Isaca Certification CRISC Updated Exam

 Business Impact Assessment (BIA):

BIA identifies and evaluates the potential effects of interruptions to critical business operations. It helps determine the priority of risk mitigation efforts based on the potential impact on business functions.

BIA provides detailed information on which processes and systems are most critical to the organization's operations and their respective impact levels.

 Prioritizing Risk Mitigation:

The results of a BIA guide decision-makers in prioritizing which risks to address first based on their potential to disrupt critical business operations.

Risks that could cause significant operational, financial, or reputational damage are prioritized higher.

 Comparing Other Factors:

Cost of Risk Mitigation:Important but secondary to understanding the impact on business operations.

Asset Criticality:Relevant but typically part of the BIA process.

Acceptable Risk Level:Defines the threshold but does not prioritize specific risks.

 References:

The CRISC Review Manual discusses how BIA facilitates risk prioritization by identifying critical processes and their impacts (CRISC Review Manual, Chapter 2: IT Risk Assessment, Section 2.7 Business Impact Analysis)​​.

Several network user accounts were recently created without the required management approvals. This indicates that there is a risk of unauthorized access, use, disclosure, modification, or destruction of the network resources or data, which may affect the confidentiality, integrity, and availability of the network.

The best recommendation to address this situation is to investigate the root cause of noncompliance. This means that the risk practitioner should analyze the factors or reasons that led to the creation of the network user accounts without the required management approvals, such as human error, negligence, malice, system failure, process flaw, etc.

Investigating the root cause of noncompliance helps to identify and correct the source of the problem, prevent or reduce the recurrence of the problem, and improve the compliance and security of the network user accounts.

The other options are not the best recommendations to address this situation. They are either secondary or not effective for noncompliance.

The references for this answer are:

Risk IT Framework, page 31

Information Technology & Security, page 25

Risk Scenarios Starter Pack, page 23

•Risk acceptance is a status quo risk response, where the risk owner acknowledges the risk exists but accepts it with minimal response1. Risk acceptance may be appropriate when the cost of other risk responses exceeds the value that would be gained, or when the risk is below the risk acceptance criteria2.

•Risk acceptance criteria are the criteria used as a basis for decisions about acceptable risk2. They should be established before conducting a risk assessment, and they may be influenced by factors such as utility, equality, technology, and risk perception2. Different organizations and countries may have different risk acceptance criteria, depending on their context and values3.

•In this scenario, the organization has conducted a risk assessment for regulatory compliance, and has identified only one possible mitigating control. However, the cost of the control is higher than the penalty of noncompliance, which implies that the risk is below the risk acceptancecriteria. Therefore, the best recommendation is to accept the risk with management sign-off, which means that the management agrees to take the risk and is accountable for the consequences.

•Ignoring the risk until the regulatory body conducts a compliance check (option B) is not a good recommendation, as it may expose the organization to legal, financial, or reputational damage. Moreover, ignoring the risk may violate the principle of risk reduction, which states that risks should be reduced wherever practicable2.

•Mitigating the risk with the identified control (option C) is not a good recommendation, as it may not be cost-effective or efficient for the organization. The cost of the control is higher than the penalty ofnoncompliance, which means that the organization would spend more resources than necessary to reduce the risk. Moreover, mitigating the risk may not be aligned with the principle of utility, which states that resources should be used as efficiently as possible for the society as a whole2.

•Transferring the risk by buying insurance (option D) is not a good recommendation, as it may not be feasible or beneficial for the organization. Transferring the risk means that the organization shifts the responsibility or burden of the risk to another party, such as an insurer, a contractor, or a partner1. However, transferring the risk does not eliminate the risk, and it may incur additional costs or complications for the organization. Moreover, transferring the risk may not be possible or acceptable for some types of regulatory compliance risks, such as those related to health, safety, or environmental standards3.

 Information security policies are the foundation of an organization’s security program, as they define the objectives, roles, responsibilities, and standards for protecting the information assets and systems. However, information security policies are not static, and they need to be reviewed and updated regularly to reflect the changes in the organization’s environment, risk profile, and compliance requirements. Therefore, the best course of action when conducting an organization-wide risk assessment is to review the policies against current needs to determine adequacy. This means comparing the policies with the current threats, vulnerabilities, controls, and best practices, and identifying any gaps or weaknesses that need to be addressed. The other options are not the best course of action, as they do not consider the current needs of the organization. Reviewing and updating the policies to align with industry standards may not be sufficient, as the organization may have specific or unique needs that are not covered by the standards. Determining that the policies should be updated annually may not be realistic, as the frequency of updates may depend on the nature and complexity of the policies and the organization. Reporting that the policies are adequate and do not need to be updated frequently may not be accurate, as the policies may be outdated or ineffective, and may expose the organization to unnecessary risks. References = Risk Assessment and Analysis Methods: Qualitative and Quantitative - ISACA, Does Your Organization Need a Security Risk Assessment? - ISACA, SP 800-39, Managing Information Security Risk: Organization, Mission …