Isaca CRISC Actual Questions

A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. This means that the potential benefits of BYOD outweigh the potential risks, and that the controls in place are adequate to mitigate those risks.

The next step for the risk practitioner is to identify log sources to monitor BYOD usage and risk impact. Log sources are records of events or activities that occur in a system or network, such as file access, network traffic, user behavior, etc. Log sources can provide valuable information about how BYOD devices are used, what data they access, what applications they run, what threats they encounter, etc.

By monitoring log sources, the risk practitioner can track and measure the actual performance and security of BYOD devices, compare them with the expected outcomes and standards,identify any deviations or anomalies that may indicate a breach or a vulnerability, and take appropriate actions to address them.

Therefore, identifying log sources to monitor BYOD usage and risk impact is a recommended action after a successful risk assessment.

The references for this answer are:

Risk IT Framework, page 10

Information Technology & Security, page 4

Risk Scenarios Starter Pack, page 2

The best way to facilitate the identification of appropriate key performance indicators (KPIs) for a risk management program is to evaluate KPIs in accordance with risk appetite. KPIs are metrics that measure the performance and effectiveness of the risk management program, and help monitor and report on the achievement of the risk objectives and outcomes. Risk appetite is the amount and type of risk that the organization is willing to accept or pursue in order to achieve its objectives. Evaluating KPIs in accordance with risk appetite helps to identify the appropriate KPIs, because it helps to align the KPIs with the organization’s mission, vision, values, and strategy, and to ensure that the KPIs reflect the organization’s risk tolerance and threshold. Evaluating KPIs in accordance with risk appetite also helps to communicate and coordinate the KPIs with the organization’s stakeholders, such as the board, management, and business units, and to facilitate the risk decision-making and reporting processes. The other options are not as effective as evaluating KPIs in accordance with risk appetite, although they may be part of or derived from the KPI identification process. Reviewing control objectives, aligning with industry best practices, and consulting risk owners are all activities that can help to define or refine the KPIs, but they are not the best way to facilitate the identification of appropriate KPIs. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.5.1, page 4-38.

The most helpful input to develop risk scenarios associated with hosting an organization’s key IT applications in a cloud environment is conducting a risk workshop with key stakeholders. A risk workshop is a facilitated session that involves brainstorming, discussing, and analyzing the potential risks and opportunities related to a specific topic or project. A risk workshop helps to identify and prioritize the most relevant and significant risk scenarios, as well as to explore the possible causes, impacts, and responses. A risk workshop also helps to engage and align the key stakeholders, such as the business owners, IT managers, cloud providers, and risk experts, and to leverage their knowledge, experience, and perspectives. The other options are not as helpful as conducting a risk workshop, although they may provide some inputor information for the risk scenario development. Reviewing the results of independent audits, performing a site visit to the cloud provider’s data center, and performing a due diligence review are all activities that can help to assess the current state and performance of the cloud environment, but they do not necessarily generate or evaluate the risk scenarios. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 4-13.

 Penetration test results are the most helpful resource to a risk practitioner when updating the likelihood rating in the risk register. Penetration testing is a method of simulating real-world attacks on an IT system or network to identify and exploit vulnerabilities and measure the potential impact. Penetration test results provide empirical evidence of the existence and severity of vulnerabilities, as well as the ease and probability of exploitation. These results can help the risk practitioner to update the likelihood rating of the risks associated with the vulnerabilities, and to prioritize the risk response actions. Risk control assessment, audit reports with risk ratings, and business impact analysis (BIA) are also useful resources for risk management, but they are not as directly related to the likelihood rating as penetration test results. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.3, page 2-28.