Pearson CRISC New Attempt

Open communication of risk reporting is the most important factor for promoting a risk-aware culture, because it fosters trust, transparency, and accountability among all stakeholders. It also enables timely and informed decision-making, feedback, and learning from risk events. Regular testing of risk controls, communication of audit findings, and procedures for security monitoring are all important aspects of risk management, but they do not necessarily create a risk-aware culture, which requires a shared understanding and commitment to risk management across the organization. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.2.2, page 1-9.

The internal auditor is the best suited to provide objective input when updating residual risk to reflect the results of control effectiveness. The internal auditor is an independent and impartial function that evaluates the adequacy and effectiveness of the internal controls and reports on the findings and recommendations. The internal auditor can provide an unbiased and reliable assessment of the residual risk, which is the risk that remains after the controls are applied. The other options are not as objective as the internal auditor, as they may have vested interests or conflicts of interest in the control environment. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.4: IT Risk Response, page 87.

Before assigning sensitivity levels to information, it is most important to define the information classification policy. The information classification policy is a document that establishes the criteria, categories, roles, responsibilities, and procedures for classifying information according to its sensitivity, value, and criticality. The information classification policy provides the basis, guidance, and consistency for assigning sensitivity levels to information, and ensures that the information is protected and handled appropriately. The other options are not as important as defining the information classification policy, as they are related to the specific steps, activities, or outputs of the information classification process, not the overall structure and quality of the information classification process. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.

 The best way to facilitate the implementation of data classification requirements is to assign a data owner. A data owner is a person who has the authority and responsibility for defining, classifying, and protecting the data. A data owner can help to facilitate the implementation of data classification requirements by providing the criteria, categories, roles, and procedures for classifying the data according to its sensitivity, value, and criticality. A data owner can also ensure that the data is handled and stored appropriately, and that the data classification policy is enforced and monitored. The other options are not as effective as assigning a data owner, as they are related to the prevention, audit, or control of the data, not the classification or protection of the data. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.