
Exam CRISC topic 1 question 1505 discussion

Actual exam question from ISACA's CRISC
Question #: 1505
Topic #: 1

A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?

  • A. Vulnerabilities are not being mitigated.
  • B. Security policies are being reviewed infrequently.
  • C. Controls are not operating efficiently.
  • D. Aggregate risk is approaching the tolerance threshold.
Suggested Answer: D

Comments

K5000ism
11 months, 1 week ago
Selected Answer: D
D. Aggregate risk is approaching the tolerance threshold. The high number of exceptions suggests that the organization is deviating significantly from its established security policies. Approving numerous exceptions may result in a cumulative increase in risk exposure, potentially approaching or exceeding the organization's risk tolerance. It raises concerns about the overall effectiveness of risk management and the ability to maintain risk within acceptable limits. Monitoring aggregate risk is crucial for ensuring that the organization stays within its defined risk appetite and tolerance.
upvoted 1 times
K5000ism
11 months, 1 week ago
Risk owners don't have the authority to approve exceptions.
upvoted 1 times
K5000ism
11 months, 1 week ago
Manual 1.2.2 Key Roles, Page 37: Risk owner: The individual in whom the enterprise has invested the authority and accountability for making risk-based decisions, and who owns the loss associated with a realized risk scenario. Control: The individual accountable for ensuring controls are designed, implemented, and operating as planned to keep risk at an acceptable level. This may also be the risk owner. This includes budgeting, staffing, design, implementation, and monitoring of controls.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other