Isaca Certification CRISC Isaca Study Notes

Embedding risk management into day-to-day business processes reflects organizational maturity and integration. It ensures employees consider risk in operational decisions and continuously support the risk management framework.

A standardized risk taxonomy is a common language and structure for identifying, analyzing, and reporting risks across the enterprise. It enables consistent and comparable risk assessment and aggregation, as well as clear communication and coordination among different divisions. A list of control deficiencies, an enterprise risk ownership policy, and an updated risk tolerance metric are not sufficient to enable management of risk at the enterprise level, as they do not address the issue of risk alignment and integration among divisions. References = [CRISC Review Manual (Digital Version)], page 42; CRISC by Isaca Actual Free Exam Q&As, question 197.

The greatest concern for the risk practitioner when a big data project has resulted in the creation of an application used to support important investment decisions is the data quality. Data quality is the degree to which the data is accurate, complete, consistent, reliable, relevant, and timely. Data quality is essential for the success of any big data project, as it affects the validity and reliability of the analysis and the outcomes. Poor data quality could lead to erroneous or misleading results, which could have negative consequences for the investment decisions and the organization’s performance and reputation. The other options are not as concerning as the data quality, although they may also pose some challenges or risks for the big data project. Maintenance costs, data redundancy, and system integration are all factors that could affect the efficiency and effectiveness of the big data project, but they do not directly affect the accuracy and reliability of the analysis and the outcomes. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.1, page 3-20.

 Role of the Control Owner:

The control owner is responsible for the design, implementation, and maintenance of a specific control.

They have detailed knowledge of the control’s purpose, its intended functionality, and its operational context within the organization.

 Responsibility for Remediation:

When a penetration testing team discovers an ineffectively designed access control, it is the control owner’s responsibility to ensure the design gap is remediated.

The control owner must assess the findings, determine the root cause of the ineffectiveness, and take necessary actions to redesign or enhance the control to address the identified weaknesses.

 Steps to Remediate Control Design Gap:

Assess the Findings:Understand the specific issues identified by the penetration testing team.

Redesign the Control:Modify the control design to address the identified gaps and ensure it meets security requirements.

Implement Changes:Apply the redesigned control and test its effectiveness.

Continuous Monitoring:Regularly review the control to ensure it remains effective over time.

 Comparing Other Roles:

Risk Owner:Manages overall risk but does not directly handle control design.

IT Security Manager:Oversees the security posture but delegates specific control responsibilities to control owners.

Control Operator:Operates the control but is not responsible for its design or remediation.

 References:

The CRISC Review Manual emphasizes the control owner's responsibility in maintaining and improving control effectiveness (CRISC Review Manual, Chapter 3: Risk Response and Mitigation, Section 3.7 Control Design and Selection)​​.