Isaca Updated CRISC Exam Questions and Answers by isla-rose

 According to the CRISC Review Manual (Digital Version), the business significance of the information is the most important criterion when developing a response to an attack that would compromise data, as it determines the impact and severity of the attack on the organization’s objectives and performance. The business significance of the information helps to:

Assess the value and sensitivity of the data that is compromised or at risk of compromise

Evaluate the potential losses or damages that the organization may incur due to the data compromise

Prioritize the data recovery and restoration activities based on the criticality and urgency of the data

Communicate and coordinate the data breach response and notification with the relevant stakeholders, such as the data owners, the customers, the regulators, and the media

Enhance the data protection and security measures to prevent or mitigate future data compromise incidents

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.3: Risk Response Options, pp. 174-1751

Segregation of duties is a key control for preventing and detecting fraudulent transactions, especially in a large organization where there are many employees and transactions involved. Segregation of duties means that no single person has the authority or ability to initiate, approve, execute, and record a transaction without the involvement or oversight of another person. This reduces the opportunity and incentive for fraud, as well as the risk of errors or omissions. Segregation of duties also facilitates the detection of fraud by creating an audit trail and increasing the likelihood of whistleblowing.

The other options are not as effective as segregation of duties for mitigating risk related to fraudulent transactions. Monetary approval limits (B) are useful for controlling the amount and frequency of transactions, but they do not prevent unauthorized or fraudulent transactions from occurring. Clear roles and responsibilities © are important for defining the expectations and accountabilities of employees, but they do not ensure that employees comply with them or that their actions are monitored and verified. Password policies (D) are essential for securing access to systems and data, but they do not prevent fraudsters from exploiting weak or compromised passwords or from using legitimate passwords for fraudulent purposes.

The likelihood rating in the risk register is a measure of how probable it is that a risk event will occur, given the current conditions and controls. The risk practitioner should change the likelihood rating if there is a significant change in the effectiveness of the controls that are implemented to prevent or reduce the risk. For example, if a control becomes obsolete, ineffective, or bypassed, the likelihood rating should increase, as the risk event becomes more likely to happen. Conversely, if a control becomes more efficient, reliable, or robust, the likelihood rating should decrease, as the risk event becomes less likely to happen. The other options are not likely to cause a change in the likelihood rating, as they are not directly related to the probability of the risk event. Risk appetite is the amount of risk that an organization is willing to accept in pursuit of its objectives. Control cost is the amount of resources that are required to implement and maintain a control. Risk tolerance is the acceptable level of variation that an organization is willing to allow for a risk to deviate from its desired level or expected outcome. These factors may influence the risk response or the risk acceptance, but not the likelihood rating. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: Risk Register, p. 25-26.

 The most important factor to ensure when reviewing an organization’s risk register is that the risk ownership is recorded, as it indicates the authority and responsibility for managing the risk and its associated controls, and facilitates the communication and accountability of the risk management process and activities. The other options are not the most important factors, as they are more related to theidentification, classification, or measurement of the risk, respectively, rather than the management of the risk. References = CRISC Review Manual, 7th Edition, page 101.