Isaca Updated CRISC Exam Questions and Answers by mathias

The best option to protect against a future recurrence of unauthorized access by a service provider’s administrator is D. Contractual requirements. Data encryption, intrusion prevention system, and two-factor authentication are all technical measures that can enhance the security of the data stored in the Infrastructure as a Service (IaaS) model, but they do not prevent the service provider’s administrator from accessing the data if they have the necessary credentials, keys, or permissions. Contractual requirements, on the other hand, are legal obligations that bind the service provider to respect the customer’s privacy and confidentiality, and to limit the access to the data to only authorized and necessary personnel. Contractual requirements can also specify the penalties or remedies for any breach of contract, which can deter the service provider’s administrator from violating the terms of the agreement. Therefore, contractual requirements are the most effective way to protect against a future recurrence of unauthorized access by a service provider’s administrator12

1: What is Data Encryption? | Forcepoint 2: The elements of a contract: understanding contract requirements - Juro

Log modification undermines data integrity, which is critical for accurate risk monitoring. Ensuring log integrity supports reliable KRI assessments, a key focus within theRisk Monitoring and Reportingframework.

The risk owner is listed as the department responsible for decision making would pose the greatest concern for a risk practitioner who is reviewing accountability assignments for data risk in the risk register, as it indicates a lack of clarity and specificity on who is accountable for the risk and its response. The risk owner should be an individual, not a department, who has the authority and responsibility to manage the risk and its associated controls. The other options are not the greatest concern, as they do not necessarily imply a lack of accountability, but rather a possible difference in roles and responsibilities between the risk owner and the control owner, the business unit and the IT department, or the staff member and the department manager. References = CRISC Review Manual, 7th Edition, page 101.