Isaca Updated CRISC Exam Questions and Answers by tymoteusz

Software as a service (SaaS) is a cloud computing model that provides software applications over the internet, without requiring the customer to install or maintain them on their own devices1. SaaS applicationscan offer many benefits, such as scalability, accessibility, and cost-efficiency, but they also pose security risks, such as data breaches, unauthorized access, and compliance violations2.

One of the best ways to protect an organization against breaches when using a SaaS application is to use data loss prevention (DLP) tools. DLP tools are software solutions that monitor, detect, and prevent the unauthorized transmission or leakage of sensitive data from an organization’s network or devices3. DLP tools can help an organization to:

Identify and classify sensitive data, such as personal information, intellectual property, or financial records, and apply appropriate policies and controls to protect them

Encrypt data in transit and at rest, and use secure protocols and encryption keys to ensure data confidentiality and integrity

Block or alert on suspicious or malicious data transfers, such as unauthorized uploads, downloads, or sharing of data to external sources or devices

Audit and report on data activities and incidents, and provide evidence for compliance with data protection regulations and standards, such as GDPR, HIPAA, or PCI-DSS4

References = What is SaaS?, Top 7 SaaS Security Risks (and How to Fix Them), What is Data Loss Prevention (DLP)?, Data Loss Prevention (DLP) for SaaS Applications

 Cross-site scripting (XSS) and SQL injection are two common types of web application attacks that can compromise the confidentiality, integrity, and availability of data and systems. XSS allows an attacker to inject malicious code into a web page that is viewed by other users, while SQL injection allows an attacker to execute arbitrary commands on a database server by manipulating the input parameters of a web application. Both attacks can result in data theft, unauthorized access, defacement, denial of service, and more.

To mitigate these attacks, the best option is to require the software vendor to remediate the vulnerabilities by applying secure coding practices, such as input validation, output encoding, parameterized queries, and HTML sanitization. These techniques can prevent or limit the impact of XSS and SQL injection by ensuring that user input is not interpreted as code or commands by the web browser or the database server. The software vendor should also provide regular updates and patches to fix any known or newly discovered vulnerabilities.

The other options are not effective or acceptable ways to mitigate these attacks. Monitoring the databases for abnormal activity can help detect and respond to SQL injection attacks, but it does not prevent them from happening or address the root cause of the vulnerability. Approving an exception to allow the software to continue operating can expose the organization to unnecessary risks and liabilities, as well as violate compliance requirements and standards. Accepting the risk and letting the vendor run the software as is can also have serious consequences for the organization, as it implies that the potential impact and likelihood of the attacks are low or acceptable, which may not be the case. References =

IT Risk Resources | ISACA

CRISC Certification | Certified in Risk and Information Systems Control | ISACA

Cross Site Scripting Prevention Cheat Sheet - OWASP

A novel technique to prevent SQL injection and cross-site scripting attacks using Knuth-Morris-Pratt string match algorithm | EURASIP Journal on Information Security | Full Text

Difference Between XSS and SQL Injection - GeeksforGeeks

Residual risk is the risk that remains after applying risk responses, such as avoidance, mitigation, transfer, or acceptance. It represents the level of exposure that the organisation is willing to tolerate or assume. Residual risk should be aligned with the organisation’s risk appetite and risk tolerance, which are determined by senior management. Therefore, the best way to obtain senior management support for investment in a control implementation would be to articulate the reduction in residual risk that the control would achieve. This would demonstrate how the control would help the organisation meet its riskobjectives and reduce the likelihood or impact of adverse events. References = ISACA CRISC Review Manual, 7th Edition, Chapter 1, Section 1.3.2, page 25.

Insecure data transmission protocols should be of greatest concern when an organization is implementing internet of Things (IoT) technology to control temperature and lighting in its headquarters, because they can expose the IoT devices and data to unauthorized access, interception, or manipulation. Insecure data transmission protocols can also compromise the confidentiality, integrity, and availability of the IoT system and the information it collects and transmits. The other options are not the greatest concerns, although they may also pose some challenges or risks to the IoT implementation. Insufficient network isolation, impact on network performance, and lack of interoperability between sensors are examples of technical or operational issues that can affect the functionality, efficiency, or compatibility of the IoT system, but they do not have the same severity or impact as insecure data transmission protocols. References = CRISC Sample Questions 2024