Isaca Updated CRISC Exam Questions and Answers by millie-mae

The main purpose of aKey Risk Indicator (KRI)is to provide early warning of increased risk exposure tied tospecific risk scenarios.

CRISC defines KRIs as:

“Metrics that provide a signal of increasing risk exposure in relation to defined risk scenarios.”

Performance (A) is tracked via KPIs; threat measurement (C) is only one input.

Hence,B. Assess the risk associated with risk scenariosis correct.

CRISC Reference:Domain 4 – Risk and Control Monitoring and Reporting, Topic: Designing and Using KRIs.

 The most essential content to include in an IT risk awareness program is how to comply with the organization’s IT risk and information security policies. This will help to ensure that the staff members are aware of their roles and responsibilities, and that they follow the best practices andstandards to protect the organization’s information assets and systems. Compliance with the IT risk and information security policies also helps to reduce the likelihood and impact of IT-related incidents and breaches, and to align the IT activities with the organization’s objectives and strategies. Populating risk register entries, prioritizing IT-related actions, and defining the IT risk framework are important aspects of IT risk management, but they are not the most essential content to include in an IT risk awareness program. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.1.1.2, page 2291

1: ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 646.

A business system is a set of interconnected processes, functions, or activities that support the operations and objectives of a business1. A security gap is a weakness or flaw in a business system that can be exploited by a threat to cause harm or gain unauthorized access2. A control is a measure or mechanism that reduces the likelihood or impact of a security gap or threat3.

The best way to determine whether new controls mitigate security gaps in a business system is to perform a vulnerability assessment. A vulnerability assessment is a process of identifying and evaluating the security gaps and threats in a business system, and testing the effectiveness and efficiency of the controls that are implemented to address them. A vulnerability assessment can help to:

Measure and compare the current and desired state of the security posture and performance of the business system

Detect and prioritize the most critical and urgent security gaps and threats that may compromise the business system or its objectives

Validate and validate the adequacy and reliability of the new controls and their ability to prevent, detect, or respond to security incidents or breaches

Provide feedback and recommendations for improving the security of the business system and enhancing the security awareness and culture of the organization

References = What is a Business System?, What is a Security Gap?, What is a Control?, [What is a Vulnerability Assessment?], [Vulnerability Assessment: A Guide for Business Leaders]

 Computer-enabled fraud is the use of information technology (IT) to commit or conceal fraudulent activities, such as theft, manipulation, or unauthorized access of data, systems, or networks. Computer-enabled fraud can pose significant risks to an organization, such as financial loss, reputational damage, legal liability, or regulatory sanctions. Therefore, an organization should establish a comprehensive and effective framework to prevent, detect, and respond to computer-enabled fraud. The framework should involve three lines of defense, which are theroles and responsibilities of different functions within theorganization to manage and control risks. The first line of defense consists of the business owners, whose role is to identify, assess, and manage risks, including computer-enabled fraud risks. The primary responsibility of the first line of defense related to computer-enabled fraud is to implement processes to detect and deter fraud. This means designing and executing controls that can prevent or reduce the occurrence of computer-enabled fraud, such as authentication, authorization, encryption, logging, orsegregation of duties. This also means monitoring and reporting any suspicious or anomalous activities or transactions that may indicate computer-enabled fraud, such as unusual patterns, volumes, or frequencies of data or system access or usage. Implementing processes to detect and deter fraud can help the first line of defense to protect the organization’s assets, data, and reputation from computer-enabled fraud, and to comply with the organization’s policies and regulations. References = Three Lines of Defence, Roles of Three Lines of Defense for Information Security and Governance, THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL, The Three Lines of Defense.