CRISC Leak Questions

Risk owner approval ensures accountability and alignment of the changes with the enterprise’s risk management strategy. It reflects adherence to the principles ofRisk Ownership and Governance, critical for maintaining control over mitigation activities.

Residual risk exceeds acceptable limits, because it indicates that the risk level is higher than the organization’s risk appetite or tolerance, and that the risk responses and controls are insufficient or ineffective. Residual risk is the level of risk remaining in a process or procedure following the implementation of risk controls to limit or remove it. Escalation is a process that increases theawareness and involvement of higher-level stakeholders or authorities in a risk issue or situation. Escalation is appropriate when the risk issue or situation is outside the scope or authority of the current risk owner or manager, and requires the attention or action of the senior management or the board of directors. Residual risk exceeding acceptable limits is the best situation to justify escalation, as it implies that the current risk owner or manager cannot manage the risk within the predefined boundaries or expectations, and that the senior management or the board of directors need to intervene or approve the risk acceptance or transfer.

Residual risk being inadequately recorded, residual risk remaining after controls have been applied, and residual risk equaling current risk are all possible situations that may require escalation, but they are not the best situations, as they do not necessarily indicate that the risk level is higher than the acceptable limits, and that the senior management or the board of directors need to be involved.

A spear phishing attack is a type of cyberattack that targets a specific individual or organization with a fraudulent email that appears to be from a trusted source, and attempts to trick the recipient into clicking amalicious link, opening a malicious attachment, or providing sensitive information. A spear phishing attack can compromise the security, confidentiality, integrity, or availability of the information systems and data of the individual or organization. The most effective way to mitigate the risk associated with spear phishing attacks is to implement a security awareness program, which is a program that educates and trains the employees and stakeholders of the organization about the security policies, procedures, and best practices, and the potential threats and risks that may affect the organization. A security awareness program can help to prevent or reduce the success of spear phishing attacks, as it can increase the knowledge and skills of the employees and stakeholders to recognize and avoid the fraudulent emails, and to report and respond to any suspicious or malicious activities. References = CRISC Review Manual, 7th Edition, page 181.

In addition to the risk register, which is a tool to document and monitor the risks that affect the organization, a risk practitioner should review the business objectives of the organization to develop an understanding of its risk profile. The risk profile is a description of the set of risks that the organization faces in relation to its goals and strategies. By reviewing the business objectives, the risk practitioner can identify the sources, drivers, and consequences of the risks, as well as the alignment, prioritization, and tolerance of the risks. The business objectives also provide the context and criteria for evaluating and managing the risks. The other options are not the best choices to review for developing an understandingof the organization’s risk profile, as they do not capture the full scope and nature of the risks. The control catalog is a list of the existing controls that are implemented to mitigate the risks, but it does not reflect the effectiveness, efficiency, or sufficiency of the controls. The asset profile is a description of the resources and capabilities that the organization possesses or relies on, but it does not indicate the value, vulnerability, or interdependency of the assets. The key risk indicators (KRIs) are metrics that measure the level and trend of the risks, but they do not explain the causes, impacts, orresponses to the risks. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.2, Page 49.