Isaca CRISC Questions Answers

Assessing the threat and associated impact is the next thing that a risk practitioner should do after learning that Internet of Things (IoT) devices installed in the production environment lack appropriate security controls for sensitive data. This is because assessing the threat and associated impact can help determine the level and nature of the risk posed by the IoT devices, as well as the potential consequences and costs of a security breach or incident. Assessing the threat and associated impact can also provide the basis for further risk analysis and response steps, such as evaluating risk appetite and tolerance levels, recommending device management controls, or enabling role-based access control. According to the CRISC Review Manual 2022, assessing the threat and associated impact is one of the key steps in the IT risk assessment process1. According to the web search results, assessing the threat and associated impact is a common and recommended practice for addressing the security risks of IoT devices

 Segmenting the application within the existing network is the most effective control to manage a legacy application that relies on software that has reached the end of extended support, as it isolates the application from the rest of the network and reduces the attack surface and the potential impact of a compromise. Subscribing to threat intelligence, applying patches for a newer version of the application, and increasing the frequency of regular system and data backups are not the most effective controls, as they may not address the root cause of the risk, or may introduce additional costs or complexities, respectively. References = CRISC Review Manual, 7th Edition, page 153.

Performing a threat assessment is the best course of action for a risk practitioner upon learning that regulatory authorities have concerns with an emerging technology that the organization is considering, because it helps to identify and analyze the sources and types of threats that may exploit the vulnerabilities or weaknesses of the technology, and to estimate their likelihood and impact. A threat is a potential event or action that may cause harm or damage to the organization or its objectives, such as a natural disaster, a cyberattack, or a human error. A threat assessment is a process of systematically identifying and assessing the threats that an organization faces, and estimating their probability and severity. An emerging technology is a new or innovative technology that has the potential to disrupt or transform the existing markets, industries, or practices, such as artificial intelligence, blockchain, or biotechnology. An emerging technology may offer benefits such as competitive advantage, efficiency, or creativity, but it may also pose risks such as technical complexity, interoperability issues, regulatory uncertainty, or ethical dilemmas. Therefore, performing a threat assessment is the best course of action, as it helps to understand and evaluate the threats and their consequences, and to determine the appropriate controls or mitigating factors to reduce or eliminate them. Redesigning key risk indicators (KRIs), updating risk responses, and conducting a SWOT analysis are all possible courses of action to perform after performing a threat assessment, but they are not the best course of action, as they depend on the results and recommendations of the threat assessment. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, page 87

Preparing a risk response that is aligned to the organization’s risk tolerance is the next step after completing a risk assessment and reporting the validated vulnerability findings that require mitigation to the application owner, because it helps to define and implement the appropriate actions to reduce or eliminate the risk, or to prepare for and recover from the potential consequences. A risk response is a strategy or tactic for managing the identified risks, such as avoiding, transferring, mitigating, or accepting the risk. A risk response should be aligned to the organization’s risk tolerance, which is the acceptable level of variation from the organization’s objectives or expectations. A vulnerability is a weakness or flaw in an IT system or application that can be exploited by a threat or attack to cause harm or damage. A vulnerability finding is a result of a vulnerability assessment, which is a process of identifying and evaluating the vulnerabilities in an IT system or application. A vulnerability finding requires mitigation, which is a type of risk response that involves applying controls or countermeasures to reduce the likelihood or impact of the risk. Therefore, preparing a risk response that is aligned to the organization’s risk tolerance is the next step, as it helps to address the vulnerability findings and to achieve the desired level of risk. Reporting the findings to executive management, reassessing each vulnerability, and conducting a penetration test are all possible steps to perform after preparing a risk response, but they are not the next step, as they depend on the results and approval of the risk response. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.2, page 103