Isaca Certified in Risk and Information Systems Control CRISC Question # 375 Topic 38 Discussion
CRISC Exam Topic 38 Question 375 Discussion:
Question #: 375
Topic #: 38
An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?
A.
Invoke the disaster recovery plan during an incident.
B.
Prepare a cost-benefit analysis of alternatives available
C.
Implement redundant infrastructure for the application.
D.
Reduce the recovery time by strengthening the response team.
According to the CRISC Review Manual (Digital Version), the next course of action when there is a gap between the acceptable downtime and the actual recovery time of an application is to prepare a cost-benefit analysis of alternatives available to reduce the gap. The cost-benefit analysis should compare the costs of implementing different risk response options, such as avoidance, mitigation, transfer or acceptance, with the benefits of reducing the impact and likelihood of the risk. The cost-benefit analysis should also consider the alignment of the risk response options with the enterprise’s risk appetite, business objectives and strategy. The cost-benefit analysis should help the application owner and the risk owner to select the most appropriate risk response option that optimizes the value of the application and minimizes the residual risk.
References = CRISC Review Manual (Digital Version), Chapter 3: IT Risk Response, Section 3.2: Risk Response Process, pp. 162-1631
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit