A bank recently incorporated blockchain technology with the potential to impact known risk within the organization. Which of the following is the risk practitioner's BEST course of action?
Correct Answer: C
CRISC Exam Question 297
When defining thresholds for control key performance indicators (KPIs). it is MOST helpful to align:
Correct Answer: B
The most helpful factor to align when defining thresholds for control key performance indicators (KPIs) is the control performance with the risk tolerance of business owners. Control KPIs are metrics that measurethe effectiveness and efficiency of the controls that are implemented to mitigate the risks. By aligning the control performance with the risk tolerance of business owners, the thresholds for control KPIs can reflect the acceptable level of risk and the desired level of control for the business processes and objectives. Information risk assessments with enterprise risk assessments, key risk indicators (KRIs) with risk appetite of the business, andcontrol KPIs with audit findings are other possible factors to align, but they are not as helpful as control performance with risk tolerance of business owners. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.
CRISC Exam Question 298
The GREATEST benefit of introducing continuous monitoring to an IT control environment is that it:
Correct Answer: A
Continuous monitoring systems automatically track key control indicators (KCIs) and risk metrics in real- time, enabling early identification of anomalies or emerging risks. ISACA CRISC states: "Continuous monitoring allows the enterprise to identify deviations and emerging risk conditions in a timely manner to take proactive corrective actions." Benchmarking and stakeholder mapping are secondary benefits. Thus, A. Enables timely detection of emerging risk is correct. CRISC Reference: Domain 4 - Risk and Control Monitoring and Reporting, Topic: Continuous Monitoring Benefits.
CRISC Exam Question 299
Which of the following is the BEST metric to demonstrate the effectiveness of an organization's patch management process?
Correct Answer: D
The percent of patches implemented within established timeframe is the best metric to demonstrate the effectiveness of an organization's patch management process, as it measures how well the organization meets its patching objectives and reduces its exposure to vulnerabilities. This metric reflects the timeliness, completeness, and quality of the patching process, and can be compared against the organization's patch management policy and standards. A high percent of patches implemented within established timeframe indicates that the organization has a mature and efficient patch management process that minimizes the risk of security breaches or operational disruptions due to unpatched systems. References: *ISACA, Risk and Information Systems Control Review Manual, 7th Edition, 2020, p. 2501 *ISACA, Practical Patch Management and Mitigation2 *NIST, Guide to Enterprise Patch Management Planning3
CRISC Exam Question 300
A risk practitioner observed Vial a high number of pokey exceptions were approved by senior management. Which of the following is the risk practitioner's BEST course of action to determine root cause?
Correct Answer: C
The best course of action to determine the root cause of the high number of policy exceptions approved by senior management is to interview the control owner. The control owner is the person who has the authority and responsibility for designing, implementing, and monitoring the controls that enforce the policy. The control owner can provide insight into the reasons, circumstances, and impacts of the policy exceptions, and the effectiveness and efficiency of the controls. The control owner can also suggest possible improvements or alternatives to the policy or the controls. The other options are not as useful as interviewing the control owner, as they are related to the review, analysis, or testing of the policy or the controls, not the investigation or understanding of the policy exceptions. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.4: Key Control Indicators, page 211.