Which of the following controls is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
Correct Answer: C
Section: Volume C
Explanation: The Access Control family of controls helps an organization implement effective access control. These controls ensure that users have the rights and permissions they need to perform their jobs, and no more. The family includes principles such as least privilege and separation of duties.
Incorrect Answers:
A: System and Communications Protection is a large group of controls covering many aspects of protecting systems and communication channels, including denial-of-service protection, boundary protection, and transmission integrity and confidentiality controls.
B: Audit and Accountability controls help an organization implement an effective audit program. They provide details on how to determine what to audit and how to protect the audit logs, and they include information on using audit logs for non-repudiation.
D: Identification and Authentication controls cover the practices used to identify and authenticate users. Each user should be uniquely identified: each user has one account, and that account is used by only one user. Similarly, device identifiers uniquely identify devices on the network.
CRISC Exam Question 737
Which of the following is the MOST important first step in the risk assessment process?
Correct Answer: A
Section: Volume A
Explanation: Asset identification is the most crucial and first step in the risk assessment process. Risk identification, assessment and evaluation (analysis) should always be clearly aligned to assets. Assets can be people, processes, infrastructure, information or applications.
CRISC Exam Question 738
Which of the following BEST represents a critical threshold value for a key control indicator (KCI)?
Correct Answer: A
A critical threshold value for a key control indicator (KCI) is the value that indicates that the control is no longer performing its intended function of mitigating a risk. If the KCI reaches or exceeds this value, it means that the control effectiveness has failed and corrective actions are needed. The other options are not the best representations of a critical threshold value for a KCI, because they do not reflect the actual performance or outcome of the control. Thresholds benchmarked to peer organizations, a typical operational value, and a value that represents the intended control state are examples of target or acceptable values for a KCI, not critical or unacceptable values.
References: CRISC: Certified in Risk & Information Systems Control Sample Questions
CRISC Exam Question 739
Which of the following is the BEST indication of an effective risk management program?
Correct Answer: B
* An effective risk management program is a systematic and consistent process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks that may affect the achievement of the organization's objectives [1][2].
* The best indication of an effective risk management program is that the residual risk (the risk remaining after risk treatment) is within the organizational risk appetite (the amount and type of risk that the organization is willing to accept in pursuit of its objectives) [1][2].
* This indicates that the organization has successfully implemented appropriate risk responses that align with its risk strategy and criteria, and that the organization is able to balance the potential benefits and costs of taking risks [1][2].
* The other options are not the best indication, but rather components or outcomes of an effective risk management program. For example:
  * Risk action plans being approved by senior management is an outcome of an effective risk management program that demonstrates the commitment and accountability of the leadership for risk management [1][2].
  * Mitigating controls being designed and implemented is a component of an effective risk management program that involves reducing the likelihood or impact of a risk event [1][2].
  * Risk being recorded and tracked in the risk register is a component of an effective risk management program that involves documenting and updating the risk information and status [1][2].
References:
* [1] Risk IT Framework, ISACA, 2009
* [2] IT Risk Management Framework, University of Toronto, 2017
CRISC Exam Question 740
Which of the following is an output of risk assessment process?
Correct Answer: B
is incorrect. This is an output of the risk mitigation process, that is, it is produced after several risk responses have been applied.