An organization has adopted an emerging technology without following proper processes. Which of the following is the risk practitioner's BEST course of action to address this risk?
Correct Answer: C
Conducting a risk assessment allows the organization to evaluate the exposure created by adopting the technology. This step ensures informed decision-making and aligns with the principles of Risk Identification and Assessment for managing emerging risks effectively.
CRISC Exam Question 227
During a risk assessment, what should an assessor do after identifying threats to organizational assets?
Correct Answer: D
The CRISC risk assessment process follows a sequence: * Identify assets # * Identify threats # * Identify vulnerabilities # * Evaluate existing controls # * Assess likelihood and impact. Per ISACA CRISC guidance: "After identifying threats, the next step is to evaluate the effectiveness of existing controls to determine residual risk." Implementing new controls (Option C) happens after risk evaluation and treatment planning. Hence, D. Evaluate the controls currently in place is correct. CRISC Reference: Domain 2 - IT Risk Assessment, Topic: Risk Identification and Control Evaluation Steps.
CRISC Exam Question 228
Which of the following is the MOST important reason to communicate control effectiveness to senior management?
Correct Answer: C
According to the ISACA Risk and Information Systems Control study guide and handbook, the most important reason to communicate control effectiveness to senior management is to ensure management understands the current risk status. Control effectiveness is a measure of how well a control reduces the likelihood or impact of a risk event. By communicating control effectiveness, risk managers can provide management with relevant and timely information about the residual risk level, the risk appetite and tolerance, and the potential gaps or weaknesses in the control environment. This can help management make informed decisions about risk response strategies, resource allocation, and risk oversight12 1: ISACA Risk and Information Systems Control Study Guide, 4th Edition, page 33 2: ISACA Risk and Information Systems Control Handbook, 1st Edition, page 25
CRISC Exam Question 229
An organization planning to transfer and store its customer data with an offshore cloud service provider should be PRIMARILY concerned with:
Correct Answer: B
The primary concern for an organization planning to transfer and store its customer data with an offshore cloud service provider is data privacy. Data privacy is the protection of personal information from unauthorized or unlawful access, use, disclosure, or transfer. Data privacy is governed by various laws, regulations, and standards that vary across different jurisdictions and sectors. An organization that transfers and stores its customer data with an offshore cloud service provider should ensure that the data privacy rights and obligations of the customers, the organization, and the cloud service provider are clearly defined and agreed upon, and that the data is protected according to the applicable data privacy requirements. An organization should also conduct due diligence and risk assessment on the offshore cloud service provider, and monitor and audit its performance and compliance on a regular basis. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.2.1, page 127123
CRISC Exam Question 230
A risk practitioner is reporting on an increasing trend of ransomware attacks in the industry. Which of the following information is MOST important to include to enable an informed response decision by key stakeholders?
Correct Answer: D
The potential impact of events is the estimated magnitude and likelihood of the consequences that may result from a risk scenario. The potential impact of events can help key stakeholders understand the severity and urgency of the risk, and prioritize the appropriate response actions. The potential impact of events can be expressed in quantitative or qualitative terms, such as financial loss, operational disruption, reputational damage, legal liability, etc. The potential impact of events is the most important information to include when reporting on an increasing trend of ransomware attacks in the industry, as it can help stakeholders assess the level of risk exposure and the adequacy of the existing controls. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.3: Risk Analysis, p. 87-89.