Passed Exam Today CRISC

Inherent risk is the most likely to increase as a result of the new initiative, because it is the risk that exists before any controls or mitigating factors are applied. Inherent risk reflects the natural or raw level of exposure that the organization faces from a given risk source or scenario. Accepting credit card payments from customers via the corporate website introduces new sources and types of risk, such as fraud, theft, data breach, or non-compliance, that increase the inherent risk level of the organization. Risk tolerance, risk appetite, and residual risk are all related to the risk management process, but they are not the most likely to increase as a result of the new initiative, as they depend on the organization’s risk strategy, objectives, and controls. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.1, page 51

KRI thresholds are the levels or points that trigger an action or a response when a KRI reaches or exceeds them. They reflect the risk appetite of the organization, which is the amount and type of risk that it is willing to accept in pursuit of its objectives. A new privacy regulation may reduce the risk appetite of the organization, as it may impose stricter requirements and penalties for non-compliance. Therefore, the organization may need to adjust its KRI thresholds to lower levels, to ensure that it can identify and manage privacy risks more effectively and proactively

This KPI measures how well the server patch management process meets the agreed-upon standards and expectations for timeliness, quality, and security. It reflects the efficiency and effectiveness of the patch deployment and the compliance with the patch policy. It also helps to identify and address any issues or delays that may affect the patching performance.

References

•Patch Management KPI Metrics - Motadata

•KPI Examples for Patch and Vulnerability Management - Heimdal Security

•Measuring the Effectiveness of Your Patch Management Strategy - Automox

According to the CRISC exam content outline2, one of the tasks of a risk practitioner is to “report on risk, in line with organizational reporting requirements, to enable decision making and escalation”. Therefore, the first thing that the risk practitioner should do after discovering a policy violation is to report the incident to the appropriate authority, such as the IT security manager or the risk management committee. This will ensurethat the incident is properly documented, investigated, and resolved, and that any potential impact or consequences are minimized.

The other options are not the first actions that the risk practitioner should take. Planning a security awareness session (B) may be a preventive measure to avoid future incidents, but it does not address the current one. Assessing the new risk © may be part of the risk response process, but it should be done after reporting the incident and gathering more information. Updating the risk register (D) may be a result of the risk assessment and response, but it should not be done before reporting the incident and following the organizational procedures.