Online CRISC Questions Video

According to the CRISC Review Manual (Digital Version), threat analysis would be the most helpful when estimating the likelihood of negative events, as it involves identifying and evaluating the sources and causes of potential harm or loss to the IT assets and processes. Threat analysis helps to:

Determine the frequency and probability of occurrence of different types of threats, such as natural disasters, human errors, malicious attacks, system failures, etc.

Assess the impact and severity of the threats on the confidentiality, integrity and availability of the IT assets and processes

Prioritize the threats based on their likelihood and impact

Develop appropriate risk response strategies to prevent, mitigate, transfer or accept the threats

References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.5: IT Risk Identification Methods and Techniques, pp. 35-361

An IT risk and control self-assessment (RCSA) is a process that helps organizations identify and evaluate operational risks and assess the effectiveness of their control measures12. It is a structured approach that involves identifying, assessing, mitigating, and monitoring risks across all levels of an organization12.

A report to senior management is a document that summarizes and communicates the results and findings of the RCSA, and provides recommendations and action plans for improving the risk management and control processes34.

The most important aspect of an IT risk and control self-assessment to include in a report to senior management is an increase in residual risk, which is the risk remaining after risk treatment, and represents the exposure or potential impact of the risk on the organization’s objectives56.

An increase in residual risk is the most important aspect because it indicates the level of risk that the organization is willing to accept or tolerate, and the gap between the current and desired risk profile56.

An increase in residual risk is also the most important aspect because it requires the attention and decision of the senior management, who are responsible for defining the organization’s risk appetite, strategy, and criteria, and for ensuring that the residual risk is within the acceptable range56.

The other options are not the most important aspects, but rather possible components or outcomes of an IT risk and control self-assessment that may support or complement the report to senior management. For example:

Changes in control design are components of an IT risk and control self-assessment that involve modifying or updating the control measures to address the changes in the risk environment or the organization’s objectives56. However, changes in control design are not the most importantaspect because they do not measure or reflect the residual risk, which is the ultimate goal of the risk treatment56.

A decrease in the number of key controls is an outcome of an IT risk and control self-assessment that indicates the improvement or optimization of the control processes, and the reduction of the complexity or redundancy of the control measures56. However, a decrease in the number of key controls is not the most important aspect because it does not indicate or imply the residual risk, which may depend on other factors such as the effectiveness or efficiency of the controls56.

Changes in control ownership are components of an IT risk and control self-assessment that involve assigning or reassigning the responsibility and accountability for the control processes to the appropriate individuals or groups within the organization56. However,changes in control ownership are not the most important aspect because they do not affect or determine the residual risk, which is independent of the control owners56. References =

1: Risk and control self-assessment - KPMG Global1

2: Control Self Assessments - PwC2

3: How-To Guide: Implementing Risk Control Self-Assessment Steps4

4: RISK MANAGEMENT SELF-ASSESSMENT TEMPLATE - Smartsheet5

5: Risk IT Framework, ISACA, 2009

6: IT Risk Management Framework, University of Toronto, 2017

A technical vulnerability is a weakness or flaw in the design or implementation of an information system or resource that can be exploited or compromised by a threat or source of harm that may affect the organization’s objectives or operations. A technical vulnerability may be caused byvarious factors, such as human error, system failure, process inefficiency, resource limitation, etc.

A vulnerability assessment is a process of identifying and evaluating the technical vulnerabilities that exist or may arise in the organization’s information systems or resources, and determining their severity and impact. A vulnerability assessment can help the organization to assess and prioritize the risks, and to design and implement appropriate controls or countermeasures to mitigate or prevent the risks.

The best response to the scenario of a recently discovered technical vulnerability being actively exploited is to conduct a vulnerability assessment, because it can help the organization to address the following questions:

What is the nature and extent of the technical vulnerability, and how does it affect the functionality or security of the information system or resource?

How is the technical vulnerability being exploited or compromised, and by whom or what?

What are the potential consequences or impacts of the exploitation or compromise of the technical vulnerability for the organization and its stakeholders?

How can the technical vulnerability be detected and reported, and what are the available or feasible options or solutions to address or correct it?

Conducting a vulnerability assessment can help the organization to improve and optimize the information system or resource quality and performance, and to reduce or eliminate the technical vulnerability. It can also help the organization to align the information system or resource with the organization’s objectives and requirements, and to comply with the organization’s policies and standards.

The other options are not the best responses to the scenario of a recently discovered technical vulnerability being actively exploited, because they do not address the main purpose and benefit of conducting a vulnerability assessment, which is to identify and evaluate the technical vulnerability, and to determine its severity and impact.

Assessing the vulnerability management process is a process of evaluating and verifying the adequacy and effectiveness of the process that is used to identify, analyze, evaluate, and communicate the technical vulnerabilities, and to align them with the organization’s objectives and requirements. Assessing the vulnerability management process can help the organization to improve and optimize the process, and to reduce or eliminate the gaps or weaknesses in the process, but it is not the best response to the scenario, because it does not indicate the nature and extent of the technical vulnerability, and how it affects the organization and its stakeholders.

Conducting a control self-assessment is a process of evaluating and verifying the adequacy and effectiveness of the controls that are intended to ensure the confidentiality, integrity, availability, and reliability of the information systems and resources, using the input and feedback from the individuals or groups that are involved or responsible for the information systems activities or functions. Conducting a control self-assessment can help the organization to identify and document the control deficiencies, and to align them with the organization’s objectives and requirements, but it is not the best response to the scenario, because it does not indicate thenature and extent of the technical vulnerability, and how it affects the organization and its stakeholders.

Reassessing the inherent risk of the target is a process of reevaluating and recalculating the amount and type of risk that exists in the absence of any controls, and that is inherent to the nature or characteristics of the target, which is the information system or resource that is affected by the technical vulnerability. Reassessing the inherent risk of the target can help the organization to understand and document the risk exposure or level, and to align it with the organization’s risk appetite and tolerance, but it is not the best response to the scenario, because it does not indicate the nature and extent of the technical vulnerability, and how it affects the organization and its stakeholders. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 195

CRISC Practice Quiz and Exam Prep

 According to the CRISC Review Manual (Digital Version), an effective control environment is best indicated by controls that manage risk within the organization’s risk appetite, as this reflects the alignment of thecontrol objectives and activities with the organization’s strategic goals and risk preferences. The risk appetite is the amount and type of risk that the organization is willing to accept in pursuit of its objectives. Managing risk within the organization’s risk appetite helps to:

Balance the potential benefits and costs of risk-taking and risk response

Optimize the use of the organization’s resources and capabilities

Enhance the value and performance of the organization

Foster a risk-aware culture that supports the organization’s vision and mission

References = CRISC Review Manual (Digital Version), Chapter 2: IT Risk Assessment, Section 2.3: IT Risk Assessment Process, pp. 93-941