Isaca Updated CRISC Exam Questions and Answers by yasmine

The lack of due diligence for the recommended cloud vendor should be of greatest concern to the risk practitioner, because it exposes the organization to potential risks and issues related to the security, reliability, performance, and compliance of the cloud service provider. Due diligence is a process of conducting a thorough investigation and evaluation of a potential vendor or partner before entering into a contractual relationship. Due diligence helps to verify the vendor’s credentials, capabilities, reputation, and track record, and to identify any red flags or gaps that may affect the quality or suitability of the service. Cloud computing is a model of delivering IT services over the internet, where the service provider owns and manages the IT infrastructure, platforms, or applications, and the customer pays only for the resources or functions they use. Cloud computing can offer cost savings, scalability, and flexibility for the business, but it also introduces new risks and challenges, such as data privacy, security breaches, vendor lock-in, service outages, or regulatory compliance. Therefore, performing due diligence for the recommended cloud vendor is essential to ensure that the organization’s expectations and requirements are met, and that the risks and issues are identified and addressed. The business introducing new SaaS solutions without IT approval, the maintenance of IT infrastructure being outsourced to an IaaS provider, and the architecture responsibilities not being clearly defined are all possible concerns for the risk practitioner, but they are not the greatest concern, as they can be mitigated or resolved with appropriate controls, policies, or agreements. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.2.1, page 183

Risk scenarios require the identification of specific risk events to ensure they are realistic and actionable. This process is fundamental to effective risk assessments and responses, forming a core part of the Risk Scenario Development methodology.

The data privacy manager is the best person to an application system used to process employee personal data, because they are responsible for ensuring that the organization complies with the applicable data protection laws and regulations, and that the personal data of employees are collected, stored, processed, and disposed of in a secure and ethical manner. The data privacy manager is also responsible for establishing and maintaining the data privacy policies, procedures, and controls, and for conducting data privacy impact assessments and audits. The compliance manager, the system administrator, and the human resources (HR) manager are all involved in the of the application system, but they are not the best person to it, as they do not have the primary accountability and expertise for data privacy. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158

The risk practitioner’s best recommendation when one of an organization’s key IT systems cannot be patched because the patches interfere with critical business application functionalities is to identify additional mitigating controls, as they may reduce the likelihood or impact of the vulnerabilities being exploited, and align the residual risk with the risk tolerance and appetite of the organization. The other options are not the best recommendations, as they may not address the risk adequately, or may introduce unacceptable consequences, such as disrupting the business operations, changing the risk strategy, or accepting excessive risk. References = CRISC Review Manual, 7th Edition, page 111.