CRISC Q&A

performance metrics and indicators.

policies and standards

recent audit findings and recommendations

system and its subsystems.

Escalation processes are defined

Process deviations are not allowed

Decisions are based on business impact

Senior management judgment is required

determining whether bar code readers are installed

conducting a physical count of the tape inventory

checking whether receipts and issues of tapes are accurately recorded.

determining whether the movement of tapes is authorized

An analytical review

Compliance testing

A system log analysis

A forensic analysis

Assignment of risk owners to identified risk

Ensuring compliance with regulatory requirements

Integration of risk management into operational processes

Implementation of a risk avoidance strategy

removed from the risk log once it is accepted

keep it in the risk log

avoided next time as it provides the best response to the enterprise

reassessed periodically because the risk can be escalated to an unacceptable level due

to revised conditions

Robust information security policies

An exchange of accurate and timely information

Skilled risk management personnel

Effective process controls

firewalls.

Using a tool like wireshark

honeypot

screened subnet

To meet regulatory requirements

To meet due care requirements

To ensure that control objectives are met

To achieve compliance with standard policy

The handbook may not have been correctly translated into all languages

Newer policies may not be included in the handbook

Expired policies may be included in the handbook

The handbook may violate local laws and regulations