Helping Hand Questions for CRISC

Residual risk is the risk that remains after the risk response has been implemented. Risk tolerance is the acceptable level of variation from the desired outcome or objective. If the residual risk is within the risk tolerance, it means that the risk response has been effective in reducing the risk to an acceptable level.

References

•ISACA CRISC Review Manual, 7th Edition, Domain 3: Risk Response, Section 3.1.1: Residual Risk

•Residual Risk: Definition, Formula & Management - Video & Lesson Transcript | Study.com

•Risk Tolerance - ISACA

User acceptance testing (UAT) is a type of validation testing that ensures that the product meets the needs and expectations of the end users and the business stakeholders. UAT is usually conducted by the actual or representative users of the product, who perform various scenarios and tasks to verify that the product functions correctly and satisfies the business requirements. UAT is an important step in the software development life cycle, as it helps to identify and resolve any issues or gaps between the product and the requirements before the product is released.

If UAT is not conducted when implementing a new application, the greatest concern is that the application could fail to meet the defined business requirements, which could result in user dissatisfaction, loss of trust, reduced productivity, increased costs, and missed opportunities. The application may have technical defects, security vulnerabilities, or redundant processes, but these are not the primary purpose of UAT. UAT is focused on validating the business value and usability of the product, not the technical quality or security of the product. Therefore, the lack of UAT could have a significant impact on the alignment of the product with the business objectives and user needs.

The information classification policy is the most important document regarding the treatment of sensitive data, because it defines the categories and criteria for classifying data according to their sensitivity, confidentiality, and value to the organization, and specifies the appropriate handling and protection measures for each category. Sensitive data are data that contain personal, proprietary, or confidential information that may cause harm or damage to the organization or its stakeholders if disclosed, modified, or destroyed without authorization. An information classification policy helps to ensure that sensitive data are identified and treated in a consistent and secure manner, and that the organization complies with the applicable laws and regulations regarding data protection and privacy. An encryption policy, an organization risk profile, and a digital rights management policy are all useful documents for the treatment of sensitive data, but they are not the most important document, as they do not directly address the classification and handling of sensitive data. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158