Isaca Updated CRISC Exam Questions and Answers by benji

Residual risk exceeds acceptable limits, because it indicates that the risk level is higher than the organization’s risk appetite or tolerance, and that the risk responses and controls are insufficient or ineffective. Residual risk is the level of risk remaining in a process or procedure following the implementation of risk controls to limit or remove it. Escalation is a process that increases theawareness and involvement of higher-level stakeholders or authorities in a risk issue or situation. Escalation is appropriate when the risk issue or situation is outside the scope or authority of the current risk owner or manager, and requires the attention or action of the senior management or the board of directors. Residual risk exceeding acceptable limits is the best situation to justify escalation, as it implies that the current risk owner or manager cannot manage the risk within the predefined boundaries or expectations, and that the senior management or the board of directors need to intervene or approve the risk acceptance or transfer.

Residual risk being inadequately recorded, residual risk remaining after controls have been applied, and residual risk equaling current risk are all possible situations that may require escalation, but they are not the best situations, as they do not necessarily indicate that the risk level is higher than the acceptable limits, and that the senior management or the board of directors need to be involved.

A risk assessment is a process of identifying, analyzing, and evaluating the risks that may affect the enterprise’s objectives and operations. It involves determining the likelihood and impact of various risk scenarios, and prioritizing them based on their significance and urgency.

A WiFi access point is a device that allows wireless devices to connect to a wired network using radio signals. It can provide convenience and flexibility for users, but it can also introduce security risks, such as unauthorized access, data leakage, malware infection, or denial of service attacks.

If departments have installed their own WiFi access points on the enterprise network, without proper authorization, configuration, or monitoring, it means that they have bypassed the network security policy and controls, and created potential vulnerabilities and exposures for the enterprise.

The most important information to include in a report to senior management is the potential business impact of this risk, which is the estimated loss or damage that the enterprise may suffer if the risk materializes. The potential business impact can be expressed in terms of financial, operational, reputational, or legal consequences, and it can help senior management to understand the severity and urgency of the risk, and to decide on the appropriate risk response and allocation of resources.

The other options are not the most important information to include in a report to senior management, because they do not convey the magnitude and significance of the risk, and they may not be relevant or actionable for senior management.

The network security policy is the set of rules and guidelines that define the security objectives, requirements, and responsibilities for the enterprise network. It is important to have a clear and comprehensive network security policy, and to ensure that it is communicated, enforced, and monitored across the enterprise, but it is not the most important information to include in a report to senior management, because it does not indicate the actual or potential impact of the risk, and it may not reflect the current or desired state of the network security.

The WiFi access point configuration is the set of parameters and settings that define the functionality, performance, and security of the WiFi access point. It is important to have a secure and consistent WiFi access point configuration, and to follow the best practices and standards for wireless network security, but it is not the most important information to include in a report to senior management, because it does not indicate the actual or potential impact of the risk, and it may not be relevant or understandable for senior management.

The planned remediation actions are the steps and measures that are intended to mitigate, transfer, avoid, or accept the risk, and to restore the normal operation and security of the enterprise network. It is important to have a feasible and effective plan for remediation actions, and to implement and monitor them in a timely and efficient manner, but it is not the most important information to include in a report to senior management, because it does not indicate the actual or potential impact of the risk, and it may not be feasible or appropriate without senior management’s approval or support. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 146

Regulatory requirements should be the primary basis for deciding whether to disclose information related to risk events that impact external stakeholders, because they define the rules or standards that the organization must comply with to meet the expectations of the regulators, such as government agencies or industry bodies, and to avoid legal or reputational consequences. A risk event is an occurrence or incident that may cause harm or damage to the organization or its objectives, such as a natural disaster, a cyberattack, or a human error. An external stakeholder is a person or group that has an interest or influence in the organization or its activities, but is not part of the organization, such as customers, suppliers, partners, investors, or regulators. Disclosing information related to risk events that impact external stakeholders is a process of communicating or reporting the relevant facts or details of the risk events to the affected or interested parties. Disclosing information related to risk events may have benefits, such as maintaining trust, transparency, and accountability, but it may also have drawbacks, such as exposing vulnerabilities, losing competitive advantage, or inviting litigation. Therefore, regulatory requirements should be the primary basis for deciding whether to disclose information, as they provide the legal and ethical obligations and boundaries for the disclosure process. Stakeholder preferences, contractual requirements, and management assertions are all possible factors for deciding whether to disclose information related to risk events, but they are not the primary basis, as they may vary or conflict depending on the situation or context, and may not override the regulatory requirements. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158

Identifying and assessing the risk scenarios associated with IT strategic initiatives is the best risk management approach for the strategic IT planning process, because it helps to understand and evaluate the potential or actual threats or opportunities that may affect the achievement or implementation of the IT strategic initiatives, and to determine the appropriate risk responses and controls. A risk scenario is a hypothetical situation or event that describes the source, cause, consequence, and impact of a risk. A risk scenario can be positive or negative, depending on whether it represents an opportunity or a threat. An IT strategic initiative is a project or program that supports or enables the IT strategy, which is a plan that defines how IT supports and aligns with the organization’s vision, mission, and strategy. The strategic IT planning process is a process of developing, implementing, and monitoring the IT strategy and its associated IT strategic initiatives. Identifying and assessing the risk scenarios is the best risk management approach, as it helps to anticipate and prepare for the potential or actual outcomes of the IT strategic initiatives, and to optimize the risk-reward balance and the value delivery of IT. Establishing key performance indicators (KPIs) to track IT strategic initiatives, reviewing the IT strategic plan by the chief information security officer (CISO) and enterprise risk management (ERM), and developing the IT strategic plan from the organization-wide risk management plan are all possible risk management approaches for the strategic IT planning process, but they are not the best approach, as they do not directly address the identification and assessment of the risk scenarios associated with IT strategic initiatives. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.1.1, page 37