It is impossible to pass Isaca CRISC exam without any help in the short term. Come to Examcollection soon and find the most advanced, correct and guaranteed Isaca CRISC practice questions. You will get a surprising result by our Most recent Certified in Risk and Information Systems Control practice guides.
Q16. - (Topic 1)
Which of the following risks refer to probability that an actual return on an investment will be lower than the investor's expectations?
A. Integrity risk
B. Project ownership risk
C. Relevance risk
D. Expense risk
Probability that an actual return on an investment will be lower than the investor's expectations is termed as investment risk or expense risk. All investments have some level ofrisk associated with it due to the unpredictability of the market's direction. This includes consideration of the overall IT investment portfolio.
Answer: A is incorrect. The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed as integrity risks.
Answer: C is incorrect. The risk associated with not receiving the right information to the right people (or process or systems) at the right time to allow the right action to be taken is termed as relevance risk.
Answer: B is incorrect. The risk of IT projects failing to meet objectives due to lack of accountability and commitment is referring to as project risk ownership.
Q17. - (Topic 4)
Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc?
B. Legal requirements
Standard establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or outputs of a process.
Answer:A is incorrect. Frameworks are generally accepted, business-process-oriented structures that establish a common language and enable repeatable business processes.
Answer:D is incorrect. Practices are frequent or usual actions performed as an application of knowledge. A leading practice would be defined as an action that optimally applies knowledge in a particular area. They are issued by a "recognized authority" that is appropriate to the subject matter. issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review.
Answer:B is incorrect. These are legal rules underneath which project has to be.
Q18. - (Topic 4)
You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?
A. Quality management plan
B. Stakeholder register
C. Cost management plan
D. Procurement management plan
The procurement management plan is not one of the eleven inputs for the risk identification process. The eleven inputs to this process are:
risk management plan, activity cost estimates, activity duration estimates, scope baseline, stakeholder register, cost management plan, schedule management plan, quality management plan, project documents, enterprise environmental factors, and organizational process assets.
Q19. - (Topic 4)
Which of the following controls focuses on operational efficiency in a functional area
sticking to management policies?
A. Internal accounting control
B. Detective control
C. Administrative control
D. Operational control
Administrative control is one of the objectives of internal control and is concerned with ensuring efficiency and compliance with management policies.
Answer:B is incorrect. Detective control simply detects and reports on the occurrence of an error, omission or malicious act.
Answer:A is incorrect. It controls accounting operations, including safeguarding assets and financial records.
Answer:D is incorrect. It focuses on day-to-day operations, functions, and activities. It also ensures that all the organization's objectives are being accomplished.
Q20. - (Topic 2)
Which of the following considerations should be taken into account while selecting risk indicators that ensures greater buy-in and ownership?
A. Lag indicator
B. Lead indicator
C. Root cause
To ensure greater buy-in and ownership, risk indicators should be selected with the involvement of relevant stakeholders. Risk indicators should be identified for all stakeholders and should not focus solely on the more operational or strategic side of risk.
Answer: B is incorrect. Lead indicators indicate which capabilities are in place to prevent events from occurring. They do not play any role in ensuring greater buy-in and ownership.
Answer: A is incorrect. Role of lag indicators is to ensure that risk after events have occurred is being indicated.
Answer: C is incorrect. Root cause is considered while selecting risk indicator but it does not ensure greater buy-in or ownership.
Q21. - (Topic 1)
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection as 4, 5, and 6, respectively. What Risk Priority Number (RPN) you would give to it?
Steps involving in calculating risk priority number are as follows: Identify potential failure effects
Identify potential causes
Establish links between each identified potential cause Identify potential failure modes
Assess severity, occurrence and detection
Perform score assessments by using a scale of 1 -10 (low to high rating) to score these assessments.
Compute the RPN for a particular failure mode as Severity multiplied by occurrence and detection.
RPN = Severity * Occurrence * Detection Hence,
RPN = 4 * 5 * 6
Answer: C, D, and B are incorrect. These are not RPN for given values of severity, occurrence, and detection.
Q22. - (Topic 1)
You are the project manager of GHT project. You have planned the risk response process and now you are about to implement various controls. What you should do before relying
on any of the controls?
A. Review performance data
B. Discover risk exposure
C. Conduct pilot testing
D. Articulate risk
Pilot testing and reviewing of performance data to verify operation against design are done before relying on control.
Answer: D is incorrect. Articulating risk is the first phase in the risk response process to ensure that information on the true state of exposures and opportunities are made available in a timely manner and to the right people for appropriate response.
But it does not play any role in identifying whether any specific control is reliable or not.
Answer: B is incorrect. Discovering risk exposure helps in identifying the severity of risk, but it does not play any role in specifying the reliability of control.
Q23. - (Topic 4)
Which of the following come under the management class of controls? Each correct answer represents a complete solution. Choose all that apply.
A. Risk assessment control
B. Audit and accountability control
C. Program management control
D. Identification and authentication control
The Management class of controls includes five families. These families include over 40 individual controls. Following is a list of each of the families in the Management class: Certification, Accreditation, and Security Assessment (CA): This family of controls addresses steps to implement a security and assessment program. It includes controls to ensure only authorized systems are allowed on a network. It includes details on important security concepts, such as continuous monitoring and a plan of action and milestones. Planning (PL): The PL family focuses on security plans for systems. It also covers Rules of Behaviour for users. Rules of Behaviour are also called an acceptable use policy.
Risk Assessment (RA): This family of controls provides details on risk assessments and vulnerability scanning.
System and Services Acquisition (SA): The SA family includes any controls related to the purchase of products and services. It also includes controls related to software usage and user installed software.
Program Management (PM): This family is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement other controls. They don't replace them.
Answer:D and B are incorrect. Identification and authentication, and audit and accountability control are technical class of controls.
Q24. - (Topic 3)
You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the applications of IRGC model to facilitate the understanding and managing the rising of the overall risks that have impacts on the economy and society. One of your team members wants to know that what the need to use the IRGC is. What will be your reply?
A. IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
B. IRGC is both a concept and a tool.
C. IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks.
D. IRGC addresses understanding of the secondary impacts of a risk.
IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
The International Risk Governance Council (IRGC) is a self-governing organization whose principle is to facilitate the understanding and managing the rising overall risks that have impacts on the economy and society, human health and safety, the environment at large. IRGC's effort is to build and develop concepts of risk governance, predict main risk issues and present risk governance policy recommendations for the chief decision makers. IRGC mainly emphasizes on rising, universal risks for which governance deficits exist. Its goal is to present recommendations for how policy makers can correct them. IRGC models at constructing strong, integrative inter-disciplinary governance models for up-coming and existing risks.
Answer:B is incorrect. As IRGC is aimed at building robust, integrative inter-disciplinary governance models for emerging and existing risks, so it is the best answer for this options D and C are incorrect. Risk governance addresses understanding of the secondary impacts of a risk, the development of resilience and the capacity of organizations and people to face unavoidable risks.
Q25. - (Topic 3)
You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?
A. Data gathering and representation techniques
B. Expert judgment
C. Quantitative risk analysis and modeling techniques
D. Organizational process assets
Organizational process asset is not a tool and technique, but an input to the quantitative risk analysis process. Quantitative Risk Analysis is a process to assess the probability of achieving particular project objectives, to quantify the effect of risks on the whole project objective, and to prioritize the risks based on the impact to overall project risk. Quantitative Risk Analysis process analyzes the affect of a risk event deriving a numerical value. It also presents a quantitative approach to build decisions in the presence of uncertainty. The inputs for Quantitative Risk Analysis are :
Organizational process assets Project Scope Statement
Risk Management Plan Risk Register
Project Management Plan
Answer:A is incorrect. Data gathering and representation technique is a tool and technique for the quantitative risk analysis process.
Answer:C is incorrect. Quantitative risk analysis and modeling techniques is a tool and technique for the quantitative risk analysis process.
Answer:B is incorrect. Expert judgment is a tool and technique for the quantitative risk analysis process.
Q26. - (Topic 3)
Which of the following is the MOST critical security consideration when an enterprise outsource its major part of IT department to a third party whose servers are in foreign company?
A. A security breach notification may get delayed due to time difference
B. The enterprise could not be able to monitor the compliance with its internal security and privacy guidelines
C. Laws and regulations of the country of origin may not be enforceable in foreign country
D. Additional network intrusion detection sensors should be installed, resulting in additional cost
Laws and regulations of the country of origin may not be enforceable in foreign country and conversely, it is also true that laws and regulations of the foreign outsourcer may also impact the enterprise. Hence violation of applicable laws may not be recognized or rectified due to lack of knowledge of the local laws.
Answer:B is incorrect. Outsourcing does not remove the enterprise's responsibility regarding internal requirements. Hence monitoring the compliance with its internal security and privacy guidelines is not a problem.
Answer:A is incorrect. Security breach notification is not a problem and also time difference 199 does not play any role in 24/7 environment. Pagers, cellular phones, telephones, etc. are there to communicate the notifications.
Answer:D is incorrect. The need for additional network intrusion detection sensors is not a major problem as it can be easily managed. It only requires addition funding, but can be addressed.
Q27. - (Topic 1)
You are working with a vendor on your project. A stakeholder has requested a change for the project, which will add value to the project deliverables. The vendor that you're working with on the project will be affected by the change. What system can help you introduce and execute the stakeholder change request with the vendor?
A. Contract change control system
B. Scope change control system
C. Cost change control system
D. Schedule change control system
The contract change control system is part of the project's change control system. It addresses changes with the vendor that may affect the project contract. Change control system, a part of the configuration management system, is a collection of formal documented procedures that define how project deliverables and documentation will be controlled, changed, and approved.
Answer: C is incorrect. The cost change control system manages changes to costs in the project.
Answer: D is incorrect. There is no indication that the change could affect the project schedule.
Answer: B is incorrect. The scope may change because of the stakeholder change request. Vendor’srelationship to the project, hence this choice is not the best answer.
Q28. - (Topic 4)
Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained?
A. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content
B. Perform regular audits by audit personnel and maintain risk register
C. Submit the risk register to business process owners for review and updating
D. Monitor key risk indicators, and record the findings in the risk register
A knowledge management platform with workflow and polling feature will automate the process of maintaining the risk registers. Hence this ensures that an accurate and updated risk register is maintained.
Answer:C is incorrect. Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased and may not have the appropriate skills or tools for evaluating risks.
Answer:B is incorrect. Audit personnel may not have the appropriate business knowledge in risk assessment, hence cannot properly identify risk. Regular audits may also cause hindrance to the business activities.
Answer:D is incorrect. Monitoring key risk indicators, and record the findings in the risk register will only provide insights to known and identified risk and will not account for obscure risk, i.e. , risk that has not been identified yet.
Q29. - (Topic 4)
Which is the MOST important parameter while selecting appropriate risk response?
A. Cost of response
B. Capability to implement response
C. Importance of risk
D. Efficiency of response
The cost of the response, which is applied so as to reduce risk within tolerance levels, is one of the most important parameter. By considering the cost of response, it is decided whether or not benefits of applying response is greater than accepting the risk; and according to this analysis it is decided whether the certain response should be applied or not. For example, if risk transfer response is applied by using insurance, then cost would be the cost of insurance.
Answer:C is incorrect. This is one of the parameters that is considered but is not as important as considering cost of response. The importance of the risk is determined by the combination of likelihood and magnitude levels along with its position on the risk map.
Answer:B is incorrect. This parameter is considered after analyzing the cost of response, which will further decide the level of sophistication of risk response.
The enterprise's capability to implement the response means that if the risk management process is mature then the risk response is more
Answer:D is incorrect. Efficiency of response can only be analyzed after applying the response. So it is the latter stage in selection of response.
Q30. - (Topic 3)
You are using Information system. You have chosen a poor password and also sometimes transmits data over unprotected communication lines. What is this poor quality of password and unsafe transmission refers to?
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. The given scenario describes such a situation, hence it is a vulnerability.
Answer: B is incorrect. Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat.
Answer: A is incorrect. Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability.
Answer: D is incorrect. Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.