Isaca Certification CRISC Book

 A vulnerability is a weakness or flaw that can be exploited by a threat to cause harm or damage to an asset. Employees holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges, is a behavior that best represents a vulnerability, as it bypasses the security control of the ID badge system, and allows unauthorized or unauthenticated access to the premises. This behavior can increase the risk of physical or logical security breaches, such as theft, vandalism, sabotage, or espionage. References = CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 258. Most Asked CRISC Exam Questions and Answers, Question 10. ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 258. CRISC by Isaca Actual Free Exam Q&As, Question 9.

 The primary role of a data custodian in the risk management process is to ensure that data is protected according to the classification. A data custodian is a person or entity that has the responsibility for implementing and maintaining the security controls for the data, such as access rights, encryption, backup, or disposal. A data custodian acts as an agent of the data owner, who is the person or entity that has the authority and accountability for the data. A data custodian should ensure that data is protected according to the classification, which is the process of assigning a level of sensitivity and criticality to the data, based on the impact of its loss, disclosure, or modification. Data classification helps to determine the appropriate security controls and risk responses for the data, and to comply with the relevant laws, regulations, or contractual obligations. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.2.1, page 1271

The control owner is the person who is accountable for ensuring that a control is designed, implemented, and operated effectively to mitigate risk. The control owner is also responsible for monitoring the performance of the control and reporting any issues or deficiencies. The risk manager is the person who oversees the risk management process and ensures that risks are identified, assessed, and treated appropriately. The control operator is the person who executes the control activities on a day-to-day basis. The risk treatment owner is the person who is accountable for implementing the risk response strategy and ensuring that the residual risk is within the acceptable level. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.1, p. 181.

A retention policy is a set of rules and guidelines that define how long and under what conditions the information should be kept or disposed of by the organization, based on its value, sensitivity, and legal or regulatory requirements.

When information is no longer required to support business objectives, the first thing that should be done is to assess the information against the retention policy. This means that the information should be reviewed and evaluated to determine if it should be retained or deleted, and for how long and by whom.

Assessing the information against the retention policy helps to ensure that the information is managed and disposed of in a consistent and compliant manner, that the information is protected from unauthorized access, use, disclosure, modification, or destruction, and that the information is available for future reference or audit purposes if needed.

The other options are not the first things that should be done when information is no longer required to support business objectives. They are either secondary or not essential for information management.

The references for this answer are:

Risk IT Framework, page 28

Information Technology & Security, page 22

Risk Scenarios Starter Pack, page 20