Isaca Updated CRISC Exam Questions and Answers by khalid

 Segmenting the application within the existing network is the most effective control to manage a legacy application that relies on software that has reached the end of extended support, as it isolates the application from the rest of the network and reduces the attack surface and the potential impact of a compromise. Subscribing to threat intelligence, applying patches for a newer version of the application, and increasing the frequency of regular system and data backups are not the most effective controls, as theymay not address the root cause of the risk, or may introduce additional costs or complexities, respectively. References = CRISC Review Manual, 7th Edition, page 153.

According to the CRISC Review Manual1, peer reviews are the process of evaluating the quality and validity of risk analysis by independent experts or colleagues. Peer reviews are conducted to ensure that the risk analysis is consistent, objective, and reliable, and that it follows the established standards and methods. The primary reason for conducting peer reviews of risk analysis is to minimize subjectivity of assessments, as peer reviews can help to reduce personal biases, preferences, and assumptions that may affect the risk analysis outcomes. Peer reviews can also help to identify and correct any errors, gaps, or inconsistencies in the risk analysis, and to improve the risk analysis skills and knowledge of the reviewers and the reviewees. References = CRISC Review Manual1, page 209.

 Controls are the mechanisms or procedures that ensure the security, reliability, and quality of an IT system or process. Controls can be preventive, detective, or corrective, and can be implemented at various levels, such as physical, logical, administrative, or technical. Controls should be defined during the design phase of system development because it is more cost-effective to determine controls in the early design phase. The design phase is the stage where the system requirements are translated into a detailed technical plan, which includes the system architecture, database structure, user interface, and system components. The design phase also defines the system objectives, goals, and performance criteria. Defining controls during the design phase can help ensure that the controls are aligned with the system requirements and objectives, and that they are integrated into the system design from the start. Defining controls during the design phase can also help avoid or reduce the costs and risks associated with implementing controls later in the development or operation phases, such as rework, delays, errors, failures, or breaches. References = THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC), p. 2-3, System Development LifeCycle - GeeksforGeeks, 7.3: Systems Development Life Cycle - Engineering LibreTexts, What Is SDLC? 7 Phases of System Development Life Cycle - Intetics.

 The primary purpose of vulnerability assessments is to detect weaknesses that could lead to system compromise. A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed1. By identifying and prioritizing the vulnerabilities, a vulnerability assessment helps to prevent or reduce the risk of cyberattacks that could exploit the vulnerabilities and compromise the system. The other options are not the primary purpose, but they may be secondary or tertiary outcomes or benefits of a vulnerability assessment. Providing clear evidence that the system is sufficiently secure is a result of a successful vulnerability assessment and remediation process, but it is not the main objective. Determining the impact of potential threats is a part of the risk assessment process, which complements the vulnerability assessment process, but it is not the same as detecting the vulnerabilities. Testing intrusion detection systems (IDS) and response procedures is a part of the penetration testing process, which simulates a real-world attack on the system to evaluate its security posture, but it is not the same as scanning the system for vulnerabilities. References = What is Vulnerability Assessment | VA Tools and Best Practices - Imperva