Tested Material Used To CRISC Test Engine Exam Questions in here [Aug-2021]
Penetration testers simulate CRISC exam PDF
NEW QUESTION 458
While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario. Which of the following is the BEST course of action?
- A. Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
- B. Update the risk register with the average of residual risk for both business units.
- C. Update the risk register to ensure both risk scenarios have the highest residual risk.
- D. Request that both business units conduct another review of the risk.
Answer: A
NEW QUESTION 459
Which of the following is the BEST way to determine whether new controls mitigate security gaps in a business system?
- A. Complete an offsite business continuity exercise.
- B. Measure the change in inherent risk.
- C. Perform a vulnerability assessment.
- D. Conduct a compliance check against standards.
Answer: C
NEW QUESTION 460
You have been assigned as the Project Manager for a new project that involves building of a new roadway between the city airport to a designated point within the city. However, you notice that the transportation permit issuing authority is taking longer than the planned time to issue the permit to begin construction.
What would you classify this as?
- A. Project Issue
- B. Risk Update
- C. Status Update
- D. Project Risk
Answer: A
Explanation:
Explanation/Reference:
Explanation:
This is a project issue. It is easy to confuse this as a project risk; however, a project risk is always in the future. In this case, the delay by the permitting agency has already happened; hence this is a project issue.
The possible impact of this delay on the project cost, schedule, or performance can be classified as a project risk.
Incorrect Answers:
A: It is easy to confuse this as a project risk; however, a project risk is always in the future. In this case, the delay by the permitting agency has already happened; hence this is a project issue.
B, C: These are options are not valid.
NEW QUESTION 461
Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?
- A. Obtain an objective view of process gaps and systemic errors.
- B. Obtain objective assessment of the control environment.
- C. Ensure the risk profile is defined and communicated.
- D. Validate the threat management process.
Answer: A,B
NEW QUESTION 462
Which of the following is true for risk management frameworks, standards and practices?
Each correct answer represents a part of the solution. Choose three.
- A. They act as a guide to focus efforts of variant teams.
- B. They provide a systematic view of "things to be considered" that could harm clients or an enterprise.
- C. They result in increase in cost of training, operation and performance improvement.
- D. They assist in achieving business objectives quickly and easily.
Answer: A,D
Explanation:
Frameworks, standards and practices are necessary as:
They provide a systematic view of "things to be considered" that could harm clients or an
enterprise.
They act as a guide to focus efforts of variant teams.
They save time and revenue, such as training costs, operational costs and performance
improvement costs.
They assist in achieving business objectives quickly and easily.
NEW QUESTION 463
Which of the following laws applies to organizations handling health care information?
- A. HIPAA
- B. FISMA
- C. SOX
- D. GLBA
Answer: A
Explanation:
Section: Volume C
Explanation:
HIPAA handles health care information of an organization.
The Health Insurance Portability and Accountability Act (HIPAA) were introduced in 1996. It ensures that health information data is protected. Before HIPAA, personal medical information was often available to anyone.
Security to protect the data was lax, and the data was often misused.
If your organization handles health information, HIPAA applies. HIPAA defines health information as any data that is created or received by health care providers, health plans, public health authorities, employers, life insurers, schools or universities, and health care clearinghouses.
HIPAA defines any data that is related to the health of an individual, including past/present/future health, physical/mental health, and past/present/future payments for health care.
Creating a HIPAA compliance plan involves following phases:
* Assessment: An assessment helps in identifying whether organization is covered by HIPAA. If it is, then further requirement is to identify what data is needed to protect.
* Risk analysis: A risk analysis helps to identify the risks. In this phase, analyzing method of handling data of organization is done.
* Plan creation: After identifying the risks, plan is created. This plan includes methods to reduce the risk.
* Plan implementation: In this plan is being implemented.
* Continuous monitoring: Security in depth requires continuous monitoring. Monitor regulations for changes.
Monitor risks for changes. Monitor the plan to ensure it is still used.
* Assessment: Regular reviews are conducted to ensure that the organization remains in compliance.
Incorrect Answers:
A: GLBA is not used for handling health care information.
C: SOX designed to hold executives and board members personally responsible for financial data.
D: FISMA ensures protection of data of federal agencies.
NEW QUESTION 464
During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:
- A. analyze the alerts to minimize the false positives
- B. analyze the traffic to minimize the false negatives
- C. sniff the traffic using a network analyzer
- D. reset the alert threshold based on peak traffic
Answer: A
NEW QUESTION 465
You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. Which of the following inputs will be needed for the qualitative risk analysis process in your project?
Each correct answer represents a complete solution. Choose all that apply.
- A. Organizational process assets
- B. Project scope statement
- C. Cost management plan
- D. Risk register
Answer: A,B,D
Explanation:
Explanation/Reference:
Explanation:
The primary goal of qualitative risk analysis is to determine proportion of effect and theoretical response.
The inputs to the Qualitative Risk Analysis process are:
Organizational process assets
Project Scope Statement
Risk Management Plan
Risk Register
Incorrect Answers:
B: The cost management plan is the input to the perform quantitative risk analysis process.
NEW QUESTION 466
Which of the following would be MOST helpful when estimating the likelihood of negative events?
- A. Business impact analysis
- B. Threat analysis
- C. Risk response analysis
- D. Cost-benefit analysis
Answer: B
NEW QUESTION 467
A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?
- A. Assessing noncompliance with control best practices
- B. Assessing the degree to which the control hinders business objectives
- C. Reviewing the IT policy with the risk owner
- D. Reviewing the roles and responsibilities of control process owners
Answer: B
NEW QUESTION 468
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?
- A. Index of Disaster-Relevant Information
- B. Disaster Invocation Guideline
- C. Business Continuity Strategy
- D. Availability/ ITSCM/ Security Testing Schedule
- E. Explanation:
The Business Continuity Strategy is an outline of the approach to ensure the continuity of Vital Business Functions in the case of disaster events. The Business Continuity Strategy is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy.
Answer: C
Explanation:
is incorrect. Disaster Invocation Guideline is a document produced by IT Service Continuity Management with detailed instructions on when and how to invoke the procedure for fighting a disaster. Most importantly, the guideline defines the first step to be taken by the Service Desk after learning that a disaster has occurred. Answer: B is incorrect. Index of Disaster-Relevant Information is a catalogue of all information that is relevant in the event of disasters. This document is maintained and circulated by IT Service Continuity Management to all members of IT staff with responsibilities for fighting disasters. Answer: D is incorrect. Availability/ ITSCM/ Security Testing Schedule is a schedule for the regular testing of all availability, continuity, and security mechanisms jointly maintained by Availability, IT Service Continuity, and IT Security Management.
NEW QUESTION 469
You are the project manager of the NKJ Project for your company. The project's success or failure will have a significant impact on your organization's profitability for the coming year. Management has asked you to identify the risk events and communicate the event's probability and impact as early as possible in the project. Management wants to avoid risk events and needs to analyze the cost-benefits of each risk event in this project. What term is assigned to the low-level of stakeholder tolerance in this project?
- A. is incorrect. This is not a valid project management and risk management term.
- B. Risk-reward mentality
- C. Explanation:
Risk utility function is assigned to the low-level of stakeholder tolerance in this project.
The risk utility function describes a person's or organization's willingness to accept risk. It is
synonymous with stakeholder tolerance to risk.
Risk utility function facilitates the selection and acceptance of risk and provides opportunity to
merge the approach with setting thresholds
of risk acceptability and using utility-risk ratios if necessary. - D. Risk avoidance
- E. Mitigation-ready project management
- F. Risk utility function
- G. is incorrect. Risk avoidance is a risk response to avoid negative risk events.
Answer: F
Explanation:
is incorrect. Risk-reward describes the balance between accepting risks and the
expected reward for the risk event. Risk-reward mentality is not a valid project management term.
NEW QUESTION 470
An IT department has provided a shared drive for personnel to store information to which all employees have access. Which of the following parties is accountable for the risk of potential loss of confidential information?
- A. IT department
- B. Data owner
- C. Risk manager
- D. End user
Answer: A
NEW QUESTION 471
You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. Which of the following inputs will be needed for the qualitative risk analysis process in your project?
Each correct answer represents a complete solution. (Choose three.)
- A. Organizational process assets
- B. Project scope statement
- C. Cost management plan
- D. Risk register
Answer: A,B,D
Explanation:
Section: Volume C
Explanation:
The primary goal of qualitative risk analysis is to determine proportion of effect and theoretical response. The inputs to the Qualitative Risk Analysis process are:
* Organizational process assets
* Project Scope Statement
* Risk Management Plan
* Risk Register
Incorrect Answers:
B: The cost management plan is the input to the perform quantitative risk analysis process.
NEW QUESTION 472
When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?
- A. Avoidance
- B. Transfer
- C. Acceptance
- D. Mitigation
Answer: D
Explanation:
Section: Volume D
NEW QUESTION 473
Which of the following will BEST mitigate the risk associated with IT and business misalignment?
- A. Introducing an established framework for IT architecture
- B. Establishing business key performance indicators (KPIs)
- C. Involving the business process owner in IT strategy
- D. Establishing key risk indicators (KRIs)
Answer: A
Explanation:
Section: Volume D
NEW QUESTION 474
Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?
- A. Implement an organization-specific risk taxonomy.
- B. Explain risk details to management.
- C. Assess risk against business objectives
- D. Align business objectives to the risk profile.
Answer: C
NEW QUESTION 475
Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?
- A. An updated risk register
- B. Control testing results
- C. Technical control validation
- D. Risk assessment results
Answer: B
NEW QUESTION 476
Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained?
- A. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content
- B. Perform regular audits by audit personnel and maintain risk register
- C. Submit the risk register to business process owners for review and updating
- D. Monitor key risk indicators, and record the findings in the risk register
Answer: A
Explanation:
Explanation/Reference:
Explanation:
A knowledge management platform with workflow and polling feature will automate the process of maintaining the risk registers. Hence this ensures that an accurate and updated risk register is maintained.
Incorrect Answers:
B: Audit personnel may not have the appropriate business knowledge in risk assessment, hence cannot properly identify risk. Regular audits may also cause hindrance to the business activities.
C: Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased and may not have the appropriate skills or tools for evaluating risks.
D: Monitoring key risk indicators, and record the findings in the risk register will only provide insights to known and identified risk and will not account for obscure risk, i.e. , risk that has not been identified yet.
NEW QUESTION 477
Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?
- A. Integrated change control
- B. Risk monitoring and control
- C. Scope change control
- D. Configuration management
Answer: A
Explanation:
Explanation/Reference:
Explanation:
Integrated change control is the component that is responsible for reviewing all aspects of a change's impact on a project - including risks that may be introduced by the new change.
Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the affect of a proposed change on the entire project.
Incorrect Answers:
A: Configuration management controls and documents changes to the features and functions of the product scope.
B: Scope change control focuses on the processes to allow changes to enter the project scope.
C: Risk monitoring and control is not part of the change control system, so this choice is not valid.
NEW QUESTION 478
When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?
- A. Avoidance
- B. Transfer
- C. Acceptance
- D. Mitigation
Answer: D
NEW QUESTION 479
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?
- A. Vendor performance scorecard
- B. Internal audit
- C. Regulatory examination
- D. External audit
Answer: B
NEW QUESTION 480
Which is the MOST important parameter while selecting appropriate risk response?
- A. Cost of response
- B. Efficiency of response
- C. Importance of risk
- D. Capability to implement response
Answer: A
Explanation:
Explanation/Reference:
Explanation:
The cost of the response, which is applied so as to reduce risk within tolerance levels, is one of the most important parameter. By considering the cost of response, it is decided whether or not benefits of applying response is greater than accepting the risk; and according to this analysis it is decided whether the certain response should be applied or not. For example, if risk transfer response is applied by using insurance, then cost would be the cost of insurance.
Incorrect Answers:
B: This parameter is considered after analyzing the cost of response, which will further decide the level of sophistication of risk response. The enterprise's capability to implement the response means that if the risk management process is mature then the risk response is more C: This is one of the parameters that is considered but is not as important as considering cost of response.
The importance of the risk is determined by the combination of likelihood and magnitude levels along with its position on the risk map.
D: Efficiency of response can only be analyzed after applying the response. So it is the latter stage in selection of response.
NEW QUESTION 481
Which of the following should be the PRIMARY focus of an IT risk awareness program?
- A. Ensure compliance with the organization's internal policies
- B. Demonstrate regulatory compliance.
- C. Communicate IT risk policy to the participants.
- D. Cultivate long-term behavioral change.
Answer: D
NEW QUESTION 482
......
Authentic Best resources for CRISC Online Practice Exam: https://www.exams4collection.com/CRISC-latest-braindumps.html
Get the superior quality CRISC Dumps with explanations waiting just for you, get it now: https://drive.google.com/open?id=1gOLCTqkNF2jJjApzan35Z0xSyY_Ou9zF
