Isaca Updated CRISC Exam Questions and Answers by elian

The greatest risk associated with inappropriate classification of data is users having unauthorized access to sensitive information. Proper data classification ensures that access controls are applied appropriately, protecting sensitive data from unauthorized access.

Importance of Data Classification

Data classification involves categorizing data based on its level of sensitivity and the impact that unauthorized access, disclosure, modification, or destruction would have on the organization.

It ensures that appropriate security measures are applied according to the data's classification.

Risks of Inappropriate Classification

Unauthorized Access: If data is not classified correctly, sensitive information may not receive the necessary protections, leading to unauthorized access.

Lack of Accountability: Misclassification can result in unclear responsibilities for data protection, but the primary concern remains unauthorized access.

Inaccurate Recovery Time Objectives (RTOs): While important, this is secondary to the risk of unauthorized access.

Inaccurate Record Management Data: This can affect operational efficiency but is not as critical as unauthorized access.

Implementing Effective Classification

Organizations must have a clear data classification policy and ensure it is followed consistently.

Regular audits and reviews should be conducted to verify that data is classified appropriately and that access controls are enforced.

References

CISM Review Manual Full text.html, emphasizing the importance of proper data classification and the risks associated with misclassification, especially unauthorized access to data​​.

Corrective controls are designed to correct errors or deviations after they occur. If failed changes frequently require re-implementation, this means corrective measures (e.g., testing, change rollback, error correction) are not functioning effectively.

CRISC guidance defines:

Preventive controls: stop incidents from occurring.

Detective controls: identify incidents when they occur.

Corrective controls: restore systems or data after incidents occur.

An increasing KPI (failed changes) means the corrective mechanism is weak, hence C is the correct answer.

CRISC Reference: Domain 4 – Risk and Control Monitoring, Topic: Control Effectiveness Evaluation.

Single sign-on (SSO)simplifies authentication but introduces asingle point of failure. If the SSO mechanism is compromised or goes down, it can result in the loss of access across multiple systems, leading to widespread business disruption or security breaches.

System owners hold ultimate accountability for managing risks associated with their systems, including vulnerability mitigation.

ISACA CRISC defines:

“The system owner is responsible for ensuring that security controls are implemented and that vulnerabilities identified in their systems are addressed.”

System administrators perform mitigation activities, but accountability (oversight and confirmation) remains with the system owner.

A: Data owners focus on data classification.

B: InfoSec managers oversee policy, not execution.

C: Admins implement controls but don’t own the risk.

D is correct because ownership equates to accountability.

CRISC Reference: Domain 1 – IT Risk Governance, Topic: Roles and Responsibilities in Risk Management.