Isaca Updated CRISC Exam Questions and Answers by camilla

The MOST critical requirement to include in the contract is the confidentiality of customer data, because it is a legal and ethical obligation of the bank to protect the privacy and security of its customers’ personal and financial information. Outsourcing the statement printing function to an external service provider exposes the customer data to potential unauthorized access, disclosure, or misuse by the service provider or its sub-contractors. Therefore, the contract should specify the terms and conditions for the handling, storage, and disposal of the customer data, as well as the penalties for any breach of confidentiality. The other options are not as critical as the confidentiality of customer data, because:

Option A: Monitoring of service costs is an important requirement to ensure that the service provider delivers the statement printing function within the agreed budget and scope, but it is not as critical as the confidentiality of customer data, which has legal and reputational implications for the bank.

Option B: Provision of internal audit reports is a useful requirement to verify that the service provider complies with the internal and external standards and regulations for the statement printing function, but it is not as critical as the confidentiality of customer data, which is a core value of the bank and its customers.

Option C: Notification of sub-contracting arrangements is a relevant requirement to ensure that the service provider does not delegate the statement printing function to another party without the bank’s consent and oversight, but it is not as critical as the confidentiality of customer data, which is the primary responsibility of the bank and its service provider. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 197.

 The best recommendation to the control owner when an existing control has deteriorated over time is to discuss risk mitigation options with the risk owner. This is because the risk owner is the person or entity who has the authority and accountability to make decisions and take actions regarding the risk, including the selection and implementation of the risk response strategies. The control owner is the person or entity who is responsible for the design, operation, and maintenance of the control, but not for the overall risk management. By discussing risk mitigation options with the risk owner, the control owner can communicate the current status and performance of the control, and collaborate on finding the most appropriate and effective solution to address the risk and the control deterioration. The other options are not the best recommendation to the control owner, because they do not involve the risk owner, who is the key stakeholder in the risk management process, as explained below:

A. Implement compensating controls to reduce residual risk is not the best recommendation, because it may not be feasible, efficient, or sufficient to address the risk and the control deterioration. Compensating controls are additional or alternative controls that are implemented to mitigate the risk when the primary control is not available, adequate, or effective. However, implementing compensating controls without discussing with the risk owner may result in wasting resources, duplicating efforts, or conflicting objectives, and may not align with the risk appetite or strategy of the organization.

B. Escalate the issue to senior management is not the best recommendation, because it may not be necessary, timely, or appropriate to involve senior management in the risk and control deterioration issue. Senior management is the highest level of authority and oversight in the organization, and may not have the detailed or operational knowledge or involvement in the risk and control management. Escalating the issue to senior management without discussing with the risk owner may create confusion, delay, or misunderstanding, and may not result in the optimal risk mitigation solution.

D. Certify the control after documenting the concern is not the best recommendation, because it may not be accurate, honest, or compliant to certify the control when it has deteriorated over time. Certifying the control is the process of attesting that the control is designed and operating effectively and efficiently, and meets the established criteria and standards. Certifying the control after documenting the concern may not reflect the true status and performance of the control, and may not comply with the internal or external audit or regulatory requirements. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 115. Roles and Responsibilities in Risk Management, Risk Owner vs. Control Owner: What’s the Difference?, Control Deterioration: How to Avoid It and What to Do About It

 A vulnerability is a system flaw or weakness that can be exploited by a threat actor, potentially leading to a security breach or incident. A vulnerability that has been exploited means that a threat actor has successfully taken advantage of the vulnerability and compromised the system or network. Implementing controls can help reduce the impact of a vulnerability that has been exploited, by limiting or preventing the damage or loss caused by the security breach or incident. Controls are the mechanisms or procedures that ensure the security, reliability, and quality of an IT system or process. Controls can be classified into different types, depending on their purpose and function. The four types of controls mentioned in the question are:

Detective control: A control that monitors and detects the occurrence or attempt of a security breach or incident, and alerts the appropriate personnel or system. For example, a log analysis tool that identifies and reports any unauthorized access or activity on the system or network.

Deterrent control: A control that discourages or prevents a threat actor from exploiting a vulnerability or performing a malicious action, by increasing the perceived difficulty, risk, or cost of doing so. For example, a warning message that informs the user of the legal consequences of unauthorized access or use of the system or network.

Preventive control: A control that blocks or stops a threat actor from exploiting a vulnerability or performing a malicious action, by eliminating or reducing the vulnerability or the opportunity. For example, a firewall that filters and blocks any unwanted or malicious traffic from entering or leaving the system or network.

Corrective control: A control that restores or repairs the system or network to its normal or desired state, after a security breach or incident has occurred, by fixing or removing the vulnerability or the impact. For example, a backup and recovery tool that restores the data or functionality of the system or network that has been corrupted or lost due to the security breach or incident.

The best type of control for reducing the impact of a vulnerability that has been exploited is the corrective control, because it directly addresses the damage or loss caused by the security breach or incident, and restores the system or network to its normal or desired state. Corrective controls can help minimize the negative consequences of a security breach or incident, such as downtime, data loss, reputational harm, legal liability, or regulatory sanctions. Corrective controls can also help prevent or reduce the recurrence of the security breach or incident, by fixing or removing the vulnerability that has been exploited. References = Types of Security Controls, Security Controls: What They Are and Why You Need Them, Security Controls: Definition, Types & Examples.

A purchase order approval process is a set of procedures that companies use to authorize the purchase of goods or services from suppliers1. This process typically involves multiple levels of approvals, ensuring that purchases are compliant with company regulations and policies, and within budget limitations1. Sometimes, a department may be granted an exception to bypass the existing approval process for purchase orders, for example, due to urgency, emergency, or special circumstances2. However, such exceptions should not compromise the effectiveness and integrity of the purchase order approval process, and should be properly documented and justified2. Therefore, the risk practitioner should verify that the exception has been approved by senior management, as they are ultimately responsible for setting and overseeing the purchase order approval process, and for ensuring that the exceptions are reasonable and aligned with the company’s objectives and risk appetite3. Internal audit is not the correct answer, as they are not involved in approving the purchase order approval process or its exceptions. Internal audit’s role is to provide independent assurance and advice on the adequacy and effectiveness of the purchase order approval process and its controls, and to report any issues or recommendations for improvement4. Control owner is not the correct answer, as they are not involved in approving the purchase order approval process or its exceptions. Control owner’s role is to design, implement, and operate the controls that support the purchase order approval process, and to monitor and report on the performance and compliance of the controls5. Risk manager is not the correct answer, as they are not involved in approving the purchase order approval process or its exceptions. Risk manager’s role is to identify, assess, and mitigate the risks associated with the purchase order approval process, and to communicate and report on the risk status and issues6. References = 1: A Step-by-Step Guide to a Purchase Order Approval Process2: Purchase Order Exceptions | Fordham3: Purchase Order (PO) Approval Process and Approval Workflow - ProcureDesk4: IT Risk Resources | ISACA5: CRISC Resources [updated 2021] | Infosec6: Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.