Which of the following is a specific concern related to machine learning algorithms?
Low software quality
Lack of access controls
Data breaches
Data bias
Detailed Explanation:Data biasin machine learning algorithms can lead to inaccurate predictions or decisions, as biases in training data are amplified in the output. Addressing bias is essential for ethical and reliable algorithm performance.
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?
Perform a root cause analysis
Perform a code review
Implement version control software.
Implement training on coding best practices
A root cause analysis is a process of identifying and understanding the underlying or fundamental causes or factors that contribute to or result in a problem or incident that has occurred or may occur in the organization. A root cause analysis can provide useful insights and solutions on the origin and nature of the problem or incident, and prevent or reduce its recurrence or impact.
Performing a root cause analysis is the risk practitioner’s best recommendation when the number of tickets to rework application code has significantly exceeded the established threshold, because it can help the organization to address the following questions:
Why did the application code require rework?
What were the errors or defects in the application code?
How did the errors or defects affect the functionality or usability of the application?
Who was responsible or accountable for the application code development and testing?
When and how were the errors or defects detected and reported?
What were the costs or consequences of the rework for the organization and its stakeholders?
How can the errors or defects be prevented or minimized in the future?
Performing a root cause analysis can help the organization to improve and optimize the application code quality and performance, and to reduce or eliminate the need for rework. It can also help the organization to align the application code development and testing with the organization’s objectives and requirements, and to comply with the organization’s policies and standards.
The other options are not the risk practitioner’s best recommendations when the number of tickets to rework application code has significantly exceeded the established threshold, because they do not address the main purpose and benefit of performing a root cause analysis, which is to identify and understand the underlying or fundamental causes or factors that contribute to or result in the problem or incident.
Performing a code review is a process of examining and evaluating the application code for its quality, functionality, and security, using the input and feedback from the peers, experts, or tools. Performing a code review can help the organization to identify and resolve the errors or defects in the application code, but it is not the risk practitioner’s best recommendation, because it doesnot indicate why the application code required rework, and how the errors or defects affected the organization and its stakeholders.
Implementing version control software is a process of using a software tool to manage and track the changes and modifications to the application code, and to ensure the consistency and integrity of the application code. Implementing version control software can help theorganization to control and monitor the application code development and testing, but it is not the risk practitioner’s best recommendation, because it does not indicate why the application code required rework, and how the errors or defects affected the organization and its stakeholders.
Implementing training on coding best practices is a process of providing and facilitating the learning and development of the skills and knowledge on the principles, guidelines, and standards for the application code development and testing. Implementing training on coding best practices can help the organization to enhance the competence and performance of the application code developers and testers, but it is not the risk practitioner’s best recommendation, because it does not indicate why the application code required rework, and how the errors or defects affected the organization and its stakeholders. References =
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 40-41, 47-48, 54-55, 58-59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 189
CRISC Practice Quiz and Exam Prep
Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?
Aligning risk ownership and control ownership
Developing risk escalation and reporting procedures
Maintaining up-to-date risk treatment plans
Using a consistent method for risk assessment
A risk register is a document that records and tracks the information and status of the identified risks and their responses. It includes the risk description, category, source, cause, impact, probability, priority, response, owner, action plan, status, etc.
A risk scenario is a description or representation of a possible or hypothetical situation or event that may cause or result in a risk for the organization. A risk scenario usually consists of three elements: a threat or source of harm, a vulnerability or weakness, and an impact or consequence.
Multiple risk practitioners are the individuals or groups that are involved or responsible for the identification, analysis, evaluation, and communication of the risks and their responses. They may include the risk owners, risk managers, risk analysts, risk consultants, risk auditors, etc.
A single risk register is a risk register that is shared or used by multiple risk practitioners across the organization, and that contains the information and status of all the risks and their responses that are relevant or applicable to the organization.
The most important consideration when multiple risk practitioners capture risk scenarios in a single risk register is using a consistent method for risk assessment, which is the process of determining the significance and urgency of the risks that may affect the organization’s objectives and operations. Risk assessment involves measuring and comparing the likelihood and impact of various risk scenarios, and prioritizing them based on their magnitude and importance.
Using a consistent method for risk assessment when multiple risk practitioners capture risk scenarios in a single risk register ensures that the risk scenarios are captured and recorded in a uniform and standardized way, and that they are comparable and compatible with each other. It alsohelps to avoid or reduce the inconsistencies, discrepancies, or conflicts that may arise from the different perspectives, assumptions, or judgments of the multiple risk practitioners, and to ensure the accuracy, reliability, and validity of the risk register.
The other options are not the most important considerations when multiple risk practitioners capture risk scenarios in a single risk register, because they do not address the main challenge or issue that may arise from the multiple risk practitioners capturing risk scenarios in a single risk register, which is the lack of consistency or standardization in the risk assessment method.
Aligning risk ownership and control ownership means ensuring that the individuals or groups that are accountable and responsible for the risks and their responses are clearly defined and assigned, and that they have the authority and resources to perform their roles and duties. Aligning risk ownership and control ownership is important when multiple risk practitioners capture risk scenarios in a single risk register, but it is not the most important consideration, because it does not ensure that the risk scenarios are captured and recorded in a uniform and standardized way, and that they are comparable and compatible with each other.
Developing risk escalation and reporting procedures means establishing and implementing the processes and guidelines for communicating and sharing the information and status of the risks and their responses among the relevant stakeholders, and for escalating or transferring the risks and their responses to the appropriate levels or parties when necessary or required. Developing risk escalation and reporting procedures is important when multiple risk practitioners capture riskscenarios in a single risk register, but it is not the most important consideration, because it does not ensure that the risk scenarios are captured and recorded in a uniform and standardized way, and that they are comparable and compatible with each other.
Maintaining up-to-date risk treatment plans means updating and revising the actions or plans that are selected and implemented to address or correct the risks and their responses, based on the changes or developments that may occur in the risk environment or performance. Maintaining up-to-date risk treatment plans is important when multiple risk practitioners capture risk scenarios in a single risk register, but it is not the most important consideration, because it does not ensure that the risk scenarios are captured and recorded in a uniform and standardized way, and that they are comparable and compatible with each other. References =
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 178
CRISC Practice Quiz and Exam Prep
Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?
Vulnerability and threat analysis
Control remediation planning
User acceptance testing (UAT)
Control self-assessment (CSA)
Information systems control deficiencies are the weaknesses or flaws in the design or implementation of the controls that are intended to ensure the confidentiality, integrity, availability, and reliability of the information systems and resources. Information systems control deficiencies may reduce the effectiveness or efficiency of the controls, and expose the organization to various risks, such as unauthorized access, data loss, system failure, etc.
Reviewing results from control self-assessment (CSA) is the best way to identify information systems control deficiencies, because CSA is a process of evaluating and verifying the adequacy and effectiveness of the information systems controls, using the input and feedback from the individuals or groups that are involved or responsible for the information systems activities or functions. CSA can help the organization to identify and document the information systems control deficiencies, and to align them with the organization’s information systems objectives and requirements.
CSA can be performed using various techniques, such as questionnaires, surveys, interviews, workshops, etc. CSA can also be integrated with the organization’s governance, risk management, and compliance functions, and aligned with the organization’s policies and standards.
The other options are not the best ways to identify information systems control deficiencies, because they do not provide the same level of detail and insight that CSA provides, and they may not be relevant or actionable for the organization.
Vulnerability and threat analysis is a process of identifying and evaluating the weaknesses or flaws in the organization’s assets, processes, or systems that can be exploited or compromised by the potential threats or sources of harm that may affect the organization’s objectives or operations. Vulnerability and threat analysis can help the organization to assess and prioritize the risks, and to design and implement appropriate controls or countermeasures to mitigate or prevent the risks, but it is not the best way to identify information systems control deficiencies, because it does not indicate whether the existing information systems controls are adequate and effective, and whether they comply with the organization’s policies and standards.
Control remediation planning is a process of selecting and implementing the actions or plans to address or correct the information systems control deficiencies that have been identified, analyzed, and evaluated. Control remediation planning involves choosing one ofthe following types of control responses: mitigate, transfer, avoid, or accept. Control remediation planning can help the organization to improve and optimize the information systems controls, and to reduce or eliminate the information systems control deficiencies, but it is not the best way to identify information systems control deficiencies, because it is a subsequent or follow-up process that depends on the prior identification of the information systems control deficiencies.
User acceptance testing (UAT) is a process of verifying and validating the functionality and usability of the information systems and resources, using the input and feedback from the endusers or customers that interact with the information systems and resources. UAT can help the organization to ensure that the information systems and resources meet the user or customer expectations and requirements, and to identify and resolve any issues or defects that may affect the user or customer satisfaction, but it is not the best way to identify information systems control deficiencies, because it does not focus on the information systems controls, and it may not cover all the relevant or significant information systems control deficiencies that may exist or arise. References =
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 40-41, 47-48, 54-55, 58-59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 186
CRISC Practice Quiz and Exam Prep
Copyright © 2021-2025 CertsTopics. All Rights Reserved
