Isaca Updated CRISC Exam Questions and Answers by ellen

A risk management program is a systematic and structured approach to identify, analyze, evaluate, treat, monitor, and communicate the risks that may affect the organization’s objectives and performance.

The greatest advantage of implementing a risk management program is enabling risk-aware decisions. This means that the organization incorporates the risk information and analysis into its decision making process, such as strategic planning, resource allocation, project management, etc.

Enabling risk-aware decisions helps to optimize the outcomes and benefits of the decisions, balance the opportunities and threats of the decisions, and align the decisions with the organization’s risk appetite and tolerance.

The other options are not the greatest advantages of implementing a risk management program. They are either secondary or not essential for risk management.

The references for this answer are:

Risk IT Framework, page 25

Information Technology & Security, page 19

Risk Scenarios Starter Pack, page 17

Performing risk prioritization would best help to improve the risk register, which is a document that records and summarizes the key information and data about the identified risks and the risk responses1. Risk prioritization is the process of ranking the risks according to their significance and urgency, based on their probability and impact2. By performing risk prioritization, the organization can:

Reduce the complexity and volume of the risk register, and focus on the most important and relevant risks that require immediate attention and action3.

Enhance the communication and understanding of the risks among the senior management and other stakeholders, and facilitate the decision-making and resource allocation for the risk responses4.

Improve the efficiency and effectiveness of the risk management process, and ensure that the risk register is aligned with the organization’s risk strategy, objectives, and appetite5.

The other options are not the best ways to improve the risk register, because:

Analyzing the residual risk components is not the best way, as it may not address the issue of the large volume of risk scenarios. Residual risk is the level of risk that remains after the implementation of risk responses6. Analyzing the residual risk components can help to measure the exposure or uncertainty of the assets, and to determine the need and extent of the risk responses. However, it may not reduce the complexity or volume of the risk register, as it may add more information or data to the risk register.

Validating the risk appetite level is not the best way, as it may not address the issue of the overwhelming risk scenarios. Risk appetite is the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives7. Validating the risk appetite level can help to ensure that the risk register is consistent and proportional to the risk level, and that the risk responses are suitable and feasible. However, it may not reduce the complexity or volume of the risk register, as it may require more information or data to validate the risk appetite level.

Conducting a risk assessment is not the best way, as it may not address the issue of the existing risk scenarios. Risk assessment is the process of estimating the probability and impact of the risks, and prioritizing the risks based on their significance and urgency. Conducting a risk assessment can help to identify and analyze new or emerging risks, and to update or revise the risk register accordingly. However, it may not reduce the complexity or volume of the risk register, as it may introduce more information or data to the risk register.

References =

Risk Register - CIO Wiki

Risk Prioritization - CIO Wiki

Risk Prioritization: A Guide for Project Managers - ProjectManager.com

Risk Prioritization: How to Prioritize Risks in Project Management - Clarizen

Risk Prioritization: A Key Step in Risk Management - ISACA

Residual Risk - CIO Wiki

Risk Appetite - CIO Wiki

[Risk Assessment - CIO Wiki]

User accounts provisioning is the process of creating, managing, and modifying user accounts within a system or an application, based on the user’s roles, responsibilities, and requirements. User accounts provisioning is an essential part of identity and access management (IAM), which aims to ensure the confidentiality, integrity, and availability of the system or the application, and the information or resources that it handles or supports1.

The best key performance indicator (KPI) for monitoring adherence to an organization’s user accounts provisioning practices is the percentage of accounts without documented approval, because it can help to measure how well the organization follows the policies, standards, and procedures for user accounts provisioning, and how effectively the organization controls and audits the user accounts provisioning activities. The percentage of accounts without documented approval can indicate:

The level of compliance and accountability of the user accounts provisioning process, and the extent to which the user accounts provisioning requests and actions are authorized and verified by the appropriate parties, such as managers, IT staff, or security officers

The level of risk and exposure of the user accounts provisioning process, and the likelihood and impact of unauthorized or inappropriate user accounts provisioning, such as granting excessive or unnecessary access privileges, creating duplicate or fraudulent accounts, or violating legal or regulatory requirements

The level of quality and efficiency of the user accounts provisioning process, and the ability and capacity of the organization to manage and maintain the user accounts provisioning records and documents, such as forms, logs, or reports23

The other options are not the best KPIs for monitoring adherence to an organization’s user accounts provisioning practices, but rather some of the factors or outcomes of it. User accounts with default passwords are user accounts that have not changed their passwords from the initial or default values that are assigned by the system or the application. User accounts with default passwords are a factor that can increase the risk of unauthorized or malicious access to the system or the application, as the default passwords may be easily guessed or compromised by attackers. Active accounts belonging to former personnel are user accounts that have not been deactivated or deleted after the users have left the organization. Active accounts belonging to former personnel are an outcome of ineffective or inefficient user accounts deprovisioning, which is the process of revoking or removing the user accounts and access privileges when they are no longer needed or valid. Accounts with dormant activity are user accounts that have not been used or accessed for a long period of time. Accounts with dormant activity are an outcome of poor or inconsistent user accounts management, which is the process of updating or modifying the user accounts and access privileges according to the changes or needs of the users or the organization4. References =

User Provisioning for SaaS Apps: Top 10 Best Practices | Resmo

Top Identity and Access Management Metrics

KPI-driven approach to Identity & Access Management - Elimity

[CRISC Review Manual, 7th Edition]

A security log is a record of security-related events or activities that occur in an IT system, network, or application, such as user authentication, access control, firewall activity, or intrusion detection1. Security logscan help to monitor and audit the security posture and performance of the IT environment, and to detect and investigate any security incidents, breaches, or anomalies2.

The integrity of a security log refers to the accuracy and completeness of the log data, and the assurance that the log data has not been modified, deleted, or tampered with by unauthorized or malicious parties3. The integrity of a security log is essential for ensuring the reliability and validity of the log analysis and reporting, and for providing evidence and accountability for security incidents and compliance4.

Among the four options given, the most important factor to the integrity of a security log is the inability to edit. This means that the security log data should be protected from any unauthorized or accidental changes or alterations, such as adding, deleting, or modifying log entries, or changing the log format or timestamps5. The inability to edit can be achieved by implementing various controls and measures, such as:

Applying digital signatures or hashes to the log data to verify its authenticity and integrity

Encrypting the log data to prevent unauthorized access or disclosure

Implementing least privilege access to the log data to restrict who can view, modify, or delete the log data

Using write-once media or devices to store the log data, such as CD-ROMs or WORM drives

Sending the log data to a secure and centralized log server or repository, and using syslog or other protocols to ensure secure and reliable log transmission

Performing regular backups and archiving of the log data to prevent data loss or corruption

References = Security Log: Best Practices for Logging and Management, Security Audit Logging Guideline, Confidentiality, Integrity, & Availability: Basics of Information Security, Steps for preserving the integrity of log data, Guide to Computer Security Log Management