CRISC Exam - Study Guide
Ebook, 810 pages, 8 hours


About this ebook

Certified in Risk and Information Systems Control (CRISC) is one of the most sought-after courses in the field of risk management, auditing, control, and information security. CRISC is a globally recognized certification that validates your expertise and gives you the leverage you need in order to advance in your career. CRISC certification is key to a successful career in IT risk management. CRISC certification can showcase your expertise and assert your ability to apply a risk-based approach to planning, executing, and reporting on projects and engagements.

It helps to gain instant credibility as regards your interactions with internal stakeholders, regulators, external auditors, and customers.

As per ISACA's official website (www.isaca.org), the average salary of a CRISC holder is USD 117,000+.

Language: English
Publisher: Hemang Doshi
Release date: Apr 12, 2024
ISBN: 9798224433551

    CRISC Exam - Study Guide - Hemang Doshi

    ISACA’s Thinking Hat

    As you are all aware, ISACA's examinations are recognized across the globe, and people from all over the world enrol for them. It is therefore of utmost importance that ISACA uses jargon and terminology in its study materials and examinations that are globally accepted and not restricted to a particular country or continent. It is equally important for all of us to understand this jargon and terminology in the same way ISACA does. For this, we need to let go of our local perceptions and wear ISACA's thinking hat.

    Let us understand some important terminologies from the perspective of ISACA’s examination.

    Risk

    For ISACA's exam, do not apply any definition of 'risk' that you may already know. For ISACA, 'risk' is a simple term consisting of two elements, i.e., probability and impact. Risk is the probability of occurrence of an event that can have an impact on the objectives of the organization.

    Whenever you see the word ‘risk’, remember two elements i.e., probability and impact.

    Probability

    ISACA sometimes uses 'possibility' and 'chances' interchangeably with 'probability'.

    Impact

    Impact is also sometimes referred to as 'consequences' or 'losses'.

    Risk Management

    Risk management indicates a combination of the following processes:

    ●  Risk Assessment (risk identification, risk analysis and risk evaluation)

    ●  Risk Response

    ●  Risk Monitoring

    Risk Assessment

    Risk Assessment indicates a combination of the following three processes:

    ●  Risk Identification

    ●  Risk Analysis

    ●  Risk Evaluation

    Risk assessment is the process used to identify, analyse and evaluate risk. The results of risk assessment are used to prioritize risks and decide on the appropriate risk response option.

    Risk Analysis

    Risk analysis is the process of determining the level of risk. The level of risk can be expressed either quantitatively (i.e., as a number, percentage, dollar amount, etc.) or qualitatively (i.e., as low, medium or high risk).

    Risk Evaluation

    Risk evaluation is the process of comparing the level of risk (as arrived at from risk analysis) with the acceptable risk level (i.e., the risk appetite).

    Risk Response

    Risk response is also referred to as risk treatment.

    Risk Response / Risk Treatment

    Risk response / risk treatment includes four options:

    ●  Risk mitigation

    ●  Risk acceptance

    ●  Risk avoidance

    ●  Risk transfer

    Risk Appetite

    Risk appetite indicates an organization's willingness to take risk. It is also sometimes referred to as acceptable risk.

    Risk Tolerance

    Risk tolerance means a minor deviation from the risk appetite.

    Risk Capacity

    Risk capacity is the maximum amount of risk an organization can tolerate. Beyond this level, the existence of the organization is questionable.

    Threat & Vulnerability

    A threat indicates any factor that can cause harm to the assets of the organization. A vulnerability indicates a weakness in a process or system.

    Key Performance Indicator

    A KPI is an indicator used to measure the performance of a business target.

    Key Risk Indicator

    A KRI is an indicator used to measure the level of risk.

    Key Control Indicator

    A KCI is an indicator used to measure the effectiveness of a control.

    Threshold

    A threshold indicates the minimum requirement or maximum limit within which a KPI, KRI or KCI is expected to operate.

    Chapter 1 – Governance

    Chapter 1 consists of topics related to governance and management of IT. Chapter 1 represents 26% of the total questions in the CRISC exam. This chapter covers the following topics:

    1.1 Risk Management Concepts

    1.2 Organizational Goals, Objectives and Strategy

    1.3 IT Risk Strategy

    1.4 Organization Structure, Roles and Responsibilities

    1.5 Organization Culture

    1.6 Policies and Standards

    1.7 Business Process Review

    1.8 Organizational Assets

    1.9 Enterprise Risk Management & Risk Management Framework

    1.10 Three lines of Defence

    1.11 Risk Profile

    1.12 Risk Appetite, Tolerance and Capacity

    1.13 Legal, Regulatory and Contractual Requirements

    1.14 Professional Ethics for Risk Management

    1.1 Risk Management Concepts

    A CRISC aspirant should have a basic understanding of risk and risk-related concepts. Let us discuss each element of risk management in detail.

    What is Risk?

    Let us look into some of the widely accepted definitions of Risk.

    From a CRISC exam perspective, you need not worry about any of the above definitions. If you observe, almost every definition speaks directly or indirectly about two terms: Probability and Impact. In its simplest form, Risk is the product of Probability and Impact.

    i.e., Risk = P * I

    (Probability is also known as likelihood, possibility, chances etc.)

    Both terms are equally important when determining risk. Let us understand this with an example. Suppose the probability of damage to a product is very high, say 1; however, the product hardly costs anything, so the impact is nil, i.e., zero, even if the product is damaged. So the risk (of rain damaging the articles) will be:

    Risk = P * I 

    i.e. Risk = 1 * 0 = 0
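The risk analysis, evaluation and response steps from the terminology section, together with the P * I calculation above, worked through as an added example that is not from the study guide. The risk register, the appetite/tolerance/capacity figures and the mapping from evaluation result to response option are constructed assumptions:

```python
"""Risk analysis (Risk = P * I), evaluation against appetite/tolerance/capacity,
and a response recommendation for a small risk register.

Added example, not from the study guide. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # likelihood of the event within a year, 0.0 to 1.0
    impact: float       # loss in USD if the event occurs


@dataclass(frozen=True)
class RiskCriteria:
    """Acceptable-risk levels set by management (constructed values, USD/year)."""
    appetite: float    # expected annual loss the organization is willing to take
    tolerance: float   # minor deviation beyond appetite that is still tolerated
    capacity: float    # maximum the organization can absorb at all


def risk_value(s: Scenario) -> float:
    """Risk analysis, quantitative form: Risk = P * I (expected annual loss)."""
    if not 0.0 <= s.probability <= 1.0:
        raise ValueError(f"probability out of range for {s.name!r}")
    return s.probability * s.impact


def risk_rating(value: float, criteria: RiskCriteria) -> str:
    """Risk analysis, qualitative form: map the number to low/medium/high."""
    if value <= criteria.appetite:
        return "low"
    if value <= criteria.tolerance:
        return "medium"
    return "high"


def evaluate(value: float, criteria: RiskCriteria) -> str:
    """Risk evaluation: compare the analysed level with the acceptable level."""
    if value <= criteria.appetite:
        return "within appetite"
    if value <= criteria.tolerance:
        return "within tolerance"
    if value <= criteria.capacity:
        return "exceeds tolerance"
    return "exceeds capacity"


# Constructed mapping from evaluation result to a risk response option.
# The four options (mitigate, accept, avoid, transfer) are the ones the guide
# lists; choosing between them beyond "accept" is the risk owner's decision.
RESPONSE = {
    "within appetite": "accept",
    "within tolerance": "accept and monitor (report the deviation from appetite)",
    "exceeds tolerance": "treat: mitigate or transfer to bring within appetite",
    "exceeds capacity": "avoid, or treat urgently: existence of the organization is at stake",
}


def assess(register, criteria):
    """Run analysis and evaluation over the register, highest risk first."""
    rows = []
    for s in register:
        value = risk_value(s)
        status = evaluate(value, criteria)
        rows.append({"name": s.name, "risk": value,
                     "rating": risk_rating(value, criteria),
                     "evaluation": status, "response": RESPONSE[status]})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed register. The last entry is the guide's worked case:
# probability 1 but impact zero, so the risk is zero.
REGISTER = [
    Scenario("ransomware on file server", probability=0.10, impact=2_000_000),
    Scenario("loss of printer hard disk data", probability=0.30, impact=50_000),
    Scenario("generic account misuse", probability=0.50, impact=40_000),
    Scenario("damage to a worthless article", probability=1.0, impact=0),
]
CRITERIA = RiskCriteria(appetite=15_000, tolerance=25_000, capacity=150_000)

if __name__ == "__main__":
    for row in assess(REGISTER, CRITERIA):
        print(f"{row['name']:<32} {row['risk']:>10,.0f} {row['rating']:<7} "
              f"{row['evaluation']:<18} -> {row['response']}")
```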

    CIA Principle

    CIA stands for Confidentiality, Integrity and Availability. Risk practitioners are required to have a strong understanding of CIA and the interrelationship between the three principles and a fourth, nonrepudiation.

    They are inversely related: increasing one of them results in decreasing at least one of the others or substantially increasing cost. For example, increasing confidentiality increases processing time, which reduces availability.

    Confidentiality

    Confidentiality refers to the privacy of data. The principle of confidentiality requires that data be available only to authorized users. Confidentiality can be ensured by the following principles:

    ●  Access on the basis of need to know

    ●  Access on the basis of least privilege

    Integrity

    Integrity refers to correctness, completeness and accuracy of data. Principle of integrity requires guarding of data against improper modification, exclusion or destruction of information. Risk practitioners need to have technical expertise to verify integrity controls. Risk practitioners must carefully determine and evaluate risk related to data integrity.

    Availability

    Availability refers to timely access to information and data. In some cases, near-real-time availability may be needed for safety and system operations. It is very important that the business determines the level of availability requirement for smooth business functioning. Gap between required level and current level of availability indicates availability risks.

    To be prepared for a natural disaster, it is appropriate to assume the worst-case scenario. This helps the organization to strengthen its ability to recover.

    Non-repudiation

    ●  Nonrepudiation refers to a positive guarantee that a given action was carried out by a given individual or process.

    ●  Nonrepudiation requires tracing of responsibility and enforcing accountability.

    ●  Nonrepudiation can be implemented through digital signatures and certificate-based authentication in a public key infrastructure (PKI).

    ●  Risk practitioners should ensure nonrepudiation is implemented for critical processes such as deletion of records or modification of data.

    ●  Public key infrastructure (PKI) allows senders to provide authentication, integrity validation and nonrepudiation.

    ●  The most important aspect of establishing non-repudiation is the use of individual, unique IDs. Non-repudiation is difficult to establish when shared or generic IDs are used, as there can be multiple users behind the same ID.
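The non-repudiation property of a digital signature, set beside a shared-secret authentication code, as an added example that is not part of the study guide. It uses a toy RSA signature over fixed Mersenne-prime keys, with SHA-256 and HMAC from the Python standard library; the key pairs, the shared secret and the order message are constructed:

```python
"""Why a digital signature gives non-repudiation and a shared secret does not.

Added example, not from the study guide. Textbook RSA with fixed Mersenne-prime
keys is used as a toy signature scheme purely to show the property: only the
private-key holder can produce a value that the public key verifies. The keys
are far too small and there is no padding; real systems use PKI-issued key
pairs with RSA-PSS, ECDSA or Ed25519.
"""
import hashlib
import hmac


def make_keypair(p: int, q: int, e: int = 65537):
    """Toy RSA key pair from two primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); fails if gcd(e, phi) != 1
    return (n, e), (n, d)


def _digest_as_int(message: bytes, n: int) -> int:
    # Hash first; the reduction mod n is only needed because the toy modulus is tiny.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the holder of the private exponent d can compute this value."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check it, so the signer cannot deny it."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


def mac_tag(shared_key: bytes, message: bytes) -> str:
    """Authentication code: integrity between the key holders, but no attribution."""
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


# Constructed keys: Alice and Bob each hold their own private key (individual IDs).
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
# A shared secret plays the role of a generic/shared credential.
SHARED_KEY = b"constructed shared secret"

ORDER = b"delete customer records batch 42"  # constructed critical action


def signature_demo():
    """Return (valid, tampered_verifies, bob_forges_alice) for Alice's signature."""
    sig = sign(ALICE_PRIV, ORDER)
    valid = verify(ALICE_PUB, ORDER, sig)
    # Integrity: the same signature does not verify over a modified order.
    tampered_verifies = verify(ALICE_PUB, ORDER.replace(b"42", b"43"), sig)
    # Non-repudiation: Bob's key cannot produce a signature attributed to Alice.
    bob_forges_alice = verify(ALICE_PUB, ORDER, sign(BOB_PRIV, ORDER))
    return valid, tampered_verifies, bob_forges_alice


def mac_demo() -> bool:
    """True when Alice's and Bob's tags are identical: the shared key cannot say who acted."""
    return mac_tag(SHARED_KEY, ORDER) == mac_tag(SHARED_KEY, ORDER)


if __name__ == "__main__":
    print("valid / tampered verifies / Bob forges Alice:", signature_demo())
    print("HMAC tag from Alice identical to tag from Bob:", mac_demo())
```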

    Key aspects from CRISC exam perspective

    Practice Questions

    1. A risk practitioner noticed that a generic account is used by two or more staff members. Which of the following is the main concern?

    A. Repudiation

    B. Segregation of duties

    C. Password Confidentiality

    D. Capturing of audit logs

    Answer: A. Repudiation

    Explanation: In the case of a generic ID, the username and password are the same for more than one user. This impacts the non-repudiation of information, as it is difficult to establish which user logged in and performed the transaction. Repudiation is the denial of a transaction by the user. None of the users can be held accountable, because each can deny accountability for transactions performed under the generic account.

    2. To ensure message integrity and non-repudiation, which of the following techniques is best?

    A. MD5 Hash

    B. Symmetric Encryption

    C. Authentication Code

    D. Public Key Encryption

    Answer: D. Public Key Encryption

    Explanation: Public key infrastructure (PKI) allows senders to provide authentication, integrity validation and nonrepudiation. Other options do not serve the objective. Symmetric encryption provides confidentiality. Hashing can provide integrity and confidentiality. Authentication codes provide integrity.

    3. While designing risk mitigation for the unavailability of IT services during a natural disaster, which of the following is the first step?

    A. Ensure availability of updated call tree.

    B. Arrangement for low cost alternate sites.

    C. Employees to be made aware of natural disasters.

    D. Worst case scenario analysis.

    Answer: D. Worst case scenario analysis.

    Explanation: The best strategy would be to consider the worst-case scenario and derive the expected impact. On the basis of the expected impact, further mitigation action can be planned. Adequate investment should be made based on an impact analysis.

    4. A risk practitioner noticed that copies of printed documents are saved on the built-in hard disk of the printer. Which of the following is the best course of action?

    A. Printer should be configured to automatically wipe all the data on disks after each print job.

    B. Risk assessment should be conducted considering the risk of disclosure of data.

    C. Printer to be replaced with other printers without any built-in hard disk.

    D. Employees to be instructed to delete the data immediately. 

    Answer: B. Risk assessment should be conducted considering the risk of disclosure of data.

    Explanation: A risk assessment will help to determine the level of risk and the appetite. On the basis of the risk assessment, appropriate risk mitigation techniques can be planned and implemented. Implementing the other options is not appropriate without a prior risk assessment, because the data may be useful for forensic investigation and the other options may impact the performance of the printer.

    5. Which of the following is the most effective measure to protect confidential information against insider threats?

    A. Log monitoring

    B. Information Security Policy

    C. Need to know basis access control

    D. Network Defense

    Answer: C. Need to know basis access control

    Explanation: Need-to-know access control provides access according to business needs; therefore, it reduces unnecessary access rights and enforces accountability. The others are important controls, but the most effective is option C.


    For more CRISC practice questions visit: https://www.udemy.com/course/crisc-with-hemang-doshi/?referralCode=D9EE73CB3445E8BB1302

    1.2 Organizational Goals, Objectives and Strategy

    IT governance is also known as enterprise governance of IT (EGIT). IT governance is a process used to monitor and control IT activities. IT governance ensures that information technology provides added value to business processes and also that IT risks are appropriately addressed. It ensures that IT activities are aligned with business objectives. The alignment of IT and business leads to the attainment of business value.

    The Board of Directors is primarily responsible for EGIT. Governance is implemented through leadership, organizational structures, policies that are set out, and performance monitoring to ensure that business objectives are achieved.

    CRISC aspirants should be aware of the following aspects of organizational goals, objectives and strategy:

    Business and IT processes should be aligned to achieve the organization's overall objectives.

    It is important that the Board of Directors and senior officials are involved in IT governance.

    Enhanced control over outsourced IT activities.

    Performance monitoring vis-à-vis generally accepted standards and benchmarking with peers.

    A structured approach to monitoring compliance with legal, regulatory, and contractual requirements.

    IT governance – success factors

    CRISC aspirants should remember the factors mentioned in this section for the successful implementation of EGIT:

    IT governance is primarily the responsibility of directors and senior management. IT governance is designed to ensure the optimal use of IT resources to support business objectives.

    The effectiveness of an IT governance implementation can be determined most effectively by ensuring the involvement of all stakeholders.

    It is very important to define the accountability of each critical function.

    The risk practitioner is required to review the organization's chart to understand the roles, responsibilities, and authority of various functionaries.

    IT can add value to the business only if IT strategies are aligned with the business strategy. The Risk practitioner should determine whether IT and business requirements are integrated and heading in the same direction. A strategic IT plan must contain a clear statement regarding the vision and mission of IT.

    The participation of senior officials is very important to ensure that the information security policy is in accordance with business objectives. Mediation between senior officials in terms of business and technology needs is the best option when it comes to improving strategic alignment.

    To achieve an organization's objective, the IT department should have long- and short-term plans. Plans should be consistent with the organization's business objectives.

    To ensure that IT continuously supports the business requirements, it is important to design an internal control framework. The internal control system should be able to detect any mismatch between IT and business alignment and correct it in a timely manner.

    Strategic IT Risk

    It is very important for a risk practitioner to have a thorough understanding of strategic-level risk. The first step is to understand the business strategy and goals of the organization. This can best be done by discussing with senior executives. Senior executives provide their view of the expectations of, and dependencies on, IT. This helps in understanding the potential risks.

    Key aspects from CRISC exam perspective


    Practice Questions

    1. The most important aspect to be considered when developing a risk management strategy for the organization is:

    A. criteria for assessing the risk

    B. complexity of technology architecture

    C. disaster recovery strategy

    D. business objectives and operations

    Answer: D. business objectives and operations

    Explanation: The main objective of a strategy is to support the business objectives and operations. When developing risk management strategies, the risk practitioner should consider the organization's goals and objectives and its tolerance for risk, and design the risk management framework accordingly. Some organizations would like to accept known risks, while others implement controls to reduce the risk. The other options are secondary aspects.


    2. What is the most effective method to ensure that IT is effective in addressing the business requirements?

    A. An internal control system or framework

    B. conducting cost benefit analysis

    C. analyzing return on investment

    D. benchmarking industry processes

    Answer: A. An internal control system or framework

    Explanation: To ensure the effectiveness of IT in addressing the business requirements, the organization should design an internal control system that monitors whether IT is aligned with the business requirements. Such a system should be able to detect any mismatch between IT and business alignment and correct it in a timely manner. The other options are secondary aspects.


    3. The most relevant risk assessment output to justify an organization's information security program is:

    A. A list of risk that may impact the organization

    B. A list of threat applicable to the organization

    C. Evaluation of the impact

    D. A list of appropriate controls for addressing risk

    Answer: D. A list of appropriate controls for addressing risk

    Explanation: Without implemented controls, an information security program will have no value. Implementing controls is the most important aspect of an information security program. Risk assessment outputs include the details of the controls necessary to reduce the risk. Controls are the prime element of any information security program and justify its existence. A list of risks is not sufficient, as it does not cover how the risk will be addressed. A list of threats is not sufficient, as it does not address how the risk will be reduced. Evaluation of the impact is not sufficient, as it does not cover how to reduce the impact by implementing controls.

    4. What should be reviewed to determine whether a risk has been mitigated to an acceptable level?

    A. IT requirements

    B. Information security requirements

    C. Requirements of international standards

    D. Organizational requirement

    Answer: D. Organizational requirement

    Explanation: Organizational requirements are derived from the goals and objectives of the organization. When determining the acceptable level of risk, organizational requirements are the prime determinant. The other options do not consider the critical factor of organizational goals and objectives and are not the prime determinant.

    5. To obtain support from senior management, business case should include: 

    A. details of the technical risk

    B. details of accepted industry practices

    C. details of successful attack against competitor

    D. details of security risk impacting business objective

    Answer: D. details of security risk impacting business objective

    Explanation: Senior management is more interested in achieving the goals and objectives of the organization. Tying security risk to key business objectives is the best way to gain support from senior management. Senior management will not be interested in knowing the technical risks or accepted industry practices or successful attack against competitor. They will be more keen to protect their business objectives.

    6. What is the main objective of developing enterprise security architecture?

    A. to align security strategies among the functional areas of the organization and external entities

    B. to ensure that external traffic do not directly communicate with internal network

    C. to facilitate the understanding of the organization’s technologies and their interactions.

    D. to monitor the organization’s internal network from external threat

    Answer: A. to align security strategies among the functional areas of the organization and external entities

    Explanation: The enterprise security architecture should align the strategies and objectives of different functional areas within the organization and facilitate structured communication with external partners, customers and suppliers. There should be coordinated efforts for effective information security. The other options are secondary aspects.


    7. Which of the following indicates that the risk practitioner needs to review the organization's risk practices?

    A. risk assessment findings are often challenged by business process owners

    B. sales department appoints its own risk officer

    C. head of the manufacturing department has approved few exceptions for manufacturing processes

    D. the finance department conducts a review of its risk management processes on a yearly basis

    Answer: A. risk assessment findings are often challenged by business process owners

    Explanation: Business process owners are generally the risk owners. They have a thorough understanding of the business processes and related risks. If they do not agree with the risk assessment findings, it suggests that the risk practices are not aligned with the business strategies. The other options are normal risk management practices and not an area of major concern.

    8. IT plan should be primarily driven by:

    A. business strategy and requirements

    B. available technology

    C. operational procedures

    D. laws and regulations

    Answer:  A. business strategy and requirements

    Explanation: Main objective of IT is to support the business strategy and objectives. IT plan should be aligned with business objectives. Other options are secondary aspects.


    9. The most significant impact of a lack of strategic planning is:

    A. high instances of licensing violations

    B. use of obsolete systems

    C. improper oversight of IT investment

    D. improper incident management process

    Answer: C. improper oversight of IT investment

    Explanation: Major risk of lack of strategic plan is improper oversight of IT investment. In absence of strategic plan, IT investment may not be aligned with business goals and objectives. Other options are secondary aspects. 

    10. What is the first step in understanding the strategic IT risk?

    A. review IT project risk.

    B. understanding organization’s strategy from senior executives.

    C. develop enterprise architecture strategy.

    D. review past IT incident reports

    Answer: B. understanding organization’s strategy from senior executives.

    Explanation: The first step is to understand the business strategy and goals of the organization. This can best be done by discussing with senior executives. Senior executives provide their view of the expectations of, and dependencies on, IT. This helps in understanding the potential risks. The other options are subsequent steps.


    11. What is the main consideration at the time of selecting a risk response technique?

    A. responding to all identified risks

    B. availability of the resources 

    C. whether risk response supports the organizational goals and objectives

    D. whether the risk response is in line with industry good practices

    Answer: C. whether risk response supports the organizational goals and objectives

    Explanation: The first and most important consideration is whether the risk response supports the goals and objectives of the organization. Risks that impact the organization's goals and objectives should be prioritized and responded to first. It is not required to respond to all risks. Availability of resources is not the prime consideration. Industry good practice is not the prime consideration.

    12. The effectiveness of an IT governance implementation can be most effectively determined by:

    A. Ensuring that the objectives are defined

    B. Ensuring the involvement of stakeholders

    C. The identification of emerging risks

    D. Ensuring that relevant enablers are determined

    Answer: B. Ensuring the involvement of stakeholders

    Explanation: The effectiveness of IT governance implementation can be determined most effectively by involving stakeholders and addressing their requirements. Considering the stakeholder's needs and involving them in the project drives its success.

    13. The Risk practitioner noted that roles and responsibilities in terms of IT governance and management are not properly documented and defined. What is the most appropriate recommendation?

    A. To review the alignment of IT with business objectives

    B. To define the accountability for each critical function

    C. To conduct an IS audit on an ongoing basis

    D. To create the role of CRO in the organization

    Answer: B. To define accountability for each critical function.

    Explanation: The IS auditor should recommend defining accountability for each critical function of the organization. Undefined responsibilities constitute a major risk in attaining business objectives. Other options will not add value if accountability and responsibility are not defined.

    14. The primary reason for reviewing the organizational chart is as follows:

    A. To understand the structure of the organization

    B. To understand various communication channels

    C. To understand the roles and responsibilities of individuals

    D. To understand the network and system architecture

    Answer: C. To understand the roles and responsibilities of individuals.

    Explanation: The primary reason for reviewing the organizational chart is to understand the roles, responsibilities, and authority of the individual. This helps in determining whether there is proper segregation of functions. Options B and D can be determined with the use of a network diagram.


    15. Which of the following is the prime consideration in determining whether IT adds value to the business?

    A. The alignment of the IT strategy with the organizational strategy

    B. Defining organizational accountability

    C. Empowering IT with the latest technology

    D. Designing a risk management process for the IT department

    Answer: A. Alignment of IT strategy with the organization's strategy.

    Explanation: IT can add value to the business only if IT strategies are aligned with business strategies. The other options are not as important as option A.

    16. A major risk associated with a lack of top management support in terms of IT strategic planning is the following:

    A. The absence of technical advancement

    B. The absence of IT processes, policies, and guidelines

    C. A lack of alignment between the technology and business objectives

    D. A lack of qualified IT staff


    Answer: C. A lack of alignment between technology and business objectives.

    Explanation: A major risk arising from the lack of involvement of senior management in supporting IT-related strategic planning is that IT activities are not aligned with business objectives. Investment in IT will be of no value if IT does not support the business objectives.


    17. The greatest concern with respect to an organization's governance model is the following:

    A. Senior management does not review information security policy

    B. The patch management policy is not documented

    C. An IS audit is only conducted once every 2 years

    D. The IT risk management program only covers critical functions

    Answer: A. Senior management does not review information security policy.

    Explanation: Participation by top management is critical in ensuring that information security policy complies with business requirements. The information security policy should be reviewed at least once a year to address new and emerging risks. An IT risk management program need not necessarily cover all the functions of the organization. Options B and C are not as critical as option A.

    18. For sound IT governance, the IT plan should be consistent with the following:

    A. The organization's business plan

    B. The organization's business continuity plan

    C. The organization's investment plan

    D. The organization's information security plan

    Answer: A. An organization's business plan.

    Explanation: For effective and sound IT governance, IT and business plans should be aligned and should be moving in the same direction. IT should add value to the business.

    19. Who among the following is responsible for IT governance?

    A. Directors

    B. Steering committee

    C. CEO

    D. CIO

    Answer: A. Directors.

    Explanation: IT governance is primarily the obligation of the Board of Directors. The Board of Directors is required to ensure that IT activities are moving in the desired direction and that IT is adding value to the business.


    20. To achieve the organization's objective, the most important consideration for an IT department is to have which of the following:

    A. A budget-oriented philosophy

    B. Long- and short-term strategies

    C. The latest technology

    D. Documented IT processes and guidelines

    Answer: B. Long- and short-term strategies.

    Explanation: To achieve an organization's objectives, the most important consideration for an IT department is to have long- and short-term plans. An organization's business objectives and IT plan should correspond. This is the most important consideration of all the options.


    For more CRISC practice questions visit: https://www.udemy.com/course/crisc-with-hemang-doshi/?referralCode=D9EE73CB3445E8BB1302

    1.3 IT Risk Strategy

    It is very important for a risk practitioner to understand a business's overall risk strategy to guide development of an IT risk strategy that aligns with organizational goals and priorities. IT risk must be measured not only by its impact on IT services but also by the impact of risk on business operations.

    The strategic IT plan is the first policy to create when developing an enterprise’s governance model. For a new entity, the first approach is to establish an IT strategy plan. Once the strategy plan is defined, policies and procedures can be designed to support the strategy plan.

    Types of IT-related Business Risk

    A CRISC aspirant is expected to understand the following risks:

    Senior Management Support


    Support from senior management is of utmost importance for the success of the risk management process. Support from senior management ensures the budget, authority, access to personnel and information, and legitimacy that will lead to a successful result.

    Senior management having a strategic view and knowledge of the performance metrics and indicators should be involved in the sign-off process of IT Risk Management.

    Interaction with senior management is the best way to understand the goals and objectives of the organization. This gives risk practitioner insight into the potential & evolving risk universe of the organization.

    Alignment of risk appetite with business goals and objectives

    Risk appetite should be aligned with business objectives. This helps an enterprise evaluate and deploy valuable resources toward the high-risk areas that can impact business objectives.

    RACI (Responsible, Accountable, Consulted, Informed)

    The four roles involved in the risk management process are Responsible, Accountable, Consulted and Informed.

    The RACI model assists in understanding the relationships or interactions between the various stakeholders and the roles of each stakeholder in the successful completion of the risk management effort.

    Organizational Culture, Ethics and Behaviour and the Impact on Risk

    Ethics plays an important role in risk management. Organizations with poor ethical standards may be more prone to the risk of fraud or theft. Ethics relates to an individual's view of what is right and what is wrong. Policies and processes should be clearly communicated to address the risk of a person violating those ethics. Processes should be visibly enforced and applied equally to all employees.

    Establishing an Enterprise Approach to Risk Management

    It is ideal to have a standardized and structured risk management approach that can be applied to the entire enterprise without substantial modification or customization. The results of risk management in one process should be comparable to the results in another.

    In the absence of a structured approach, there can be gaps in the risk measurement of different projects or systems. Risk identified on a system-by-system or project-by-project basis creates a new risk of false assurance, because there is neither consistency nor interoperability among the risk solutions that are implemented.

    A critical part of establishing the risk management process is the availability of a concise and coherent risk management policy.

    Key aspects from CRISC exam perspective

    Practice Questions

    1. Which of the following is the most critical consideration when outsourcing a project to a third-party service provider whose servers are located in a foreign country?

    A. delay in incident communication due to the time difference

    B. additional cost due to the installation of network intrusion detection systems

    C. laws and regulations of the origin country may not be enforceable in the foreign country

    D. difficulty in monitoring compliance due to geographical distance

    Answer: C. laws and regulations of the origin country may not be enforceable in the foreign country.

    Explanation: A potential violation of local laws applicable to the enterprise or the vendor may not be recognized by foreign countries, and hence the terms and conditions of the SLA may not be enforceable. The other options are not major considerations.

    2. What is the best course of action for a risk practitioner when a new law is enacted that impacts the security requirements of the organization?

    A. to analyze which systems and processes will be impacted by the new law

    B. to wait until the next review cycle

    C. to obtain information on the course of action initiated by competitors

    D. to notify the system custodians to implement changes

    Answer: A. to analyze which systems and processes will be impacted by the new law.

    Explanation: To analyze and assess what systems and technology-related processes may be impacted is the best course of action. The analysis must also determine whether existing controls already address the new requirements.

    3. Which of the following is the best approach for organizations having operations in multiple countries?

    A. Availability of a global corporate policy which excludes all disputed local level content.

    B. Availability of a global policy that can be locally amended to comply with local laws.

    C. Availability of a global policy that complies with law at corporate headquarters and that all employees must follow.

    D. Availability of local policies to include laws within each region.

    Answer: B. Availability of a global policy that can be locally amended to comply with local laws.

    Explanation: Option B is the only way to minimize the effort and also be in line with local laws.

    4. An enterprise operating in multiple countries has a single employee handbook, published in multiple languages, that applies to all employees. Which of the following is the most important concern?

    A. Translation error may remain undetected.

    B. Handbook does not include new policies.

    C. Expired policies are not removed from handbook.

    D. Handbook may not comply with local laws and regulations.

    Answer: D. Handbook may not comply with local laws and regulations.

    Explanation: It is very important to ensure compliance with all applicable laws and regulations. Because local customs and laws affect an enterprise's ability to operate effectively in a given location, the employee handbook must appropriately acknowledge all applicable laws and regulations.

    5. To understand the potential impact of legal and other contractual requirements on business objectives, which of the following is most effective?

    A. Compliance audit

    B. Gap analysis

    C. Interview with senior management

    D. Compliance oriented business impact analysis (BIA)

    Answer: D. Compliance oriented business impact analysis (BIA)

    Explanation: A compliance-oriented business impact analysis (BIA) will identify all of the compliance requirements with which the enterprise has to align, and their impact on business objectives and activities. The other methods will not provide the potential impact of non-compliance.

    1.4 Organization Structure, Roles and Responsibilities

    A CRISC candidate is expected to have an understanding of the organizational structure as well as the various roles and responsibilities of important IT functions.

    The following table depicts the roles of IT-related functions:

    ––––––––

    Differences between the IT strategy committee and the IT steering committee

    A CRISC aspirant should understand the functions of the IT strategy and IT steering committees. The following table outlines the differences between the two committees:
