Isaca Updated CRISC Exam Questions and Answers by pablo

According to the CRISC Review Manual, recovery time objectives (RTOs) are the maximum acceptable time that an IT system can be inoperable without causing significant damage to the business operations and objectives. RTOs are determined by the business impact analysis (BIA) and are used to define the recovery strategies and priorities. Therefore, if the RTOs do not meet the business requirements, it would be themost significant deficiency in the BCP, as it would imply that the recovery plan is not aligned with the business needs and expectations. The other options are not the most significant deficiencies, as they do not directly affect the recovery time and the business continuity. BCP testing is not necessarily done in conjunction with the DRP, as they have different scopes and objectives. BCP testing can use different methods, such as walk-through, simulation, or full interruption, depending on the purpose and scope of the test. Each business location can have separate BCPs, as long as they are consistent with the enterprise-wide BCP and the business requirements. References = CRISC Review Manual, 7th Edition, Chapter 5, Section 5.2.2, page 240.

 The most important consideration when implementing ethical remote work monitoring is to inform the employees of how they are being monitored, because this respects their privacy rights and expectations, and ensures their consent and compliance with the monitoring policy. Informing the employees of how they are being monitored also helps to build trust and transparency between the employer and the employees, and reduces the potential legal or ethical issues that may arise from the monitoring activities. The other options are not the most important considerations, although they may also be relevant for ethical remote work monitoring. Monitoring only during official hours of business, reporting on nonproductive employees to management, and integrating multiple data monitoring sources into security incident response procedures are examples of operational or technical aspects of remote work monitoring, not ethical aspects. References = CRISC: Certified in Risk & Information Systems Control Sample Questions

IT governance is the process of ensuring that IT supports the organization’s objectives and strategies, and that IT risks are managed appropriately. IT governance involves defining the roles, responsibilities, and accountabilities of the IT stakeholders, establishing the IT policies, standards, and procedures, and monitoring and evaluating the IT performance and outcomes1.

An organization that automatically approves exceptions to security policies on a recurring basis is most likely the result of ineffective IT governance, because it indicates that the organization:

Lacks a clear and consistent IT strategy and direction, and does not align IT with the business goals and needs

Fails to implement and enforce the IT policies, standards, and procedures, and does not ensure the compliance and accountability of the IT users and providers

Neglects to identify and assess the IT risks, and does not implement the appropriate risk responses and controls

Does not monitor and measure the IT performance and outcomes, and does not review and improve the IT processes and practices23

The other options are not the most likely results of ineffective IT governance, but rather some of the possible causes or consequences of it. A lack of mitigating actions for identified risk is a possible consequence of ineffective IT governance, as it implies that the organization does not have a systematic and proactiveapproach to IT risk management, and does not address the IT risks in a timely and effective manner. Decreased threat levels is a possible cause of ineffective IT governance, as it may create a false sense of security and complacency, and reduce the motivation and urgency to implement and follow the IT policies, standards, and procedures. Ineffective service delivery is a possible consequence of ineffective IT governance, as it means that the organization does not deliver the IT services that meet the expectations and requirements of the customers and stakeholders, and does not ensure the quality and reliability of the IT services. References =

IT Governance - ISACA

IT Governance: What It Is and Why You Need It

IT Governance: The Benefits of an Effective Enterprise IT Governance Framework

[CRISC Review Manual, 7th Edition]

The primary reason for prioritizing risk scenarios is to facilitate risk response decisions. Risk scenarios are hypothetical situations that describe the possible causes, events, and consequences of a risk. Prioritizing risk scenarios is the process of ranking the risk scenarios according to their level of importance, urgency, or impact. Prioritizing risk scenarios helps to facilitate risk response decisions, which are the choices made to address the risks, such as avoiding, transferring, mitigating, or accepting the risks. Prioritizing risk scenarios helps to allocate the resources and efforts to the most significant or critical risk scenarios, and to select the most appropriate and effective risk responses. Prioritizing risk scenarios also helps to communicate and justify the risk response decisions to the stakeholders, and to monitor and report the risk status and performance. Providing an enterprise-wide view of risk, supporting risk response tracking, and assigning risk ownership are not the primary reasons for prioritizing risk scenarios, as they are either theinputs or the outputs of the risk prioritization process, and they do not address the primary need of responding to the risks. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 50.