CRISC Exam Questions Tutorials

The recovery time objective (RTO) is the planned recovery time for a process or system which should occur before reaching the business process’s maximum tolerable downtime (MTD) or maximum allowable outage (MAO). The RTO must be aligned with the MAO to ensure that the continuity of the business process is not compromised by a prolonged outage. The RTO is determined by the business impact analysis (BIA) based on the criticality and urgency of the business process and its dependencies. The RTO also helps to select and implement appropriate recovery methods and procedures for the process or system. References = Risk and Information Systems Control Study Manual, Chapter 6: IT Risk Monitoring and Reporting, Section 6.2: IT Risk Reporting, Page 307; What is the difference between RPO, RTO, and MTD? - Tandem Blog.

•A risk treatment plan is a document that describes the actions and resources needed to implement the chosen risk response strategy for each identified risk1. A risk response strategy is the way an organization decides to address a risk, such as avoiding, accepting, mitigating, or transferring it2.

•Sometimes, a risk treatment plan may not be completed on time due to various reasons, such as delays, resource constraints, technical issues, or changes in the risk environment. In such cases, the best approach is to implement compensating controls until the preferred action can be completed3.

•Compensating controls are alternative or additional controls that provide a similar level of assurance or protection as the original controls, when the latter are not feasible or sufficient3. Compensating controls can help to reduce the residual risk or maintain the risk within the acceptable level until the risk treatment plan is fully executed3.

•For example, if the risk treatment plan involves installing a firewall to protect the network from external threats, but the firewall is not available or compatible with the current system, a compensating control could be to use encryption, authentication, or monitoring tools to secure the network traffic until the firewall is installed3.

•Implementing compensating controls is better than the other options because it allows the organization to continue with the risk treatment plan while maintaining an adequate level of security and compliance. The other options are not advisable for the following reasons:

oReplacing the action owner with a more experienced individual (option A) may not solve the problem if the issue is not related to the action owner’s competence or performance. Moreover, replacing the action owner may cause disruption, confusion, or conflict in the risk management process.

oChanging the risk response strategy of the relevant risk to risk avoidance (option C) may not be possible or desirable if the risk is associated with a critical or beneficial activity or process. Risk avoidance means eliminating the source of the risk or discontinuing the activity that causes the risk2. This may result in losing opportunities, benefits, or value for the organization.

oDeveloping additional key risk indicators (KRIs) until the preferred action can be completed (option D) may not be effective or efficient if the existing KRIs are already sufficient to monitor and measure the risk. KRIs are metrics or data points that provide early warning signals or information about the level or trend of a risk456. Developing additional KRIs may not reduce the risk or improve the risk treatment plan, but may increase the complexity and cost of the risk management process.

References =

•Key Risk Indicators: Examples & Definitions - SolveXia

•Key Risk Indicators: A Practical Guide | SafetyCulture

•Complete Guide to Key Risk Indicators — RiskOptics

•Risk Response Plan in Project Management: Key Strategies & Tips

•Risk response strategies: mitigation, transfer, avoidance, acceptance - Twproject: project management software,resource management, time tracking, planning, Gantt, kanban

•Risk Response Strategies: A Guide to Navigating Uncertainty - Teamly

•Compensating Controls | Audit and Compliance | Pathlock

The product owner should own the associated risk when contracting with a cloud service provider to support the deployment of a new product. The product owner is the person who has the authority and responsibility for defining the product vision, requirements, and priorities. The product owner also has the accountability for the business value and outcomes of the product. Therefore, the product owner should be the one who identifies, assesses, and manages the risks related to the cloud service provider, such as security, compliance, performance, and quality. The product owner should also collaborate with the other stakeholders, such as the head of EA, the IT risk manager, and the information security manager, to ensure that the cloud service provider meets the organization’s standards and expectations. References = Risk and Information Systems Control Study Manual, Chapter 5: IT Risk Mitigation, Section 5.3: IT Risk Mitigation Strategies and Approaches, Page 254; Best Practices to Manage Risks in the Cloud - ISACA.

The operational risk associated with attacks on a web application should be owned by the individual in charge of the business function, because they are the primary stakeholder and beneficiary of the web application, and they are responsible for defining and achieving the business objectives and requirements that the web application supports or enables. An operational risk is a risk of loss or damage resulting from inadequate or failed internal processes, people, or systems, or from external events. An attack on a web application is a type of operational risk that involves a malicious or unauthorized attempt to compromise the confidentiality, integrity, or availability of the web application, such as a denial-of-service attack, a SQL injection attack, or a cross-site scripting attack. A web application is an application that runs on a web server and can be accessed or used through a web browser, such as an online shopping site, a social media platform, or a web-based email service. A business function is a set of activities or tasks that support or enable the organization’s vision, mission, and strategy, such as marketing, sales, or customer service. A risk owner is a person or role that has the authority and accountability to manage a specific risk, and to implement and monitor the risk response and controls. The individual in charge of the business function should be the risk owner, as they have the best understanding and interest of the web application and its business value and impact, and they have the ability and responsibility to manage the operational risk associated with the attacks on the web application. The individual in charge of network operations, the cybersecurity function, or application development are all possible candidates for the risk owner, but they are not the best choice, as they may not have the same level of stake and influence in the web application and its business objectives and requirements, and they may have different or conflicting priorities or perspectives on the operational risk and its management. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.1, page 101