In an organization with a mature risk management program, which of the following would provide the BEST evidence that the IT risk profile is up to date?
Risk questionnaire
Risk register
Management assertion
Compliance manual
A risk register is a tool that records and tracks the risks that may affect the organization, as well as the actions that are taken or planned to manage them1. A risk register provides the best evidence that the IT risk profile is up to date, because it reflects the current and potential IT risks that the organization faces, as well as their likelihood, impact, severity, owner, status, and response2. An IT risk profile is a document that describes the types, amounts, and priority of IT risk that the organization finds acceptable and unacceptable3. An IT risk profile is developed collaboratively with various stakeholders within the organization, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and IT risk management and security4. By maintaining and updating the risk register regularly, the organization can ensure that the IT risk profile is aligned with the changing IT risk environment, and that the IT risk management activities and performance are consistent and effective. The other options are not the best evidence that the IT risk profile is up to date, as they are either less comprehensive or less relevant than the risk register. A risk questionnaire is a tool that collects and analyzes the opinions and perceptions of the stakeholders about the risks that may affect the organization5. A risk questionnaire can help to identify and assess the risks, as well as to communicate and report on the risk status and issues. However, a risk questionnaire is not the best evidence that the IT risk profile is up to date, as it may not capture all the IT risks that the organization faces, or reflect the actual or objective level and nature of the IT risks. A management assertion is a statement or declaration made by the management about the accuracy and completeness of the information or data that they provide or report. A management assertion can help to increase the confidence and trust of the stakeholders and auditors in the information or data, as well as to demonstrate the accountability and responsibility of the management. However, a management assertion is not the best evidence that the IT risk profile is up to date, as it does not provide the details or outcomes of the IT risk management activities or performance, or verify the validity and reliability of the IT risk information or data. A compliance manual is a document that contains the policies, procedures, and standards that the organization must follow to meet the legal, regulatory, or contractual requirements that apply to its activities or operations. A compliance manual can help to ensure the quality and consistency of the organization’s compliance activities or performance, as well as to avoid or reduce the penalties or sanctions for non-compliance. However, a compliance manual is not the best evidence that the IT risk profile is up to date, as it does not address the IT risks that the organization faces, or the IT risk management activities or performance. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.5, Page 55.
Calculation of the recovery time objective (RTO) is necessary to determine the:
time required to restore files.
point of synchronization
priority of restoration.
annual loss expectancy (ALE).
The recovery time objective (RTO) is a metric that defines the maximum acceptable time frame for restoring a system or service after a disruption. The RTO is determined by the business impact and requirements of the system or service, as well as the risk appetite and tolerance of the organization. The calculation of the RTO is necessary to determine the priority of restoration, which means the order and urgency of recovering the systems or services based on their criticality and dependency. The priority of restoration helps to optimize the use of resources and minimize the downtime and losses during a disaster recovery. The other options are not the correct answers, as they are not the main purpose of calculating the RTO. The time required to restore files is a factor that affects the RTO, but it is not the outcome of the RTO calculation. The point of synchronization is the point in time to which the data must be restored to ensure consistency and accuracy. The point of synchronization is related to the recovery point objective (RPO), not the RTO. The annual loss expectancy (ALE) is a measure of the expected loss per year due to a specific risk or threat. The ALE is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). The ALE is not directly related to the RTO, although it may influence the RTO determination. References = Recovery Time Objective (RTO) - What Is It, Examples, Calculation; CRISC Review Manual, pages 197-1981; CRISC Review Questions, Answers & Explanations Manual, page 842
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
Ensuring availability of resources for log analysis
Implementing log analysis tools to automate controls
Ensuring the control is proportional to the risk
Building correlations between logs collected from different sources
The primary consideration when implementing controls for monitoring user activity logs is ensuring that the control is proportional to the risk, because this helps to optimize the balance between the benefits and costs of the control, and to avoid over- or under-controlling the risk. User activity logs are records of the actions or events performed by users on IT systems, networks, or resources, such as accessing, modifying, or transferring data or files. Monitoring user activity logs can help to detect and prevent potential threats, such as unauthorized access, data leakage, or malicious activity, and to support the investigation and remediation of incidents. However, monitoring user activity logs also involves certain costs and challenges, such as collecting, storing, analyzing, and reporting large amounts of log data, ensuring the accuracy, completeness, and timeliness of the log data, protecting the privacy and security of the log data, and complying with the relevant laws and regulations. Therefore, when implementing controls for monitoring user activity logs, the organization should consider the level and impact of the risk that the control is intended to address, and the value and effectiveness of the control in reducing the risk exposure and impact. The organization should also consider the costs and feasibility of implementing and maintaining the control, and the potential negative consequences or side effects of the control, such as performance degradation, user dissatisfaction, or legal liability. By ensuring that the control is proportional to the risk, the organization can achieve the optimal level of risk management, and avoid wasting resources or creating new risks. References = Risk IT Framework, ISACA, 2022, p. 151
A trusted third-party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?
Perform their own risk assessment
Implement additional controls to address the risk.
Accept the risk based on the third party's risk assessment
Perform an independent audit of the third party.
A risk assessment is a process that identifies, analyzes, and evaluates the risks that an organization faces in relation to its objectives, assets, and operations. A risk assessment helps to determine the likelihood and impact of potential threats, as well as the adequacy and effectiveness of existing controls. A risk assessment also provides the basis for risk treatment, which involves selecting and implementing the appropriate risk responses, such as avoiding, transferring, mitigating, or accepting the risk. The client’s best course of action in this scenario is to perform their own risk assessment, rather than relying on the third-party service provider’s risk assessment. This is because the third-party service provider may have different risk criteria, assumptions, methods, or perspectives than the client, and may not fully understand or address the client’s specific risk context, needs, and expectations. The third-party service provider’s risk assessment may also be biased, outdated, or inaccurate, and may not reflect the current or future risk environment. By performing their own risk assessment, the client can ensure that the risk of their systems being hacked is properly identified, measured, and managed, and that the risk level is acceptable and aligned with their risk appetite and tolerance. The other options are not the best courses of action for the client, as they may expose the client to unnecessary or unacceptable risk. Implementing additional controls to address the risk may be costly, ineffective, or redundant, and may not be justified by the actual risk level. Accepting the risk based on the third-party service provider’s risk assessment may be risky, as the client may not have a clear or accurate understanding of the risk exposure or consequences. Performing an independent audit of the third party may be useful, but it may not be sufficient or timely to assess and address the risk of the client’s systems being hacked. References = CRISC Review Manual, pages 38-391; CRISC Review Questions, Answers & Explanations Manual, page 792
Copyright © 2021-2025 CertsTopics. All Rights Reserved
