A recent audit identified high-risk issues in a business unit though a previous control self-assessment (CSA) had good results. Which of the following is the MOST likely reason for the difference?
Correct Answer: D
* A compliance-based CSA focuses on ensuring that the business unit follows the policies and procedures established by the enterprise, regardless of the actual risk level or impact of the controls. * A risk-based CSA focuses on identifying and evaluating the risks that may affect the business unit's objectives, and designing and implementing controls that are appropriate to mitigate those risks. * A compliance-based CSA may not capture all the high-risk issues that exist in a business unit, especially if they are not aligned with the enterprise's standards or expectations. * A risk-based CSA may identify more high-risk issues than a compliance-based CSA, because it considers both internal and external factors that may affect the business unit's performance or security. * Therefore, a difference in results between a previous control self-assessment (CSA) and an audit indicates that either one of them was not risk-based, but rather compliance-based. The references for this answer are: * Risk IT Framework, page 9 * Information Technology & Security, page 3 * Risk Scenarios Starter Pack, page 1
CRISC Exam Question 452
An insurance company handling sensitive and personal information from its customers receives a large volume of telephone requests and electronic communications daily. Which of the following is MOST important to include in a risk awareness training session for the customer service department?
Correct Answer: C
Social engineering attacks are attempts to manipulate or deceive people into revealing confidential or personal information, such as passwords, account numbers, or security codes. Customer service representatives are often targeted by social engineering attacks, as they have access to sensitive customer data and may be pressured to provide quick and satisfactory service. Therefore, it is most important to include in a risk awareness training session for the customer service department how to identify and prevent social engineering attacks, such as phishing, vishing, baiting, or impersonation. References *The role of customer service in cybersecurity - Security Intelligence *How to Improve Risk Awareness in the Workplace [+ Template] - AlertMedia *Top 4 Risks For Customer Service Teams | Resolver
CRISC Exam Question 453
Which of the following, who should be PRIMARILY responsible for performing user entitlement reviews?
Correct Answer: D
The person or entity who should be primarily responsible for performing user entitlement reviews is the data owner. A user entitlement review is a process that verifies and validates the access rights and privileges of the users to the data and resources in the IT environment. A user entitlement review helps to ensure that the users have the appropriate and necessary access to perform their roles and functions, and to prevent or detect any unauthorized or inappropriate access. A data owner is the person or entity that has the authority and responsibility to define, classify, and protect the data and resources in the IT environment. A data owner helps to perform user entitlement reviews, because they help to establish and enforce the access policies and standards for the data and resources, and to approve or revoke the access requests and changes for the users. A data owner also helps to monitor and report on the access performance and compliance for the data and resources, and to identify and address any issues or gaps in the access management activities. The other options are not the primary responsible party for performing user entitlement reviews, although they may be involved in the process. IT security manager, IT personnel, and data custodian are all examples of roles or functions that can help to support or implement the user entitlement reviews, but they do not necessarily have the authority or responsibility to define, classify, or protect the data and resources. References = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.2.1, page 5-14.
CRISC Exam Question 454
Which of the following scenarios is MOST likely to cause a risk practitioner to request a formal risk acceptance sign-off?
Correct Answer: A
Requesting a formal risk acceptance sign-off is the most likely scenario when the residual risk in excess of the risk appetite cannot be mitigated, because it indicates that the organization is willing to tolerate a higher level of risk than it normally would, and that the risk owner has the authority and accountability to accept the risk and its consequences. Risk acceptance is a risk response strategy that involves acknowledging the existence of a risk and deciding not to take any action to reduce it. Risk acceptance is usually chosen when the cost or effort of mitigating the risk outweighs the potential benefits, or when no feasible mitigation options are available. Residual risk is the risk that remains after applying controls or mitigating factors. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Inherent risk, cancellation of an initiative, change of risk appetite, and constant residual risk are all possible scenarios that may affect the risk management process, but they are not the most likely to cause a risk practitioner to request a formal risk acceptance sign-off, as they do not necessarily involve a risk owner accepting a higher level of risk than the organization's risk appetite. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.4.2, page 103
CRISC Exam Question 455
Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?
Correct Answer: C
Developing and communicating fraud prevention policies is the most effective way to reduce potential losses due to ongoing expense fraud because it creates a culture of integrity and accountability, sets clear expectations and consequences for employees, and deters fraudulent behavior. Implementing user access controls, performing regular internal audits, and conducting fraud prevention awareness training are also important controls, but they are more reactive and detective than preventive. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 4-26.