Selected CRISC Isaca Certification Questions Answers

The greatest concern for an IT risk practitioner when an employee transfers to another department is that unnecessary access permissions have not been removed. Unnecessary access permissions are the access rights or privileges that are no longer needed, relevant, or appropriate for the employee’s new role or responsibility. If these access permissions are not removed, they may pose a significant security risk, as the employee may be able to access, modify, or delete sensitive or critical data and systems that are not related to their current function. This may result in data leakage, fraud, sabotage, or compliance violations. The other options are not as concerning as unnecessary access permissions, as they are related to the organizational, operational, or knowledge aspects of the employee transfer, not the security or risk aspects of the employee transfer. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud computing architecture is the structure and design of the cloud environment, which includes the components, services, interfaces, standards, and configurations. The cloud computing architecture should be used as the primary basis for evaluating the state of an organization’s cloud computing environment against leading practices, as it determines the performance, security, reliability, scalability, and interoperability of the cloud services. By comparing the cloud computing architecture with the best practices and benchmarks in the industry, an organization can identify the gaps and weaknesses in the cloud environment and implement the necessary improvements and controls. References = CRISC Review Manual, 7th Edition, page 156.

When updating a risk register with the results of an IT risk assessment, the risk practitioner should log the known risk scenarios, because they are the risk scenarios that have been identified and assessed in the IT risk assessment process. The risk register should document and track the known risk scenarios, their characteristics, their status, and their responses. The other options are not the ones that should be logged, because:

Option A: High impact scenarios are the risk scenarios that have a high potential impact on the business objectives and processes, but they are not the only ones that should be logged. The risk register should include all the known risk scenarios, regardless of their impact level.

Option B: High likelihood scenarios are the risk scenarios that have a high probability of occurrence, but they are not the only ones that should be logged. The risk register should include all the known risk scenarios, regardless of their likelihood level.

Option C: Treated risk scenarios are the risk scenarios that have been addressed by the risk response actions, but they are not the only ones that should be logged. The risk register shouldinclude all the known risk scenarios, regardless of their treatment status. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 108.

According to the CRISC Review Manual1, a cable lock is a physical security device that attaches a laptop to a fixed object, such as a desk or a wall, to prevent unauthorized removal or theft. A cable lock is the best option to reduce the probability of laptop theft, as it acts as a deterrent and a barrier for potential thieves. A cable lock also helps to protect the confidentiality, integrity, andavailability of the data stored on the laptop, as well as the laptop itself. References = CRISC Review Manual1, page 253.