The primary reason for periodic penetration testing of Internet-facing applications is to identify

vulnerabilities in the system, because this will help to improve the security and resilience of the

applications and the data they process. A penetration test is a simulated cyberattack that aims to

exploit the weaknesses and gaps in the security of an application or a system. A penetration test can

reveal the vulnerabilities that may not be detected by other methods, such as automated scanning

or code review. A penetration test can also measure the impact and severity of the vulnerabilities, as

well as the effectiveness of the existing controls and defenses. A penetration test can also provide

recommendations and solutions to remediate the vulnerabilities and prevent future attacks.

Internet-facing applications are programs and services that are accessible from the internet, such as

web applications, APIs, cloud services, or VPN gateways. Internet-facing applications are exposed to

a variety of cyber threats, such as denial-of-service attacks, SQL injection attacks, cross-site scripting

attacks, or credential stuffing attacks. These threats can compromise the confidentiality, integrity,

and availability of the applications and the data they handle. Therefore, periodic penetration testing

of Internet-facing applications is essential to identify vulnerabilities in the system and to protect the

applications and the data from cyberattacks. Reference = Web Application Penetration Testing: A

Practical Guide - BrightSecurity1, The Basics of Web Application Penetration Testing | Turing2,

Periodic Penetration Testing: What is the best pentesting frequency …

The risk associated with malicious functionality in outsourced application development is that the

vendor may introduce unauthorized or harmful code into the enterprise’s system, which could

compromise its security, integrity, or performance.

To mitigate this risk, the enterprise should perform an in-depth code review with an expert who can

verify that the code meets the specifications, standards, and quality requirements, and that it does

not contain any malicious or unwanted functionality.

A code review is a systematic examination of the source code of a software program, which can

identify errors, vulnerabilities, inefficiencies, or deviations from best practices. A code review can

also ensure that the code is consistent, readable, maintainable, and well-documented.

An expert is someone who has the knowledge, skills, and experience to perform the code review

effectively and efficiently. An expert may be an internal or external resource, depending on the

availability, cost, and independence of the reviewer.

A code review should be performed before the code is deployed to the production environment, and

preferably at multiple stages of the development life cycle, such as design, testing, and integration.

A code review can also be complemented by other techniques, such as automated code analysis,

testing, and scanning tools, which can detect common or known issues in the code. Reference =

ISACA, CRISC Review Manual, 7th Edition, 2022, p. 143

ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 143

A comparison of current risk levels with established tolerance is the most useful information for

senior management when determining an appropriate risk response, as it shows the gap between

the actual risk exposure and the desired risk exposure of the enterprise. This gap indicates the need

and urgency for risk response actions, and helps senior management to prioritize and allocate

resources for risk mitigation. A comparison of current risk levels with established tolerance also

reflects the effectiveness of the existing risk management process and controls, and enables senior

management to monitor and adjust the risk strategy and objectives accordingly. Reference = ISACA

Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers,

A data classification program helpsidentify appropriate controlsby categorizing data based on

sensitivity and criticality. This ensures that data protection measures are aligned with its value and

risk level, improving overall security posture.

The primary reason to report the information about the new risk scenarios identified after the

implementation of Internet of Things (IoT) devices to risk owners is to confirm the impact to the risk

profile. The risk profile is a summary of the level and nature of the risks that the organization faces or

may face in the future. The risk profile reflects the risk appetite, tolerance, and capacity of the

organization, and guides the risk management decisions and actions. The implementation of IoT

devices may introduce new risks or increase the likelihood or impact of existing risks, such as data

privacy, security, or interoperability issues. Therefore, the information about the new risk scenarios

should be reported to the risk owners, who have the authority and responsibility for managing the

risks and their responses, to confirm the impact to the risk profile and to determine the appropriate

risk treatment plans. The other options are not asprimary as confirming the impact to the risk profile,

as they are related to the reevaluation, mitigation, or recommendation of the IoT devices, not the

confirmation or assessment of the risk profile. Reference = Risk and Information Systems Control

Study Manual, Chapter 1: IT Risk Identification, Section 1.2: IT Risk Register, page 19.

Zero Trust Model:

Zero Trust security model assumes that threats can exist both inside and outside the network. Every

access request must be authenticated, authorized, and encrypted.

Preventing Control Gaps:

A robust technical architecture ensures comprehensive and consistent security controls across the

entire network.

It integrates various security measures, such as microsegmentation, strong authentication,

continuous monitoring, and least privilege access, to create a unified defense strategy.

Other Options:

Relying on Multiple Solutions:Can lead to fragmentation and inconsistencies in security controls.

Utilizing Rapid Development:May introduce vulnerabilities if security is not properly integrated.

Starting with a Large Initial Scope:Can be overwhelming and difficult to manage effectively, leading

to potential gaps.

Reference:

The CISSP Study Guide emphasizes the importance of a strong and cohesive technical architecture in

implementing Zero Trust effectively (Sybex CISSP Study Guide, Chapter 8: Principles of Security

Models, Design, and Capabilities) .

An increase in the number of security incidents is the most significant indicator of the need to

perform a penetration test, because it suggests that the organization’s IT systems or networks are

vulnerable to attacks and may not have adequate security controls in place. A penetration test is a

simulated attack on an IT system or network to identify and exploit its weaknesses and evaluate its

security posture. A penetration test can help to discover and remediate the vulnerabilities that may

have caused or contributed to the security incidents, and to prevent or reduce the likelihood and

impact of future incidents. An increase in the number of high-risk audit findings, an increase in the

percentage of turnover in IT personnel, and an increase in the number of infrastructure changes are

all possible indicators of the need to perform a penetration test, but they are not the most significant

indicator, as they do not directly reflect the actual or potential occurrence of security incidents.

Reference = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.3.2, page 200

The best course of action for a system administrator who suspects a colleague may be intentionally

weakening a system’s validation controls in order to pass through fraudulent transactions is B. Share

the concern through a whistleblower communication channel1

According to the CRISC Review Manual, a whistleblower communication channel is a mechanism that

allows employees to report suspected fraud or unethical behavior without fear of retaliation or

reprisal. A whistleblower communication channel is part of an effective fraud detection and

prevention framework, and it helps to promote a culture of integrity and accountability within the

organization2

The other options are not as effective or appropriate as sharing the concern through a whistleblower

communication channel, because:

•A. Implementing compensating controls to deter fraud attempts may not address the root cause of

the problem, and it may also create additional complexity and cost for the system. Moreover, it may

not prevent the colleague from finding other ways to bypass the controls or collude with external

parties.

•C. Monitoring the activity to collect evidence may expose the system administrator to legal or

ethical risks, especially if the monitoring is done without proper authorization or due process. Itmay

also delay the reporting and resolution of the issue, and potentially allow more fraudulent

transactions to occur.

•D. Determining whether the system environment has flaws that may motivate fraud attempts may

be useful for understanding the context and the factors that contribute to the fraud risk, but it does

not address the immediate concern of reporting the suspected fraud. It may also imply that the

system administrator is trying to justify or rationalize the colleague’s behavior, rather than holding

them accountable.

1: CRISC Review Questions, Answers & Explanations Database, Question ID: 100002 2: CRISC Review

Manual, 7th Edition, page 224

A control is an action or measure that reduces the likelihood or impact of a risk to an acceptable

level. A control issue is a problem or weakness that affects the effectiveness or efficiency of a

control, such as a gap, deficiency, or failure. A control enhancement is an improvement or

modification that increases the effectiveness or efficiency of a control, such as by adding, replacing,

or updating the control. An external audit is an independent and objective examination of the

enterprise’s activities, processes, or systems, such as the risk management program or thecontrol

environment, by an external party, such as a regulator or a third-party auditor. The best way for a risk

practitioner to verify that management has addressed control issues identified during a previous

external audit is to observe the control enhancements in operation. This will enable the risk

practitioner to evaluate the actual performance and outcome of the control enhancements, and to

determine whether they have resolved or mitigated the control issues. The other options are not the

best way to verify that management has addressed control issues, as they involve different methods

or sources of verification:

Interview control owners means that the risk practitioner asks questions or collects feedback from

the persons or groups who have the authority and accountability to manage the controls and their

issues, such as the business process owners or the IT controls managers. This may provide some

information or evidence on the control enhancements, but it may not be as reliable orobjective as

observing the control enhancements in operation, as the control owners may have biases, conflicts,

or gaps in their knowledge or perception of the control enhancements.

Inspect external audit documentation means that the risk practitioner reviews the reports or records

of the external audit, such as the audit findings, recommendations, or opinions. This may provide

some information or evidence on the control issues, but it may not be as current or relevant as

observing the control enhancements in operation, as the external audit documentation may not

reflect the latest or updated status or results of the control enhancements, or may not cover all the

aspects or components of the control enhancements.

Review management’s detailed action plans means that the risk practitioner examines the

documents that specify the actions to be taken by the management to address the control issues,

such as the resources required, the timelines, the owners, and the expected outcomes. This may

provide some information or evidence on the control enhancements, but it may not be as accurate or

sufficient as observing the control enhancements in operation, as the management’s detailed action

plans may not match the actual implementation or execution of the control enhancements, or may

not account for the uncertainties or complexities of the control enhancements. Reference = Risk and

Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.3.3.1, pp. 62-63.

A risk scenario is a hypothetical situation that describes how a risk event could adversely affect an

organization’s objectives, assets, or operations. A risk scenario can be used for riskanalysis,which is

the process of estimating the likelihood and impact of the risk event, and evaluating the

effectiveness and efficiency of the risk response1.

One of the essential components of a risk scenario is the threat type, which is the source or cause of

the risk event. The threat type can be classified into various categories, such as natural, human,

technical, environmental, or legal. The threat type can help to define the characteristics, motivations,

capabilities, and methods of the risk event, and to identify the potential vulnerabilities and

exposures of the organization. The threat type can also help to determine the frequency and severity

of the risk event, and to select the appropriate risk response strategies and controls23.

The other options are not the components of a risk scenario, but rather the outcomes or inputs of

risk analysis. Risk appetite is the amount and type of risk that an organization is willing to accept in

pursuit of its objectives. Risk appetite can help to guide the risk analysis by providing a high-level

statement of the desired level of risk taking and tolerance4. Risk tolerance is the acceptable variation

in the outcomes related to specific objectives or risks. Risk tolerance can help to measure the risk

analysis by providing quantitative or qualitative indicators of the acceptable range of risk exposure

and performance4. Residual risk is the remaining risk after the risk response has been implemented.

Residual risk can help to monitor the risk analysis by providing feedback on the effectiveness and

efficiency of the risk response and the need for further action. Reference =

Risk Analysis - ISACA

Threat - ISACA

Threat Modeling - ISACA

Risk Appetite and Risk Tolerance - ISACA

[Residual Risk - ISACA]

[CRISC Review Manual, 7th Edition]