Isaca Updated CRISC Exam Questions and Answers by andrei

Ensuring that database changes are correctly applied is the primary reason for monitoring activities performed in a production database environment, as it helps to maintain the integrity, availability, and performance of the database and the applications that depend on it. Database changes are any modifications made to the database structure, configuration, data, or code, such as adding or deleting tables, columns, indexes, or triggers, updating or inserting data, or altering stored procedures or functions. Database changes can have significant impacts on the database functionality and behavior, and may introduce errors, inconsistencies, or vulnerabilities if not applied correctly. Therefore, monitoring database changes is essential to verify that the changes are implemented as intended, comply with the design specifications and standards, and do not cause any adverse effects or conflicts with the existing database or application components.

The other options are not the primary reasons for monitoring activities performed in a production database environment. Enforcing that changes are authorized is an important aspect of database change management, but it is not the main purpose of database monitoring. Database change management is the process of planning, reviewing, approving, and implementing database changes in a controlled and consistent manner. Database change management helps to ensure that the changes are authorized by the appropriate stakeholders, aligned with the business requirements and objectives, and documented and communicated to the relevant parties. Database monitoring can support database change management by providing information and feedback on the change implementation and performance, but it does not enforce the change authorization. Deterring illicit actions of database administrators is a possible benefit of database monitoring, but it is not the primary reason for it. Database administrators are the users who have the highest level of access and privilege to the database, and they are responsible for managing and maintaining the database operations and security. Database monitoring can help to deter illicit actions of database administrators by tracking and auditing their activities and actions on the database, and alerting or escalating any suspicious or malicious behavior. However, database monitoring is not the only or the most effective way to prevent or detect illicit actions of database administrators. Other measures, such as implementing the principle of least privilege, segregating duties, enforcing password policies, and encrypting data, are also necessary to protect the database from unauthorized or improper access or manipulation by database administrators or other users. Preventing system developers from accessing production data is a possible benefit of database monitoring, but it is not the primary reason for it. System developers are the users who design, develop, and test the applications that interact with the database. System developers should not have access to the production data, as it may contain sensitive or confidential information that could be compromised or misused by the developers. System developers should only use test or dummy data for their development and testing purposes. Database monitoring can help to prevent system developers from accessing production data by controlling and restricting their access and privilege to the database, and logging and reporting any unauthorized or inappropriate access attempts. However, database monitoring is not the only or the most effective way to prevent system developers from accessing production data. Other measures, such as implementing access control policies, masking or anonymizing data, and isolating development and production environments, are also necessary to safeguard the production data from system developers or other users. References = Database Monitoring: Basics & Introduction | Splunk, IT Risk Resources | ISACA, Best Practices for Database Performance Monitoring

Validating the risk scenarios is the most important time to involve business stakeholders, as they can provide feedback on the relevance, completeness, and accuracy of the scenarios. They can also help to ensure that the scenarios are aligned with the business objectives, context, and risk appetite. By involving business stakeholders in the validation process, the risk practitioner can increase the credibility and acceptance of the risk scenarios.

Updating the risk register, documenting the risk scenarios, and identifying risk mitigation controls are all important steps in the risk scenario development process, but they are not the most important time to involve business stakeholders. These steps can be performed by the risk practitioner with input from othersources, such as subject matter experts, historical data, industry standards, etc. References = CRISC Review Manual, 7th Edition, ISACA, 2020, page 47-481

The most important factor when developing risk scenarios is obtaining input from key stakeholders. A risk scenario is a description of a possible event or situation that could affect the enterprise’s objectives, processes, or resources. Obtaining input from key stakeholders, such as business owners, process owners, subject matter experts, or external parties, helps to ensure that the risk scenarios are realistic, relevant, and comprehensive. It also helps to identify the sources, drivers, indicators, likelihood, impact, and responses of the risk scenarios, and to align them with the enterprise’s risk appetite and tolerance. Obtaining input from key stakeholders also fosters a collaborative and participatory approach to risk management, and enhances the risk awareness and ownership among the stakeholders. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.3, page 621

According to the CRISC Review Manual, activity logging and monitoring is the best way to manage the risk associated with malicious activities performed by database administrators (DBAs), because it enables the detection and prevention of unauthorized or inappropriate actions on the database. Activity logging and monitoring involves capturing and reviewing the activities of the DBAs, such as the commands executed, the data accessed or modified, the privileges used, and the time and duration of the sessions. Activity logging and monitoring can also provide an audit trail for accountability and forensic purposes. The other options are not the best ways to manage the risk, because they do not directly address the malicious activities of the DBAs. Periodic access review is a control that verifies the appropriateness of the access rights granted to the DBAs, but it does not monitor their actual activities. Two-factor authentication is a control that enhances the security of the authentication process, but it does not prevent the DBAs from performing malicious activities once they are authenticated. Awareness training and background checks are controls that aim to reduce the likelihood of the DBAs engaging in malicious activities, but they do not guarantee their compliance or behavior. References = CRISC Review Manual, 7th Edition, Chapter 4, Section 4.1.3, page 166.