Isaca CRISC Questions Answers

An information asset inventory is a list of all the information assets that an organization owns or uses. It includes information such as the asset name, description, owner, location, classification, value, and dependencies. The primary objective of maintaining an information asset inventory is to provide input to business impact analyses (BIAs), which are used to identify the criticality and recovery priorities of information assets in the event of a disruption. By having an updated and accurate information asset inventory, an organization can ensure that the BIAs reflect the current state and needs of the business processes that rely on the information assets. References = CRISC Review Manual, 7th Edition, page 74.

The most critical factor to consider when determining an organization’s risk appetite is the management culture. The management culture reflects the values, beliefs, and attitudes of the senior management and the board of directors toward risk management. The management culture influences how the organization defines, communicates, and implements its risk appetite and tolerance. Fiscal management practices, business maturity, and budget for implementing security are other factors that may affect the risk appetite, but they are not as critical as the management culture. References = ISACA Certified in Risk andInformation Systems Control (CRISC) Certification Exam Question and Answers, question 8; CRISC Review Manual, 6th Edition, page 97.

Robotic process automation (RPA) is the use of software robots or artificial intelligence (AI) agents to automate repetitive, rule-based tasks that are normally performed by humans. RPA can improve efficiency, accuracy, and scalability of business processes, but it can also introduce new risks or change the existing risk profile. Therefore, the risk practitioner’s best course of action is to reassess whether the mitigating controls that were designed for the human-performed processes are still effective and adequate for the RPA-enabled processes. This may involve reviewing the control objectives, testing the control performance, identifying the control gaps, and recommending the control enhancements or modifications. References = CRISC Review Manual, 7th Edition, page 177.

The best recommendation for a risk practitioner upon learning that an employee inadvertently disclosed sensitive data to a vendor is to invoke the incident response plan. An incident response plan is a document that defines the roles, responsibilities, procedures, and resources fordetecting, analyzing, containing, eradicating, recovering, and reporting on security incidents that could affect the organization’s IT systems or data. An incident response plan helps to protect and restore the confidentiality, integrity, and availability of the organization’s information assets, and to comply with the relevant laws, regulations, standards, and contracts. Invoking the incident response plan is the best recommendation, because it helps to respond to and mitigate the security incident, and to minimize the damage and impact of the data disclosure. Invoking the incident response plan also helps to communicate and coordinate the incident response actions and strategies with the internal and external stakeholders, such as the data owners, users, custodians, and regulators, and to report and disclose the incident as required. The other options are not as effective as invoking the incident response plan, although they may be part of or derived from the incident response plan. Enrolling the employee in additional security training, conducting an internal audit, and instructing the vendor to delete the data are all examples of corrective or preventive actions, which may help to prevent or deter the recurrence of the data disclosure, or to verify or validate the data security, but they do not necessarily address or resolve the current security incident. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.4.1, page 5-32.