Isaca Certification CRISC Updated Exam

A web-based service provider is an organization that offers online services or applications to its customers or users, such as e-commerce, social media, cloud computing, etc. A web-based service provider depends on the availability, reliability, and security of its web servers, networks, and systems to deliver its services or applications.

A low risk appetite for system outages means that the organization is not willing to accept a high level or frequency of system outages, which are interruptions or disruptions in the normal operation or functionality of the web servers, networks, or systems. System outages can cause customer dissatisfaction, revenue loss, reputation damage, or legal liability for the web-based service provider.

A current risk profile for online security is the current state or condition of the online security risks that may affect the web-based service provider’s objectives and operations. It includes the identification, analysis, and evaluation of the online security risks, and the prioritization and response to them based on their significance and urgency.

The most relevant observation to escalate to senior management is an increase in attempted distributed denial of service (DDoS) attacks, which are malicious attacks that aim to overwhelm or overload the web servers, networks, or systems with a large volume or frequency of requests or traffic, and prevent them from responding to legitimate requests or traffic. An increase in attempted DDoS attacks indicates a high likelihood and impact of system outages, and a high level of threat or vulnerability for the web-based service provider’s online security. Escalating this observation to senior management can help them to understand the severity and urgency of the risk, and to decide on the appropriate risk response and allocation of resources.

The other options are not the most relevant observations to escalate to senior management, because they do not indicate a high likelihood or impact of system outages, and they may not be relevant or actionable for senior management.

An increase in attempted website phishing attacks means an increase in malicious attempts to deceive or trick the web-based service provider’s customers or users into providing their personal or financial information, such as usernames, passwords, credit card numbers, etc., by impersonating the web-based service provider’s website or email. An increase in attempted website phishing attacks indicates a high level of threat or vulnerability for the web-based service provider’s online security, but it may not directly cause system outages, unless the phishing attacks are used to compromise the web servers, networks, or systems. Escalating this observation to senior management may not be the most relevant, because it may not reflect the web-based service provider’s risk appetite for system outages, and it may not require senior management’s involvement or approval.

A decrease in achievement of service level agreements (SLAs) means a decrease in the extent or degree to which the web-based service provider meets or exceeds the agreed or expected standards or criteria for the quality, performance, or availability of its services or applications, as specified in the contracts or agreements with its customers or users. A decrease in achievement of SLAs indicates a low level of customer satisfaction, retention, or loyalty, and a low level of competitiveness or profitability for the web-based service provider. Escalating this observation to senior management may not be the most relevant, because it may not reflect the web-based service provider’s risk appetite for system outages, and it may not require senior management’s involvement or approval.

A decrease in remediated web security vulnerabilities means a decrease in the number or percentage of web security vulnerabilities that have been identified and resolved or mitigated by the web-based service provider. Web security vulnerabilities are weaknesses or flaws in the web servers, networks, or systems that can be exploited by malicious attackers to compromise or damage the web-based service provider’s online security. A decrease in remediated web security vulnerabilities indicates a low level of effectiveness or efficiency for the web-based service provider’s web security controls or processes. Escalating this observation to senior management may not be the most relevant, because it may not reflect the web-based service provider’s risk appetite for system outages, and it may not require senior management’s involvement or approval. References =

ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 161

CRISC Practice Quiz and Exam Prep

The business process owner should be the risk owner for the risk exposure due to weak technical controls in a newly implemented HR system, because they are responsible for the performance and outcomes of the HR business process, and they understand the business requirements, expectations, and impact of the HR system. The business process owner can also evaluate the trade-offs between the potential benefits and costs of the HR system, and the potential risks and consequences of a failure or breach of the system. The business process owner can also communicate and justify their risk acceptance or mitigation decision to the senior management and other stakeholders, and ensure that the risk is monitored and reviewed regularly. The other options are less appropriate to be the risk owner for this risk exposure. The chief risk officer is responsible for overseeing the enterprise-wide risk management framework and process, which includesensuring the identification, assessment, and reporting of risks. However, they are not the owner of the HR system or the HR business process, and they may not have the full knowledge or authority to accept or mitigate the risk on behalf of the business. The project manager is responsible for managing the implementation of the HR system, which includes ensuring the delivery of the system within the scope, time, and budget constraints. However, they are not the owner of the HR system or the HR business process, and they may not have the full knowledge or authority to accept or mitigate the risk on behalf of the business. The chief information officer is responsible for managing the IT function and resources, which includes providing the technical support and security for the HR system. However, they are not the owner of the HR system or the HR business process, and they may not have the full knowledge or authority to accept or mitigate the risk on behalf of the business. References = Getting risk ownership right 1

A security incident handling process is a set of procedures and activities that aim to identify, analyze, contain, eradicate, recover from, and learn from security incidents that affect the confidentiality, integrity, or availability of information assets12.

The maturity of a security incident handling process is the degree to which the process is defined, managed, measured, controlled, and improved, and the extent to which it meets the organization’s objectives and expectations34.

The best key performance indicator (KPI) to measure the maturity of a security incident handling process is the number of recurring security incidents, which is the frequency or rate of security incidents that are repeated or reoccur after being resolved or closed56.

The number of recurring security incidents is the best KPI because it reflects the effectiveness and efficiency of the security incident handling process, and the ability of the process to prevent or reduce the recurrence of security incidents through root cause analysis, corrective actions, and continuous improvement56.

The number of recurring security incidents is also the best KPI because it is directly related to the organization’s objectives and expectations, such as minimizing the impact and cost of security incidents, enhancing the security posture and resilience of the organization, and complying with the relevant standards and regulations56.

The other options are not the best KPIs, but rather possible metrics that may support or complement the measurement of the maturity of the security incident handling process. For example:

The number of security incidents escalated to senior management is a metric that indicates the severity or complexity of security incidents, and the involvement or awareness of the senior management in the security incident handling process56. However, this metric doesnot measure the effectiveness or efficiency of the process, or the ability of the process to prevent or reduce security incidents56.

The number of resolved security incidents is a metric that indicates the output or outcome of the security incident handling process, and the performance or productivity of the security incident handling team56. However, this metric does not measure the quality or sustainability of the resolution, or the ability of the process to prevent or reduce security incidents56.

The number of newly identified security incidents is a metric that indicates the input or demand of the security incident handling process, and the capability or capacity of the security incident detection and identification mechanisms56. However, this metric does not measure the effectiveness or efficiency of the process, or the ability of the process to prevent or reduce security incidents56. References =

1: Computer Security Incident Handling Guide, NIST Special Publication 800-61, Revision 2, August 2012

2: ISO/IEC 27035:2016 Information technology — Security techniques — Information security incident management

3: Capability Maturity Model Integration (CMMI) for Services, Version 1.3, November 2010

4: COBIT 2019 Framework: Introduction and Methodology, ISACA, 2018

5: KPIs for Security Operations & Incident Response, SecurityScorecard Blog, June 7, 2021

6: Key Performance Indicators (KPIs) for Security Operations and Incident Response, DFLabs White Paper, 2018

The recovery time objective (RTO) is a metric that defines the maximum acceptable time frame for restoring a system or service after a disruption. The RTO is determined by the business impact and requirements of the system or service, as well as the risk appetite and tolerance of the organization. The calculation of the RTO is necessary to determine the priority of restoration, which means the order and urgency of recovering the systems or services based on their criticality and dependency. The priority of restoration helps to optimize the use of resources and minimize the downtime and losses during a disaster recovery. The other options are not the correct answers, as they are not the main purpose of calculating the RTO. The time required to restore files is a factor that affects the RTO, but it is not the outcome of the RTO calculation. The point of synchronization is the point in time to which the data must be restored to ensure consistency and accuracy. The point of synchronization is related to the recovery point objective (RPO), not the RTO. The annual loss expectancy (ALE) is a measure of the expected loss per year due to a specific risk or threat. The ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). The ALE is not directly related to the RTO, although it may influence the RTO determination. References = Recovery Time Objective (RTO) - What Is It, Examples, Calculation; CRISC Review Manual, pages 197-1981; CRISC Review Questions, Answers & Explanations Manual, page 842