Isaca Updated CRISC Exam Questions and Answers by julian

The most helpful factor for an information security management team when allocating resources to mitigate exposures is the risk assessment results. The risk assessment results provide a comprehensive and objective analysis of the risks facing the enterprise, including their likelihood, impact, and root causes. The risk assessment results also help to identify the gaps and weaknesses in the existing controls, and to prioritize the risks based on their severity and urgency. The risk assessment results enable the information security management team to allocate the resources in a cost-effective and risk-based manner, and to implement the most appropriate risk responses to reduce the exposures to an acceptable level. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.1.1, page 1751

According to the CRISC Review Manual, activity logging and monitoring is the best way to manage the risk associated with malicious activities performed by database administrators (DBAs), because it enables the detection and prevention of unauthorized or inappropriate actions on the database. Activity logging and monitoring involves capturing and reviewing the activities of the DBAs, such as the commands executed, the data accessed or modified, the privileges used, and the time and duration of the sessions. Activity logging and monitoring can also provide an audit trail for accountability and forensic purposes. The other options are not the best ways to manage the risk, because they do not directly address the malicious activities of the DBAs. Periodic access review is a control that verifies the appropriateness of the access rights granted to the DBAs, but it does not monitor their actual activities. Two-factor authentication is a control that enhances the security of the authentication process, but it does not prevent the DBAs from performing malicious activities once they are authenticated. Awareness training and background checks are controls that aim to reduce the likelihood of the DBAs engaging in malicious activities, but they do not guarantee their compliance or behavior. References = CRISC Review Manual, 7th Edition, Chapter 4, Section 4.1.3, page 166.

A conflict of interest is a situation where a person’s personal or professional interests may interfere with their ability to act in the best interest of the organization or the project1. A conflict of interest can compromise the integrity, objectivity, and impartiality of the person, and create ethical or legal issues for the organization or the project2. In the context of due diligence, a conflict of interest can affect the quality and reliability of the information and analysis, and jeopardize the success and confidentiality of the acquisition3.

The best course of action for a member of the due diligence team who realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired is to disclose potential conflicts of interest. This means that the team member should inform the due diligence leader and the organization’s management about the relationship with the acquaintance, and explain how it may affect their role or responsibility in the due diligence process. By disclosing potential conflicts of interest, the team member can:

Demonstrate honesty and transparency, and uphold the ethical standards and values of the organization and the project4.

Enable the due diligence leader and the organization’s management to assess the situation and decide the appropriate course of action, such as reassigning the team member, implementing additional controls or safeguards, or obtaining consent or approval from the relevant parties5.

Avoid or minimize the negative consequences or risks that may arise from the conflict of interest, such as legal liability, reputational damage, or loss of trust and credibility6.

References =

Conflict of Interest - CIO Wiki

What is a Conflict of Interest? Give Me Some Examples - The Balance Careers

How to Avoid Conflicts of Interest in M&A Transactions - DealRoom

How to Handle Conflicts of Interest - Harvard Business Review

Conflict of Interest Policy - ISACA

Managing Conflicts of Interest in the Public Sector Toolkit - OECD

This can help to:

Ensure that the implemented measures are effective and efficient in reducing the risk level to an acceptable level, and that they are aligned with the risk appetite and tolerance of the organization2.

Identify and address any gaps, issues, or challenges that may arise from the deviation from the approved risk action plan, and recommend and implement appropriate improvement actions or contingency plans3.

Communicate and report the results and outcomes of the validation to the relevant stakeholders, such as the risk owner, the risk committee, or the chief risk officer, and obtain their feedback and approval4.

The other options are not the best course of action, because:

Reporting the observation to the chief risk officer (CRO) is not the best course of action, as it may not provide sufficient information or evidence to support the deviation from the approved risk action plan. The CRO may not be able to evaluate or approve the implemented risk mitigation measures without knowing their adequacy or impact on the risk level5.

Updating the risk register with the implemented risk mitigation actions is not the best course of action, as it may not reflect the current or accurate risk status or performance. The risk register is a document that records and summarizes the key information and data about the identified risks and the risk responses6. Updating the risk register without validating the adequacy of the implemented risk mitigation measures may create inconsistencies or inaccuracies in the risk register.

Reverting the implemented mitigation measures until approval is obtained is not the best course of action, as it may expose the organization to higher or unacceptable levels of risk. Reverting the implemented mitigation measures may undo or negate the benefits or outcomes of the risk mitigation, and may increase the likelihood or impact of the risk events7.

References =

ISACA Risk Starter Kit provides risk management templates and policies

Risk Appetite and Tolerance - CIO Wiki

Risk Monitoring and Review - The National Academies Press

Risk Reporting - CIO Wiki

Chief Risk Officer - CIO Wiki

Risk Register - CIO Wiki

Risk Mitigation - CIO Wiki