Free CRISC pdf Files With Updated and Accurate Dumps Training
Top-Class CRISC Question Answers Study Guide
NEW QUESTION 360
What are the PRIMARY objectives of a control?
- A. Prevent, recover, and detect
- B. Prevent, respond, and log
- C. Prevent, control, and attack
- D. Detect, recover, and attack
Answer: A
Explanation:
Section: Volume C
Explanation:
Controls are the policies, procedures, practices and guidelines designed to provide appropriate assurance that business objectives are achieved and undesired events are detected, prevented, and corrected. Controls, or countermeasures, will reduce or neutralize threats or vulnerabilities.
Controls have three primary objectives:
* Prevent
* Recover
* Detect
Incorrect Answers:
A, B, C: One or more objectives stated in these choices is not correct objective of control.
NEW QUESTION 361
Which of the following decision tree nodes have probability attached to their branches?
- A. Decision node
- B. Root node
- C. Event node
- D. End node
Answer: C
Explanation:
Explanation/Reference:
Explanation:
Event nodes represents the possible uncertain outcomes of a risky decision, with at least two nodes to illustrate the positive and negative range of events. Probabilities are always attached to the branches of event nodes.
Incorrect Answers:
A: Root node is the starting node in the decision tree, and it has no branches.
C: End node represents the outcomes of risk and decisions and probability is not attached to it.
D: It represents the choice available to the decision maker, usually between a risky choice and its non- risky counterpart. As it represents only the choices available to the decision makers, hence probability is not attached to it.
NEW QUESTION 362
Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?
- A. Root cause analysis
- B. A control self-assessment
- C. Disciplinary action
- D. A review of the awareness program
Answer: A
NEW QUESTION 363
Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
- A. Listing of risk responses
- B. Listing of prioritized risks
- C. Qualitative analysis outcomes
- D. Risk ranking matrix
Answer: B
Explanation:
Explanation/Reference:
Explanation:
The outcome of quantitative analysis can create a listing of prioritized risks that should be updated in the risk register. The project team will create and update the risk register with four key components:
probabilistic analysis of the project
probability of achieving time and cost objectives
list of quantified risks
trends in quantitative risk analysis
Incorrect Answers:
A, B, D: These subjects are not updated in the risk register as a result of quantitative risk analysis.
NEW QUESTION 364
What should be considered while developing obscure risk scenarios?
Each correct answer represents a part of the solution. Choose two.
- A. Controls
- B. Recognition
- C. Assessment methods
- D. Visibility
Answer: B,D
Explanation:
Explanation/Reference:
Explanation:
The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events.
Such scenarios can be developed by considering two things:
Visibility
Recognition
For the fulfillment of this task enterprise must:
Be in a position that it can observe anything going wrong
Have the capability to recognize an observed event as something wrong
NEW QUESTION 365
Which of the following is the BEST indicator of the effectiveness of IT risk management processes?
- A. Percentage of business users completing risk training.
- B. Time between when IT risk scenarios are identified and the enterprise's response.
- C. Percentage of high-risk scenarios for which risk action plans have been developed.
- D. Number of key risk indicators (KRIs) defined.
Answer: C
Explanation:
Section: Volume D
NEW QUESTION 366
Which of the following is true for Cost Performance Index (CPI)?
- A. It is used to measure performance of schedule
- B. If the CPI > 1, it indicates better than expected performance of project
- C. If the CPI = 1, it indicates poor performance of project
- D. CPI = Earned Value (EV) * Actual Cost (AC)
Answer: B
Explanation:
Explanation/Reference:
Explanation:
Cost performance index (CPI) is used to calculate performance efficiencies of project. It is used in trend analysis to predict future performance. CPI is the ratio of earned value to actual cost.
If the CPI value is greater than 1, it indicates better than expected performance, whereas if the value is less than 1, it shows poor performance.
Incorrect Answers:
B: CPI is the ratio of earned value to actual cost, i.e., CPI = Earned Value (EV) / Actual Cost (AC).
C: Cost performance index (CPI) is used to calculate performance efficiencies of project and not its schedule.
D: The CPI value of 1 indicates that the project is right on target.
NEW QUESTION 367
Which of the following risk register updates is MOST important for senior management to review?
- A. Retiring a risk scenario no longer used
- B. Avoiding a risk that was previously accepted
- C. Changing a risk owner
- D. Extending the date of a future action plan by two months
Answer: C
Explanation:
Section: Volume D
NEW QUESTION 368
You are the risk professional of your enterprise. You have performed cost and benefit analysis of control that you have adopted. What are all the benefits of performing cost and benefit analysis of control? Each correct answer represents a complete solution. Choose three.
- A. It helps in providing a monetary impact view of risk
- B. It helps in determination of the cost of protecting what is important
- C. It helps making smart choices based on potential risk mitigation costs and losses
- D. It helps in taking risk response decisions
Answer: A,B,C
Explanation:
Section: Volume C
Explanation/Reference:
NEW QUESTION 369
Deviation from a mitigation action plan's completion date should be determined by which of the following?
- A. Project governance criteria as determined by the project office
- B. Change management as determined by a change control board
- C. Benchmarking analysis with similar completed projects
- D. The risk owner as determined by risk management processes
Answer: D
NEW QUESTION 370
Who is at the BEST authority to develop the priorities and identify what risks and impacts would occur if there were loss of the organization's private information?
- A. Security management
- B. Business process owners
- C. External regulatory agencies
- D. Internal auditor
Answer: A
Explanation:
Section: Volume C
NEW QUESTION 371
Which of following is NOT used for measurement of Critical Success Factors of the project?
- A. Quantity
- B. Customer service
- C. Quality
- D. Productivity
Answer: A
Explanation:
Explanation/Reference:
Explanation:
Incorrect Answers:
A, B, D: Productivity, quality and customer service are used for evaluating critical service factor of any particular project.
NEW QUESTION 372
Which of the following is described by the definition given below?
"It is the expected guaranteed value of taking a risk."
- A. Risk value guarantee
- B. Certain value assurance
- C. Certainty equivalent value
- D. Risk premium
Answer: C
Explanation:
Section: Volume A
Explanation
Explanation:
The Certainty equivalent value is the expected guaranteed value of taking a risk. It is derived by the uncertainty of the situation and the potential value of the situation's outcome.
Incorrect Answers:
B: The risk premium is the difference between the larger expected value of the risk and the smaller certainty equivalent value.
C, D: These are not valid answers.
NEW QUESTION 373
Out of several risk responses, which of the following risk responses is used for negative risk events?
- A. Exploit
- B. Accept
- C. Enhance
- D. Explanation:
Among the given choices only Acceptance response is used for negative risk events. Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can acceptthe risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active. Passive acceptance means that enterprise has made no plan to avoid or mitigate the risk but willing to accept the consequences of the risk.
Active acceptance is the second strategy and might include developing contingency plans and
reserves to deal with risks. - E. Share
Answer: B,D
Explanation:
A, and B are incorrect. These all are used to deal with opportunities or positive risks,
and not with negative risks.
NEW QUESTION 374
You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk the response adopted is re-architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?
- A. Deferrals
- B. Quick win
- C. Contagious risk
- D. Explanation:
This is categorized as a Business case to be made because the project cost is very large. The response to be implemented requires quite large investment. Therefore it comes under business case to be made. - E. Business case to be made
Answer: E
Explanation:
is incorrect. Quick win is very effective and efficient response that addresses medium to high risk. But in this the response does not require large investments. Answer: A is incorrect. It addresses costly risk response to a low risk. But here the response is less costly than that of business case to be made. Answer: D is incorrect. This is not risk response prioritization option, instead it is a type of risk that happen with the several of the enterprise's business partners within a very short time frame.
NEW QUESTION 375
You are the project manager of GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates excessively large amounts of results. You perform a risk assessment and decide to configure the monitoring tool to report only when the alerts are marked "critical". What you should do in order to fulfill that?
- A. Optimize Key Risk Indicator
- B. Apply risk response
- C. Update risk register
- D. Perform quantitative risk analysis
Answer: A
Explanation:
Section: Volume B
Explanation
Explanation:
As the sensitivity of the monitoring tool has to be changed, therefore it requires optimization of Key Risk Indicator. The monitoring tool which is giving alerts is itself acting as a risk indicator. Hence to change the sensitivity of the monitoring tool to give alert only for critical situations requires optimization of the KRI.
Incorrect Answers:
A, C, D: These options are not relevant to the change of sensitivity of the monitoring tools.
NEW QUESTION 376
Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?
- A. Explanation:
A salience model defines and charts stakeholders' power, urgency, and legitimacy in the project.
The salience model is a technique for categorizing stakeholders according to their importance.
The various difficulties faced by the project managers are as follows:
How to choose the right stakeholders?
How to prioritize competing claims of the stakeholders communication needs?
Stakeholder salience is determined by the evaluation of their power, legitimacy and urgency in the
organization.
Power is defined as the ability of the stakeholder to impose their will.
Urgency is the need for immediate action.
Legitimacy shows the stakeholders participation is appropriate or not.
The model allows the project manager to decide the relative salience of a particular stakeholder. - B. Grouping the stakeholders based on their level of authority ("power") and their active
involvement ("influence") in the project. - C. is incorrect. This defines the power/interest grid.
- D. Influence/impact grid, grouping the stakeholders based on their active involvement ("influence")
in the project and their ability to affect changes to the project's planning or
execution ("impact"). - E. is incorrect. This defines a power/influence grid.
- F. Grouping the stakeholders based on their level of authority ("power") and their level or concern
("interest") regarding the project outcomes. - G. Describing classes of stakeholders based on their power (ability to impose their will), urgency
(need for immediate attention), and legitimacy (their involvement is appropriate).
Answer: G
Explanation:
is incorrect. This defines an influence/impact grid.
NEW QUESTION 377
An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
- A. Obtain approval for funding to purchase a cyber insurance plan.
- B. Confirm with the antivirus solution vendor whether the next update will detect the attack.
- C. Identify systems that are vulnerable to being exploited by the attack.
- D. Verify the data backup process and confirm which backups are the most recent ones available.
Answer: C
NEW QUESTION 378
Which of the following laws applies to organizations handling health care information?
- A. GLBA
- B. SOX
- C. HIPAA
- D. FISMA
Answer: C
Explanation:
Explanation/Reference:
Explanation:
HIPAA handles health care information of an organization.
The Health Insurance Portability and Accountability Act (HIPAA) were introduced in 1996. It ensures that health information data is protected. Before HIPAA, personal medical information was often available to anyone. Security to protect the data was lax, and the data was often misused.
If your organization handles health information, HIPAA applies. HIPAA defines health information as any data that is created or received by health care providers, health plans, public health authorities, employers, life insurers, schools or universities, and health care clearinghouses.
HIPAA defines any data that is related to the health of an individual, including past/present/future health, physical/mental health, and past/present/future payments for health care.
Creating a HIPAA compliance plan involves following phases:
Assessment: An assessment helps in identifying whether organization is covered by HIPAA. If it is, then
further requirement is to identify what data is needed to protect.
Risk analysis: A risk analysis helps to identify the risks. In this phase, analyzing method of handling
data of organization is done.
Plan creation: After identifying the risks, plan is created. This plan includes methods to reduce the risk.
Plan implementation: In this plan is being implemented.
Continuous monitoring: Security in depth requires continuous monitoring. Monitor regulations for
changes. Monitor risks for changes. Monitor the plan to ensure it is still used.
Assessment: Regular reviews are conducted to ensure that the organization remains in compliance.
Incorrect Answers:
A: GLBA is not used for handling health care information.
C: SOX designed to hold executives and board members personally responsible for financial data.
D: FISMA ensures protection of data of federal agencies.
NEW QUESTION 379
Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?
- A. Frequent use of risk acceptance as a treatment option
- B. Changes in owners for identified IT risk scenarios
- C. Changes in methods used to calculate probability
- D. Qualitative measures for potential loss events
Answer: D
NEW QUESTION 380
Natural disaster is BEST associated to which of the following types of risk?
- A. is incorrect. Natural disaster can be a short-term, but it is not the best answer.
- B. Explanation:
Natural disaster can be a long-term or short-term and can have large or small impact on the
company. However, as the natural disasters are unpredictable and infrequent, they are best
considered as discontinuous. - C. Discontinuous
- D. Short-term
- E. Large impact
- F. Long-term
- G. is incorrect. Natural disaster can be a long-term, but it is not the best answer.
Answer: C
Explanation:
is incorrect. Natural disaster can be of large impact depending upon its nature, but it is
not the best answer.
NEW QUESTION 381
A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?
- A. Update the risk register.
- B. Validate the risk response with internal audit.
- C. Evaluate outsourcing the process.
- D. Recommend avoiding the risk.
Answer: B
NEW QUESTION 382
You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the applications of IRGC model to facilitate the understanding and managing the rising of the overall risks that have impacts on the economy and society. One of your team members wants to know that what the need to use the IRGC is. What will be your reply?
- A. IRGC is both a concept and a tool.
- B. IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks.
- C. IRGC addresses understanding of the secondary impacts of a risk.
- D. IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
Answer: D
Explanation:
Explanation/Reference:
Explanation:
IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
The International Risk Governance Council (IRGC) is a self-governing organization whose principle is to facilitate the understanding and managing the rising overall risks that have impacts on the economy and society, human health and safety, the environment at large. IRGC's effort is to build and develop concepts of risk governance, predict main risk issues and present risk governance policy recommendations for the chief decision makers. IRGC mainly emphasizes on rising, universal risks for which governance deficits exist. Its goal is to present recommendations for how policy makers can correct them. IRGC models at constructing strong, integrative inter-disciplinary governance models for up-coming and existing risks.
Incorrect Answers:
B: As IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks, so it is the best answer for this question.
C, D: Risk governance addresses understanding of the secondary impacts of a risk, the development of resilience and the capacity of organizations and people to face unavoidable risks.
NEW QUESTION 383
......
Career Path
The professionals with the ISACA CRISC certification can take up different job roles in the field of information technology and information security. Some popular positions that these specialists can hold include an IT Security Analyst, a Security Risk Strategist, a Technology Risk Analyst, an Information Security Analyst, and an IT Audit Risk Supervisor. As with remuneration in the industry, the specific salary that a certified individual earns will depend on a couple of factors, including job title, level of experience, and type of organization. However, the average annual salary of the certificate holders is $107,399.
Risk and Control Monitoring & Reporting: 22%
- Monitor and evaluate KRI to establish trends or changes in IT risk profile to help the relevant stakeholders;
- Monitor and evaluate KPIs to identify trends or changes as they relate to control environments and establish the effectiveness and efficiency of the controls;
- Assist in the identification of KPIs and metrics to allow for the evaluation of control performance;
- Identify and ascertain key risk indicators and thresholds according to present data to allow for monitoring of risk changes;
- Account for the performance, trends, or changes to the overall control environment and risk profile to the appropriate stakeholders for decision making.
Exam Overview
The CRISC certification exam is made up of 150 multiple-choice questions and the time allotted for its completion is 240 minutes. The candidates can take it in Chinese (Simplified and Traditional), English, German, French, Italian, Korean, Japanese, Spanish, and Turkish. The passing score is 450 points (out of 800).
To register for the test, the students must pay the required fee. For the ISACA members, it is $575, while for the non-members – $760. This exam is administered through the PSI testing centers across the world. You can take it at any time because registration is always on-going. After making payment, you can schedule your test as early as 48 hours. However, make sure that you understand its content before you attempt the exam to avoid retaking it. If you do not pass the test, you will have to pay another fee.
Real Updated CRISC Questions & Answers Pass Your Exam Easily: https://www.passsureexam.com/CRISC-pass4sure-exam-dumps.html
Easily To Pass New CRISC Verified & Correct Answers: https://drive.google.com/open?id=1g7VrXe5fxIFPXEFUD_2JdOFFva-OzwAU