CRISC Exam Questions Tutorials

The situation that presents the greatest challenge to creating a comprehensive IT risk profile of an organization is having inaccurate documentation of enterprise architecture (EA). EA is the blueprint that describes the structure and operation of an organization, including its business processes, information systems, technology infrastructure, and governance. EA helps to align the IT strategy and objectives with the business strategy and objectives, and to identify and manage the IT risks and opportunities. Having inaccurate documentation of EA could lead to incomplete, inconsistent, or misleading information about the organization’s IT environment, which could affect the quality and reliability of the IT risk profile. The other situations are not as challenging as having inaccurate documentation of EA, although they may also pose some difficulties or limitations for the IT risk profile. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.2.1, page 2-12.

 The primary reason to report the information about the new risk scenarios identified after the implementation of Internet of Things (IoT) devices to risk owners is to confirm the impact to the risk profile. The risk profile is a summary of the level and nature of the risks that the organization faces or may face in the future. The risk profile reflects the risk appetite, tolerance, and capacity of the organization, and guides the risk management decisions and actions. The implementation of IoT devices may introduce new risks or increase the likelihood or impact of existing risks, such as data privacy, security, or interoperability issues. Therefore, the information about the new risk scenarios should be reported to the risk owners, who have the authority and responsibility for managing the risks and their responses, to confirm the impact to the risk profile and to determine the appropriate risk treatment plans. The other options are not as primary as confirming the impact to the risk profile, as they are related to the reevaluation, mitigation, or recommendation of the IoT devices, not the confirmation or assessment of the risk profile. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.2: IT Risk Register, page 19.

The most useful information for a risk practitioner when planning response activities after risk identification is the risk priorities. Risk priorities are the order or ranking of the risks based on their level of importance or urgency. Risk priorities help the risk practitioner to focus on the most critical risks, and allocate the resources and efforts accordingly. Risk priorities are usually determined by using a combination of factors, such as the likelihood and impact of the risks, the risk appetite and tolerance of the organization, and the cost and benefit of the risk responses. Theother options are not as useful as the risk priorities, although they may provide some input or context for the risk response planning. The risk register is the document that records the details of all identified risks, but it does not necessarily indicate the risk priorities. The risk appetite is the amount and type of risk that the organization is willing to pursue, retain, or take, but it does not specify the risk priorities. The risk heat maps are graphical tools that display the risk level of each risk based on the likelihood and impact, but they do not show the risk priorities. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-23.

The first step for the risk practitioner to address the situation of extended network outages that have exceeded tolerance is to recommend a root cause analysis of the incidents. A root cause analysis is a process of identifying and resolving the underlying causes of a problem or an event. By performing a root cause analysis, the risk practitioner can determine why the network outages occurred, what factors contributed to them, and how they can be prevented or reduced in the future. Recommending additional controls, updating the risk tolerance level, and updating the incident-related risk trend are possible steps that may follow the root cause analysis, but they are not the first step. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 4; CRISC Review Manual, 6th Edition, page 153.