Isaca Updated CRISC Exam Questions and Answers by lia

The risk practitioner’s next course of action should be to review the contract and SLAs with the third-party cloud provider, as they define the roles, responsibilities, expectations, and obligations of both parties regarding the backup and recovery procedures. The contract and SLAs should specify the scope, frequency, quality, security, availability, and performance of the backup and recovery services, as well as the reporting, monitoring, auditing, and remediation mechanisms. The risk practitioner should ensure that the contract and SLAs are aligned with the organization’s business continuity and disaster recovery requirements, and that they provide sufficient assurance and accountability for the third-party provider.

A high number of exceptions often indicate misalignment betweenpoliciesand business needs. Reviewing policies helps determine if they are overly restrictive or need adjustments to reduce exceptions while maintaining security.

Quantifying the value of a single asset helps the organization to understand the consequences of risk materializing, as it indicates how much impact or loss the organization would suffer if the asset is compromised, damaged, or destroyed by a threat. The value of an asset can be determined by various methods, such as the cost of acquisition, replacement, or restoration, the market value, the income or revenue generated, or the impact on the business objectives or reputation. The other options are not the best description of what quantifying the value of a single asset helps the organization to understand, as they are either too broad (overall effectiveness of risk management, necessity of developing a risk strategy) or not directly related to the asset value (organization’s risk threshold). References = IT Asset Valuation, Risk Assessment and Control Implementation Model; How to quantify assets?; Asset Valuation - Definition, Methods, and Importance

The best way to ensure ongoing control effectiveness is to measure trends in control performance. This will help to monitor and evaluate how well the controls are achieving their objectives, and to identify any deviations or anomalies that may indicate control failures or weaknesses. Measuring trends in control performance also helps to provide feedback and assurance to the stakeholders and decision makers, and to support continuous improvement andoptimization of the control environment. Establishing policies and procedures, periodically reviewing control design, and obtaining management control attestations are good practices, but they are not the best way to ensure control effectiveness. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.2, page 1071

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 650.