CRISC Exam Question 591
An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?
Correct Answer: B
Data confidentiality risk is the risk that the data may be accessed, disclosed, or modified by unauthorized parties, resulting in breaches of privacy, trust, or compliance1. Platform as a Service (PaaS) is a cloud computing model that provides a platform for developing, testing, and deploying applications, without requiring the users to manage the underlying infrastructure2. An internally developed payroll application is an application that is created and maintained by the organization itself, rather than by a third-party vendor, and that is used to process and manage the payroll data of the organization's employees3. The owner of the data confidentiality risk is the person or entity that has the authority and accountability for the data and its protection, and that is responsible for identifying, assessing, and mitigating the risk. The owner of the data confidentiality risk related to an internally developed payroll application that leverages PaaS infrastructure from the cloud is the human resources head, as they are the person who oversees the human resources function and the payroll data of the organization. The human resources head has the best understanding of the sensitivity, value, and usage of the payroll data, and the potential impacts and implications of a data confidentiality breach. The human resources head also has the ability and responsibility to define and implement the policies, procedures, and controls that are necessary to protect the payroll data, and to monitor and report on the performance and compliance of the data confidentiality risk management. The IT infrastructure head, the supplier management head, and the application development head are not the best choices for owning the data confidentiality risk related to an internally developed payrollapplication that leverages PaaS infrastructure from the cloud, as they do not have the same level of authority and accountability as the human resources head. The IT infrastructure head is the person who oversees the IT infrastructure function and the PaaS infrastructure of the organization. The IT infrastructure head may be involved in providing input and feedback to the human resources head on the data confidentiality risk management, especially those related to the PaaS infrastructure, but they do not have the final say or the overall responsibility for the payroll data and its protection. The supplier management head is the person who oversees the supplier management function and the relationship with the cloud service provider that provides the PaaS infrastructure. The supplier management head may be involved in negotiating and enforcing the service level agreements and the security requirements with the cloud service provider, but they do not have the authority or the expertise to manage the data confidentiality risk of the payroll data. The application development head is the person who oversees the application development function and the development, testing, and deployment of the payroll application. The application development head may be involved in designing and implementing the security features and controls of the payroll application, but they do not have the perspective or the influence to manage the data confidentiality risk of the payroll data. References = 3: Payroll Software: What Is It & How Does It Work? | QuickBooks2: What is Platform as a Service (PaaS)? | IBM1: Data Confidentiality: Identifyingand Protecting Assets Against Data ... : [Risk Ownership - Risk Management] : [Human Resources and Payroll Security Policy - University of ...] : [Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Concepts, pp. 17-19.] : [Risk andInformation Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.1: Risk Identification, pp. 57-59.] : [Risk and Information Systems Control Study Manual, Chapter
4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.] : [Risk and Information Systems Control Study Manual, Chapter 5:
Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]
4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.] : [Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.] : [Risk and Information Systems Control Study Manual, Chapter 5:
Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.]
CRISC Exam Question 592
Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?
Correct Answer: B
The risk practitioner's primary focus when determining whether controls are adequate to mitigate risk should be the level of residual risk, because this indicates the amount and type of risk that remains after applying the controls, and whether it is acceptable or not. Residual risk is the risk that is left over after the risk response actions have been taken, such as implementing or improving controls. Controls are the measures or actions that are designed and performed to reduce the likelihood and/or impact of a risk event, or to exploit the opportunities that a risk event may create. The adequacy of controls to mitigate risk depends on how well they address the root causes or sources of the risk, and how effectively and efficiently they reduce the risk exposure and value. The level of residual risk reflects the adequacy of controls to mitigate risk, as it shows the gap between the inherent risk and the actual risk, and whether it is within the organization's risk appetite and tolerance. The risk practitioner should focus on the level of residual risk when determining whether controls are adequate to mitigate risk, as it helps to evaluate and compare the benefits and costs of the controls, and to decide on the best risk response strategy, such as accepting, avoiding, transferring, or further reducing the risk. The other options are less important or relevant to focus on when determining whether controls are adequate to mitigate risk. Sensitivity analysis is a technique that measures how the risk value changes when one or more input variables are changed, such as the probability, impact, or control effectiveness. Sensitivity analysis can help to identify and prioritize the most influential or critical variables that affect the risk value, and to test the robustness or reliability of the risk assessment. However, sensitivity analysis does not directly indicate the adequacy of controls to mitigate risk, as it does not measure the level of residual risk or the risk acceptance criteria. Cost-benefit analysis is a technique that compares the expected benefits and costs of a control or a risk response action, and determines whether it is worthwhile or not. Cost-benefit analysis can help to justify and optimize the investment or resource allocation for the control or the risk response action, and to ensure that it is aligned with the organization's objectives and value. However, cost-benefit analysis does not directly indicate the adequacy of controls to mitigate risk, as it does not measure the level of residual risk or the risk acceptance criteria. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite can help to define and communicate the organization's risk preferences and boundaries, and to guide the risk decision-making and behavior. However, risk appetite does not directly indicate the adequacy of controls to mitigate risk, as it does not measure the level of residual risk or the actual risk performance. References = Risk IT Framework, ISACA, 2022, p. 131
CRISC Exam Question 593
Which of the following would require updates to an organization's IT risk register?
Correct Answer: A
An IT risk register is a document that records and tracks the identified IT risks, their likelihood, impact, and mitigation strategies. It is a living document that needs to be updated regularly to reflect the current risk profile of the organization. One of the situations that would require updates to the IT risk register is the discovery of an ineffectively designed key IT control, as this would increase the likelihood or impact of the related IT risk. Management review of key risk indicators (KRIs), changes to the team responsible for maintaining the register, and completion of the latest internal audit are not reasons to update the IT risk register, as they do not affect the identified IT risks or their mitigation strategies. References = [CRISC Review Manual (Digital Version)], page 97; CRISC: Certified in Risk & Information Systems Control Sample Questions, question 198.
CRISC Exam Question 594
An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
Correct Answer: A
Authentication logs are records of the attempts and results of logging into an IT system, network, or application, such as the user name, password, date, time, location, or device1. Authentication logs can help to verify and audit the identity and access of the users, and to detect and investigate any unauthorized or suspicious login activities, such as failed or repeated attempts, or unusual patterns or locations2.
Among the four options given, the discovery that authentication logs have been disabled should be of greatest concern to the organization. This is because disabling authentication logs can:
Prevent or hinder the organization from monitoring and controlling the access and activity of the users, especially the disgruntled, terminated IT administrator who may have malicious intentions or insider knowledge Enable or facilitate the disgruntled, terminated IT administrator or other attackers to bypass or compromise the authentication mechanisms or policies, and gain unauthorized or elevated access to the IT systems, networks, or applications Conceal or erase the evidence or traces of the login attempts or actions of the disgruntled, terminated IT administrator or other attackers, and make it difficult or impossible to identify, investigate, or prosecute them Indicate or imply that the disgruntled, terminated IT administrator or other attackers have already breached or compromised the IT systems, networks, or applications, and have disabled the authentication logs to cover their tracks or avoid detection3 References = What is Authentication Logging?, Authentication Logging - Wikipedia, Fired admin cripples former employer's network using old credentials
Among the four options given, the discovery that authentication logs have been disabled should be of greatest concern to the organization. This is because disabling authentication logs can:
Prevent or hinder the organization from monitoring and controlling the access and activity of the users, especially the disgruntled, terminated IT administrator who may have malicious intentions or insider knowledge Enable or facilitate the disgruntled, terminated IT administrator or other attackers to bypass or compromise the authentication mechanisms or policies, and gain unauthorized or elevated access to the IT systems, networks, or applications Conceal or erase the evidence or traces of the login attempts or actions of the disgruntled, terminated IT administrator or other attackers, and make it difficult or impossible to identify, investigate, or prosecute them Indicate or imply that the disgruntled, terminated IT administrator or other attackers have already breached or compromised the IT systems, networks, or applications, and have disabled the authentication logs to cover their tracks or avoid detection3 References = What is Authentication Logging?, Authentication Logging - Wikipedia, Fired admin cripples former employer's network using old credentials
CRISC Exam Question 595
Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?
Correct Answer: A
The risk associated with malicious functionality in outsourced application development is that the vendor may introduce unauthorized or harmful code into the enterprise's system, which could compromise its security, integrity, or performance.
To mitigate this risk, the enterprise should perform an in-depth code review with an expert who can verify that the code meets the specifications, standards, and quality requirements, and that it does not contain any malicious or unwanted functionality.
A code review is a systematic examination of the source code of a software program, which can identify errors, vulnerabilities, inefficiencies, or deviations from best practices. A code review can also ensure that the code is consistent, readable, maintainable, and well-documented.
An expert is someone who has the knowledge, skills, and experience to perform the code review effectively and efficiently. An expert may be an internal or external resource, depending on the availability, cost, and independence of the reviewer.
A code review should be performed before the code is deployed to the production environment, and preferably at multiple stages of the development life cycle, such as design, testing, and integration.
A code review can also be complemented by other techniques, such as automated code analysis, testing, and scanning tools, which can detect common or known issues in the code. References = ISACA, CRISC Review Manual, 7th Edition, 2022, p. 143 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 143
To mitigate this risk, the enterprise should perform an in-depth code review with an expert who can verify that the code meets the specifications, standards, and quality requirements, and that it does not contain any malicious or unwanted functionality.
A code review is a systematic examination of the source code of a software program, which can identify errors, vulnerabilities, inefficiencies, or deviations from best practices. A code review can also ensure that the code is consistent, readable, maintainable, and well-documented.
An expert is someone who has the knowledge, skills, and experience to perform the code review effectively and efficiently. An expert may be an internal or external resource, depending on the availability, cost, and independence of the reviewer.
A code review should be performed before the code is deployed to the production environment, and preferably at multiple stages of the development life cycle, such as design, testing, and integration.
A code review can also be complemented by other techniques, such as automated code analysis, testing, and scanning tools, which can detect common or known issues in the code. References = ISACA, CRISC Review Manual, 7th Edition, 2022, p. 143 ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 143
- Other Version
- 1718ISACA.CRISC.v2026-03-31.q857
- 2095ISACA.CRISC.v2026-01-15.q649
- 5005ISACA.CRISC.v2025-09-26.q726
- 4216ISACA.CRISC.v2025-08-27.q675
- 6069ISACA.CRISC.v2025-01-04.q999
- 3020ISACA.CRISC.v2024-06-13.q683
- 4278ISACA.CRISC.v2024-04-02.q999
- 4155ISACA.CRISC.v2023-07-10.q544
- 6747ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6373ISACA.CRISC.v2022-02-22.q349
- 6631ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 126Pegasystems.PEGACPDC25V1.v2026-07-17.q45
- 207CompTIA.N10-009.v2026-07-17.q230
- 141EMC.D-PDM-DY-23.v2026-07-17.q66
- 141Salesforce.ADM-201.v2026-07-17.q63
- 299PMI.CAPM.v2026-07-17.q643
- 144Cisco.300-215.v2026-07-17.q60
- 315CollegeAdmission.PMHNP.v2026-07-17.q640
- 189Microsoft.MB-240.v2026-07-17.q174
- 125SAP.C_CE325_2601.v2026-07-17.q37
- 256Microsoft.AZ-900.v2026-07-16.q224
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
