Isaca Updated CRISC Exam Questions and Answers by kaiden

 The most important factor when deciding on a control to mitigate risk exposure is the cost-benefit analysis. This is a process that compares the costs and benefits of implementing a control, and determines whether the control is worth the investment. A cost-benefit analysis helps to ensure that the control is efficient and effective in reducing the risk to an acceptable level, and that it does not introduce new risks or adversely affect other objectives. A cost-benefit analysis also helps to prioritize the controls based on their value and feasibility, and to allocate the resources accordingly. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.5, page 1861

The best way to mitigate the risk to IT infrastructure availability is to establish a disaster recovery plan (DRP), because a DRP is a document that defines the procedures and resources needed to restore the IT infrastructure and resume the critical business functions in the event of a disaster or disruption. A DRP helps to minimize the downtime, data loss, and financial impact of a disaster, and ensures the continuity of operations and services. The other options are not the best ways to mitigate the risk to IT infrastructure availability, although they may also be helpful in supporting the DRP. Establishing recovery time objectives (RTOs), maintaining a current list of staff contact details, and maintaining a risk register are examples of planning or monitoring activities that aim to define the requirements, roles, and responsibilities for the disaster recovery process, but they do not address the actual implementation or execution of the DRP. References = CRISC: Certified in Risk & Information Systems Control Sample Questions

Security awareness training is a process of educating and informing the users about the security policies, procedures, and best practices of the organization, and the potential threats and risks that may affect the confidentiality, integrity, and availability of the information and systems.

The best indicator of whether security awareness training is effective is user behavior after training. This means that the users demonstrate and apply the knowledge and skills that they have learned from the training, such as following the security rules and guidelines, reporting any security incidents or issues, avoiding any risky or malicious actions, etc.

User behavior after training helps to measure the actual impact and outcome of the training, compare them with the expected or desired objectives and standards, identify any gaps or issues that may affect the training effectiveness or efficiency, and take appropriate actions to address them.

The other options are not the best indicators of whether security awareness training is effective. They are either subjective or not essential for security awareness training.

The references for this answer are:

Risk IT Framework, page 30

Information Technology & Security, page 24

Risk Scenarios Starter Pack, page 22

The best recommendation to address an organization’s need to secure multiple systems with limited IT resources is to perform a vulnerability analysis. A vulnerability analysis is a process of identifying, assessing, and prioritizing the weaknesses or flaws in the systems that could be exploited by threats or risks. A vulnerability analysis helps to determine the level and nature of the exposure and impact of the systems, and to select and implement the appropriate security controls or mitigations. Performing a vulnerability analysis is the best recommendation, as it helps to optimize the use of the limited IT resources, by focusing on the most critical or significant vulnerabilities, and by applying the most effective or efficient security solutions. Performing a vulnerability analysis also helps to improve the security posture and performance of the systems, and to reduce the likelihood and consequences of security incidents or breaches. Applying available security patches, scheduling a penetration test, and conducting a business impact analysis (BIA) are not the best recommendations, as they are either the outputs or the inputs of the vulnerability analysis process, and they do not address the primary need of securing the systems with limited IT resources. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.