Isaca Updated CRISC Exam Questions and Answers by woody

 In an environment where reduced time-to-market for new software products is a top business priority, the risk practitioner’s greatest concern should be whether sufficient resources are assigned to IT development projects. Resources include human, financial, technical, and physical assets that are needed to plan, design, develop, test, and deliver high-quality software products in a timely manner. If the IT development projects are under-resourced, they may face challenges such as delays, errors, defects, rework, scope creep, or failure to meet customer expectations or requirements. These challenges can increase the risk of losing competitive advantage, market share, customer satisfaction, or reputation. The other options are less critical, as they are not directly related to the core business priority of reducing time-to-market for new software products. Customer support help desk staff training, email infrastructure rollback plans, and corporate email system phishing detection are important aspects of information security and customer service, but they are not the primary drivers of software product development and delivery. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.2: Risk Response Options, p. 115-116.

The legal and regulatory risk associated with business conducted over the Internet is driven by the laws and regulations of each individual country. Legal and regulatory risk is the risk of non-compliance or violation of the applicable laws and regulations that govern the business activities, operations, or transactions. Business conducted over the Internet involves the use of the global network of interconnected computers and devices to exchange information, goods, or services across the geographic boundaries. Business conducted over the Internet may expose the enterprise to various legal and regulatory risks, such as data protection, privacy, security, intellectual property, consumer protection, taxation, or jurisdiction issues. The legal and regulatory risk associated with business conducted over the Internet is driven by the laws and regulations of each individual country, as each country may have different or conflicting laws and regulations that apply to the business conducted over the Internet, and that may change or vary over time. The laws and regulations of each individual country may also impose different or additional obligations, requirements, or restrictions on the enterprise, and may subject the enterprise to different or multiple enforcement actions, penalties, or disputes. The jurisdiction in which an organization has its principal headquarters, international law and a uniform set of regulations, and international standard-setting bodies are not the drivers of the legal and regulatory risk associated with business conducted over the Internet, as they do not reflect the diversity and complexity of the legal and regulatory landscape that the enterprise may face when conducting business over the Internet. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.

The best indicator to senior management that IT processes are improving is the changes in the position in the maturity model. A maturity model is a framework that defines the levels of capability and performance of a process, such as IT processes, based on the criteria such as governance, management, control, measurement, and improvement. A maturity model can help to assess the current state and the desired state of the IT processes, and to identify the gaps, strengths, and opportunities for improvement. A maturity model can also help to communicate the progress and the value of the IT processes to the senior management, and to support the strategic alignment and integration of the IT processes with the business objectives. Changes in the position in the maturity model indicate that the IT processes are improving, as they show that the IT processes are moving from a lower level to a higher level of maturity, and that they are achieving higher standards of quality, efficiency, and effectiveness. Changes in the number of intrusions detected, changes in the number of security exceptions, and changes to the structure of the risk register are not as good as changes in the position in the maturity model, as they do not provide a comprehensive and consistent measure of the IT processes improvement, and they may not reflect the actual impact and performance of the IT processes. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 36.

The three lines of defense model is a framework that defines the roles and responsibilities of different functions in an organization for managing risks and ensuring effective internal control1. The three lines of defense are:

The first line of defense: the operational management and staff who are responsible for implementing and maintaining the internal control system and managing the risks within their areas of activity

The second line of defense: the oversight functions, such as risk management, compliance, and quality assurance, who provide guidance, support, and monitoring to the first line of defense and ensure that the internal control system is designed and operating effectively

The third line of defense: the internal audit function, who provides independent and objective assurance to the board and senior management on the adequacy and effectiveness of the internal control system and the performance of the first and second lines of defense2

The three lines of defense model facilitates a completely independent review of test results for evaluating control effectiveness, because it ensures that the internal audit function, as the third line of defense, has the authority, independence, and competence to conduct objective and unbiased assessments of the internal control system and report its findings and recommendations to the board and senior management3. The internal audit function can also use the test results from the first and second lines of defense as inputs for its own audit planning and testing, and verify their validity and reliability4.

References = The Three Lines of Defense in Effective Risk Management and Control - IIA, The Three Lines Model - IIA, The Role of Internal Audit in the Three Lines of Defense - IIA, Evaluating and Improving Internal Control in Organizations - IFAC