CRISC Reviews Questions

Authentication logs are records of the attempts and results of logging into an IT system, network, or application, such as the user name, password, date, time, location, or device1. Authentication logs can help to verify and audit the identity and access of the users, and to detect and investigate any unauthorized or suspicious login activities, such as failed or repeated attempts, or unusual patterns or locations2.

Among the four options given, the discovery that authentication logs have been disabled should be of greatest concern to the organization. This is because disabling authentication logs can:

Prevent or hinder the organization from monitoring and controlling the access and activity of the users, especially the disgruntled, terminated IT administrator who may have malicious intentions or insider knowledge

Enable or facilitate the disgruntled, terminated IT administrator or other attackers to bypass or compromise the authentication mechanisms or policies, and gain unauthorized or elevated access to the IT systems, networks, or applications

Conceal or erase the evidence or traces of the login attempts or actions of the disgruntled, terminated IT administrator or other attackers, and make it difficult or impossible to identify, investigate, or prosecute them

Indicate or imply that the disgruntled, terminated IT administrator or other attackers have already breached or compromised the IT systems, networks, or applications, and have disabled the authentication logs to cover their tracks or avoid detection3

References = What is Authentication Logging?, Authentication Logging - Wikipedia, Fired admin cripples former employer’s network using old credentials

The greatest concern for a risk practitioner reviewing current key risk indicators (KRIs) is that the KRIs’ source data lacks integrity, as this means that the data is inaccurate, incomplete, inconsistent, or outdated, and therefore cannot provide reliable and valid information on the risk level and performance. The KRIs are metrics that measure and monitor the changes in the risk exposure and the effectiveness of the risk response over time. The KRIs’ source data should be collected and verified from credible and relevant sources, and should be updated and maintained regularly. The KRIs’ source data should also be aligned and integrated with the enterprise’s data governance and quality standards. The other options are not the greatest concerns for a risk practitioner reviewing current key risk indicators (KRIs), although they may pose some challenges or limitations. The KRIs are not automated is a concern for the efficiency and timeliness of the KRI reporting and analysis, but it does not affect the integrity of the KRI sourcedata. The KRIs are not quantitative is a concern for the objectivity and comparability of the KRI measurement and prioritization, but it does not affect the integrity of the KRI source data. The KRIs do not allow for trend analysis is a concern for the usefulness and relevance of the KRI communication and decision making, but it does not affect the integrity of the KRI source data. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 183.

Assigning ownership to each risk scenario is fundamental in risk management. Without designated owners, there is a lack of accountability, which can lead to risks not being adequately managed or mitigated. The absence of assigned owners means that no one is responsible for monitoring, reporting, or addressing the risk, increasing the likelihood of adverse outcomes.

 The risk treatment response that should be reflected in the risk register when an IT department decides to keep the data center in-house instead of outsourcing it to an overseas location is risk avoidance. Risk avoidance is a risk response strategy that involves eliminating the source of the risk, or changing the plan or scope of the activity, to avoid the risk altogether. Risk avoidance can help to reduce the risk exposure and impact to zero, by removing the possibility of the risk occurrence. In this case, the IT department avoids the risk of outsourcing the data center to an overseas location, which could involve various threats, vulnerabilities, and uncertainties, such as data security, legal compliance, service quality, communication, or cultural issues. By keeping the data center in-house, the IT department maintains the control and ownership of the data center, and eliminates the potential risk associated with the outsourcing. Risk mitigation, risk acceptance, and risk transfer are not the correct risk treatment responses, as they do not reflect the actual decision and action taken by the IT department, and they do not eliminate the risk source or occurrence. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 51.