Full Access Isaca CRISC Tutorials

The risk register is a document that records the identified risks, their analysis, and their responses. It is a useful tool for monitoring and controlling the risks throughout the project lifecycle. However, the risk register is not a static document and it should be updated regularly to reflect the changes in the risk environment and the project status. Therefore, when reviewing the risk register, a risk practitioner should not only look at the risk ratings, but also the assumptions and the rationale behind them. Different business units may have different perspectives, contexts, and data sources for the same risk scenario, which can result in significant variances in inherent risk. Inherent risk is the risk level before considering the existing controls or responses. Therefore, the best course of action is to review the assumptions of both risk scenarios to determine whether the variance is reasonable or not. This can help to identify any errors, inconsistencies, or biases in the risk assessment process, and to ensure that the risk register reflects the current and accurate state of the risks. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.1, p. 106-107

Shadow systems are IT systems, solutions, devices, or technologies used within an organization without the knowledge and approval of the corporate IT department1. They are often the result of employees trying to address specific functionality gaps in the organization’s official systems, such as the ERP system. However, shadow systems can pose significant risks to the organization, such as:

Data security and privacy breaches, as shadow systems may not comply with the organization’s security policies and standards, or may expose sensitive data to unauthorized parties2.

Data quality and integrity issues, as shadow systems may not synchronize or integrate with the organization’s official systems, or may create data inconsistencies or redundancies3.

Compliance and regulatory violations, as shadow systems may not adhere to the organization’s legal or contractual obligations, or may create audit or reporting challenges4.

Cost and resource inefficiencies, as shadow systems may duplicate or conflict with the organization’s official systems, or may consume more IT resources than necessary5.

The best way to reduce the risk associated with shadow systems is to implement an enterprise architecture (EA), which is a comprehensive framework that defines the structure, processes, principles, and standards of the organization’s IT environment6. By implementing an EA, the organization can:

Align the IT systems with the organization’s goals and strategy, and ensure that they support the business needs and requirements6.

Establish a governance structure and process for IT decision making, and ensure that all IT systems are approved, monitored, and controlled by the IT department7.

Enhance the communication and collaboration between the IT department and the business units, and ensure that the IT systems meet the expectations and preferences of the end users5.

Optimize the performance and efficiency of the IT systems, and ensure that they are scalable, flexible, and interoperable6.

References =

Shadow IT: What Are the Risks and How Can You Mitigate Them? - Ekran System

How to Reduce Risks of Shadow IT by Applying Governance to Public Clouds – BMC Software | Blogs

What is shadow IT? - Article | SailPoint

The Risks of Shadow IT and How to Avoid Them | SiteSpect

Start reducing your organization’s Shadow IT risk in 3 steps

What is enterprise architecture (EA)? - Definition from WhatIs.com

Enterprise Architecture Governance - CIO Wiki

 The risk practitioner’s best recommendation is to consider providing additional system resources to this job, as this would help to reduce the likelihood and impact of the risk of delaying financial reporting. Providing additional system resources, such as memory, CPU, disk space, or bandwidth, can improve the performance and efficiency of the application and the scheduled job. This can also help to avoid potential errors, failures, or interruptions that could affect the quality and timeliness of the financial data and reporting.

The other options are not the best recommendations for this situation. Implementing database activity and capacity monitoring is a good practice to identify and analyze the root causes of performance issues, but it does not directly address the risk of delaying financial reporting. Ensuring the business is aware of the risk is an important step to communicate and escalate the risk, but it does not provide a solution or mitigation strategy. Ensuring the enterprise has a process to detect such situations is a preventive measure to avoid or minimize the occurrence of the risk, but it does not eliminate or reduce the risk. References = Practical Recommendations for Better Enterprise Risk Management - ISACA, HR Risk Management: A Practitioner’s Guide - AIHR, Isaca CRISC today updated questions - Verified by Isaca Experts

 The most important consideration for protecting data assets in a business application system is to ensure that the application controls are aligned with the data classification rules. Data classification rules define the level of sensitivity, confidentiality, and criticality of the data, and the corresponding security requirements and controls. Application controls are the policies, procedures, and technical measures that are implemented at the application level to ensure the security, integrity, and availability of the data. Application controls should be designed and configured to match the data classification rules, so that the data is protected according to its value and risk. For example, if the data is classified as highly confidential, the application controls should enforce strong authentication, encryption, access control, logging, and auditing mechanisms. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 214.