Isaca CRISC Online Access

The primary focus of management when key risk indicators (KRIs) begin to rapidly approach defined thresholds is to determine what has changed in the environment. KRIs are metrics that provide information and insight on the current level and trend of the risk exposure, and help to monitor and report the risk status and performance. Defined thresholds are the values or rangesof the KRIs that indicate the acceptable or unacceptable level of the risk exposure, and trigger the risk response actions. When KRIs begin to rapidly approach defined thresholds, it means that the risk exposure is increasing or decreasing significantly, and that the risk situation and status may have changed. Therefore, the primary focus of management is to determine what has changed in the environment, which is the internal or external context that influences or affects the risk exposure and impact. Determining what has changed in the environment helps to identify and analyze the causes, drivers, or factors of the risk change, and to evaluate the implications and consequences of the risk change. Determining what has changed in the environment also helps to update and adjust the risk assessment and response, and to communicate and escalate the risk change to the relevant stakeholders. Designing compensating controls, determining if KRIs have been updated recently, and assessing the effectiveness of the incident response plan are not the primary focus of management, as they are either the outputs or the inputs of the risk change analysis, and they do not address the primary need of understanding the risk change. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 50.

Perform a Risk Assessment:

Immediate Action: The first step when discovering a non-compliant implementation is to understand the potential risks it poses to the organization. This involves identifying threats, vulnerabilities, and potential impacts of the non-fungible token (NFT) asset program.

Risk Identification and Evaluation: Assess the new program’s impact on the organization’s risk profile. Determine if it introduces significant security, compliance, or operational risks.

Documentation and Reporting: Document the findings and present them to senior management along with recommendations for mitigation or further action.

Comparison with Other Options:

Report the Infraction: Reporting is necessary but should follow the risk assessment to provide a clear understanding of the implications and necessary mitigations.

Conduct Risk Awareness Training: Training is preventive and should be part of a long-term strategy, not the immediate response to a specific incident.

Discontinue the Process: Discontinuing the process may be a necessary step after assessing the risk, but the assessment must come first to justify such an action.

Best Practices:

Comprehensive Risk Assessment: Ensure that the risk assessment covers all aspects, including financial, reputational, and regulatory risks.

Stakeholder Involvement: Involve relevant stakeholders in the assessment process to gather diverse perspectives and ensure a thorough evaluation.

Actionable Recommendations: Provide clear, actionable recommendations based on the risk assessment findings.

The best type of indicators to measure the effectiveness of an organization’s firewall rule set are key control indicators (KCIs). A firewall is a device or software that filters the network traffic based on a set of rules or policies. A firewall rule set is the configuration of the firewall that defines the criteria for allowing or blocking the traffic. A key control indicator is a metric that measures the performance and effectiveness of a control in achieving its objectives and mitigating the risks. A key control indicator can help to evaluate the adequacy and efficiency of the firewall rule set, and to identify any gaps, weaknesses, or issues that need to be addressed.Key risk indicators (KRIs), key management indicators (KMIs), and key performance indicators (KPIs) are not as suitable as key control indicators, as they measure different aspects of the risk management process, such as the level and nature of the risk exposure, the alignment and integration of the risk management activities, and the achievement of the risk management goals and targets. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 220.

 In order to efficiently execute a risk response action plan, it is most important for the emergency response team members to understand their defined roles and responsibilities. This can help to ensure that the team members know what they are expected to do, how they should coordinate and communicate with each other, and how they should report the progress and outcome of therisk response. The system architecture in target areas, IT management policies and procedures, and business objectives of the organization are other important factors, but they arenot as important as the defined roles and responsibilities. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.