Isaca Certification CRISC Release Date

An IT risk register is a document that records and tracks the IT-related risks that an organization faces, as well as the information and actions related to those risks, such as the risk description, assessment, response, status, and owner. An IT risk register is a valuable tool for managing andcommunicating IT risks and their impact on the organization’s objectives and operations. However, an IT risk register may also contain sensitive or confidential information that should not be disclosed or shared with unauthorized or irrelevant parties, as it may compromise the security, privacy, or reputation of the organization or its stakeholders. Therefore, the risk manager’s best approach to the request from the head of a business operations department to review the entire IT risk register is to determine the purpose of the request before sharing the register. This is a technique to understand and evaluate the reason and the need for the request, as well as the scope and the level of access that the requester requires or expects. By determining the purpose of therequest, the risk manager can ensure that the request is legitimate, appropriate, and relevant, and that the requester has a clear and valid interest or stake in the IT risk register. The risk manager can also ensure that the request is aligned with the organization’s policies, procedures, and standards for IT risk management and information sharing. The risk manager can also use the purpose of the request to decide what and how much information to share with the requester, and what conditions or restrictions to apply, such as confidentiality, accuracy, or timeliness. The other options are not the best approaches to the request from the head of a business operations department to review the entire IT risk register, as they may be premature, unnecessary, or ineffective. Escalating to senior management is a technique to involve or inform the higher-level authorities or decision makers about the request, which may be useful or required in some cases, but it may not be the first or the best step to take, as it may delay or complicate the process, or undermine the risk manager’s authority or responsibility. Requiring a nondisclosure agreement is a technique to protect the confidentiality and integrity of the information in the IT risk register by legally binding the requester to not disclose or misuse the information. However, a nondisclosure agreement may not be needed or appropriate in every case, and it may not prevent or address other issues or risks related to the information sharing, such as relevance, accuracy, or timeliness. Sanitizing portions of the register is a technique to remove or redact the sensitive or confidential information from the IT risk register before sharing it with the requester, which may be necessary or prudent in some cases, but it may not be sufficient or satisfactory, as it may affect the completeness, usefulness, or validity of the information, or raise questions or concerns from the requester.

 Risk impact is the potential loss or damage that a risk event can cause to an organization. Risk impact can be expressed in qualitative or quantitative terms, such as financial, reputational, operational, or legal. A risk register is a tool that records and tracks the key information about the identified risks, such as their description, likelihood, impact, response, and status. A risk register helps an organization to monitor and manage its risks effectively and efficiently. When there is a change in the external or internal environment that affects the organization’s risks, such as new regulations, the risk register should be updated to reflect this change. The most important element of the risk register to update in this case is the risk impact, because the new regulations have significantly increased the penalties for data breaches, which means that the potential loss or damage that a data breach can cause to the organization has also increased. By updating the risk impact, the organization can reassess the severity and priority of the data breach risk, and adjust its risk response accordingly. The other elements of the risk register are less important toupdate in this case. The risk trend shows the direction and rate of change of the risk over time, which may or may not be affected by the new regulations. The risk appetite is the amount and type of risk that the organization is willing to accept in pursuit of its objectives, which is unlikely to change due to the new regulations. The risk likelihood is the probability of a risk event occurring, which is also independent of the new regulations. References = Risk IT Framework, ISACA, 2022, p. 131

The level of risk in the IT risk profile is the aggregate measure of the likelihood and impact of IT-related risks that may affect the enterprise’s objectives and operations.

The risk appetite is the amount and type of risk that the enterprise is willing to accept in pursuit of its goals. It is usually expressed as a range or a threshold, and it is aligned with the enterprise’s strategy and culture.

If the level of risk in the IT risk profile has decreased and is now below management’s risk appetite, it means that the enterprise has more capacity and opportunity to take on additional risks that may offer higher rewards or benefits.

The best recommendation in this situation is to optimize the control environment, which is the set of policies, procedures, standards, and practices that provide the foundation for managing IT risks and controls. Optimizing the control environment means enhancing the efficiency and effectiveness of the controls, reducing the costs and complexity of compliance, and aligning the controls with the enterprise’s objectives and values.

Optimizing the control environment can help the enterprise to achieve the optimal balance between risk and return, and to leverage its risk management capabilities to create and protect value.

The other options are not the best recommendations, because they do not address the opportunity to improve the enterprise’s performance and resilience.

Realigning risk appetite to the current risk level may result in missing out on potential gains or advantages that could be obtained by taking more risks within the acceptable range.

Decreasing the number of related risk scenarios may reduce the scope and depth of risk analysis and reporting, and impair the enterprise’s ability to identify and respond to emerging or changing risks.

Reducing the risk management budget may compromise the quality and reliability of the risk management process and activities, and weaken the enterprise’s risk culture and governance. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 29-30, 34-35, 38-39, 44-45

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 145

According to the Risk and Information Systems Control documents, implementing record retention tools and techniques is the best solution in this scenario. Record retention involves managing the lifecycle of records, including their creation, usage, storage, and disposal. By implementing record retention policies, organizations can define how long emails and other data should be retained before being deleted. This helps in efficiently managing storage space and reducing unnecessary storage costs.

Establishing e-discovery and data loss prevention (DLP) (Option B) focuses more on legal and compliance aspects and may not directly address the issue of reducing storage costs. Sending notifications when near storage quota (Option C) is a reactive approach and may not prevent the exponential increase in storage costs. Implementing a bring your own device (BYOD) policy (Option D) is unrelated to the issue of email storage costs.

References = Risk and Information Systems Control Study Manual