Isaca Updated CRISC Exam Questions and Answers by elle

Whenever there is achange in sourcing strategy, such as moving from cloud to internal hosting, thefirst stepis to reassess theeffectiveness and completeness of existing risk responsesand confirm that they still mitigate the risks appropriately.

CRISC emphasizes:

“When transitioning services or changing control environments, practitioners should reassess risk responses and validate that previously identified risks and vulnerabilities remain properly addressed.”

Only after reassessment should the practitioner proceed to update registers, controls, and audit plans.

Hence,Ais the correct answer.

CRISC Reference:Domain 3 – Risk Response and Mitigation, Topic: Managing Control Changes.

The correct answer is D because inherent risk is assessed before considering additional controls. For a cloud service provider, the SLA helps define the nature of the service, expected availability, responsibilities, dependencies, and service commitments. These elements help determine the exposure created by using the provider. The uploaded CRISC notes support this by stating that the greatest risk when engaging a cloud provider is an ambiguous SLA and that SLAs address threats such as financial losses from service interruption.

A CASB is a security tool/control used to track cloud use, reveal noncompliance, and help secure data, so it is more relevant to monitoring or mitigation than determining inherent risk. ISACA describes CASBs as tools for tracking authorized/unauthorized cloud application use, revealing possible regulatory noncompliance, and helping secure cloud data.

C, cloud service attestation, is useful for assurance over the provider’s control environment, but that relates more to control assurance/current or residual risk than inherent risk. ISACA notes that third-party risk management may involve evidence such as SOC reports, ISO 27001, and other attestation reports, but these are used as evidence of controls and compliance.

===========

The correct answer isAbecause the greatest risk when using apublic AI systemto process credit card transactions is thepotential exposure of sensitive information. Credit card data is highly sensitive, and use of a public AI platform can introduce serious confidentiality, privacy, and data handling concerns. Exposure of that data can lead to fraud, regulatory issues, contractual violations, and significant business impact.

The other options are important, but not the greatest primary risk:

B. Use of financial data to train the AI modelis a specific form of data misuse, but it falls within the broader and more critical risk of sensitive information exposure.

C. Noncompliance with security standardsis also significant, but it is often a consequence of exposing or improperly handling sensitive payment data.

D. AI hallucinations and biasare important AI risks, but they are not the primary concern in payment card processing.

Exact Extracts supporting the answer:

“The MOST important consideration when transmitting personal information across networks is ensuring the privacy of the personal information.”

“The data security control that BEST protects the confidentiality of data stored on backup media in transit to a third-party storage facility is encryption.”

“The MOST significant risk associated with handling credit card data through a web application is failure to store credit card data in a secure area segregated from the demilitarized zone.”

“To determine the level of protection required for securing personally identifiable information a risk practitioner should PRIMARILY consider the sensitivity property of the information.”

These extracts support that the primary concern with payment-card-related processing is protecting the confidentiality of sensitive data. Therefore, the greatest risk is thepotential exposure of sensitive information.

===========

 A control is a measure or action that is implemented to reduce the likelihood or impact of a risk event, or to enhance the benefits or opportunities of a risk event. A control owner is a person who is assigned the responsibility and authority for the design, implementation, operation, and maintenance of a control. The most appropriate person to be assigned ownership of a control is the individual accountable for monitoring control effectiveness, which is the process of measuring and evaluating the performance and compliance of the control. By assigning the control ownership to the individual accountable for monitoring control effectiveness, the organization can ensure that the control is aligned with the risk objectives, operates as intended, and delivers the expected results. References = 4