All CRISC Test Inside Isaca Questions

The most important consideration when establishing a contingency plan and an alternate processing site for a company that has located its computer center on a moderate earthquake fault is that the alternative site does not reside on the same fault no matter how far the distance apart, as it ensures that the alternative site is not affected by the same earthquake event that may disrupt the primary site, and that the business continuity and recovery objectives can be met. The other options are not the most important considerations, as they are more related to the backup, priority, or readiness of the alternative site, respectively, rather than the location of the alternative site. References = CRISC Review Manual, 7th Edition, page 111.

A KRI is a measure used by an organization to measure the health of a particular risk. In this case, the risk practitioner is developing a metric to measure the risk associated with security threats that were not identified by antivirus software12.

References

1Standardized Scoring for Security and Risk Metrics - ISACA

2Key Performance Indicators for Security Governance, Part 1 - ISACA

The best method for identifying vulnerabilities is periodic network scanning. Network scanning is a process of scanning and probing the network devices, systems, and applications to discover and analyze their security weaknesses, such as configuration errors, outdated software, or open ports. Network scanning can help to identify the vulnerabilities that could be exploited by attackers to gain unauthorized access, compromise data, or disrupt services. Periodic network scanning is the best method, because it can provide a regular and comprehensive view of the network security posture, and it can detect and address the new or emerging vulnerabilities in a timely manner. Periodic network scanning can also help to comply with the legal and regulatory requirements and standards for network security, such as the ISO/IEC 27001, the NIST SP 800-53, or the PCI DSS123. The other options are not the best method, although they may be useful or complementary to periodic network scanning. Batch job failure monitoring is a process of monitoring and reporting the failures or errors that occur during the execution of batch jobs, such as data processing, backup, or synchronization. Batch job failure monitoring can help to identify the operational or technical issues that affect the performance or availability of the network services, but it does not directly identify the security vulnerabilities or the potential threats. Annual penetration testing is a process of simulating a real-world attack on the network devices, systems, and applications to evaluate their security defenses and resilience. Penetration testing can help to identify and exploit the vulnerabilities that could be used by attackers to compromise the network security, and to provide recommendations for improvement. However, annual penetration testing is not the best method, because it is not frequent or consistent enough to keep up with the changing and evolving network security landscape, and it may not cover all thenetwork components or scenarios. Risk assessments are a process of identifying, analyzing, and evaluating the risks associated with the network devices, systems, and applications. Risk assessments can help to estimate the probability and impact of the vulnerabilities and the threats, and to prioritize and respond to the risks accordingly. However, risk assessments are not the same as or a substitute for vulnerability identification, as they rely on the vulnerability information as an input, rather than an output. References = Vulnerability Testing: Methods, Tools, and 10 Best Practices, ISO/IEC 27001 Information Security Management, NIST SP 800-53 Rev. 5

 A policy exception is a deviation from the established policies, standards, or procedures of the enterprise, such as the information security policy. A policy exception may be granted by the management when there is a valid business reason or justification for the deviation, and when the risk associated with the deviation is acceptable or mitigated. The best course of action when a business unit has decided to accept the risk of implementing an off-the-shelf, commercialsoftware package that uses weak password controls is to obtain management approval for policy exception. This will ensure that the business unit is aware of the implications and consequences of the policy exception, and that the management agrees with the risk acceptance and approves the policy exception. The other options are not the best course of action, as they involve different risk response strategies or outcomes:

Develop an improved password software routine means that the business unit modifies or enhances the password controls of the software package, such as by increasing the password length, complexity, or expiration. This may not be a feasible or effective way to address the risk of weak password controls, as it may violate the terms and conditions of the software vendor, or may not be compatible or consistent with the software package.

Select another application with strong password controls means that the business unit replaces the software package with another application that has better password controls, such as by using encryption, authentication, or authorization. This may not be a desirable or efficient way to address the risk of weak password controls, as it may incur additional costs, delays, or complexities, or may not meet the business requirements or expectations of the business unit.

Continue the implementation with no changes means that the business unit proceeds with the software package without any modifications or improvements to the password controls, or without any approval or documentation of the policy exception. This may not be a responsible or ethical way to address the risk of weak password controls, as it may expose the enterprise to legal, financial, or reputational risks, or may compromise the security or compliance of the enterprise. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.4.1.1, pp. 121-122.