Isaca Updated CRISC Exam Questions and Answers by timur

A multinational organization that operates in different countries should be aware of the legal and regulatory requirements of each jurisdiction. Some countries may have strict privacy laws that prohibit or limit the collection and use of personal information of employees, such as their criminal records, credit history, or medical conditions. Therefore, implementing standard background checks for all new employees may violate the laws in some countries and expose the organization to legal risks and reputational damage. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: IT Risk Factors, page 31.

A private cloud is a type of cloud computing deployment that provides the consumer exclusive access to a pool of computing resources that are owned, managed, and operated by the consumer or a third-party provider on behalf of the consumer.

A private cloud provides the consumer the greatest degree of control over the environment, because the consumer can customize and configure the resources according to their specific needs and preferences, and can apply their own security and governance policies and standards.

The other options are not the types of cloud computing deployment that provide the consumer the greatest degree of control over the environment. They are either shared or limited by the provider’s settings and rules.

The references for this answer are:

Risk IT Framework, page 23

Information Technology & Security, page 17

Risk Scenarios Starter Pack, page 15

The most important factors to consider when evaluating a number of potential controls for treating risk are the residual risk and the cost of control. Residual risk is the risk that remains after the implementation of the controls. Cost of control is the amount of resources and efforts required to implement and maintain the controls. By considering the residual risk and the cost of control, the organization can optimize the balance between the risk exposure and the control investment, and choose the most effective and efficient controls. Risk appetite and control efficiency, inherent risk and control effectiveness, and risk tolerance and control complexity are other possible factors, but they are not as important as residual risk and cost of control. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 8; CRISC Review Manual, 6th Edition, page 97.

The percentage of unpatched DMZ servers is a critical KCI for preventing cyber risk events on external-facing infrastructure. Unpatched servers are vulnerable to exploitation, and monitoring this indicator helps ensure timely application of security updates, reducing the risk of successful attacks.