CRISC Exam Questions Get Updated [2022] with Correct Answers
Practice CRISC Questions With Certification guide Q&A from Training Expert UpdateDumps
NEW QUESTION 233
Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?
- A. So that the project team and the project manager can work together to assign risk ownership.
- B. So that the project manager isn't the only person identifying the risk events within the project.
- D. So that the project manager can identify the risk owners for the risks within the project and the needed risk responses.
- F. So that the project team can develop a sense of ownership for the risks and associated risk responsibilities.
Answer: F
Explanation:
The best reason to include the project team members is that they need to develop a sense of ownership for the risks and associated risk responsibilities.
Incorrect Answers:
A: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership and risk responses at this point.
B: While the project manager shouldn't be the only person to identify the risk events, this isn't the best answer.
D: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership.
NEW QUESTION 234
Which of the following is MOST helpful in aligning IT risk with business objectives?
- A. Performing a business impact analysis (BIA)
- B. Implementing a risk classification system
- C. Introducing an approved IT governance framework
- D. Integrating the results of top-down risk scenario analyses
Answer: C
Explanation:
Section: Volume D
NEW QUESTION 235
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
- A. Annually
- B. Quarterly
- C. Never
- D. Every three years
Answer: A
Explanation:
Inspection of FISMA compliance is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:
- Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested.
- An assessment or report: This report identifies the agency's compliance as well as lists compliance with FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by an external organization is done annually, not quarterly, never, or every three years.
NEW QUESTION 236
Which of the following would MOST likely result in updates to an IT risk appetite statement?
- A. External audit findings
- B. Self-assessment reports
- C. Feedback from focus groups
- D. Changes in senior management
Answer: A
Explanation:
Section: Volume D
NEW QUESTION 237
Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?
- A. Ensuring risk owners participate in a periodic control testing process
- B. Building an organizational risk profile after updating the risk register
- C. Implementing a process for ongoing monitoring of control effectiveness
- D. Designing a process for risk owners to periodically review identified risk
Answer: C
NEW QUESTION 238
The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:
- A. detect changes in the risk profile.
- B. continually improve risk assessments.
- C. reduce costs of risk mitigation controls
- D. rectify errors in results of KRIs.
Answer: A
NEW QUESTION 239
Whose risk tolerance matters MOST when making a risk decision?
- A. Customers who would be affected by a breach
- B. The business process owner of the exposed assets
- C. Auditors, regulators and standards organizations
- D. The information security manager
Answer: B
NEW QUESTION 240
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
- A. Intellectual property policy
- B. Privacy policy
- C. Acceptable use policy
- D. Anti-harassment policy
Answer: C
Explanation:
An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restricts the ways in which the network, site or system may be used. Acceptable use policies are an integral part of the framework of information security policies.
Incorrect Answers:
A, D: These two policies are not related to information system security.
B: A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's or client's data.
NEW QUESTION 241
You are the project manager of the GHY project for your company. This project has a budget of $543,000 and is expected to last 18 months. In this project, you have identified several risk events and created risk response plans. In what project management process group will you implement risk response plans?
- A. Executing
- B. Monitoring and Controlling
- C. In any process group where the risk event resides
- D. Planning
Answer: B
Explanation:
The monitor and control project risk process resides in the monitoring and controlling project management process group. This process is responsible for implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.
Incorrect Answers:
A: Risk response plans are not implemented as part of project execution.
C: Risk response plans are implemented as part of the monitoring and controlling process group.
D: Risk response plans are not implemented as part of project planning.
NEW QUESTION 242
Which of the following is the BEST method to ensure a terminated employee's access to IT systems is revoked upon departure from the organization?
- A. A list of terminated employees is generated for reconciliation against current IT access
- B. Login attempts are reconciled to a list of terminated employees
- C. A process to remove employee access during the exit interview is implemented
- D. The human resources (HR) system automatically revokes system access
Answer: A
Explanation:
Section: Volume D
NEW QUESTION 243
Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?
- A. Risk factors might not be relevant to the organization
- B. Inherent risk might not be considered.
- C. Quantitative analysis might not be possible.
- D. Implementation costs might increase.
Answer: A
NEW QUESTION 244
You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?
- A. $95,000
- B. $108,000
- C. $2,160,000
- D. $90,000
Answer: B
Explanation:
The ALE of this project will be $108,000.
Single Loss Expectancy (SLE) is a term related to quantitative risk assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows:
SLE = Asset value * Exposure factor
Therefore,
SLE = 200,000 * 0.45
= $90,000
As the loss occurs once every month, the ARO is 12. Now ALE can be calculated as follows:
ALE = SLE * ARO
= 90,000 * 12
= $108,000
NEW QUESTION 245
Which of the following decision tree nodes have probability attached to their branches?
- A. Root node
- B. Decision node
- C. End node
- D. Event node
Answer: D
Explanation:
Event nodes represent the possible uncertain outcomes of a risky decision, with at least two nodes to illustrate the positive and negative range of events. Probabilities are always attached to the branches of event nodes.
Incorrect Answers:
A: The root node is the starting node in the decision tree, and it has no branches.
B: A decision node represents the choice available to the decision maker, usually between a risky choice and its non-risky counterpart. As it represents only the choices available to the decision makers, probability is not attached to it.
C: An end node represents the outcomes of risk and decisions, and probability is not attached to it.
NEW QUESTION 246
Which of the following are phases of risk management?
- A. Identify risk
- B. Monitoring risk
- C. Developing risk
- D. Prioritization of risk
- E. Assessing risk
Answer: A,B,D,E
Explanation:
Risk management provides an approach for individuals and groups to make a decision on how to deal with potentially harmful situations.
Following are the four phases involved in risk management:
1. Risk identification: The first thing we must do in risk management is to identify the areas of the project where risks can occur. This is termed risk identification. Listing all the possible risks has proved to be very productive for the enterprise, as we can address them before they occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them.
2. Risk assessment and evaluation: Risk assessment uses quantitative and qualitative analysis approaches to evaluate each significant risk identified.
3. Risk prioritization and response: As many risks are identified in an enterprise, it is best to give each risk a score based on its likelihood and significance in the form of a ranking. This determines that a risk with high likelihood and high significance must be given greater attention compared to a similar risk with low likelihood and low significance. Hence, risks can be prioritized and appropriate responses to those risks are created.
4. Risk monitoring: Risk monitoring is an activity which oversees changes in the risk assessment. Over time, the likelihood or significance originally attributed to a risk may change. This is especially true when certain responses, such as mitigation, have been made.
NEW QUESTION 247
Which of the following parameters would affect the prioritization of the risk responses and development of the risk response plan? Each correct answer represents a complete solution. Choose three.
- A. Cost of the response to reduce risk within tolerance levels
- B. Time required to mitigate risk.
- C. Effectiveness of the response
- D. Importance of the risk
Answer: A,C,D
Explanation:
The prioritization of the risk responses and development of the risk response plan are influenced by several parameters:
- Cost of the response to reduce risk within tolerance levels
- Importance of the risk
- Capability to implement the response
- Effectiveness of the response
- Efficiency of the response
Incorrect Answers:
B: The time required to mitigate risk does not influence the prioritization of the risk responses and development of the risk response plan. It affects the scheduled time of the project.
NEW QUESTION 248
An organization moved its payroll system to a Software as a Service (SaaS) application. A new data privacy regulation stipulates that data can only be processed within the country where it is collected. Which of the following should be done FIRST when addressing this situation?
- A. Include a right-to-audit clause.
- B. Analyze data protection methods.
- C. Implement strong access controls.
- D. Understand data flows.
Answer: D
NEW QUESTION 249
When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?
- A. Risk monitoring and control
- B. Risk management strategy planning
- C. Risk identification
- D. Risk response planning
Answer: A
NEW QUESTION 250
Which of the following nodes of the decision tree analysis represents the start point of decision tree?
- A. Root node
- B. Decision node
- C. End node
- D. Event node
Answer: A
Explanation:
The root node is the starting node in the decision tree.
Incorrect Answers:
B: Decision nodes represent the choice available to the decision maker, usually between a risky choice and its non-risky counterpart.
C: An end node represents the outcomes of risk and decisions.
D: An event node represents the possible uncertain outcomes of a risky decision, with at least two nodes to illustrate the positive and negative range of events.
NEW QUESTION 251
You are the project manager of the GHT project. You identified a risk of noncompliance with regulations due to a number of missing, relatively simple procedures.
The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization categories should this case be placed?
- A. Business case to be made
- B. Deferrals
- C. Risk avoidance
- D. Quick win
Answer: D
Explanation:
This is categorized as a "quick win" because the allocation of existing resources or a minor resource investment provides measurable benefits. A quick win is a very effective and efficient response that addresses medium to high risk.
Incorrect Answers:
A: "Business case to be made" requires careful analysis and management decisions on investments in more expensive or difficult risk responses to medium to high risk. In this scenario there is only a minor investment, so it is not a "business case to be made".
B: Deferral addresses a costly risk response to a low risk, and hence it does not apply in this scenario.
C: Risk avoidance is a type of risk response, not a risk response prioritization option.
NEW QUESTION 252
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?
- A. Identification of controls gaps that may lead to noncompliance
- B. Early detection of emerging threats
- C. Prioritization of risk action plans across departments
- D. Accurate measurement of loss impact
Answer: D
Explanation:
Section: Volume D
NEW QUESTION 253
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
- A. Mitigation
- B. Avoidance
- C. Transference
- D. Exploit
Answer: C
Explanation:
When you hire a third party to own a risk, it is known as the transference risk response.
Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.
Incorrect Answers:
A: The act of spending money to reduce a risk's probability and impact is known as mitigation.
B: When extra activities are introduced into the project to avoid the risk, this is an example of avoidance.
D: Exploit is a strategy that may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
NEW QUESTION 254
Which of the following would provide the MOST useful information to a risk owner when reviewing the progress of risk mitigation?
- A. Risk scenario results
- B. Treatment plan status
- C. Performance indicators
- D. Key audit findings
Answer: C
NEW QUESTION 255
An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:
- A. chief information officer.
- B. project manager.
- C. business process owner.
- D. chief risk officer.
Answer: C
NEW QUESTION 256
Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?
- A. An increase in the number of identified system flaws
- B. A reduction in the number of user access resets
- C. An increase in the number of incidents reported
- D. A reduction in the number of help desk calls
Answer: A
NEW QUESTION 257
Which of the following should be PRIMARILY considered while designing information systems controls?
- A. The IT strategic plan
- B. The organizational strategic plan
- C. The existing IT environment
- F. The present IT budget
Answer: B
Explanation:
Review of the enterprise's strategic plan is the first step in designing effective IS controls that would fit the enterprise's long-term plans.
Incorrect Answers:
A: The IT strategic plan exists to support the enterprise's strategic plan but is not solely considered while designing information system controls.
C: Review of the existing IT environment is also useful and necessary but is not the first step that needs to be undertaken.
F: The present IT budget is just one of the components of the strategic plan.
NEW QUESTION 258
......
How to study for the CRISC exam
The UpdateDumps expert team recommends that you prepare some notes on these topics, and don't forget to practice the ISACA CRISC exam dumps written by our expert team. Both will help you a lot to clear this exam with good marks.
How much does the CRISC exam cost?
The price of the CRISC exam is $595 USD for ISACA members and $725 USD for Non-members.
Prepare Top ISACA CRISC Exam Audio Study Guide Practice Questions Edition: https://pass4sure.updatedumps.com/ISACA/CRISC-updated-exam-dumps.html