Isaca Updated CRISC Exam Questions and Answers by andrei

The best tool to enable risk-based decision making in support of a business continuity plan (BCP) is an impact analysis. An impact analysis is a process of identifying and evaluating the potential effects of an interruption or disruption of business operations on the organization’s critical functions, processes, and resources. An impact analysis can help to determine the recovery priorities, objectives, and strategies for the BCP. Control analysis, root cause analysis, and threat analysis are other possible tools, but they are not as effective as an impact analysis. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.

The best recommendation to reduce the risk associated with potential system compromise when a vendor stops releasing security patches and updates for a business-critical legacy system is to segment the system on its own network. Network segmentation is the process of dividing a network into smaller subnetworks or segments, based on different criteria, such as function, location, or security level. Network segmentation helps to isolate the system from the rest of the network, and limit the exposure and access to the system. Network segmentation also helps to improve the performance and security of the network, by reducing the network traffic and congestion, and enhancing the monitoring and control capabilities. The other options are not as effective as segmenting the system on its own network, although they may provide some additional protection or recovery options. Ensuring regular backups take place, virtualizing the system in the cloud, and installing antivirus software on the system are all measures that can help to reduce the risk of data loss or system damage, but they do not address the root cause of the risk, which is the lack of security patches and updates for the system. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.1, page 3-11.

The risk practitioner’s primary consideration when participating in development of a new IT risk strategy should be the risk culture of the organization. Risk culture is the set of values, beliefs, attitudes, and behaviors that shape how the organization perceives, manages, and responds to risks. Risk culture influences the organization’s risk appetite, risk objectives, risk policies, risk processes, and risk performance. The risk practitioner should consider the risk culture when developing a new IT risk strategy, because it helps to align the IT risk strategy with the organization’s mission, vision, values, and strategy, and to ensure that the IT risk strategy is supported and accepted by the organization’s stakeholders, such as the board, management, employees, customers, regulators, etc. The risk practitioner should also consider the risk culture when developing a new IT risk strategy, because it helps to identify and address any gaps, issues, or challenges that may affect the implementation and effectiveness of the IT risk strategy, such as lack of awareness, communication, coordination, or accountability. The other options are not the primary consideration for the risk practitioner, although they may be related to the IT risk strategy. Scale of technology, risk indicators, and proposed risk budget are all factors that could affect the feasibility and sustainability of the IT risk strategy, but they do not necessarily reflect or influence the organization’s risk culture. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.2.1, page 1-9.

A multinational organization that operates in different countries should be aware of the legal and regulatory requirements of each jurisdiction. Some countries may have strict privacy laws that prohibit or limit the collection and use of personal information of employees, such as their criminal records, credit history, or medical conditions. Therefore, implementing standard background checks for all new employees may violate the laws in some countries and expose the organization to legal risks and reputational damage. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.4: IT Risk Factors, page 31.