A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:
conduct a gap analysis against compliance criteria.
identify necessary controls to ensure compliance.
modify internal assurance activities to include control validation.
collaborate with management to meet compliance requirements.
According to the CRISC Review Manual (Digital Version), the best course of action when a risk assessment has identified that an organization may not be in compliance with industry regulations is to conduct a gap analysis against compliance criteria, which is a method of comparing the current state of compliance with the desired or required state of compliance. Conducting a gap analysis against compliance criteria helps to:
Identify and evaluate the differences or discrepancies between the compliance requirements and the actual compliance practices and capabilities
Assess the impact and severity of the compliance gaps on the organization’s objectives and performance
Prioritize the compliance gaps based on their urgency and importance
Develop and implement appropriate actions or measures to close or reduce the compliance gaps
Monitor and measure the effectiveness and efficiency of the actions or measures taken to address the compliance gaps
References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.5: IT Risk Identification Methods and Techniques, pp. 34-351
Which of the following controls will BEST detect unauthorized modification of data by a database administrator?
Reviewing database access rights
Reviewing database activity logs
Comparing data to input records
Reviewing changes to edit checks
Unauthorized modification of data by a database administrator is a security risk that involves altering, deleting, or inserting data on a database without proper authorization or approval, by a person who has privileged access to the database, such as a database administrator12.
The best control to detect unauthorized modification of data by a database administrator is to review database activity logs, which are records that capture and store the details and history of the transactions or activities that are performed on the database, such as who, what, when, where, and how34.
Reviewing database activity logs is the best control because it provides evidence and visibility of the database operations, and enables the detection and reporting of any deviations, anomalies, or issues that may indicate unauthorized modification of data by a database administrator34.
Reviewing database activity logs is also the best control because it supports the accountability and auditability of the database operations, and facilitates the investigation and resolution of any unauthorized modification of data by a database administrator34.
The other options are not the best controls, but rather possible measures or techniques that may supplement or enhance the review of database activity logs. For example:
Reviewing database access rights is a measure that involves verifying and validating the permissions and privileges that are granted or revoked to the users or roles who can access or modify the data on the database56. However, this measure is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the database administrator has legitimate access rights to the data56.
Comparing data to input records is a technique that involves matching and reconciling the data on the database with the original or source data that are entered or imported into the database, and identifying and correcting any discrepancies or errors78. However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the input records are also modified or compromised78.
Reviewing changes to edit checks is a technique that involves examining and evaluating the modifications or updates to the edit checks, which are rules or validations that are applied to the data on the database to ensure their accuracy, completeness, andconsistency9 . However, this technique is not the best control because it does not directly detect unauthorized modification of data by a database administrator, especially if the edit checks are bypassed or disabled9 . References =
1: Database Security: Attacks and Solutions | SpringerLink2
2: Unauthorised Modification of Data With Intent to Cause Impairment3
3: Database Activity Monitoring - Wikipedia4
4: Database Activity Monitoring (DAM) | Imperva5
5: Database Access Control - Wikipedia6
6: Database Access Control: Best Practices for Database Security7
7: Data Reconciliation - Wikipedia8
8: Data Reconciliation and Gross Error Detection9
9: Edit Check - Wikipedia
Edit Checks: A Data Quality Tool
Which of the following is the MOST important factor affecting risk management in an organization?
The risk manager's expertise
Regulatory requirements
Board of directors' expertise
The organization's culture
According to the CRISC Review Manual (Digital Version), the organization’s culture is the most important factor affecting risk management in an organization, as it influences the risk awareness, risk attitude, risk behavior and risk communication of all stakeholders. The organization’s culture is defined as the shared values, beliefs, norms and expectations that guide the actions and interactions of the members of the organization. The organization’s culture affects how risk management is perceived, supported, implemented and integrated within the organization. A strong risk culture is one that:
Aligns with the organization’s vision, mission, strategy and objectives
Promotes a common understanding of risk and its implications for the organization
Encourages the identification, assessment, response and monitoring of risks at all levels
Fosters a proactive, collaborative and transparent approach to risk management
Empowers and rewards the stakeholders for taking ownership and accountability of risks
Enables continuous learning and improvement of risk management capabilities and maturity
References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.3: IT Risk Culture, pp. 23-251
The MOST important characteristic of an organization s policies is to reflect the organization's:
risk assessment methodology.
risk appetite.
capabilities
asset value.
An organization’s policies are the set of rules and guidelines that define the organization’s objectives, expectations, and responsibilities for its activities and operations. They provide the direction and framework for the organization’s governance, risk management, and compliance functions.
The most important characteristic of an organization’s policies is to reflect the organization’s risk appetite, which is the amount and type of risk that the organization is willing to accept in pursuit of its goals. The risk appetite is usually expressed as a range or a threshold, and it is aligned with the organization’s strategy and culture.
Reflecting the organization’s risk appetite in its policies ensures that the policies are consistent, appropriate, and proportional to the level and nature of the risks that the organization faces, and that they support the organization’s objectives and values. It also helps to optimize the balance between risk and return, and to create and protect value for the organization and its stakeholders.
The other options are not the most important characteristic of an organization’s policies, because they do not address the fundamental question of whether the policies are suitable and acceptable for the organization.
The risk assessment methodology is the process of identifying, analyzing, and evaluating the risks that may affect the organization’s objectives and operations. It involves determining the likelihood and impact of various risk scenarios, and prioritizing them based on their significance and urgency. The risk assessment methodology is important to inform and support the organization’s policies, but it is not the most important characteristic of the policies, because it does not indicate whether the policies are aligned with the organization’s risk appetite.
The capabilities are the resources and abilities that the organization has or can acquire to achieve its objectives and manage its risks. They include the people, processes, technologies, and assets that the organization uses or relies on. The capabilities are important to enable and implement the organization’s policies, but they are not the most important characteristic of the policies, because they do not indicate whether the policies are aligned with the organization’s risk appetite.
The asset value is the worth or importance of the assets that the organization owns or controls, and that may be affected by the risks that the organization faces. The assets include the tangible and intangible resources that the organization uses or relies on, such as data, information, systems, infrastructure, reputation, etc. The asset value is important to measure and monitor the organization’s policies, but it is not the most important characteristic of the policies, because it does not indicate whether the policies are aligned with the organization’s risk appetite. References =
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 29-30, 34-35, 38-39, 44-45, 50-51, 54-55
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 148
CRISC Practice Quiz and Exam Prep
Copyright © 2021-2025 CertsTopics. All Rights Reserved
