Isaca Updated CRISC Exam Questions and Answers by timur

The first activity that should be performed when the time required to complete daily processing for a legacy application is approaching a risk threshold is to conduct a root-cause analysis. This will help to identify the source of the problem and the factors that are contributing to the increased processing time. By conducting a root-cause analysis, the enterprise can determine the most appropriate and effective solution to address the problem and prevent it from recurring. Temporarily increasing the risk threshold, suspending processing to investigate the problem, and initiating a feasibility study for a new application are not the first activities that should be performed, as they may not resolve the underlying issue and may introduce additional risks or costs. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1.2, page 193.

A managed security service provider (MSSP) is a third-party entity that offers network security services to an organization, such as firewall operation, administration, monitoring, and maintenance1. A firewall is a device or software that controls the incoming and outgoing network traffic based on predefined rules2. A firewall administrator is a person or entity that manages and maintains the firewall configuration, rules, and policies3. When an organization uses an MSSP as a firewall administrator, the greatest concern is the exposure of log data, because log data contains sensitive and valuable information about the organization’s network activity, such as source and destination IP addresses, ports, protocols, timestamps, and user identities4. If the log data is not protected properly by the MSSP, it could be accessed, modified, or stolen by unauthorized parties, such as hackers, competitors, or regulators, which could result in data breaches, compliance violations, reputational damage, or legal liabilities for the organization5. The other options are not as concerning as the exposure of log data, because they do not pose a direct and immediate threat to the organization’s data security and privacy, but rather affect the quality and efficiency of the firewall management, as explained below:

B. Lack of governance is a concern when an organization uses an MSSP as a firewall administrator, because it could lead to misalignment or inconsistency between the organization’s and the MSSP’s objectives, policies, and standards for firewall management. However, this concern can be mitigated by establishing a clear and comprehensive service level agreement (SLA) with the MSSP,which defines the roles, responsibilities, expectations, and performance indicators for the firewall management service6.

C. Increased number of firewall rules is a concern when an organization uses an MSSP as a firewall administrator, because it could create complexity, confusion, or duplication in the firewall configuration, which could affect the firewall performance and security. However, this concern can be mitigated by conducting regular firewall audits and reviews with the MSSP, which can help to rationalize, optimize, and update the firewall rules, and to ensure that they are relevant, effective, and efficient for the organization’s network environment.

D. Lack of agreed-upon standards is a concern when an organization uses an MSSP as a firewall administrator, because it could result in gaps or weaknesses in the firewall design and implementation, which could compromise the firewall functionality and security. However, this concern can be mitigated by adopting and following industry best practices, norms, and expectations for firewall management, such as the National Institute of Standards and Technology (NIST) guidelines, the Center for Internet Security (CIS) benchmarks, or the Payment Card Industry Data Security Standard (PCI DSS) requirements . References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 115. What Is A Managed Security Service Provider (MSSP)? - Fortinet, What is a Firewall? - Definition from Techopedia, Firewall Administrator Job Description - Betterteam, What is a Firewall Log? - Definition from Techopedia, Firewall Log Management: Why It’s Important and How to Do It Right, How to Write a Service Level Agreement (SLA) for an MSSP, [Firewall Auditing: Best Practices for Security and Compliance], [Guidelines on Firewalls and Firewall Policy | CSRC], [CIS Firewall Benchmark - CIS], [PCI DSS and Firewalls - PCI Security Standards Council]

 Emerging risk is a risk that is new or evolving, and has the potential to significantly affect the enterprise’s objectives, performance, or reputation. Emerging risk can arise from changes in the internal or external environment, such as technological innovations, regulatory developments, or social trends. The best way to support communication of emerging risk is to include it on the next enterprise risk committee agenda. The enterprise risk committee is a group of senior executives who oversee the enterprise-wide risk management program, and provide guidance and direction to the risk owners and practitioners. By including the emerging risk on the agenda, the risk practitioner can ensure that the enterprise risk committee is aware of the risk, its causes, impacts, and likelihood, and can decide on the appropriate risk response strategy and actions. The other options are not the best way to support communication of emerging risk, as they involve different aspects of the risk management process:

Update residual risk levels to reflect the expected risk impact means that the risk practitioner adjusts the risk levels after considering the existing or planned risk responses. This may not be feasible or accurate for emerging risk, as the risk responses may not be defined or implemented yet, or may not be effective for the new or evolving risk.

Adjust inherent risk levels upward means that the risk practitioner increases the risk levels before considering any risk responses. This may not reflect the true nature or magnitude of the emerging risk, as the inherent risk levels are based on the assumptions and estimates of the risk practitioner, and may not account for the uncertainties or complexities of the emerging risk.

Include it in the risk register for ongoing monitoring means that the risk practitioner records and tracks the emerging risk, its causes, impacts, likelihood, responses, and owners. This is an important step in the risk management process, but it does not necessarily support communication ofthe emerging risk, as the risk register may not be accessible or visible to all the relevant stakeholders, or may not be updated or reviewed frequently enough to capture the changes in the emerging risk. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.2.2, pp. 21-22.

Senior management participation is essential for the success of an organization’s risk management framework, as it demonstrates the commitment, support, and leadership for the risk management activities. Senior management participation also ensures that the risk management framework is aligned with the organization’s strategy, objectives, and culture, and that the risk management roles and responsibilities are clearly defined and communicated. Senior management participation also facilitates the allocation of adequate resources, the establishment of risk appetite and tolerance, and the monitoring and reporting of risk performance. Therefore, the lack of senior management participation should be of greatest concern to a risk practitioner, as it indicates a low level of risk maturity and a high level of risk exposure. The other options are not as concerning as the lack of senior management participation, because they do not affect the risk management framework as significantly, and they can be addressed or improved with the involvement of senior management, as explained below:

A. Unclear organizational risk appetite is a deficiency that can affect the risk management framework, as it can lead to inconsistent or inappropriate risk decisions and responses. However, this deficiency can be resolved or mitigated with the participation of senior management, who can define and communicate the risk appetite and tolerance for the organization, and ensure that they are aligned with the organization’s strategy and objectives.

C. Use of highly customized control frameworks is a deficiency that can affect the risk management framework, as it can create complexity, confusion, or duplication in the control design and implementation. However, this deficiency can be resolved or mitigated with the participation of senior management, who can review and rationalize the control frameworks, and ensure that they are relevant, effective, and efficient for the organization’s risk profile and environment.

D. Reliance on qualitative analysis methods is a deficiency that can affect the risk management framework, as it can limit the accuracy, reliability, and comparability of the risk information and assessment. However, this deficiency can be resolved or mitigated with the participation of senior management, who can support and promote the use of quantitative analysis methods, such as the FAIR framework1, and provide the necessary data, tools, and skills for the risk analysis and evaluation. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.2, page 18.