Isaca Updated CRISC Exam Questions and Answers by tymoteusz

The person or entity who should be primarily responsible for performing user entitlement reviews is the data owner. A user entitlement review is a process that verifies and validates the access rights and privileges of the users to the data and resources in the IT environment. A user entitlement review helps to ensure that the users have the appropriate and necessary access to perform their roles and functions, and to prevent or detect any unauthorized or inappropriate access. A data owner is the person or entity that has the authority and responsibility to define, classify, and protect the data and resources in the IT environment. A data owner helps to perform user entitlement reviews, because they help to establish and enforce the access policies and standards for the data and resources, and to approve or revoke the access requests and changes for the users. A data owner also helps to monitor and report on the access performance and compliance for the data and resources, and to identify and address any issues or gaps in the access management activities. The other options are not the primary responsible party for performing user entitlement reviews, although they may be involved in the process. IT security manager, IT personnel, and data custodian are all examples of roles or functions that can help tosupport or implement the user entitlement reviews, but they do not necessarily have the authority or responsibility to define, classify, or protect the data and resources. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.2.1, page 5-14.

Information systems control deficiencies are the weaknesses or flaws in the design or implementation of the controls that are intended to ensure the confidentiality, integrity, availability, and reliability of the information systems and resources. Information systems control deficiencies may reduce the effectiveness or efficiency of the controls, and expose the organization to various risks, such as unauthorized access, data loss, system failure, etc.

Reviewing results from control self-assessment (CSA) is the best way to identify information systems control deficiencies, because CSA is a process of evaluating and verifying the adequacy and effectiveness of the information systems controls, using the input and feedback from the individuals or groups that are involved or responsible for the information systems activities or functions. CSA can help the organization to identify and document the information systems control deficiencies, and to align them with the organization’s information systems objectives and requirements.

CSA can be performed using various techniques, such as questionnaires, surveys, interviews, workshops, etc. CSA can also be integrated with the organization’s governance, risk management, and compliance functions, and aligned with the organization’s policies and standards.

The other options are not the best ways to identify information systems control deficiencies, because they do not provide the same level of detail and insight that CSA provides, and they may not be relevant or actionable for the organization.

Vulnerability and threat analysis is a process of identifying and evaluating the weaknesses or flaws in the organization’s assets, processes, or systems that can be exploited or compromised by the potential threats or sources of harm that may affect the organization’s objectives or operations. Vulnerability and threat analysis can help the organization to assess and prioritize the risks, and to design and implement appropriate controls or countermeasures to mitigate or prevent the risks, but it is not the best way to identify information systems control deficiencies, because it does not indicate whether the existing information systems controls are adequate and effective, and whether they comply with the organization’s policies and standards.

Control remediation planning is a process of selecting and implementing the actions or plans to address or correct the information systems control deficiencies that have been identified,analyzed, and evaluated. Control remediation planning involves choosing one ofthe following types of control responses: mitigate, transfer, avoid, or accept. Control remediation planning can help the organization to improve and optimize the information systems controls, and to reduce or eliminate the information systems control deficiencies, but it is not the best way to identify information systems control deficiencies, because it is a subsequent or follow-up process that depends on the prior identification of the information systems control deficiencies.

User acceptance testing (UAT) is a process of verifying and validating the functionality and usability of the information systems and resources, using the input and feedback from the endusers or customers that interact with the information systems and resources. UAT can help the organization to ensure that the information systems and resources meet the user or customer expectations and requirements, and to identify and resolve any issues or defects that may affect the user or customer satisfaction, but it is not the best way to identify information systems control deficiencies, because it does not focus on the information systems controls, and it may not cover all the relevant or significant information systems control deficiencies that may exist or arise. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 186

CRISC Practice Quiz and Exam Prep

Cyber risk insurance is a type of insurance policy that provides coverage against losses and damages caused by cyber incidents such as data breaches, hacking, and other cyber attacks. When an organization decides to purchase cyber risk insurance, it transfers the risk of financial loss due to a cyber incident to the insurance company. In the scenario described in the question, the organization allowed its cyber risk insurance to lapse while seeking a new insurance provider. This means that the organization is currently not covered by any cyber risk insurance policy and is therefore exposed to financial losses due to cyber incidents. The risk practitioner should report to management that the risk has been accepted. Accepting risk means that the organization is aware of the potential consequences of the risk and has decided not to take any action to mitigate, transfer, or avoid it. The other options are not correct because they do not reflect the current situation of the organization. The organization has not transferred the risk to another party, as it has no cyber risk insurance policy in place. The organization has not mitigated the risk, as it has not implemented anycontrols or measures to reduce the likelihood or impact of the risk. The organization has not avoided the risk, as it has not eliminated the source or cause of the risk or changed its activities to prevent the risk from occurring. References = CRISC Review Manual, pages 32-331; CRISC Review Questions, Answers & Explanations Manual, page 752

Single sign-on (SSO)simplifies authentication but introduces asingle point of failure. If the SSO mechanism is compromised or goes down, it can result in the loss of access across multiple systems, leading to widespread business disruption or security breaches.