CRISC Isaca Exam Lab Questions

The recovery time objective (RTO) is the planned recovery time for a process or system which should occur before reaching the business process’s maximum tolerable downtime (MTD) or maximum allowable outage (MAO). The RTO must be aligned with the MAO to ensure that the continuity of the business process is not compromised by a prolonged outage. The RTO is determined by the business impact analysis (BIA) based on the criticality and urgency of the business process and its dependencies. The RTO also helps to select and implement appropriate recovery methods and procedures for the process or system. References = Risk and Information Systems Control Study Manual, Chapter 6: IT Risk Monitoring and Reporting, Section 6.2: ITRisk Reporting, Page 307; What is the difference between RPO, RTO, and MTD? - Tandem Blog.

The type of control that has been applied when an organization provides legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations is directive. A directive control is a control that guides or instructs the users or the staff on the policies, procedures, or standards that they need to follow or comply with when performing their tasks or activities. A directive control can help to prevent or reduce the risk of non-compliance, errors, or violations, by ensuring that the users or the staff are aware and informed of the expectations and requirements of the organization or the system. A directive control can also help to enforce the accountability and responsibility of the users or the staff, and to support the audit and monitoring of their actions and behaviors. Providing legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations is an example of a directive control, as it informs the users of the legal obligations and consequences of using the system, and instructs them on how to protect their privacy and the privacy of others. Detective, preventive, and compensating are not the correct types of control, as they do not match the definition or the purpose of the control that has been applied. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 217.

The best way to mitigate the risk of reputational damage from inappropriate use of social media sites by employees is to implement training and awareness programs that educate them on the acceptable andunacceptable use of social media, the potential consequences of violating the policy, and the best practices for protecting the organization’s reputation and information. Training and awareness programs can also help to foster a culture of risk awareness and responsibility among employees, and encourage them to report any incidents or issues related to social media use. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.2.4, page 131.