Isaca Updated CRISC Exam Questions and Answers by aminah

An anti-virus program is a software that detects and removes malicious software, such as viruses, worms, or ransomware, from the IT assets, such as computers, servers, or networks. The effectiveness of an anti-virus program can be measured by the key performance indicators (KPIs) that reflect the achievement of the program objectives and the alignment with the enterprise’s risk appetite and tolerance. The best KPI to measure the effectiveness of an anti-virus program is the percentage of IT assets with current malware definitions. Malware definitions are the files or databases that contain the signatures or patterns of the known malicious software, and they are used by the anti-virus program to scan and identify the malware. The percentage of IT assets with current malware definitions indicates how well the anti-virus program is able to protect the IT assets from the latest or emerging threats, and reduce the exposure and impact of the risks associated with the malware. The other options are not as good as the percentage of IT assets with current malware definitions, as they may not reflect the quality or timeliness of the protection, or the alignment with the enterprise’s risk appetite and tolerance. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.3.2.1, pp. 171-172.

When an organization restructures its business processes, the first step in revising the BCP is to identify new potentially disruptive scenarios that may affect the continuity of the critical functions and processes. This can be done by conducting a risk assessment or a business impact analysis (BIA) to determine the likelihood and impact of various threats and vulnerabilities onthe organization’s objectives and operations. By identifying new potentially disruptive scenarios, the organization can then update its recovery strategies, objectives, and plans accordingly.

 A risk treatment plan is a document that describes the actions and resources required to implement the chosen risk response for a specific risk scenario. A risk response can be to accept, avoid, transfer, or mitigate the risk. The effectiveness of a risk treatment plan can be measured by how well it reduces the risk exposure and achieves the desired outcomes. The best evidence that a selected risk treatment plan is effective is to evaluate the residual risk level, which is the remaining risk after the risk treatment plan has been implemented. The residual risk level should be within the organization’s risk appetite and tolerance, and should reflect the actual risk reduction and value creation of the risk treatment plan. Evaluating the residual risk level can also help to identify any gaps or issues that need to be addressed, and to monitor and report on the risk performance and improvement. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, p. 108-109

 The number of projects going live without a security review is the best key control indicator (KCI) to indicate whether security requirements are identified and managed throughout a project life cycle, because it measures the compliance and effectiveness of the security review process. A security review is a process that ensures that the security requirements are defined, implemented, tested, and verified for each project, and that any security risks or issues are identified and resolved before the project is deployed. The number of projects going live without a security review should be minimized or eliminated, as it indicates afailure or weakness of the security review process. The other options are not the best KCIs, because they do not directly measure the identification and management of security requirements. The number of employees completing project-specific security training, the number of security projects started in core departments, and the number of security-related status reports submitted by project managers areexamples of input or output indicators that measure the activities or results of the project, but not the security requirements. References = CRISC: Certified in Risk & Information Systems Control Sample Questions