Isaca Updated CRISC Exam Questions and Answers by macsen

The business process owner should own the risk of customer data leakage caused by the service provider, as they have the responsibility and authority over the design, execution, and performance of the business process. The business process owner is also accountable for the risks and controls associated with their process, and they can provide valuable input and feedback on the likelihood and impact of customer data leakage on the process outcomes and objectives.

The other options are not the best choices for owning the risk of customer data leakage caused by the service provider. The service provider is responsible for delivering and supporting the billing function and ensuring the security and privacy of the customer data, but they may not have the full visibility or understanding of the business process and objectives. The vendor risk manager is responsible for managing and monitoring the vendor relationship and performance, but they may not have the direct involvement or influence on the business process and its risks and controls. The legal counsel is responsible for providing legal advice and guidance on the contractual and regulatory obligations and implications of the outsourcing arrangement, but they may not have the detailed knowledge or experience of the business process and its risks and controls. References = Guide to Vendor Risk Assessment | Smartsheet, IT Risk Resources | ISACA, Data Ownership: Considerations for Risk Management - ISACA

The first step to reduce the likelihood of infection from the attack is to identify systems that are vulnerable to being exploited by the attack. This would help the organization to assess the scope and severity of the risk, and to prioritize the systems that need immediate protection. Identifying systems that are vulnerable to being exploited by the attack would also help the organization to apply the appropriate patches, updates, or configurations to prevent or mitigate the attack, and to isolate or disconnect the systems that are already infected or compromised. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.2, page 60123

Being the first to market is a competitive advantage that can help an organization gain market share, customer loyalty, and brand recognition. However, this advantage can be lost if the project is delayed and the competitors catch up or surpass the organization. Therefore, the project delivery time is of greatest concern to senior management, as it directly affects the strategic objective of the project. The other options are less critical, as they can be managed or mitigated by the project team. More time for testing can improve the quality and reliability of the product, a new project manager can bring fresh ideas and perspectives, and the cost overrun can be justified by the expected benefits and revenues of the product. References = Project Initiation: The First Step to Project Management [2023] • Asana, 12 Steps to Initiate and Plan a Successful Project

The best practice to mitigate risk related to enterprise-wide ethical decision making in a multi-national organization is to provide ongoing awareness training to support a common risk culture. A common risk culture is a set of shared values, beliefs, and behaviors that influence how the organization identifies, analyzes, responds to, and monitors risks. Ongoing awareness training can help to promote a common risk culture by educating the employees about the enterprise’s risk management objectives, policies, procedures, roles, and responsibilities, as well as the ethical standards and expectations that apply to their work. Ongoing awareness training can also help to reinforce the benefits of ethical decision making and the consequences of unethical behavior. Customized regional training on local laws and regulations, policies requiring central reporting of potential procedure exceptions, and zero-tolerance policies for risk taking by middle-level managers are also useful practices, but they are not as effective as ongoing awareness training to support a common risk culture. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 37.