Isaca Updated CRISC Exam Questions and Answers by indy

 Residual risk is the risk that remains after applying controls to mitigate the inherent risk. Inherent risk is the risk that exists before considering the controls. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk tolerance is the acceptable level of variation from the risk appetite. Improvements in the design and implementation of a control will most likely result in an update to the residual risk, because they will reduce the likelihood and impact of the risk event, and therefore lower the risk exposure and value. By improving the design and implementation of a control, the organization can enhance the effectiveness and efficiency of the control, and ensure that it is aligned with the risk objectives, expectations, and outcomes. The improvement can also address any gaps, overlaps, redundancies, or conflicts among the controls, and any changes or enhancements that are needed to optimize the controls. The other options are less likely to be updated due to improvements in the design and implementation of a control. The inherent risk will not change, as it is based on the nature and value of the asset and the threats and vulnerabilities that exist. The risk appetite and the risk tolerance will also not change, as they are based on the organization’s culture, strategy, and stakeholder expectations. Therefore, the most likely factor to be updated is the residual risk, as it reflects the actual risk level that the organization faces after applying the controls. References = Risk IT Framework, ISACA, 2022, p. 131

The percentage of system availability is the most important key performance indicator (KPI) to establish in the service level agreement (SLA) for an outsourced data center. This KPI measures the uptime or reliability of the systems hosted by the data center provider, and reflects the ability of the provider to meet the customer’s expectations and requirements for system performance and accessibility. A high percentage of system availability indicates that the provider is delivering consistent and quality service, while a low percentage of system availability indicates that the provider is experiencing frequent or prolonged system failures or disruptions, which can negatively affect the customer’s business operations and reputation. Therefore, the percentage ofsystem availability is a critical factor for evaluating the effectiveness and efficiency of the data center provider, and should be clearly defined and monitored in the SLA. The other options are not the most important KPIs to establish in the SLA for an outsourced data center, as they do not directly measure the quality or reliability of the service provided. The percentage of systems included in recovery processes is a measure of the scope or coverage of the disaster recovery plan (DRP) of the data center provider, but it does not indicate how well the provider can execute the DRP or restore the systems in the event of a disaster. The number of key systems hosted is a measure of the capacity or utilization of the data center provider, but it does not indicate how efficiently or securely the provider can manage the systems. The average response time to resolve system incidents is a measure of the responsiveness or agility of the data center provider, but it does not indicate how effectively or proactively the provider can prevent or mitigate system incidents. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.2.3.4, Page 140.

 The primary purpose of vulnerability assessments is to detect weaknesses that could lead to system compromise. A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed1. By identifying and prioritizing the vulnerabilities, a vulnerability assessment helps to prevent or reduce the risk of cyberattacks that could exploit the vulnerabilities and compromise the system. The other options are not the primary purpose, but they may be secondary or tertiary outcomes or benefits of a vulnerability assessment. Providing clear evidence that the system is sufficiently secure is a result of a successful vulnerability assessment and remediation process, but it is not the main objective. Determining the impact of potential threats is a part of the risk assessment process, which complements the vulnerability assessment process, but it is not the same as detecting the vulnerabilities. Testing intrusion detection systems (IDS) and response procedures is a part of the penetration testing process, which simulates a real-world attack on the system to evaluate its security posture, but it is not the same as scanning the system for vulnerabilities. References = What is Vulnerability Assessment | VA Tools and Best Practices - Imperva