CRISC Domain II Flashcards

Domain II - Risk Response

1
Q

What’s the purpose of defining a risk response?

A

To ensure the residual risk is within the limits of the risk appetite and tolerance of the enterprise

2
Q

What is Risk Response based on?

A

Selecting the correct, prioritized response to risk, based on the level of risk, the enterprise’s risk tolerance and the cost-benefit advantages of the selected risk response option

3
Q

What are the risk management processes? Where does Risk Response fit?

A
  • Identification
  • Assessment
  • Evaluation
  • Monitoring
  • Risk Response integrates with risk management processes
4
Q

Risk Response ensures that management is provided with what?

A

Accurate reports on:

  • Level of risk faced by the enterprise
  • Types of incidents that have occurred
  • Any change to the enterprise’s risk profile based on changes in the (internal and external) risk environment
5
Q

Risk should always be reported based on?

A
  • The risk to the business
  • The ability of the business to meet its objectives
  • Risk to IT systems
6
Q

When is the Risk Response triggered?

A

When a risk exceeds the enterprise’s risk tolerance level

7
Q

The prioritization of the risk response and the development of the risk response plan are influenced by which parameters?

A
  • Cost of the response to reduce risk to within tolerance levels
  • Importance of the risk
  • Capability to implement the response
  • Effectiveness of the response
  • Efficiency of the response
8
Q

What are the high-level risk response process phases?

A
  • Phase 1: Review results of the risk analysis
  • Phase 2: Select risk response options
  • Phase 3: Prioritize the risk response options
  • Phase 4: Implement the risk action plan
9
Q

What should be done where the risk analysis shows risk is not within the defined risk tolerance levels?

A

Weigh projected risk versus the potential cost of implementing and maintaining controls and select the most appropriate response

10
Q

What are the four key risk response options?

A
  • Risk avoidance (avoid)
  • Risk mitigation (reduce/mitigate)
  • Risk sharing (share/transfer)
  • Risk acceptance (accept)
11
Q

Define Risk Avoidance.

A

Activities or conditions that give rise to risk are discontinued

12
Q

Risk avoidance applies when?

A

The level of risk, even after the selection of controls, would be greater than the risk tolerance level of the enterprise

13
Q

Provide Risk Avoidance examples.

A
  • Not engaging in electronic commerce (e-commerce) to avoid the risk associated with the line of business
  • Not engaging in a very large project when the business case shows a significant risk of failure
  • Not operating in some countries or regions due to safety concerns
14
Q

What are some cases of Risk Avoidance?

A
  • There is no other cost-effective response for reducing the likelihood and magnitude below the defined thresholds for risk appetite
  • The risk cannot be shared or transferred
  • The risk is deemed unacceptable by management
15
Q

What is Risk Mitigation?

A

Actions are taken to reduce the likelihood and/or the impact of risk

16
Q

What are the main control types in Risk Mitigation?

A
  • Managerial (policies)
  • Technical (tools such as firewalls and intrusion detection systems)
  • Operational (procedures, SOD)
  • Preparedness activities
17
Q

Give Risk Mitigation examples.

A
  • Strengthening overall risk management practices, such as implementing sufficiently mature risk management processes
  • Deploying new technical, management or operational controls that reduce either the likelihood or impact of an adverse event
  • Installing a new access control system
  • Implementing policies or operational procedures
  • Developing an effective incident response and business continuity plan
18
Q

What is Risk Sharing?

A

Risk impact is reduced by transferring or otherwise sharing a portion of the risk with an external enterprise or another internal entity

19
Q

Give examples of Risk Sharing.

A
  • Taking out insurance coverage for disasters or incidents
  • Outsourcing unique business processes
  • Sharing project risk with other organizations through fixed-price arrangements or shared investment arrangements
20
Q

What is an important note regarding Risk Sharing?

A

In both a physical and a legal sense, this technique does not relieve an enterprise of a risk

21
Q

What is Risk Acceptance?

A

No action is taken relative to a particular risk; loss is accepted when/if it occurs

22
Q

If an enterprise adopts a risk acceptance stance, what should it consider?

A

Who can accept the risk. It should only be accepted by senior business management in collaboration with senior management and the board

23
Q

What is an important note regarding Risk Acceptance?

A
  • Risk Acceptance is different from being ignorant of risk
  • Accepting risk assumes the risk is known and that an informed decision has been made by management to accept it

24
Q

What must be considered when selecting any of the risk mitigation options?

A
  • Goals and objectives of an enterprise
25
Q

What is the “best in class” approach to risk response consideration?

A

Use appropriate technology along with appropriate risk mitigation options and nontechnical, administrative measures

26
Q

What are the risk response selection parameters?

A
  • Cost of response
  • Importance of risk
  • Capability to implement response
  • Effectiveness of response
  • Efficiency of response
27
Q

What are the Risk Response Prioritization Options?

A
  • Quick win
  • Business case to be made
  • Deferral
28
Q

What is a Quick Win prioritization option?

A

Very effective and efficient response that addresses medium to high risk

29
Q

What is a Business case to be made prioritization option?

A

Requires careful analysis and management decisions on investments:

  • More expensive or difficult risk responses to medium to high risk
  • Efficient, effective responses to low to medium risk
30
Q

What is a Deferral prioritization option?

A

Costly risk response to a low risk

31
Q

A risk has been identified: the enterprise’s IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become expensive. What is the response and the risk prioritization option?

A

Response:
- Major rearchitecture and redesign of the existing system
- Purchase of a new, integrated system
Risk Option:
- Categorized as Business case to be made because of project cost

32
Q

A risk of noncompliance with regulations is identified because a number of relatively simple procedures are missing. What is the response and the risk prioritization option?

A

Response:
- Creating the missing procedures and implementing them
Risk Option:
- Categorized as Quick Win because the allocation of existing resources or a minor resource investment provides measurable benefits

33
Q

What is contained in a risk response plan?

A
  • Steps, timelines, budgets, people and tools needed to implement the risk response strategy
34
Q

Which risk response factors should be taken into account?

A
  • Stakeholder interests
  • Acceptance of change
  • Balance of technical and nontechnical solutions
  • Cost
  • Impact on productivity
  • Ownership of controls
  • Ability to audit and monitor risk
  • Regulations
  • Changing market conditions
35
Q

As part of a risk response, the ongoing status of the risk mitigation process must be tracked. How is this done?

A
  • Tracking is often done using a risk register
36
Q

Why is it important to use a risk register?

A

To ensure the risk response strategy remains active and proposed controls are implemented according to schedule

37
Q

What happens when an enterprise is aware of a risk but does not have a justifiable risk response strategy, or is not following its strategy?

A

The liability of the enterprise to adverse publicity or even civil or criminal penalties increases

38
Q

What should a risk practitioner always look to achieve?

A

Greater efficiency by integrating risk response options to address more than one risk

39
Q

What is the result of using techniques that are versatile and enterprisewide rather than individual solutions? Give an example.

A
  • It provides better justification for risk response strategies and related costs
  • Example: Deploying an access control system that supports more than one system
40
Q

The implementation of IS controls should consider?

A
  • Controls are tested prior to implementation whenever possible
  • People are trained in the use of the tools
  • A control owner is clearly identified and responsible for the control
  • The control is measurable
  • The control is monitored to ensure that it remains effective over time
41
Q

What are the Phases of the Risk Response Process?

A
  • Phase 1: Articulate risk
  • Phase 2: Manage risk
  • Phase 3: React to risk events
42
Q

Explain Phase 1 of the risk response process and what it requires.

A

Phase 1 is Articulate Risk. Requires articulating (documenting and reporting) risk to ensure information on the true state of exposures and opportunities is made available in a timely manner and to the right people to enable the appropriate response

43
Q

What are the tasks associated with Phase 1 - Risk Articulation?

A

Task 1: Communicate risk analysis results
Task 2: Report risk management activities and the state of compliance
Task 3: Interpret independent risk assessment findings
Task 4: Identify business opportunities

44
Q

What are the steps to communicate risk analysis results? What Task is this associated with?

A

Step 1: Report the results of risk analysis in terms and formats useful to support business and risk management decisions
Step 2: Coordinate additional risk analysis as required by decision makers (report rejection and scope adjustments)
Step 3: Clearly communicate the risk-return context, including, wherever possible, probabilities of loss and/or gain, ranges, and confidence levels that enable management to balance risk-return ratios
Step 4: Identify the negative impacts of events/scenarios that drive response decisions and the positive impacts that represent opportunities that management should channel back into the strategy and objective setting process
Step 5: Provide decision makers with an understanding of:
- Worst case and most probable scenarios
- Due diligence exposures
- Significant reputation, legal or regulatory considerations

  • Associated with Task 1: Communicate Risk Analysis Results
45
Q

What are the steps to Report Risk Management Activities and State of Compliance? What Task is this associated with?

A

Step 1: Meet the risk reporting needs of various stakeholders
Step 2: Apply the principles of relevance, efficiency, timeliness and accuracy to ensure strategic and efficient reporting on risk issues and status
Step 3: When reporting, include the following:
- Control effectiveness and performance
- Issues and gaps
- Remediation status
- Events and incidents
- Impacts of events and incidents on the risk profile
- Performance of risk management process
Step 4: Provide inputs to integrated enterprise reporting

  • Associated with Task 1: Communicate Risk Analysis Results