[Jan-2022] Latest ISACA CRISC Certification Practice Test Questions
Verified CRISC Dumps Q&As - 1 Year Free & Quickly Updates
NEW QUESTION 491
Which among the following acts as a trigger for risk response process?
- A. Risk level equates risk appetite
- B. Risk level increases above risk appetite
- C. Risk level equates the risk tolerance
- D. Risk level increase above risk tolerance
Answer: D
Explanation:
Section: Volume A
Explanation
Explanation:
The risk response process is triggered when a risk exceeds the enterprise's risk tolerance level. The acceptable variation relative to the achievement of an objective is termed as risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.
Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.
Incorrect Answers:
A, C: Risk appetite level is not relevant in triggering of risk response process. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. This is the responsibility of the board to decide risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
* The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
* The culture towards risk taking-cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursue of its objective fulfillment.
D: Risk response process is triggered when the risk level increases the risk tolerance level of the enterprise, and not when it just equates the risk tolerance level.
NEW QUESTION 492
Using which of the following one can produce comprehensive result while performing qualitative risk analysis?
- A. Scenarios with threats and impacts
- B. Vulnerability assessment
- C. Cost-benefit analysis
- D. Explanation:
Using list of possible scenarios with threats and impacts will better frame the range of risk and hence can frame more informative result of qualitative analysis. - E. Value of information assets.
Answer: A
Explanation:
is incorrect. Cost and benefit analysis is used for taking financial decisions that can be formal or informal, such as appraisal of any project or proposal. The approach weighs the total cost against the benefits expected, and then identifies the most profitable option. It only decides what type of control should be applied for effective risk management. Answer: D and C are incorrect. These are not sufficient for producing detailed result.
NEW QUESTION 493
Which of the following is the GREATEST risk associated with the misclassification of data?
- A. Data disruption
- B. Unauthorized access
- C. Inadequate retention schedules
- D. Inadequate resource allocation
Answer: B
Explanation:
Section: Volume D
NEW QUESTION 494
Controls should be defined during the design phase of system development because:
- A. structured analysis techniques exclude identification of controls.
- B. technical specifications are defined during this phase.
- C. structured programming techniques require that controls be designed before coding begins.
- D. it is more cost-effective to determine controls in the early design phase.
Answer: B
NEW QUESTION 495
When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?
- A. BCP testing is net in conjunction with the disaster recovery plan (DRP)
- B. BCP is often tested using the walk-through method.
- C. Each business location has separate, inconsistent BCPs.
- D. Recovery time objectives (RTOs) do not meet business requirements.
Answer: D
NEW QUESTION 496
A risk practitioner has been asked to advise management on developing a log collection and correlation strategy. Which of the following should be the MOST important consideration when developing this strategy?
- A. Ensuring the inclusion of external threat intelligence log sources
- B. Ensuring time synchronization of log sources
- C. Ensuring read-write access to all log sources
- D. Ensuring the inclusion of all computing resources as log sources
Answer: B
Explanation:
Section: Volume D
NEW QUESTION 497
The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:
- A. changes that cause incidents.
- B. personnel that have rights to make changes in production.
- C. changes due to emergencies.
- D. changes not requiring user acceptance testing.
Answer: A
NEW QUESTION 498
Which of the following risks is associated with not receiving the right information to the right people at the right time to allow the right action to be taken?
- A. Access risk
- B. Relevance risk
- C. Availability risk
- D. Integrity risk
Answer: B
Explanation:
Explanation/Reference:
Explanation:
Relevance risk is the risk associated with not receiving the right information to the right people (or process or systems) at the right time to allow the right action to be taken.
Incorrect Answers:
B: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed as integrity risk.
C: The risk of loss of service or that data is not available when needed is referred as availability risk.
D: The risk that confidential or private information may be disclosed or made available to those without appropriate authority is termed as access or security risk. An aspect of this risk is non-compliance with local, national and international laws related to privacy and protection of personal information.
NEW QUESTION 499
What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?
- A. Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.
- B. Duplicate resources may be used to manage risk registers.
- C. Aggregated risk may exceed the enterprise's risk appetite and tolerance.
- D. Standardization of risk management practices may be difficult to enforce.
Answer: D
NEW QUESTION 500
A PRIMARY advantage of involving business management in evaluating and managing risk is that management:
- A. can balance technical and business risk
- B. better understands the system architecture
- C. can make better informed business decisions
- D. is more objective than risk management
Answer: C
NEW QUESTION 501
Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses?
- A. Brainstorming
- B. Expert Judgment
- C. Delphi
- D. SWOT Analysis
Answer: D
Explanation:
Explanation/Reference:
Explanation:
SWOT analysis is a strategic planning method used to evaluate the Strengths, Weaknesses, Opportunities, and Threats involved in a project or in a business venture. It involves specifying the objective of the business venture or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective.
Incorrect Answers:
B, C: Brainstorming and Delphi techniques are used to identify risks in a project through consensus. Delphi differs in that as the members of the team do not know each other.
D: In this technique, risks can be identified directly by experts with relevant experience of similar projects or business areas.
NEW QUESTION 502
Suppose you are working in Techmart Inc. which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the Website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. Now in which category you would put the risk concerning the modification of the Website by unauthorized parties.
- A. FTP Bounce Attack
- B. Web defacing
- C. Explanation:
Website defacing is an attack on a website by unauthorized party that changes the visual appearance of the site or a webpage. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. - D. Denial of service attack
- E. Ping Flooding Attack
Answer: B
Explanation:
is incorrect. The FTP bounce attack is attack which slips past application-based firewalls. In this hacker uploads a file to the FTP server and then requests this file be sent to an internal server. This file may contain malicious software or a simple script that occupies the internal server and uses up all the memory and CPU resources. Answer: A is incorrect. Ping Flooding is the extreme of sending thousands or millions of pings per second. Ping Flooding attack can make system slow or even shut down an entire site. Answer: C is incorrect. A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
NEW QUESTION 503
Which of the following is the PRIMARY reason for conducting peer reviews of risk analysis?
- A. To provide assessments for benchmarking
- B. To enhance compliance with standards
- C. To increase consensus among peers
- D. To minimize subjectivity of assessments
Answer: D
NEW QUESTION 504
Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
- A. Listing of prioritized risks
- B. Explanation:
The outcome of quantitative analysis can create a listing of prioritized risks that should be updated
in the risk register. The project team will create and update the risk register with fourkey
components: probabilistic analysis of the project, probability of achieving time and cost objectives,
list of quantified risks, and trends in quantitative risk analysis. - C. Qualitative analysis outcomes
- D. Listing of risk responses
- E. Risk ranking matrix
Answer: A
Explanation:
B, and A are incorrect. These subjects are not updated in the risk register as a result of
quantitative risk analysis.
NEW QUESTION 505
Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
- A. Infinitive risk
- B. Populated risk
- C. Residual risk
- D. Secondary risk
Answer: D
Explanation:
Explanation/Reference:
Explanation:
Secondary risks are the risks that come about as a result of implementing a risk response. This new risk event must be recorded, analyzed, and planned for management.
Incorrect Answers:
A: A residual risk event is similar to a secondary risk, but is often small in probability and impact, so it may just be accepted.
C: Infinitive risk is not a valid project management term.
D: Populated risk event is not a valid project management term.
NEW QUESTION 506
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:
- A. evaluate opportunities to combine disaster recovery plans.
- B. centralize the risk response function at the enterprise level.
- C. select a provider to standardize the disaster recovery plans.
- D. outsource disaster recovery to an external provider.
Answer: B
NEW QUESTION 507
Which of the following processes is described in the statement below?
"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
- A. Monitor and Control Risks
- B. Perform Qualitative Risk Analysis
- C. Perform Quantitative Risk Analysis
- D. Identify Risks
- E. Explanation:
Monitor and Control Risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.
Answer: A
Explanation:
is incorrect. This is the process of prioritizing risks for further analysis or action by accessing and combining their probability of occurrence and impact. Answer:C is incorrect. This is the process of determining which risks may affect the project and documenting their characteristics. Answer:B is incorrect. This is the process of numerically analyzing the effect of identified risks on overall project objectives.
NEW QUESTION 508
Which of the following is MOST important when developing key performance indicators (KPIs)?
- A. Alerts when risk thresholds are reached
- B. Alignment to management reports
- C. Identification of trends
- D. Alignment to risk responses
Answer: A
NEW QUESTION 509
An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?
- A. Financial loss incurred due to malicious activities during staff members' leave
- B. Number of malicious activities occurring during staff members' leave
- C. Percentage of staff members taking leave according to the policy
- D. Percentage of staff members seeking exception to the policy
Answer: B
NEW QUESTION 510
Which of the following should be the HIGHEST priority when developing a risk response?
- A. The risk response is based on a cost-benefit analysis.
- B. The risk response aligns with the organization's risk appetite.
- C. The risk response addresses the risk with a holistic view.
- D. The risk response is accounted for in the budget.
Answer: B
NEW QUESTION 511
You are the project manager of GHT project. You have initiated the project and conducted the feasibility study. What result would you get after conducting feasibility study?
Each correct answer represents a complete solution. Choose all that apply.
- A. Recommend alternatives and course of action
- B. Risk response plan
- C. Project management plan
- D. Results of criteria analyzed, like costs, benefits, risk, resources required and organizational impact
Answer: A,D
Explanation:
Explanation/Reference:
Explanation:
The completed feasibility study results should include a cost/benefit analysis report that:
Provides the results of criteria analyzed (e.g., costs, benefits, risk, resources required and
organizational impact)
Recommends one of the alternatives and a course of action
Incorrect Answers:
B, C: Project management plan and risk response plan are the results of plan project management and plan risk response, respectively. They are not the result of feasibility study.
NEW QUESTION 512
......
Latest 2022 Realistic Verified CRISC Dumps - 100% Free CRISC Exam Dumps: https://www.actual4labs.com/ISACA/CRISC-actual-exam-dumps.html
Get 2022 Updated Free ISACA CRISC Exam Questions and Answer: https://drive.google.com/open?id=1-e2zZAp_kGO1-EA1lTxxEgqh11m8VyqP