Passed Exam Today CRISC

Residual risk is the level of risk that remains after applying controls or other risk treatments. A critical patch is a type of control that aims to reduce the risk of a known vulnerability being exploited by attackers. If the patch implementation fails, the control is ineffective and the risk is not reduced. Therefore, the residual risk is increased, as the organization is still exposed to the potential negative consequences of the vulnerability.

References:

•ISACA, Risk and Information Systems Control Review Manual, 7th Edition, 2020, p. 2111

•ISACA, Practical Patch Management and Mitigation2

Vulnerable firmware that lacks updates is a significant security risk, as it can be exploited by attackers. Addressing this issue aligns with Secure IoT Deployment Practices to reduce exposure.

The first step in selecting a risk response after a penetration test reveals several vulnerabilities in a web-facing application is to assess the level of risk associated with the vulnerabilities, as it involves evaluating the likelihood and impact of the vulnerabilities being exploited, and comparing them with the risk tolerance and appetite of the organization. Correcting the vulnerabilities, developing a risk response action plan, and communicating the vulnerabilities are possible steps in selecting a risk response, but they are not the first step, as they require the prior knowledge of the risk level and the optimal risk response. References = CRISC Review Manual, 7th Edition, page 108.

Change management is the best way to prevent an unscheduled application of a patch, because it ensures that any changes to the IT environment are planned, approved, tested, and documented. Change management is a process that controls the implementation of changes to IT systems, applications, infrastructure, or processes. It aims to minimize the risk of disruption, errors, or failures caused by changes. Applying a patch is a type of change that may affect the security, functionality, or performance of an IT system or application. Therefore, applying a patch should follow the change management process and schedule, and avoid any unscheduled or unauthorized patching. Network-based access controls, compensating controls, and segregation of duties are all useful controls to protect the IT environment from unauthorized or malicious access, but they do not prevent an unscheduled application of a patch, as they do not address the change management process. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.4.2, page 211