Isaca CRISC Online Access

 The best course of action for the risk practitioner who has identified that the agreed RTO with a SaaS provider is longer than the business expectation is to document the gap in the risk register and report to senior management. The risk register is the document that records the details of all identified risks, including their sources, causes, impacts, likelihood, and responses. The risk register should be updated regularly to reflect any changes in the risk environment or the risk status. Reporting to senior management is also important, because senior management is the highest level of authority and responsibility in the organization, and they are responsible for setting the strategic direction, objectives, and risk appetite of the organization. Senior management should also oversee the risk management process, and ensure that the risks are aligned with the organization’s goals and values. By documenting the gap in the risk register and reporting to senior management, the risk practitioner can communicate the issue clearly and effectively, and seek guidance and support for resolving the problem. Collaborating with the risk owner, including a right to audit clause, or advising the risk owner to accept the risk are not the best courses of action, because they may not be feasible, effective, or desirable in some situations, or they may require senior management approval or involvement. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 4-13.

The most important information to review when developing plans for using emerging technologies is the organizational strategic plan. The organizational strategic plan is a document that defines the vision, mission, goals, and objectives of the organization. It also outlines the strategies, actions, and resources that are needed to achieve them. The organizational strategic plan provides the direction, alignment, and guidance for the use of emerging technologies, and ensures that they are aligned with and support the organizational needs and priorities. The other options are not as important as the organizational strategic plan, as they are related to the current state, specific area, or potential issues of the use of emerging technologies, not the overall purpose and value of the use of emerging technologies. References = Risk and InformationSystems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.2: IT Risk Identification Methods, page 19.

 The best way to mitigate the ongoing risk associated with operating system (OS) vulnerabilities is to document and implement a patching process. A patching process is a set of procedures and guidelines that define how to identify, evaluate, test, apply, and monitor patches for the OS. Patches are updates or fixes that address the known vulnerabilities or bugs in the OS. By documenting and implementing a patching process, the organization can ensure that the OS is regularly updated and protected from the potential exploits or attacks that may exploit the vulnerabilities. The other options are not as effective as documenting and implementing a patching process, as they are related to the temporary, partial, or reactive measures to deal with the OS vulnerabilities, not the proactive and continuous measures to prevent or reduce the OS vulnerabilities. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.