Isaca Updated CRISC Exam Questions and Answers by dolcie

The most appropriate key risk indicator (KRI) for backup media that is recycled monthly is the percentage of failed restore tests. A KRI is a metric that measures the likelihood or impact of a risk, and provides an early warning signal of a potential risk event. The percentage of failed restore tests is a KRI that reflects the quality and reliability of the backup media, and indicates the possibility of data loss or corruption. A high percentage of failed restore tests would suggest that the backup media is not functioning properly, and that the risk of data unavailability is increasing. Therefore, this KRI would help the risk practitioner to monitor the risk and take corrective actions as needed. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 5, Section 5.2.2, page 235.

Data leakage is the unauthorized or accidental disclosure of sensitive or confidential data to unauthorized parties. Data leakage can cause serious damages or losses to the organization, such as data breaches, fines, lawsuits, reputational harm, or loss of customer trust. Data leakage can occur due to various reasons, such as human errors, malicious attacks, or inadequate controls1.

An organization that uses a vendor to destroy hard drives faces a risk of data leakage, as the vendor may not properly or securely destroy the hard drives, or may access or misuse the data stored on them. The best way to reduce this risk is to use an accredited vendor to dispose of the hard drives, because it means that the vendor:

Has been certified or verified by a reputable or recognized authority or organization, such as ISACA, NAID, or R2, to provide hard drive destruction services

Follows the industry standards and best practices for hard drive destruction, such as NIST 800-88 or DoD 5220.22-M, and ensures the compliance with the legal and regulatory requirements, such as HIPAA, PCI DSS, or GDPR

Provides a secure and transparent process for hard drive destruction, such as using a specialized shredder, issuing a certificate of destruction, or allowing the customer to witness the destruction

Maintains a high level of professionalism and integrity, and does not compromise the confidentiality or security of the customer’s data234

The other options are not the best ways to reduce the risk of data leakage, but rather some of the steps or aspects of hard drive destruction. Require the vendor to degauss the hard drives is a step that can help to erase the data on the hard drives by using a strong magnetic field. However, degaussing may not be effective or reliable for some types of hard drives, such as solid state drives (SSDs), and it may not prevent the vendor from accessing or misusing the data before degaussing5. Implement an encryption policy for the hard drives is an aspect that can help to protect the data on the hard drives by using a cryptographic algorithm to make it unreadable without a key. However, encryption may not be sufficient or applicable for some types of data, such as metadata, and it may not prevent the vendor from accessing or misusing the key or the encrypted data6. Require confirmation of destruction from the IT manager is a step that can help to verify that the hard drives have been destroyed by the vendor, and to document the process and the outcome. However, confirmation of destruction may not be accurate or authentic, and it may not prevent the vendor from accessing or misusing the data before destruction7. References =

Data Leakage - ISACA

Hard Drive Shredding Services | Hard Drive Destruction & Disposal

Hard Drive Shredding and Destruction Service | CompuCycle

Electronic Destruction & Recycling | Shred Nations

Degaussing - ISACA

Encryption - ISACA

Certificate of Destruction - ISACA

[CRISC Review Manual, 7th Edition]

 Accepting residual risk is the most important responsibility of a risk owner, as it implies that the risk owner is accountable for the risk and its impact on the enterprise’s objectives and operations. Residual risk is the risk that remains after the implementation of controls, and it should be aligned with the risk appetite and tolerance of the enterprise. The risk owner is responsible for implementing the risk response strategies and monitoring the risk status and outcomes, as well as for reporting and escalating the risk issues and incidents. Testing control design, establishing business information criteria, and establishing the risk register are not the most important responsibilities of a risk owner, but rather the tasks or activities that the risk owner may perform or delegate as part of the risk management process. References = CRISC Certified in Risk and Information Systems Control – Question218; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 218.

The best way to mitigate the risk associated with infrastructure updates is to implement a change control process. A change control process is a set of procedures that ensures that any changes to the infrastructure are planned, approved, tested, implemented, and documented in a consistent and controlled manner. A change control process helps to reduce the risk of errors, conflicts, disruptions, or security breaches that could result from infrastructure updates. A change control process also helps to monitor and evaluate the impact and effectiveness of the changes, and to ensure that they align with the enterprise’s objectives and requirements. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.3.1, page 1391