Most Recent Isaca CRISC Exam Dumps

A risk register is a tool that records and tracks the identified risks, their causes, impacts, likelihood, responses, and owners. A decentralized risk register is maintained by each business unit or function, while a consolidated risk register is maintained at the enterprise level. The greatest concern with maintainingdecentralized risk registers instead of a consolidated risk register is that the aggregated risk may exceed the enterprise's risk appetite and tolerance. Risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives, while risk tolerance is the acceptable level of variation around the objectives. If the risk registers are not consolidated, the enterprise may not have a holistic view of its risk profile and may not be able to prioritize and allocate resources effectively. The other options are also concerns, but they are not as significant as the potential misalignment between the aggregated risk and the enterprise's risk appetite and tolerance.Reference:= Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.2.2, pp. 21-22.

Unavailability of critical IT systems poses the greatest risk to an organization's operations during a major IT transformation, because it can disrupt the business continuity, productivity, and performance of the organization. Unavailability of critical IT systems can also cause financial, reputational, or legal damages to the organization, and affect the quality and delivery of products or services to the customers. The other options are not the greatest risks, although they may also pose some challenges or threats to the organization during a major IT transformation. Lack of robust awareness programs, infrequent risk assessments of key controls, and rapid changes in IT procedures are examples of management or process risks that can affect the planning, execution,or monitoring of the IT transformation, but they do not have the same impact or severity as the unavailability of critical IT systems.Reference:=CRISC: Certified in Risk & Information Systems Control Sample Questions

The most important concern to address when formulating a social media policy to address information leakage is sharing company information on social media. Information leakage is the unauthorized or unintentional disclosure of confidential or sensitive information to unauthorized parties. Social media is a platform that enables the users to create and share content, such as text, images, videos, or links, with other users or the public. Sharing company information on social media is the most important concern, as it could expose the company's trade secrets, intellectual property, customer data, financial data, or strategic plans to competitors, hackers, or regulators. Sharing company information on social media could also damage the company's reputation, trust, or credibility, and result in legal or regulatory penalties, fines, or lawsuits. Therefore, a social media policy should clearly define what constitutes company information, and what are the rules and guidelines for sharing or not sharing company information on social media. A social media policy should also specify the roles and responsibilities of the employees, managers, and the social media team, and the consequences and sanctions for violating the policy. Sharing personal information on social media, using social media to maintain contact with business associates, and using social media for personal purposes during working hours are not as important as sharing company information on social media, as they do not directly involve the leakage of company information, and they may not have significant impact or risk on the company.Reference:= CRISC Review Manual, 6th Edition, ISACA, 2015, page 217

Business process owners would provide the most important input when identifying IT risk scenarios.IT risk scenarios are the situations or events that may affect the organization's objectives, operations, or performance due to the use of information andtechnology1.Identifying IT risk scenarios means finding,recognizing, and describing the IT risks that the organization faces, as well as their sources, drivers, consequences, and responses2.Business process owners are the persons or entities who are responsible for the design, implementation, and operation of the business processes that support the organization's goals and values3. Business process owners would provide the most important input when identifying IT risk scenarios, because they can:

Provide the context and perspective of the business objectives, strategies, and requirements that are affected or supported by the IT risks and controls;

Identify and prioritize the IT risks that are relevant and significant to their business processes, as well as the IT assets and resources that are involved or impacted by the IT risks;

Evaluate and communicate the likelihood and impact of the IT risks on their business processes, as well as the risk appetite and tolerance of their business units;

Suggest and implement the most suitable and effective IT risk response actions or measures to mitigate the IT risks, as well as monitor and report on the IT risk and control performance;

Align and integrate the IT risk management activities and outcomes with the business risk management framework, policies, and standards. The other options are not the most important roles for providing input when identifying IT risk scenarios, as they are either less relevant or less specific than business process owners.Information security managers are the persons or entities who are responsible for the planning, implementation, and maintenance of the information security measures and controls that protect the confidentiality, integrity, and availability of the organization's data and systems4. Information security managers can provide input when identifying IT risk scenarios, because they can:

Provide the expertise and guidance on the information security risks and controls that are related to the use of information and technology;

Identify and assess the information security vulnerabilities and threats that may affect the organization's data and systems, as well as the information security assets and resources that are involved or impacted by the information security risks;

Recommend and implement the most appropriate and effective information security risk response actions or measures to reduce or eliminate the information security risks, as well as monitor and report on the information security risk and control performance;

Align and integrate the information security risk management activities and outcomes with the information security framework, policies, and standards. However, information security managers are not the most important roles for providing input when identifying IT risk scenarios, because they may not have the full understanding or visibility of the business objectives, strategies, and requirements that are affected or supported by the IT risks and controls, or the risk appetite and tolerance of the business units.Internal auditors are the persons or entities who areresponsible for theindependent and objective assurance and consulting on the effectiveness and efficiency of the organization's governance, risk management, and internal control system5. Internal auditors can provide input when identifying IT risk scenarios, because they can:

Provide the assurance and validation on the design and operation of the IT risks and controls that are related to the use of information and technology;

Identify and evaluate the IT risk and control gaps or deficiencies that may affect the organization's objectives, operations, or performance, as well as the IT risk and control objectives and activities that are involved or impacted by the IT risk and control gaps or deficiencies;

Report and recommend improvements or enhancements to the IT risks and controls, as well as follow up and verify the implementation and effectiveness of the IT risk and control improvements or enhancements;

Align and integrate the IT risk and control assurance and consulting activities and outcomes with the internal audit framework, policies, and standards. However, internal auditors are not the most important roles for providing input when identifying IT risk scenarios, because they may not have the authority or responsibility to implement or operate the IT risks and controls, or to decide or prioritize the IT risk response actions or measures.Operational risk managers are the persons or entities who are responsible for the identification, analysis, evaluation, and treatment of the risks that arise from the failures or inadequacies of the organization's people, processes, systems, or external events6. Operational risk managers can provide input when identifying IT risk scenarios, because they can:

Provide the oversight and coordination of the operational risk management activities and performance across the organization, including the IT risks and controls that are related to the use of information and technology;

Identify and prioritize the operational risks that are relevant and significant to the organization, as well as the operational assets and resources that are involved or impacted by the operational risks;

Evaluate and communicate the likelihood and impact of the operational risks on the organization, as well as the risk appetite and tolerance of the organization;

Suggest and implement the most suitable and effective operational risk response actions or measures to mitigate the operational risks, as well as monitor and report on the operational risk and control performance;

Align and integrate the operational risk management activities and outcomes with the operational risk management framework, policies, and standards. However, operational risk managers are not the most important roles for providing input when identifying IT risk scenarios, because they may not have the specific knowledge or expertise on the IT risks and controls that are related to the use of information and technology, or the context and perspective of the business processes that are affected or supported by the IT risks and controls.Reference:= Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1, Page 85.