Isaca Updated CRISC Exam Questions and Answers by siyana

The information classification policy is the most important document regarding the treatment of sensitive data, because it defines the categories and criteria for classifying data according to their sensitivity, confidentiality, and value to the organization, and specifies the appropriate handling and protection measures for each category. Sensitive data are data that contain personal, proprietary, or confidential information that may cause harm or damage to the organization or its stakeholders if disclosed, modified, or destroyed without authorization. An information classification policy helps to ensure that sensitive data are identified and treated in a consistent and secure manner, and that the organization complies with the applicable laws and regulations regarding data protection and privacy. An encryption policy, an organization risk profile, and a digital rights management policy are all useful documents for the treatment of sensitive data, but they are not the most important document, as they do not directly address the classification and handling of sensitive data. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158

The best course of action when a new application is added to the environment after testing of the SSO control has been completed is to initiate a retest of the full control, as it may reveal any new issues or gaps that the new application may introduce to the SSO control, and ensure that the control remains effective and adequate. Retesting the control using the new application as the only sample, reviewing the corresponding change control documentation, and re-evaluating the control during the next assessment are not the best courses of action, as they may not provide sufficient assurance, evidence, or timeliness of the control testing, respectively. References = CRISC Review Manual, 7th Edition, page 154.

The status of identified risk scenarios, because it helps to monitor and track the current level and direction of the IT risks, and to determine whether the risk responses and controls are adequate and effective. An IT risk register is a document that records and tracks the key IT risks that an organization faces, along with their likelihood, impact, and response strategies. An IT risk scenario is a hypothetical situation or event that describes the source, cause, consequence, and impact of an IT risk. The status of identified risk scenarios is the most important factor, as it reflects the actual and potential outcomes of the IT risks, and the performance and progress of the risk management process. The costs associated with mitigation options, the cost-benefit analysis of each risk response, and the timeframes for risk response actions are all possible factors to review when evaluating the ongoing effectiveness of the IT risk register, but they are not the most important factor, as they do not directly measure and report the status of the IT risk scenarios.

The most useful tool for measuring the existing risk management process against a desired state is the capability maturity model, as it provides a structured and standardized way to assess the current and target levels of maturity, performance, and effectiveness of the risk management process, and to identify the gaps and improvement opportunities. The balanced scorecard, the risk management framework, and the risk scenario analysis are not the most useful tools, as they are more related to the evaluation, design, or identification of the risk management process, respectively, rather than the measurement of the risk management process. References = CRISC Review Manual, 7th Edition, page 154.