Vce CRISC Questions Latest

According to ISACA, a risk register is a tool to record and track the identified risks, their ratings, responses, and status. The primary purpose of a risk register is to provide a centralized view of risk for the organization, as it enables the consolidation, communication, and reporting of risk information across different levels, units, and functions. A risk register can also support the risk management process, such as risk identification, assessment, treatment, monitoring, and review.

References:

•ISACA, Risk IT Framework, 2nd Edition, 2019, p. 761

•ISACA, Capability Maturity Model and Risk Register Integration: The Right Approach to Enterprise Governance2

Availability requirements specify the expected level of service and the consequences of non-compliance. They are essential for ensuring that the SaaS provider can meet the business continuity and disaster recovery needs of the customer. Codifying them in the contract creates a clear and enforceable agreement that protects both parties.

References

•ISACA CRISC Review Manual, 7th Edition, Domain 3: Risk Response, Section 3.2.3: Business Continuity and Disaster Recovery

•Guideline for Completing Disaster Recovery Plans for SaaS and PaaS Applications (Yale-MSS-3.1 GD.02)

•How to Build a SaaS Disaster Recovery Plan | Acsense

The group that has primary ownership of reputational risk stemming from unethical behavior within the organization is A. Board of directors. According to the CFA Institute, the board of directors is responsible for setting the tone at the top and ensuring that the company adheres to high ethical standards and values. The board of directors also oversees the company’s culture, governance, and risk management practices, and holds the management accountable for any misconduct or breach of trust1 The board of directors may delegate some of its oversight functions to other committees, such as the human resources, risk management, or audit committee, but ultimately, the board of directors bears the ultimate responsibility for the company’s reputation and integrity

An increase in the number of security incidents is the most significant indicator of the need to perform a penetration test, because it suggests that the organization’s IT systems or networks are vulnerable to attacks and may not have adequate security controls in place. A penetration test is a simulated attack on an IT system or network to identify and exploit its weaknesses and evaluate its security posture. A penetration test can help to discover and remediate the vulnerabilities that may have caused or contributed to the security incidents, and to prevent or reduce the likelihood and impact of future incidents. An increase in the number of high-risk audit findings, an increase in the percentage of turnover in IT personnel, and an increase in the number of infrastructure changes are all possible indicators of the need to perform a penetration test, but they are not the most significant indicator, as they do not directly reflect the actual or potential occurrence of security incidents. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.3.2, page 200