CRISC Exam Questions Tutorials

 Key risk indicators (KRIs) are metrics that provide an early warning of increasing risk exposure in various areas of the organization. They help to monitor changes in the level of risk and enable timely actions to mitigate the risk. The major advantage of using KRIs is that they identify when risk exceeds defined thresholds, which are the acceptable or tolerable levels of risk that the organization has established. By identifying when risk exceeds defined thresholds, the KRIs can alert the management and stakeholders of the need to take corrective or preventive measures, and avoid or reduce the potential losses or damages. References = 3

A three lines of defense structure is a model that defines the roles and responsibilities of different functions and levels within an organization for risk management and control. The first line of defense is the operational management, which is responsible for owning and managing the risks. The second line of defense is the risk management and compliance functions, which are responsible for overseeing and supporting the risk management processes. The third line of defense is the internal audit function, which is responsible for providing independent assurance on the effectiveness of the risk management and control systems. The greatest benefit of a three lines of defense structure is that it provides clear accountability for risk management processes, as it clarifies who is responsible for what, and how they interact and communicate with each other. This can help to avoid duplication, confusion, or gaps in the risk management activities, and ensure that the risks are properly identified, assessed, treated, monitored, and reported. References = CRISC Review Manual, 7th Edition, page 107.

The best way to provide assurance of the effectiveness of vendor security controls is to require independent control assessments. Independent control assessments are evaluations of the vendor’s security controls by a third-party auditor or assessor, such as an external auditor, a certification body, or a testing laboratory. Independent control assessments provide an objective and unbiased opinion on the adequacy and performance of the vendor’s security controls, as well as the compliance with relevant standards and regulations. Independent control assessments can also provide evidence and assurance to the customers of the vendor’s security posture and capabilities. Reviewing vendor control self-assessments (CSA), vendor service level agreement (SLA) metrics, or vendor references from existing customers are not as reliable or credible as independent control assessments, because they may be biased, incomplete, or outdated.

The primary reason for sharing risk assessment reports with senior stakeholders is to support decision-making for risk response. Risk assessment reports are documents that summarize the results of the risk assessment process, such as the risk sources, causes, impacts, likelihood, and levels. Risk assessment reports also provide recommendations for risk response options, such as avoiding, reducing, transferring, or accepting the risk. Sharing risk assessment reports with senior stakeholders helps to inform them of the current risk situation, and to solicit their input, feedback, or approval for the risk response actions. The other options are not the primary reason for sharing risk assessment reports, although they may be secondary reasons or outcomes. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.2.1, page 4-13.