Isaca Updated CRISC Exam Questions and Answers by niall

The best recommendation to address an organization’s need to secure multiple systems with limited IT resources is to perform a vulnerability analysis. A vulnerability analysis is a process of identifying, assessing, and prioritizing the weaknesses or flaws in the systems that could be exploited by threats or risks. A vulnerability analysis helps to determine the level and nature of the exposure and impact of the systems, and to select and implement the appropriate security controls or mitigations. Performing a vulnerability analysis is the best recommendation, as it helps to optimize the use of the limited IT resources, by focusing on the most critical or significant vulnerabilities, and by applying the most effective or efficient security solutions.Performing a vulnerability analysis also helps to improve the security posture and performance of the systems, and to reduce the likelihood and consequences of security incidents or breaches. Applying available security patches, scheduling a penetration test, and conducting a business impact analysis (BIA) are not the best recommendations, as they are either the outputs or the inputs of the vulnerability analysis process, and they do not address the primary need of securing the systems with limited IT resources. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.

 A control is a measure or action that is implemented to reduce the likelihood or impact of a risk event, or to enhance the benefits or opportunities of a risk event. A control owner is a person who is assigned the responsibility and authority for the design, implementation, operation, and maintenance of a control. The most appropriate person to be assigned ownership of a control is the individual accountable for monitoring control effectiveness, which is the process of measuring and evaluating the performance and compliance of the control. By assigning the control ownership to the individual accountable for monitoring control effectiveness, the organization can ensure that the control is aligned with the risk objectives, operates as intended, and delivers the expected results. References = 4

According to the CRISC Review Manual (Digital Version), assessing changes in residual risk is the best approach for determining whether a risk action plan is effective, as it measures the impact and value of the risk response actions and controls on the risk level. Residual risk is the risk that remains after the risk response actions and controls have been implemented. Assessing changes in residual risk helps to:

Evaluate the extent to which the risk response actions and controls have reduced the likelihood and/or impact of the risk to an acceptable level

Identify and report any deviations, errors, or weaknesses in the risk response actions and controls and their performance

Recommend and implement corrective actions or improvement measures to address any issues or deficiencies in the risk response actions and controls

Monitor and measure the effectiveness and efficiency of the risk response actions and controls and their alignment with the organization’s risk appetite and risk tolerance

Update the risk register and the risk treatment plan to reflect the current risk status and the residual risk levels

References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.2: Risk Response Process, pp. 161-1621

Role-based access controls (RBAC) are a type of preventive control that limit the access and actions of users based on their roles and responsibilities within the organization. RBAC can help to address the risk of malicious outsiders modifying application data by restricting their access to the data and the functions they can perform on it. RBAC can also enforce the principle of least privilege, which means that users only have the minimum level of access required to perform their tasks. RBAC can be implemented through policies, procedures, and technical mechanisms such as access control lists, encryption, and authentication. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1.1, p. 178-179