ISACA CRISC Practice Test

Certified in Risk and Information Systems Control

Last exam update: Aug 15, 2025
Page 1 out of 73. Viewing questions 1-15 out of 1089

Question 1 Topic 4

Which of the following is MOST helpful in preventing risk events from materializing?

  • A. Maintaining the risk register
  • B. Reviewing and analyzing security incidents
  • C. Establishing key risk indicators (KRIs) Most Votes
  • D. Prioritizing and tracking issues
Answer: B

User Votes: A 7 votes, B 11 votes, C 18 votes, D 7 votes

Discussions
SowndharyaRaj
10 months, 2 weeks ago

Asdffgghhjjk

hmsrumi
6 months, 4 weeks ago

C. Establishing key risk indicators (KRIs)

Pronel
6 months ago

A. Maintaining the risk register

Agnes
3 months ago

Key Risk Indicators (KRIs) are metrics used to provide early signals of increasing risk exposures in various areas of an organization. KRIs help organizations detect potential issues before they become actual problems, allowing for proactive risk management and mitigation. This makes them most helpful in preventing risk events from materializing.

Here's how the other options compare:

A. Maintaining the risk register: Important for documentation and tracking known risks, but it is more about record-keeping than prevention.

B. Reviewing and analyzing security incidents: Valuable for reactive analysis and improving future defenses, but it addresses risks after they have occurred.

D. Prioritizing and tracking issues: Useful for managing known issues, not for early identification or preventing potential risks.

shiekhsahb
1 month, 3 weeks ago

Key Risk Indicators (KRIs) are early warning signals used to help identify potential risk events before they occur. They are proactive tools that monitor changes in risk exposure and trigger timely mitigation actions.

Let’s break down the other options:

A. Maintaining the risk register
→ This is important for documentation and tracking, but it is largely a reactive tool. It helps manage known risks but doesn’t actively prevent them from occurring.

B. Reviewing and analyzing security incidents
→ Valuable for lessons learned and improving future responses, but again, this is after-the-fact, not preventative.

D. Prioritizing and tracking issues
→ Important for response and resolution, but this comes into play once the risk has materialized.
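
The comments above describe KRIs as early-warning metrics that trigger action before tolerance is breached. As an added example (not from the original page or any commenter's post), the following Python shows how such indicators are operationalised: each KRI carries an amber (investigate) and a red (escalate) threshold, the latest observation is rated against them, and the trend over earlier periods decides whether an amber reading is already moving the wrong way. The metric names, thresholds and observation series are constructed for illustration.

```python
# Added illustration of KRIs as early-warning metrics with thresholds and trend.
# Not from the original page; metric names, thresholds and data are constructed.
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float              # early-warning level: investigate
    red: float                # escalation level: exposure is approaching tolerance
    higher_is_worse: bool = True


def status(kri: KRI, value: float) -> str:
    """Rate the latest observation against the KRI's thresholds."""
    if kri.higher_is_worse:
        if value >= kri.red:
            return "red"
        return "amber" if value >= kri.amber else "green"
    if value <= kri.red:
        return "red"
    return "amber" if value <= kri.amber else "green"


def trend(kri: KRI, series: list[float]) -> str:
    """Direction of the latest value relative to the mean of earlier observations."""
    if len(series) < 2:
        return "flat"
    delta = series[-1] - mean(series[:-1])
    if abs(delta) < 1e-9:
        return "flat"
    return "worsening" if (delta > 0) == kri.higher_is_worse else "improving"


def evaluate(kris: list[KRI], observations: dict[str, list[float]]) -> dict[str, dict]:
    """Build a report; escalate on red, or on amber that is still moving the wrong way."""
    report = {}
    for kri in kris:
        series = observations[kri.name]
        st = status(kri, series[-1])
        tr = trend(kri, series)
        report[kri.name] = {
            "value": series[-1],
            "status": st,
            "trend": tr,
            "escalate": st == "red" or (st == "amber" and tr == "worsening"),
        }
    return report


# Constructed KRIs and four reporting periods of observations (oldest first).
KRIS = [
    KRI("unpatched_critical_systems_pct", amber=5.0, red=10.0),
    KRI("failed_logins_per_1k_users", amber=50.0, red=100.0),
    KRI("mean_time_to_patch_days", amber=14.0, red=30.0),
    KRI("backup_success_rate_pct", amber=98.0, red=95.0, higher_is_worse=False),
]
OBSERVATIONS = {
    "unpatched_critical_systems_pct": [2.0, 3.0, 4.5, 6.0],
    "failed_logins_per_1k_users": [20.0, 22.0, 19.0, 21.0],
    "mean_time_to_patch_days": [35.0, 28.0, 20.0, 12.0],
    "backup_success_rate_pct": [99.5, 99.0, 97.5, 94.0],
}


def kri_report() -> dict[str, dict]:
    return evaluate(KRIS, OBSERVATIONS)


if __name__ == "__main__":
    for name, row in kri_report().items():
        flag = "ESCALATE" if row["escalate"] else "ok"
        print(f"{name:32} {row['value']:>6} {row['status']:6} {row['trend']:10} {flag}")
```

The point of the trend check is the one the commenters make: an amber reading that is still climbing is acted on before it reaches red, which is what makes the KRI preventive rather than a record of an event that has already happened.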


Question 2 Topic 4

An organization will be impacted by a new data privacy regulation due to the location of its production facilities. What action should the risk practitioner take when evaluating the new regulation?

  • A. Perform an analysis of the new regulation to ensure current risk is identified. Most Votes
  • B. Evaluate if the existing risk responses to the previous regulation are still adequate.
  • C. Assess the validity and perform update testing on data privacy controls.
  • D. Develop internal control assessments over data privacy for the new regulation.
Answer: A

User Votes: A 14 votes, B 5 votes, C 3 votes, D 5 votes

Discussions
shiekhsahb
1 month, 3 weeks ago

The correct answer is: A. Perform an analysis of the new regulation to ensure current risk is identified.

✅ Explanation:
When a new regulation is introduced, especially one that has a geographic impact on the organization's operations (like production facilities), the first and most critical step is to understand the new regulation itself. Without knowing the requirements and implications of the regulation, it’s impossible to:

Know what new risks are introduced

Determine if current controls are adequate

Decide whether new assessments or tests are necessary

This makes Option A the most foundational and strategic step.

Let’s evaluate the other choices:

B. Evaluate if the existing risk responses to the previous regulation are still adequate
→ This assumes the old regulation is still relevant and similar to the new one. Without analyzing the new regulation, this could lead to blind spots.

C. Assess the validity and perform update testing on data privacy controls
→ This is a good st


Question 3 Topic 4

An organization has provided legal text explaining the rights and expected behavior of users accessing a system from geographic locations that have strong privacy regulations. Which of the following control types has been applied?

  • A. Detective
  • B. Preventive
  • C. Compensating
  • D. Directive Most Votes
Answer: D

User Votes: A 3 votes, B 9 votes, C (no votes shown), D 13 votes

Discussions
shiekhsahb
1 month, 3 weeks ago

The correct answer is: D. Directive

✅ Explanation:
A directive control is designed to guide or influence behavior in line with policies, procedures, or laws. Providing legal text that outlines user rights and expected behaviors is a classic example of a directive control, as it communicates what users should or should not do—often seen in the form of:

Acceptable Use Policies (AUPs)

Privacy Notices

Terms of Use

Warning Banners

These do not block or detect behavior but aim to shape user behavior in advance.

Let’s compare the other options:

A. Detective
→ These controls identify events that have already occurred (e.g., logs, alerts). This option is incorrect as the legal text does not detect anything.

B. Preventive
→ Preventive controls stop an event from occurring (e.g., firewalls, access restrictions). While directive controls may support prevention, they are not inherently preventive.

C. Compensating
→ These are alternative controls used when primary controls are not feasible


Question 4 Topic 4

Which of the following would present the MOST significant risk to an organization when updating the incident response plan?

  • A. Undefined assignment of responsibility Most Votes
  • B. Obsolete response documentation
  • C. Increased stakeholder turnover
  • D. Failure to audit third-party providers
Answer: A

User Votes: A 15 votes, B 5 votes, C (no votes shown), D 3 votes

Discussions
shiekhsahb
1 month, 3 weeks ago

The correct answer is: A. Undefined assignment of responsibility

✅ Explanation:
In an incident response plan (IRP), the assignment of responsibility is critical. If roles and responsibilities are not clearly defined, the entire response effort can fall apart during a real incident—causing delays, confusion, and ineffective containment or remediation.

Why this is the MOST significant risk:

During an incident, timing is critical. If it's unclear who is responsible for what, the response will be disorganized, potentially escalating the impact.

It affects all phases of incident response: detection, containment, eradication, recovery, and communication.

Even with well-written procedures, lack of ownership renders them useless in practice.

Let’s review the other options:

B. Obsolete response documentation
→ Important, but less critical than undefined responsibilities. Outdated documents can be compensated for if roles are clear and experienced responders are involved.

C. Increased st


Question 5 Topic 4

A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

  • A. Identify resources for implementing responses.
  • B. Prepare a business case for the response options.
  • C. Update the risk register with the results. Most Votes
  • D. Develop a mechanism for monitoring residual risk.
Answer: C

User Votes: A 2 votes, B 6 votes, C 12 votes, D 1 vote

Question 6 Topic 4

Which of the following BEST helps to identify significant events that could impact an organization?

  • A. Vulnerability analysis
  • B. Scenario analysis
  • C. Heat map analysis
  • D. Control analysis
Answer: A

User Votes: A 9 votes, B 5 votes, C 4 votes, D (no votes shown)

Question 7 Topic 4

A risk practitioner is presenting the risk profile to management, indicating an increase in the number of successful network attacks. This information would be MOST helpful to:

  • A. determine the availability of network resources.
  • B. justify additional controls. Most Votes
  • C. justify investing in a log collection system.
  • D. determine the frequency of monitoring.
Answer: B

User Votes: A (no votes shown), B 13 votes, C 3 votes, D 3 votes

Question 8 Topic 4

Which of the following MOST effectively limits the impact of a ransomware attack?

  • A. End user training
  • B. Cyber insurance
  • C. Data backups
  • D. Cryptocurrency reserve
Answer: A

User Votes: A 6 votes, B 2 votes, C 9 votes, D 1 vote

Discussions
shiekhsahb
1 month, 2 weeks ago

The correct answer is: C. Data backups

✅ Explanation:
Data backups are the most effective control for limiting the impact of a ransomware attack. Ransomware typically encrypts data and demands payment (usually in cryptocurrency) to unlock it. If you have secure, recent, and tested backups, you can:

Restore affected systems without paying the ransom.

Minimize downtime and data loss.

Avoid validating the attacker's business model by refusing to pay.

Let’s evaluate the other choices:

A. End user training
→ Very important for preventing ransomware (by avoiding phishing clicks, etc.), but once an attack occurs, training does not limit the impact.

B. Cyber insurance
→ Helps mitigate financial losses after an attack, but does not limit operational or data impact during the attack.

D. Cryptocurrency reserve
→ Suggests preparing to pay the ransom. This is not recommended by authorities and doesn't reduce the impact, just enables payment — and even then, recovery isn't guaranteed.
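
The comment above rests on backups being "secure, recent, and tested". As an added example (not from the original page or the commenter), the following Python checks those three properties for a backup set: recency against a recovery point objective, integrity against a hash manifest, and a test restore into an isolated directory that is re-verified from disk. The files, timestamps, RPO and the simulated tampering are constructed; the manifest is assumed to live somewhere the attacker cannot rewrite (immutable or offline storage), otherwise the integrity check proves nothing.

```python
# Added illustration of verifying "secure, recent, and tested" backups against ransomware.
# Not from the original page; files, timestamps, RPO and tampering are constructed.
from __future__ import annotations

import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup_set(files: dict[str, bytes], taken_at: datetime):
    """Snapshot the files and record a hash manifest alongside them.
    Assumption: the manifest is kept in immutable/offline storage, so an attacker
    who encrypts the backup repository cannot also rewrite the recorded hashes."""
    manifest = {
        "taken_at": taken_at.isoformat(),
        "files": {name: sha256(data) for name, data in files.items()},
    }
    return dict(files), manifest


def verify_backup(blobs: dict[str, bytes], manifest: dict, now: datetime, rpo: timedelta) -> list[str]:
    """Return findings; an empty list means the backup is recent, intact and restorable."""
    findings: list[str] = []

    # Recent: the newest backup must lie inside the recovery point objective.
    age = now - datetime.fromisoformat(manifest["taken_at"])
    if age > rpo:
        findings.append(f"stale: backup age {age} exceeds RPO {rpo}")

    # Intact: every manifested file is present and matches its hash; nothing unlisted.
    for name, digest in manifest["files"].items():
        if name not in blobs:
            findings.append(f"missing: {name}")
        elif sha256(blobs[name]) != digest:
            findings.append(f"corrupt: {name}")
    for name in blobs.keys() - manifest["files"].keys():
        findings.append(f"unexpected: {name}")

    # Tested: restore into an isolated directory and re-verify what actually landed on disk.
    with tempfile.TemporaryDirectory() as restore_dir:
        for name, data in blobs.items():
            if os.path.basename(name) != name:  # refuse path traversal from a hostile manifest
                findings.append(f"unsafe name: {name}")
                continue
            with open(os.path.join(restore_dir, name), "wb") as fh:
                fh.write(data)
        for name, digest in manifest["files"].items():
            path = os.path.join(restore_dir, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    if sha256(fh.read()) != digest:
                        findings.append(f"restore mismatch: {name}")
    return findings


# Constructed sample data.
FILES = {"customers.db": b"id,name\n1,Alice\n2,Bob\n", "config.yaml": b"retention_days: 30\n"}
NOW = datetime(2025, 8, 15, 12, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)


def good_backup() -> list[str]:
    """Six-hour-old backup, untouched: expected to produce no findings."""
    blobs, manifest = make_backup_set(FILES, NOW - timedelta(hours=6))
    return verify_backup(blobs, manifest, NOW, RPO)


def tampered_stale_backup() -> list[str]:
    """Three-day-old backup whose database file was overwritten in the repository
    (simulating ransomware that reached the backup target as well)."""
    blobs, manifest = make_backup_set(FILES, NOW - timedelta(days=3))
    blobs["customers.db"] = bytes(b ^ 0x5A for b in blobs["customers.db"])
    return verify_backup(blobs, manifest, NOW, RPO)


if __name__ == "__main__":
    print("good:", good_backup() or "no findings")
    print("tampered:", tampered_stale_backup())
```

Running the restore step on every cycle, not just the hash comparison, is what distinguishes a tested backup from one that merely exists; a backup that fails this check is exactly the case where cyber insurance or a ransom payment would otherwise become the fallback.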


Question 9 Topic 4

A company has recently acquired a customer relationship management (CRM) application from a certified software vendor. Which of the following will BEST help to prevent technical vulnerabilities from being exploited?

  • A. Verify the software agreement indemnifies the company from losses.
  • B. Update the software with the latest patches and updates. Most Votes
  • C. Review the source code and error reporting of the application.
  • D. Implement code reviews and quality assurance on a regular basis.
Answer: B

User Votes: A 2 votes, B 13 votes, C 1 vote, D 2 votes

Discussions
shiekhsahb
1 month, 2 weeks ago

The correct answer is: B. Update the software with the latest patches and updates

✅ Explanation:
Applying latest patches and updates is the most effective and practical way to prevent technical vulnerabilities from being exploited in third-party software like a CRM system.

Here’s why:

Vendors often release patches to fix known security flaws.

Unpatched software is one of the top attack vectors for cybercriminals.

Timely updates close security gaps before they can be exploited in the wild.

Let’s assess the other options:

A. Verify the software agreement indemnifies the company from losses
→ This is a legal protection, not a technical control. It may help post-incident, but it doesn’t prevent exploitation.

C. Review the source code and error reporting of the application
→ For third-party commercial software, source code is rarely available. Even if it is, code review isn't as effective as regular patching.

D. Implement code reviews and quality assurance on a regular basis
→ This


Question 10 Topic 4

A risk practitioner has been asked to evaluate the adoption of a third-party blockchain integration platform based on the value added by the platform and the organization's risk appetite. Which of the following is the risk practitioner's BEST course of action?

  • A. Update the risk register with the process changes.
  • B. Review risk related to standards and regulations.
  • C. Conduct a risk assessment with stakeholders. Most Votes
  • D. Conduct third-party resilience tests.
Answer: C

User Votes: A 1 vote, B 2 votes, C 11 votes, D 1 vote

Discussions
shiekhsahb
1 month, 2 weeks ago

The correct answer is: C. Conduct a risk assessment with stakeholders

✅ Explanation:
When evaluating a new technology or integration—such as a third-party blockchain platform—in the context of value and risk appetite, the first and most important step is to perform a risk assessment involving key stakeholders.

This is the best course of action because it allows the risk practitioner to:

Understand the business objectives and value proposition.

Identify risks related to integration, security, compliance, and third-party exposure.

Align the decision with the organization’s risk appetite.

Get input from relevant stakeholders, including IT, legal, compliance, and business units.

Let’s evaluate the other options:

A. Update the risk register with the process changes
→ This comes after the risks have been assessed and validated. It's documentation, not decision-making.

B. Review risk related to standards and regulations
→ Important, but it’s just one part of a comprehensive risk asse


Question 11 Topic 4

The PRIMARY reason for prioritizing risk scenarios is to:

  • A. facilitate risk response decisions. Most Votes
  • B. support risk response tracking.
  • C. assign risk ownership.
  • D. provide an enterprise-wide view of risk.
Answer: A

User Votes: A 11 votes, B (no votes shown), C 3 votes, D 2 votes

Discussions
shiekhsahb
1 month, 2 weeks ago

The correct answer is: A. Facilitate risk response decisions

✅ Explanation:
The primary reason for prioritizing risk scenarios is to enable informed decision-making about which risks to respond to first—based on their impact, likelihood, and alignment with business objectives.

By prioritizing, organizations can:

Allocate resources efficiently.

Focus on the most critical risks.

Decide on the most appropriate response (e.g., mitigate, accept, transfer, or avoid).

Let’s evaluate the other options:

B. Support risk response tracking
→ Tracking happens after the response has been decided and implemented. It's important, but not the primary reason for prioritization.

C. Assign risk ownership
→ Ownership is important, but prioritization is not a prerequisite to assigning owners. In fact, ownership might be assigned even before full prioritization.

D. Provide an enterprise-wide view of risk
→ An enterprise-wide view is a result of consolidated risk analysis, but prioritization is done


Question 12 Topic 4

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

  • A. Reviewing access control lists
  • B. Performing user access recertification
  • C. Authorizing user access requests Most Votes
  • D. Terminating inactive user access
Answer: C

User Votes: A 3 votes, B 2 votes, C 10 votes, D (no votes shown)

Discussions
shiekhsahb
1 month, 2 weeks ago

The correct answer is: C. Authorizing user access requests

✅ Explanation:
Authorizing user access requests is a sensitive decision-making responsibility that should always remain within the organization, even if provisioning or technical actions are outsourced to a third party.

Here’s why:

Authorization requires business context—only someone inside the organization knows whether a user should have access based on their role, responsibilities, or need-to-know basis.

Delegating this decision to an external party could result in unauthorized access, violating least privilege or compliance requirements (e.g., SOC 2, ISO 27001).

Now, evaluating the other options:

A. Reviewing access control lists
→ Can be outsourced as it is more operational and can be done with agreed criteria or oversight.

B. Performing user access recertification
→ Can involve both internal and external parties, though typically led by internal managers or auditors.

D. Terminating inactive user access
→ Can be au
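
The comment above argues that the authorization decision stays in-house even when the vendor performs the provisioning. As an added example (not from the original page or the commenter), the following Python shows one way to enforce that split technically: an internal authorization service signs each approved request (user, system, role, expiry) with a key the vendor never holds, and an internal gateway in front of the directory refuses any provisioning action that lacks a valid ticket, reuses one, or differs from what was approved. The ticket format, key handling and scenarios are constructed; HMAC is used because both signer and verifier are internal components, so a shared key is acceptable (a verifier outside the organization would call for an asymmetric signature instead).

```python
# Added illustration of keeping access authorization in-house while provisioning is outsourced.
# Not from the original page; ticket format, key handling and scenarios are constructed.
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def _canonical(ticket: dict) -> bytes:
    """Deterministic encoding of the signed fields (everything except the signature)."""
    body = {k: v for k, v in ticket.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuthorizationService:
    """Internal: a business owner records the access decision and the service signs it."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def approve(self, approver: str, user: str, system: str, role: str, now: int, ttl_s: int) -> dict:
        ticket = {"id": secrets.token_hex(8), "approver": approver, "user": user,
                  "system": system, "role": role, "exp": now + ttl_s}
        ticket["sig"] = hmac.new(self._key, _canonical(ticket), hashlib.sha256).hexdigest()
        return ticket


class ProvisioningGateway:
    """Internal enforcement point in front of the directory. The outsourced
    provisioning team can change accounts only through it, and only with a
    valid ticket that exactly matches the change being made."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._used_ids: set[str] = set()
        self.directory: dict[tuple[str, str], str] = {}

    def provision(self, request: dict, ticket: dict, now: int) -> str:
        expected = hmac.new(self._key, _canonical(ticket), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(ticket.get("sig", ""))):
            return "rejected: signature invalid"
        if ticket["exp"] <= now:
            return "rejected: authorization expired"
        if ticket["id"] in self._used_ids:
            return "rejected: authorization already used"
        approved = (ticket["user"], ticket["system"], ticket["role"])
        requested = (request["user"], request["system"], request["role"])
        if approved != requested:
            return "rejected: request differs from what was authorized"
        self._used_ids.add(ticket["id"])
        self.directory[(request["user"], request["system"])] = request["role"]
        return "provisioned"


def run_scenarios() -> dict[str, str]:
    """Constructed scenarios: one legitimate action and four the gateway must refuse."""
    key = secrets.token_bytes(32)               # held only by the organization
    authz = AuthorizationService(key)
    gateway = ProvisioningGateway(key)
    now = 1_700_000_000

    ticket = authz.approve("crm.owner", "jdoe", "crm", "sales-readonly", now, ttl_s=3600)
    ok_request = {"user": "jdoe", "system": "crm", "role": "sales-readonly"}
    escalated = {"user": "jdoe", "system": "crm", "role": "crm-admin"}
    forged = dict(ticket, role="crm-admin")     # vendor edits the role but cannot re-sign
    expired = authz.approve("crm.owner", "asmith", "crm", "sales-readonly", now - 7200, ttl_s=3600)

    return {
        "legitimate": gateway.provision(ok_request, ticket, now),
        "replay": gateway.provision(ok_request, ticket, now + 1),
        "escalation": gateway.provision(
            escalated, authz.approve("crm.owner", "jdoe", "crm", "sales-readonly", now, 3600), now),
        "forged": gateway.provision(escalated, forged, now),
        "expired": gateway.provision(
            {"user": "asmith", "system": "crm", "role": "sales-readonly"}, expired, now),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:10} {outcome}")
```

The gateway never decides whether jdoe should have access; it only checks that someone inside the organization already did, for exactly this change, recently, and once. That is the accountability the comment says must not leave the organization, reduced to a control the vendor cannot bypass.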


Question 13 Topic 4

In order to determine if a risk is under-controlled, the risk practitioner will need to:

  • A. determine the sufficiency of the IT risk budget
  • B. monitor and evaluate IT performance
  • C. identify risk management best practices
  • D. understand the risk tolerance Most Votes
Answer: D

User Votes: A (no votes shown), B (no votes shown), C (no votes shown), D 15 votes

Discussions
shiekhsahb
1 month, 2 weeks ago

The correct answer is: D. Understand the risk tolerance

✅ Explanation:
To determine if a risk is under-controlled, a risk practitioner must understand the organization’s risk tolerance—i.e., how much risk the organization is willing to accept.

A risk is considered under-controlled if its residual risk (after controls) exceeds the organization's tolerance.

Knowing tolerance levels allows the practitioner to compare current risk exposure and decide if more controls are needed.

Let’s assess the other options:

A. Determine the sufficiency of the IT risk budget
→ Budget affects implementation but doesn’t tell you whether the current risk exceeds tolerance.

B. Monitor and evaluate IT performance
→ IT performance metrics don't necessarily reflect risk posture or control effectiveness.

C. Identify risk management best practices
→ Best practices are useful, but they don’t reflect your organization's unique tolerance levels.


Question 14 Topic 4

Which of the following is the BEST way to quantify the likelihood of risk materialization?

  • A. Balanced scorecard
  • B. Business impact analysis (BIA)
  • C. Threat and vulnerability assessment Most Votes
  • D. Compliance assessments
Answer: C

User Votes: A 1 vote, B 3 votes, C 12 votes, D (no votes shown)

Discussions
shiekhsahb
1 month, 2 weeks ago

The correct answer is: C. Threat and vulnerability assessment

✅ Explanation:
A Threat and Vulnerability Assessment directly evaluates the conditions that could lead to a risk materializing, making it the best method to quantify the likelihood of a risk event.

Threats represent potential causes of unwanted incidents (e.g., hackers, natural disasters).

Vulnerabilities are weaknesses that could be exploited.

The combination of a credible threat and an exploitable vulnerability gives a measurable indication of likelihood.

Let’s assess the other options:

A. Balanced scorecard
→ Used for strategic performance measurement, not risk likelihood.

B. Business Impact Analysis (BIA)
→ Identifies impact if a risk materializes, but not how likely it is to occur.

D. Compliance assessments
→ Focus on adherence to regulations. May indicate gaps, but don’t directly quantify likelihood of threats exploiting vulnerabilities.


Question 15 Topic 4

Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

  • A. Ensuring that risk and control assessments consider fraud
  • B. Implementing processes to detect and deter fraud Most Votes
  • C. Providing oversight of risk management processes
  • D. Monitoring the results of actions taken to mitigate fraud
Answer: B

User Votes: A 3 votes, B 11 votes, C (no votes shown), D 1 vote