Complete CRISC Isaca Materials

Preventive controls are the best types of controls to minimize the risk associated with a vulnerability, because they aim to avoid or reduce the occurrence of a threat or an exploit. Preventive controls can include physical, technical, or administrative measures, such as locks, firewalls, encryption, policies, training, or backup. Preventive controls can also involve eliminating or substituting the source of the vulnerability, such as outdated software or hardware.

References

•ISACA CRISC Review Manual, 7th Edition, Domain 3: Risk Response, Section 3.2.1: Control Types

•Hazard Controls - Princeton University

•Risk Control | Techniques and Importance of Risk Control - EDUCBA

Data classification is the process of assigning labels or categories to data based on its sensitivity, value, and criticality to the organization. Data classification is the first consideration when analyzing the risk associated with the web application hosted by a cloud service, as it determines the level of protection and controls required for the data. Data classification can help the organization to comply with legal, regulatory, and contractual obligations, such as GDPR, CCPA, and PCI DSS, and to prevent data breaches, leaks, or losses. Data classification can also help the organization to evaluate the suitability and trustworthiness of the cloud service provider, and to negotiate the terms and conditions of the service level agreement (SLA).

References:

•ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives, 2009, p. 141

•ISACA, Data Classification: What It Is, Why You Should Care and How to Perform It2

Involve the development team in planning is the best recommendation to help reduce IT risk associated with scheduling overruns when starting a new application development project. This is because involving the development team in planning can help ensure that the project scope, requirements, resources, and timeline are realistic, feasible, and agreed upon by all stakeholders. It can also help improve the communication, collaboration, and commitment of the development team, as well as identify and mitigate potential risks and issues early in the project life cycle. According to the CRISC Review Manual 2022, one of the key risk identification techniques for IT projects is to involve the project team and other relevant parties in the risk assessment process1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, involving the development team in planning is the correct answer to this question2.

Implementing a tool to track the development team’s deliverables, reviewing the software development life cycle, and assigning more developers to the project team are not the best recommendations to help reduce IT risk associated with scheduling overruns. These are possible actions that can be taken during or after the planning phase, but they do not address the root cause of the risk, which is the lack of involvement of the development team in planning. Implementing a tool to track the development team’s deliverables can help monitor the project progress and performance, but it does not guarantee that the deliverables are aligned with the project objectives and expectations. Reviewing the software development life cycle can help ensure that the project follows a structured and standardized process, but it does not account for the specific needs and challenges of the project. Assigning more developers to the project team can help increase the project capacity and productivity, but it can also introduce new risks such as coordination, communication, and quality issues.

The integrity of data should be the greatest concern for a risk practitioner upon learning of failures in a data migration activity, because it affects the accuracy, completeness, and consistency of the data that are transferred from one system or format to another. Data integrity is a property of data that ensures that the data are valid, reliable, and trustworthy, and that they have not been altered or corrupted by unauthorized or accidental means. Data migration is a process of moving or copying data from one system or format to another, usually as part of a system upgrade, consolidation, or transformation. Data migration can pose risks to the integrity of data, such as data loss, duplication, inconsistency, or corruption, due to factors such as incompatible formats, human errors, technical glitches, or malicious attacks. Therefore, the integrity of data should be the greatest concern, as it impacts the quality and usability of the data, and the performance and functionality of the system. The availability of test data, the cost overruns, and the system performance are all possible concerns for a risk practitioner, but they are not the greatest concern, as they do not directly affect the integrity of data. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158