Isaca Updated CRISC Exam Questions and Answers by aminah

The best type of indicators to measure the effectiveness of an organization’s firewall rule set are key control indicators (KCIs). A firewall is a device or software that filters the network traffic based on a set of rules or policies. A firewall rule set is the configuration of the firewall that defines the criteria for allowing or blocking the traffic. A key control indicator is a metric that measures the performance and effectiveness of a control in achieving its objectives and mitigating the risks. A key control indicator can help to evaluate the adequacy and efficiency of the firewall rule set, and to identify any gaps, weaknesses, or issues that need to be addressed.Key risk indicators (KRIs), key management indicators (KMIs), and key performance indicators (KPIs) are not as suitable as key control indicators, as they measure different aspects of the risk management process, such as the level and nature of the risk exposure, the alignment and integration of the risk management activities, and the achievement of the risk management goals and targets. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 220.

The process owner is the stakeholder who is responsible for the business process that will be supported by the new IT solution. The process owner has the best knowledge of the businessrequirements, objectives, and risks associated with the process. The process owner can provide the most relevant information for analyzing the risk associated with the new IT solution, such as the expected benefits, costs, performance, functionality, security, and compliance of the solution. The process owner can also help to identify and evaluate the potential impact and likelihood of the risk scenarios related to the new IT solution. The other stakeholders may have some information or insights, but they are not as directly involved or affected by the new IT solution as the process owner. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.3.1.1, pp. 58-59.

 The most important key performance indicator (KPI) to monitor the effectiveness of disaster recovery processes is the percentage of IT systems meeting the recovery time objective (RTO) during the disaster recovery test. The RTO is the maximum acceptable time that a system orprocess can be unavailable after a disruption. The disaster recovery test is a simulation of a disaster scenario to evaluate the readiness and capability of the organization to restore its critical functions and systems. By measuring the percentage ofIT systems meeting the RTO during the test, the organization can assess how well the disaster recovery processes meet the predefined objectives and standards. Percentage of IT systems recovered within the mean time to restore (MTTR), percentage of issues arising from the disaster recovery test resolved on time, and percentage of IT systems included in the disaster recovery test scope are other possible KPIs, but they are not as important as the percentage of IT systems meeting the RTO. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.

The most relevant source to reference when updating security awareness training materials is the recent security incidents reported by competitors. This can help to illustrate the real-world threats and consequences of poor security practices, and to motivate the employees to follow the security policies and procedures. Risk management framework, risk register, and global security standards are other sources that may be useful, but they are not as relevant as the recent security incidents. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 9; CRISC Review Manual, 6th Edition, page 214.