CRISC Isaca Exam Lab Questions

Low-probability, high-impact events are those that have a low chance of occurring but would cause significant harm if they do. These events are often difficult to predict and quantify, but they can have a major impact on the organization’s objectives, reputation, or operations. By including these events in a risk assessment, the organization can develop understandable and realistic risk scenarios that reflect the potential consequences of different outcomes1. This can help the organization to prioritize its risk management activities and allocate its resources accordingly.

References = Risk and Information Systems Control Study Manual, Chapter 5: Risk Assessment Process

 The most important consideration when implementing ethical remote work monitoring is to inform the employees of how they are being monitored, because this respects their privacy rights and expectations, and ensures their consent and compliance with the monitoring policy. Informing the employees of how they are being monitored also helps to build trust and transparency between the employer and the employees, and reduces the potential legal or ethical issues that may arise from the monitoring activities. The other options are not the most important considerations, although they may also be relevant for ethical remote work monitoring. Monitoring only during official hours of business, reporting on nonproductive employees to management, and integrating multiple data monitoring sources into security incident response procedures are examples of operational or technical aspects of remote work monitoring, notethical aspects. References = CRISC: Certified in Risk & Information Systems Control Sample Questions

The most important factor to consider when assessing the residual risk of implementing encryption for data at rest is the key management. Key management is the process of generating, storing, distributing, using, and destroying the cryptographic keys that are used to encrypt anddecrypt the data. Key management is essential for ensuring the security, availability, and integrity of the encrypted data, as well as for complying with the legal and regulatory requirements. Poor key management could result in the loss, theft, compromise, or corruption of the keys, which could lead to unauthorized access, data breach, data loss, or data recovery failure. Therefore, key management must be considered to assess the residual risk, which is the risk that remains after the risk treatment, such as encryption, is applied. Data retention requirements, data destruction requirements, and cloud storage architecture are not as important as key management, as they do not directly affect the encryption and decryption of the data, and they may not introduce significant residual risk. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.

 A risk practitioner is preparing a report to communicate changes in the risk and control environment, such as new or emerging risks, changes in risk levels, risk responses, or control effectiveness. The best way to engage stakeholder attention is to include a summary linking information to stakeholder needs, meaning that the report should highlight the key points and findings that are relevant and important for the stakeholder’s role, responsibility, and interest. The summary should also explain how the information affects the stakeholder’s objectives, expectations, and decisions. The summary should be concise, clear, and compelling, and should capture the stakeholder’s attention and interest. The report can also include detailed deviations from industry benchmarks, a roadmap to achieve operational excellence, or an option to publish the report on-demand for stakeholders, but these are not the best ways to engage stakeholder attention, as they may not be directly related to the stakeholder’s needs or may overwhelm the stakeholder with too much information. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, p. 124-125