Isaca Updated CRISC Exam Questions and Answers by cobie

Accepting risk is the only risk response strategy that could be applied to both positive and negative risk that has been identified. Accepting risk means taking no action to change the likelihood or impact of the risk, but being prepared to deal with the consequences if the risk occurs. Accepting risk is usually chosen when the risk is low, unavoidable, or outweighed by the benefits. For positive risks, accepting risk means taking advantage of the opportunities if they arise. For negative risks, accepting risk means setting aside contingency reserves or plans to cope with the threats. The other risk response strategies are specific to either positive or negative risks. Transfer, exploit, and mitigate are strategies for negative risks, while share, enhance, and avoid are strategies for positive risks. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-23.

The best way to mitigate the security risk associated with the inappropriate use of enterprise applications on the BYOD devices is to implement BYOD mobile device management (MDM) controls. MDM controls are software tools or services that allow the organization to remotely manage, monitor, and secure the BYOD devices and the enterprise applications and data on them. MDM controls can help to enforce security policies, restrict unauthorized access, encrypt sensitive data, wipe data in case of loss or theft, and update or patch applications. The other options are not as effective as implementing MDM controls, as they are related to the review, awareness, or recovery of the BYOD devices and applications, not the prevention or protection of the security risk. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.

Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite is influenced by various factors, such as the organization’s mission, vision, values, culture, stakeholders, resources, capabilities, etc. However, the factor that has the greatest influence on the organization’s risk appetite is the business objectives and strategies, which are the desired outcomes and the plans to achieve them. The business objectives and strategies define the direction and scope of the organization, and the risk appetite reflects the level of risk that the organization is prepared to take to accomplish them. The risk appetite should be aligned with the business objectives and strategies, and should provide guidance for the risk management activities and decisions. References = CRISC Review Manual, 7th Edition, page 61.

 Key risk indicators (KRIs) are metrics that provide an early warning of increasing risk exposure in various areas of the organization. They help to monitor changes in the level of risk and enable timely actions to mitigate the risk. The major advantage of using KRIs is that they identify when risk exceeds defined thresholds, which are the acceptable or tolerable levels of risk that the organization has established. By identifying when risk exceeds defined thresholds, the KRIs can alert the management and stakeholders of the need to take corrective or preventive measures, and avoid or reduce the potential losses or damages. References = 3