk scenarios is too large

Risk aggregation has not been completed

Risk scenarios are not applicable

The risk analysts for each scenario is incomplete

Percentage of projects with key risk accepted by the project steering committee

Reduction in risk policy noncompliance findings

Percentage of projects with developed controls on scope creep

Reduction in audits involving external risk consultants

by the security administration team.

successfully within the expected time frame.

successfully during the first attempt.

without causing an unplanned system outage.

Identify new or emerging risk issues.

Satisfy audit requirements.

Survey and analyze historical risk data.

Understand internal and external threat agents.

Tokenized personal data only in test environments

Data loss prevention tools (DLP) installed in passive mode

Anonymized personal data in non-production environments

Multi-factor authentication for access to non-production environments

mitigation plans for threat events should be prepared in the current planning period.

this risk scenario is equivalent to more frequent but lower impact risk scenarios.

the current level of risk is within tolerance.

an increase in threat events could cause a loss sooner than anticipated.

Threat event

Inherent risk

Risk event

Security incident

Business continuity plan (BCP) testing results

Recovery lime objective (RTO)

Business impact analysis (BIA)

results Recovery point objective (RPO)

Risk owner

IT security manager

IT system owner

Control owner

IT system owner

Chief financial officer

Chief risk officer

Business process owner

Unknown vulnerabilities

Legacy technology systems

Network isolation

Overlapping threats

A comparison of current risk levels with established tolerance

A comparison of cost variance with defined response strategies

A comparison of current risk levels with estimated inherent risk levels

A comparison of accepted risk scenarios associated with regulatory compliance

Ensure compliance.

Identify trends.

Promote a risk-aware culture.

Optimize resources needed for controls

Review the risk of implementing versus postponing with stakeholders.

Run vulnerability testing tools to independently verify the vulnerabilities.

Review software license to determine the vendor's responsibility regarding vulnerabilities.

Require the vendor to correct significant vulnerabilities prior to installation.

reset the alert threshold based on peak traffic

analyze the traffic to minimize the false negatives

analyze the alerts to minimize the false positives

sniff the traffic using a network analyzer

Risk monitoring

Risk mitigation

Risk aggregation

Risk assessment

rolled back changes below management's thresholds.

change-related exceptions per month.

the average implementation time for changes.

number of user stories approved for implementation.

information security manager

Control owner

Risk owner

Risk manager

It provides a cost-benefit analysis on control options available for implementation.

It provides a view on where controls should be applied to maximize the uptime of servers.

It provides historical information about the impact of individual servers malfunctioning.

It provides a comprehensive view of the impact should the servers simultaneously fail.

cost-benefit analysis.

risk appetite.

regulatory guidelines

control efficiency

Develop a risk treatment plan.

Validate organizational risk appetite.

Review results of prior risk assessments.

Include the current and desired states in the risk register.

Key performance indicators (KPIs)

Risk heat maps

Internal audit findings

Periodic penetration testing

Prohibiting the use of personal devices for business

Performing network scanning for unknown devices

Requesting an asset list from business owners

Documenting asset configuration baselines

Perform a risk assessment.

Perform root cause analysis.

Initiate disciplinary action.

Update the incident response plan.

Communicate potential impact to decision makers.

Research the root cause of similar incidents.

Verify the response plan is adequate.

Increase human resources to respond in the interim.

Vulnerability scanning

Systems log correlation analysis

Penetration testing

Monitoring of intrusion detection system (IDS) alerts

Obtain industry benchmarks related to the specific risk.

Provide justification for the lower risk rating.

Notify the business at the next risk briefing.

Reopen the risk issue and complete a full assessment.

ensure compliance with IT governance strategy.

assist internal audit in evaluating and initiating remediation efforts.

benchmark IT controls with Industry standards.

facilitate the comparison of the current and desired states.

review and update the policies to align with industry standards.

determine that the policies should be updated annually.

report that the policies are adequate and do not need to be updated frequently.

review the policies against current needs to determine adequacy.

The third party's IT operations manager

The organization's process owner

The third party's chief risk officer (CRO)

The organization's risk practitioner

Number of training sessions completed

Percentage of staff members who complete the training with a passing score

Percentage of attendees versus total staff

Percentage of staff members who attend the training with positive feedback

Data owner

Control owner

Risk owner

System owner

IT service desk manager

Sales manager

Customer service manager

Access control manager

The audit plan for the upcoming period

Spend to date on mitigating control implementation

A report of deficiencies noted during controls testing

A status report of control deployment

Identify systems that are vulnerable to being exploited by the attack.

Confirm with the antivirus solution vendor whether the next update will detect the attack.

Verify the data backup process and confirm which backups are the most recent ones available.

Obtain approval for funding to purchase a cyber insurance plan.

Cost-benefit analysis

Alignment of investment with risk appetite

Elimination of compensating controls

Reduction in personnel costs

provide an enterprise-wide view of risk

support risk response tracking

assign risk ownership

facilitate risk response decisions.

Conduct a comprehensive review of access management processes.

Declare a security incident and engage the incident response team.

Conduct a comprehensive awareness session for system administrators.

Evaluate system administrators' technical skills to identify if training is required.

Monitoring is only conducted between official hours of business

Employees are informed of how they are bong monitored

Reporting on nonproductive employees is sent to management on a scheduled basis

Multiple data monitoring sources are integrated into security incident response procedures

detected incidents.

residual risk.

vulnerabilities.

inherent risk.

Conducting a business impact analysis (BIA)

Identifying the recovery response team

Procuring a recovery site

Assigning sensitivity levels to data

Identifying key risk indicators (KRIs)

Evaluating the return on investment (ROI)

Evaluating the residual risk level

Performing a cost-benefit analysis

include detailed deviations from industry benchmarks,

include a summary linking information to stakeholder needs,

include a roadmap to achieve operational excellence,

publish the report on-demand for stakeholders.

priority in the risk register.

business process owner.

enterprise risk profile.

appropriate level of protection.

Identify previous data breaches using the startup company’s audit reports.

Have the data privacy officer review the startup company’s data protection policies.

Classify and protect the data according to the parent company's internal standards.

Implement a firewall and isolate the environment from the parent company's network.

capability to implement new processes

evolution of process improvements

degree of compliance with policies and procedures

control requirements.

Automated access revocation

Daily transaction reconciliation

Rule-based data analytics

Role-based user access model

Review the cost-benefit of mitigating controls

Mark the risk status as unresolved within the risk register

Verify the sufficiency of mitigating controls with the risk owner

Update the risk register with implemented mitigating actions

Risk appetite

Control cost

Control effectiveness

Risk tolerance

Closed management action plans from the previous audit

Annual risk assessment results

An updated vulnerability management report

A list of identified generic risk scenarios

Reviewing database access rights

Reviewing database activity logs

Comparing data to input records

Reviewing changes to edit checks

Risk appetite statement

Enterprise risk management framework

Risk management policies

Risk register

The third party s management

The organization's management

The control operators at the third party

The organization's vendor management office

A control self-assessment

A third-party security assessment report

Internal audit reports from the vendor

Service level agreement monitoring

take necessary precautions for claims and losses.

achieve acceptable residual risk levels.

avoid risk for business and IT assets.

achieve compliance with legal requirements.

Escalate to senior management

Require a nondisclosure agreement.

Sanitize portions of the register

Determine the purpose of the request

Establishing business key performance indicators (KPIs)

Introducing an established framework for IT architecture

Establishing key risk indicators (KRIs)

Involving the business process owner in IT strategy

reduces risk to an acceptable level

quantifies risk impact

aligns with business strategy

advances business objectives.

A decrease in control layering effectiveness

An increase in inherent risk

An increase in control vulnerabilities

An increase in the level of residual risk

Assess the vulnerability management process.

Conduct a control serf-assessment.

Conduct a vulnerability assessment.

Reassess the inherent risk of the target.

Industry best practices

Placement on the risk map

Degree of variances in the risk

Cost of risk mitigation

Login attempts are reconciled to a list of terminated employees.

A list of terminated employees is generated for reconciliation against current IT access.

A process to remove employee access during the exit interview is implemented.

The human resources (HR) system automatically revokes system access.

Assess management's risk tolerance.

Recommend management accept the low risk scenarios.

Propose mitigating controls

Re-evaluate the risk scenarios associated with the control

Preventive

Directive

Detective

Compensating

Key risk indicator (KRI) thresholds

Inherent risk

Risk likelihood and impact

Risk velocity

Perform a risk assessment

Disable user access.

Develop an access control policy.

Perform root cause analysis.

map findings to objectives.

provide a quantified detailed analysts.

recommend risk tolerance thresholds.

quantify key risk indicators (KRls).

Average bandwidth usage

Peak bandwidth usage

Total bandwidth usage

Bandwidth used during business hours

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

The KRI is not providing useful information and should be removed from the KRI inventory.

The KRI threshold needs to be revised to better align with the organization s risk appetite

Senior management does not understand the KRI and should undergo risk training.

minimize the number of risk scenarios for risk assessment.

aggregate risk scenarios identified across different business units.

build a threat profile of the organization for management review.

provide a current reference to stakeholders for risk-based decisions.

Document the finding in the risk register.

Invoke the incident response plan.

Re-evaluate key risk indicators.

Modify the design of the control.

Complexity of the IT infrastructure

Value of information assets

Management culture

Threats and vulnerabilities

Extending the date of a future action plan by two months

Retiring a risk scenario no longer used

Avoiding a risk that was previously accepted

Changing a risk owner

Increase in the frequency of changes

Percent of unauthorized changes

Increase in the number of emergency changes

Average time to complete changes

Emerging risk must be continuously reported to management.

New system vulnerabilities emerge at frequent intervals.

The risk environment is subject to change.

The information security budget must be justified.

Employ security guards.

Conduct security awareness training.

Install security cameras.

Require security access badges.

Leading industry frameworks

Business context

Regulatory requirements

IT strategy

Perform a background check on the vendor.

Require the vendor to sign a nondisclosure agreement.

Require the vendor to have liability insurance.

Clearly define the project scope

Business continuity director

Disaster recovery manager

Business application owner

Data center manager

Derive scenarios from IT risk policies and standards.

Map scenarios to a recognized risk management framework.

Gather scenarios from senior management.

Benchmark scenarios against industry peers.

inherent risk.

residual risk.

risk appetite

risk tolerance

The risk owner who also owns the business service enabled by this infrastructure

The data center manager who is also employed under the managed hosting services contract

The site manager who is required to provide annual risk assessments under the contract

The chief information officer (CIO) who is responsible for the hosted services

Repeatable

Automated

Quantitative

Qualitative

Service level agreement

Customer service reviews

Scope of services provided

Right to audit the provider

Threshold definition

Escalation procedures

Automated data feed

Controls monitoring

Implementing record retention tools and techniques

Establishing e-discovery and data loss prevention (DLP)

Sending notifications when near storage quota

Implementing a bring your own device 1BVOD) policy

Encrypted storage of data

Links to source data

Audit trails for updates and deletions

Check totals on data records and data fields

Describe IT risk scenarios in terms of business risk.

Recommend the formation of an executive risk council to oversee IT risk.

Provide an estimate of IT system downtime if IT risk materializes.

Educate business executives on IT risk concepts.

Cost of offsite backup premises

Cost of downtime due to a disaster

Cost of testing the business continuity plan

Response time of the emergency action plan

Benchmark of industry standards

Internal and external risk reports

Recommendations from IT risk experts

Outcome of control self-assessments

The manager responsible for IT operations that will support the risk mitigation efforts

The individual with authority to commit organizational resources to mitigate the risk

A project manager capable of prioritizing the risk remediation efforts

The individual with the most IT risk-related subject matter knowledge

Internal audit reports

Access reviews

Threat modeling

Root cause analysis

Self-assessments by process owners

Mitigation plan progress reports

Risk owner attestation

Change in the level of residual risk

Facilitating risk-aware decision making by stakeholders

Demonstrating management commitment to mitigate risk

Closing audit findings on a timely basis

Ensuring compliance to industry standards

Update residual risk levels to reflect the expected risk impact.

Adjust inherent risk levels upward.

Include it on the next enterprise risk committee agenda.

Include it in the risk register for ongoing monitoring.

Risk appetite

Audit risk

Residual risk

Detection risk

Managing third-party risk

Developing risk scenarios

Managing the threat landscape

Updating risk appetite

Involvement of internal audit

Involvement of process owner

Quantitative impact of the risk

Identification of key risk indicators

record risk scenarios in the risk register for analysis.

validate the risk scenarios for business applicability.

reduce the number of risk scenarios to a manageable set.

perform a risk analysis on the risk scenarios.

Vulnerability and threat analysis

Control remediation planning

User acceptance testing (UAT)

Control self-assessment (CSA)

Comparing the remediation cost against budget

Assessing changes in residual risk

Assessing the inherent risk

Monitoring changes of key performance indicators (KPIs)

KRI thresholds

Integrity of the source data

Control environment

Stakeholder requirements

The chief risk officer (CRO)

The board of directors

The chief executive officer (CEO)

The chief information officer (CIO)

Increasing senior management's understanding of IT operations

Increasing the frequency of data backups

Minimizing complexity of IT infrastructure

Decentralizing IT infrastructure

Threat to IT

Number of control failures

Impact on business

Risk ownership

Comparing the actual process with the documented process

Reviewing access logs for user activity

Reconciling a list of accounts belonging to terminated employees

Reviewing for compliance with acceptable use policy

Chief information officer (CIO)

Executive management team

Audit committee

Business process owner

Enforce criminal background checks.

Mask customer data fields.

Require vendor to sign a confidentiality agreement.

Restrict access to customer data on a "need to know'' basis.

Management has not determined a final implementation date.

Management has not completed an early mitigation milestone.

Management has not secured resources for mitigation activities.

Management has not begun the implementation.

Develop key risk indicators (KRIs).

Ensure sufficient pre-implementation testing.

Identify applicable risk scenarios.

Identify the organization's critical data.

Classification of the data

Type of device

Remote management capabilities

Volume of data

security department.

business unit

vendor.

IT department.

organizational risk appetite.

business sector best practices.

business process requirements.

availability of automated solutions

Organization's information security manager

Organization's risk function

Service provider's IT management

Service provider's information security manager

Cyber insurance

Cryptocurrency reserve

Data backups

End user training

Providing oversight of risk management processes

Implementing processes to detect and deter fraud

Ensuring that risk and control assessments consider fraud

Monitoring the results of actions taken to mitigate fraud

accountable for the affected processes.

members of senior management.

authorized to select risk mitigation options.

independent from the business operations.

the organization's risk culture

benchmarking results against similar organizations

industry-specific regulatory requirements

expertise available within the IT department

Significant increases in risk mitigation budgets

Large fluctuations in risk ratings between assessments

A steady increase in the time to recover from incidents

A large number of control exceptions

Decrease in the time to move changes to production

Ratio of emergency fixes to total changes

Ratio of system changes to total changes

Decrease in number of changes without a fallback plan

conduct an audit of files stored offsite.

interview employees to compare actual with expected procedures.

inspect a selection of audit trails and backup logs.

demonstrate a successful recovery from backup files.

An updated risk register

Risk assessment results

Technical control validation

Control testing results

using the same scales in assessing risk

utilizing industry benchmarks

using reliable qualitative data for risk Hems

including primarily low level risk factors

obtain management approval for policy exception.

develop an improved password software routine.

select another application with strong password controls.

continue the implementation with no changes.

Monitoring of high-risk areas

Classification of risk profiles

Periodic review of the risk register

Assignment of risk ownership

business owner

IT department

Risk manager

Third-party provider

the third-party website manager

the business process owner

IT security

the compliance manager

Senior management

Project manager

Project sponsor

IT risk manager

Monitoring of service costs

Provision of internal audit reports

Notification of sub-contracting arrangements

Confidentiality of customer data

IT risk manager

IT system owner

Information security manager

Business owner

Recommend a re-evaluation of the current threshold of the KRI.

Notify management that KRIs are being effectively managed.

Update the risk rating associated with the KRI In the risk register.

Update the risk tolerance and risk appetite to better align to the KRI.

Updating the threat inventory with new threats

Automating log data analysis

Preventing the generation of false alerts

Determining threshold levels

Internal audit

Control owner

Senior management

Risk manager

strategy.

profile.

process.

map.

ensure that the source code is valid and exists.

ensure that the source code is available if the vendor ceases to exist.

review the source code for adequacy of controls.

ensure the source code is available when bugs occur.

amount of risk reduced by compensating controls.

amount of risk present in the organization.

variance against objectives.

number of incidents.

External audit findings

Feedback from focus groups

Self-assessment reports

Changes in senior management

Review the design of the machine learning model against control objectives.

Adopt the machine learning model as a replacement for current manual access reviews.

Ensure the model assists in meeting regulatory requirements for access controls.

Discourage the use of emerging technologies in key processes.

Cost of controls

Annual loss expectancy (ALE)

Inherent risk

Residual risk

recommend a program that minimizes the concerns of that production system.

inform the process owner of the concerns and propose measures to reduce them.

inform the IT manager of the concerns and propose measures to reduce them.

inform the development team of the concerns and together formulate risk reduction measures.

Acquisition

Implementation

Initiation

Operation and maintenance

Business impact analysis (BIA) results

Risk scenario ownership

Risk thresholds

Possible causes of materialized risk

A decrease in threats

A change in the risk profile

An increase in reported vulnerabilities

An increase in identified risk scenarios

Process ownership

Risk appetite statement

Risk tolerance levels

Risk response options

minimum tolerable downtime

minimum tolerable loss of data.

maximum tolerable downtime.

maximum tolerable loss of data

Escalate to senior management.

Transfer the risk.

Implement monitoring controls.

Recalculate the risk.

Understanding and prioritization of critical processes

Completion of the business continuity plan (BCP)

Identification of regulatory consequences

Reduction of security and business continuity threats

capacity.

appetite.

management capability.

treatment strategy.

Prepare a business case for the response options.

Identify resources for implementing responses.

Develop a mechanism for monitoring residual risk.

Update the risk register with the results.

Configuration validation

Control attestation

Penetration testing

Internal audit review

Risk ownership is recorded.

Vulnerabilities have separate entries.

Control ownership is recorded.

Residual risk is less than inherent risk.

Gap analysis

Threat assessment

Resource skills matrix

Data quality assurance plan

Additional mitigating controls should be identified.

The system should not be used until the application is changed

The organization's IT risk appetite should be adjusted.

The associated IT risk should be accepted by management.

IT security manager

IT personnel

Data custodian

Data owner

The report was provided directly from the vendor.

The risk associated with multiple control gaps was accepted.

The control owners disagreed with the auditor's recommendations.

The controls had recurring noncompliance.

Developing an ongoing awareness and training program

Creating policies and standards that are easy to comprehend

Embedding risk management into the organization

Completing annual risk assessments on critical resources

Verify authorization by senior management.

Increase the risk appetite to align with the current risk level

Ensure the acceptance is set to expire over lime

Update the risk response in the risk register.

Transborder data transfer restrictions

Differences in regional standards

Lack of monitoring over vendor activities

Lack of after-hours incident management support

Threat

Risk

Vulnerability

Policy violation

Implement a release and deployment plan

Conduct comprehensive regression testing.

Develop enterprise-wide key risk indicators (KRls)

Include business management on a weekly risk and issues report

Determine whether risk responses are still adequate.

Analyze and update control assessments with the new processes.

Analyze the risk and update the risk register as needed.

Conduct testing of the control that mitigate the existing risk.

Secure encryption protocols are utilized.

Multi-factor authentication is set up for users.

The solution architecture is approved by IT.

A risk transfer clause is included in the contact

They support compliance with regulations.

They provide evidence of risk assessment.

They facilitate communication of risk.

They enable the use of key risk indicators (KRls)

Assess generic risk scenarios with business users.

Validate the generic risk scenarios for relevance.

Select the maximum possible risk scenarios from the list.

Identify common threats causing generic risk scenarios

revalidate current key risk indicators (KRIs).

revise risk management procedures.

review the data classification policy.

revalidate existing risk scenarios.

Recommend risk remediation

Change the level of risk appetite

Document formal acceptance of the risk

Reject the business initiative

Lack of a mature records management program

Lack of a dedicated asset management team

Decentralized asset lists

Incomplete asset inventory

Cable lock

Data encryption

Periodic backup

Biometrics access control

Promotion of a risk-aware culture

Compilation of a comprehensive risk register

Alignment of business activities

Facilitation of risk-aware decision making

The quantity of data logged by the attack control tools

Blocking the attack route immediately

The ability to trace the source of the attack

The timeliness of attack recognition

determine the risk appetite.

determine the budget.

define key performance indicators (KPIs).

optimize resource utilization.