個人データが関係する損失イベントの潜在的なリスク露出を評価する際に決定すべき最も重要な要素は、情報資産内のレコードの構成と数です。構成とは、名前、住所、電話番号、電子メール、社会保障番号、健康情報、財務情報などの個人データの種類と機密性を指します。レコード数は、損失イベントの影響を受ける個人データの量と範囲を指します。情報資産内のレコードの構成と数は、データ主体、組織、およびその他の利害関係者に引き起こされる可能性のある危害と損害の範囲を示すため、損失イベントの重大性と影響を決定します。情報資産内のレコードの構成と数は、インシデント対応活動のコスト、規制上の罰金のレベル、およびインシデントの封じ込めと回復の期間にも影響します。参考文献 = CRISC レビューマニュアル、第 7 版、159 ページ。

Classifying IT assets during a risk assessment is a process of assigning values to the IT assets based on their importance, sensitivity, and criticality to the enterprise. The best reason to classify IT assets is to determine the appropriate level of protection that each IT asset requires, based on its value and the potential impact of its loss or compromise. This helps the enterprise to allocate resources and implement controls that are proportional to the risk exposure of the IT assets, and to optimize the cost and benefit of risk mitigation. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 233. CRISC by Isaca Actual Free Exam Q&As, Question 9. CRISC Sample Questions 2024, Question 233. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 233.

Section: Volume D

Conducting social engineering testing is the best way to assess the effectiveness of the security awareness training, as it helps to measure and evaluate the actual behavior and response of the employees to simulated real-world attacks that exploit human vulnerabilities. Social engineering testing is a type of security testing that involves performing authorized and ethical hacking activities on the employees to manipulate them into revealing sensitive information, such as credentials, or performing malicious actions, such as clicking on a phishing link or opening a malicious attachment. Social engineering testing can help to assess the effectiveness of the security awareness training by providing the following benefits:
* It tests the employees' knowledge and skills in recognizing and resisting social engineering attacks, such
* as phishing, vishing, baiting, or impersonation.
* It identifies and measures the strengths and weaknesses of the employees' security awareness and behavior, and the impact and severity of their actions on the security posture and risk exposure of the organization.
* It provides feedback and learning opportunities for the employees to improve their security awareness and behavior, and to reinforce the key concepts and practices taught in the training.
* It communicates and reports the results and findings of the testing to the management and the stakeholders, and supports the development and implementation of corrective or preventive actions.
The other options are not the best ways to assess the effectiveness of the security awareness training. Auditing security awareness training materials is a good practice to ensure that the training content is accurate, relevant, and up-to-date, but it does not measure or evaluate the employees' security awareness and behavior.
Administering an end-of-training quiz is a useful method to test the employees' comprehension and retention of the training content, but it does not reflect or simulate the employees' security awareness and behavior in real-world situations. Performing a vulnerability assessment is an important step to identify and analyze the potential vulnerabilities in the systems and software, but it does not assess or address the human vulnerabilities or the employees' security awareness and behavior. References = 3 ways to assess the effectiveness of security awareness training ..., IT Risk Resources | ISACA, Measuring the Effectiveness of Security Awareness Training - Hut Six