CRISC Exam Dumps : Certified in Risk and Information Systems Control

The effectiveness of anti-malware software is the degree to which it can detect, prevent, and remove malicious software (malware) from the system or network. Malware is any software that is designed to harm, exploit, or compromise the functionality, security, or privacy of the system or network1. Some common types of malware are viruses, worms, Trojans, ransomware, spyware, adware, and rootkits2.

One of the best indicators of the effectiveness of anti-malware software is the number of successful attacks by malicious software, which means the number of times that malware has managed to bypass, evade, or disable the anti-malware software and cause damage or disruption to the system or network. The lower the number of successful attacks, the higher the effectiveness of the anti-malware software. This indicator can measure the ability of the anti-malware software to protect the system or network from known and unknown malware threats, and to respond and recover from malware incidents34.

The other options are not the best indicators of the effectiveness of anti-malware software, because:

Number of staff hours lost due to malware attacks is a measure of the impact or consequence of malware attacks on the productivity or performance of the staff. It does not directly reflect the ability of the anti-malware software to detect, prevent, or remove malware, as there may be other factors that affect the staff hours lost, such as the severity of the attack, the availability of backup or recovery systems, or the skills and awareness of the staff5.

Number of downtime hours in business critical servers is a measure of the impact or consequence of malware attacks on the availability or reliability of the servers. It does not directly reflect the ability of the anti-malware software to detect, prevent, or remove malware, as there may be other factors that affect the downtime hours, such as the type of the server, the configuration of the network, or the maintenance of the hardware6.

Number of patches made to anti-malware software is a measure of the maintenance or improvement of the anti-malware software. It does not directly reflect the ability of the anti-malware software to detect, prevent, or remove malware, as there may be other factors that affect the number of patches, such as the frequency of the updates, the quality of the software, or the compatibility of the system7.

References =

What is Malware? - Definition from Techopedia

Common Types of Malware and Their Impact - Techopedia

What is Anti-Malware? Everything You Need to Know (2023) - SoftwareLab

The 10 Best Malware Protection Solutions Compared for 2024 - Techopedia

The Cost of Malware Attacks - Security Boulevard

The Impact of Malware on Business - Kaspersky

What is Patch Management? - Definition from Techopedia

Inherent risk rating is a measure of the natural level of risk that is part of an application, before any controls are applied1. Inherent risk rating helps to identify and prioritize the applications that pose the highest risk to the organization and require the most attention and resources for risk management2. The responsibility for determining the inherent risk rating of an application should belong to the risk practitioner, as they have the expertise and knowledge to perform a comprehensive and consistent risk assessment of the application, using a standard methodology and criteria3. The risk practitioner should also communicate and report the inherent risk rating of the application to the relevant stakeholders, such as the application owner, senior management, and business process owner, and provide recommendations for risk mitigation4. The application owner, senior management, and business process owner are not the best choices for determining the inherent risk rating of an application, as they may not have the same level of skill and objectivity as the risk practitioner. The application owner is the person who has the authority and accountability for the application and its performance5. The application owner may be involved in providing input and feedback to the risk practitioner during the risk assessment process, but they may not be able to assess the inherent risk rating of the application independently and impartially, as they may have a vested interest in the application’s success and reputation6. Senior management is the group of executives who set the strategic direction and objectives of the organization and oversee its performance7. Senior management may be involved in approving and endorsing the risk assessment process and its results, but they may not be able to assess the inherent risk rating of the application in detail and depth, as they may have a broader and higher-level perspective of the organization’s risk profile and priorities8. The business process owner is the person who has the authority and accountability for a business process that is supported or enabled by the application. The business process owner may be involved in providing input and feedback to the risk practitioner during the risk assessment process, but they may not be able to assess the inherent risk rating of the application accurately and comprehensively, as they may have a limited and specific view of the application’s functionality and value. References = 2: Introduction toapplication risk rating & assessment | Infosec3: Application Security Risk: Assessment and Modeling - ISACA4: Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.1: Inherent Risk Rating - Shared Assessments - Third Party Risk Management5: [Application Owner - Gartner IT Glossary] 6: Perform Inherent Risk Analysis - Oracle7: [Senior Management - Definition, Roles and Responsibilities] 8: Rating Inherent and Residual Risk - Barn Owl : [Business Process Owner - Gartner IT Glossary] : [Business Process Owner - Roles and Responsibilities]

The most useful information to determine mitigating controls when a core data center went offline abruptly for several hours affecting many transactions across multiple locations is the root cause analysis. Root cause analysis is a technique that identifies the underlying factors or reasons that caused the problem or incident. Root cause analysis can help to understand the nature, scope, and impact of the problem or incident, and to prevent or reduce the recurrence or severity of the problem or incident in the future. Root cause analysis can also help to identify and prioritize the appropriate mitigating controls that address the root causes of the problem or incident. The other options are not as useful as root cause analysis, as they are related to the investigation, evaluation, or measurement of the problem or incident, not the resolution or prevention of the problem or incident. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.