CRISC Certified in Risk and Information Systems Control – Question 138

Which of the following IS processes provide indirect information? Each correct answer represents a complete solution. Choose three.

A. Post-implementation reviews of program changes
B. Security log monitoring
C. Problem management
D. Recovery testing

Correct Answer: ABC

Explanation:

Security log monitoring, post-implementation reviews of program changes, and problem management provide indirect information.
Security log monitoring provides indirect information about certain controls in the security environment, particularly when used to analyze the source of failed access attempts.
Post-implementation reviews of program changes provide indirect information about the effectiveness of internal controls over the development process.
Problem management provides indirect information about the effectiveness of several different IS processes that may ultimately be determined to be the source of incidents.
Incorrect Answers:
D: Recovery testing is direct evidence that the redundancy or backup controls work effectively. It doesn’t provide any indirect information.