[Q106-Q122] Tested Material Used To CRISC Test Engine Exam Questions in here [Oct-2021]

Share

Tested Material Used To CRISC Test Engine Exam Questions in here [Oct-2021]

Penetration testers simulate CRISC exam PDF


Exam Syllabus

The ISACA CRISC exam is aimed at those professionals who want to build a career in the field of IT and, in particular, in the risk management domain. The test validates that the candidates possess the basic knowledge and skills in the area of risk and information systems control. The topics covered in the exam are highlighted below:

Information Technology Risk Identification: 27%

  • Recognize risk appetite and tolerance as defined by the key stakeholders and senior leadership to align with the business objectives.
  • Identify the domain of IT risk and contribute to the IT risk management strategy execution to support the business objectives while aligning with the enterprise risk management strategy;
  • Gather and analyze information, such as existing documentation to identify possible IT risk or its impact on the business operations and objectives of an organization;
  • Identify possible vulnerabilities and threats to people, process, and technology of an organization;
  • Partner in developing a risk awareness program and carry out the required training to educate the stakeholders on the risk potential and promote the organizational risk-aware culture;
  • Create an IT risk register for documenting an identified IT risk scenario and incorporate the same in the risk profile of the enterprise;
  • Develop in-depth IT risk scenarios according to available data to establish potential effects on the enterprise objectives and operations;

 

NEW QUESTION 106
If one says that the particular control or monitoring tool is sustainable, then it refers to what ability?

  • A. The ability to be applied in same manner throughout the organization
  • B. The ability to protect itself from exploitation or attack
  • C. The ability to adapt as new elements are added to the environment
  • D. The ability to ensure the control remains in place when it fails

Answer: C

Explanation:
Section: Volume D
Explanation
Explanation:
Sustainability of the controls or monitoring tools refers to its ability to function as expected over time or when changes are made to the environment.
Incorrect Answers:
B: Sustainability ensures that controls changes with the conditions, so as not to fail in any circumstances.
Hence this in not a valid answer.
C: This is not a valid answer.
D: This is not a valid definition for defining sustainability of a tool.

 

NEW QUESTION 107
Which of the following is the best reason for performing risk assessment?

  • A. To analyze the effect on the business
  • B. To satisfy regulatory requirements
  • C. To budget appropriately for the application of various controls
  • D. To determine the present state of risk

Answer: D

Explanation:
Explanation/Reference:
Explanation:
Risk assessment is a process of analyzing the identified risk, both quantitatively and qualitatively.
Quantitative risk assessment requires calculations of two components of risk, the magnitude of the potential loss, and the probability that the loss will occur. While qualitatively risk assessment checks the severity of risk. Hence risk assessment helps in determining the present state of the risk.
Incorrect Answers:
B: Analyzing the effect of risk on an enterprise is the part of the process while performing risk assessment, but is not the reason for doing it.
C: Performing risk assessment may satisfy the regulatory requirements, but is not the reason to perform risk assessment.
D: Budgeting appropriately is one the results of risk assessment but is not the reason for performing the risk assessment.

 

NEW QUESTION 108
You are the project manager of HJT project. Important confidential files of your project are stored on a computer. Keeping the unauthorized access of this computer in mind, you have placed a hidden CCTV in the room, even on having protection password. Which kind of control CCTV is?

  • A. Technical control
  • B. Physical control
  • C. Management control
  • D. Administrative control

Answer: B

Explanation:
Explanation/Reference:
Explanation:
CCTV is a physical control.
Physical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls. This section presents the following examples of physical controls:
Locked doors, guards, access logs, and closed-circuit television

Fire detection and suppression

Temperature and humidity detection

Electrical grounding and circuit breakers

Water detection

Incorrect Answers:
A, C, D CCTV is a physical control.

 

NEW QUESTION 109
Which of the following risk register updates is MOST important for senior management to review?

  • A. Changing a risk owner
  • B. Retiring a risk scenario no longer used
  • C. Extending the date of a future action plan by two months
  • D. Avoiding a risk that was previously accepted

Answer: A

Explanation:
Section: Volume D

 

NEW QUESTION 110
Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risks events that were not previously identified. What should Jenny do with these risk events?

  • A. Explanation:
    All identified risk events should be entered into the risk register.
    A risk register is an inventory of risks and exposure associated with those risks. Risks are
    commonly found in project management practices, and provide information to identify, analyze,
    and manage risks. Typically a risk register contains:
    A description of the risk
    The impact should this event actually occur
    The probability of its occurrence
    Risk Score (the multiplication of Probability and Impact)
    A summary of the planned response should the event occur
    A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact
    of the event)
    Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
  • B. is incorrect. Before the risk events are analyzed they should be documented in the risk
    register.
  • C. The events should be entered into the risk register.
  • D. The events should continue on with quantitative risk analysis.
  • E. The events should be entered into qualitative risk analysis.
  • F. The events should be determined if they need to be accepted or responded to.
  • G. is incorrect. These risks should first be identified, documented, passed through
    qualitative risk analysis and then it should be determined if they should pass through the
    quantitative risk analysis process.

Answer: C

Explanation:
is incorrect. The risks should first be documented and analyzed.

 

NEW QUESTION 111
You are the project manager of GHT project. A stakeholder of this project requested a change request in this project. What are your responsibilities as the project manager that you should do in order to approve this change request?
Each correct answer represents a complete solution. Choose two.

  • A. Formally accept the updated project plan
  • B. Archive copies of all change requests in the project file.
  • C. Evaluate the change request on behalf of the sponsor
  • D. Judge the impact of each change request on project activities, schedule and budget.

Answer: B,D

Explanation:
Section: Volume D
Explanation:
Project manager responsibilities related to the change request approval process is judging the impact of each change request on project activities, schedule and budget, and also archiving copies of all change requests in the project file.
Incorrect Answers:
B: This is the responsibility of Change advisory board.
D: Pm has not the authority to formally accept the updated project plan. This is done by project sponsors so as to approve the change request.

 

NEW QUESTION 112
You are the project manager of GHT project. You have initiated the project and conducted the feasibility study. What result would you get after conducting feasibility study?
Each correct answer represents a complete solution. (Choose two.)

  • A. Project management plan
  • B. Results of criteria analyzed, like costs, benefits, risk, resources required and organizational impact
  • C. Recommend alternatives and course of action
  • D. Risk response plan

Answer: B,C

Explanation:
Explanation/Reference:
Explanation:
The completed feasibility study results should include a cost/benefit analysis report that:
Provides the results of criteria analyzed (e.g., costs, benefits, risk, resources required and

organizational impact)
Recommends one of the alternatives and a course of action

Incorrect Answers:
B, C: Project management plan and risk response plan are the results of plan project management and plan risk response, respectively. They are not the result of feasibility study.

 

NEW QUESTION 113
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

  • A. security policies
  • B. process maps.
  • C. risk appetite.
  • D. risk tolerance level

Answer: A

 

NEW QUESTION 114
Within the three lines of defense model, the accountability for the system of internal control resides with:

  • A. the board of directors
  • B. the risk practitioner
  • C. the chief information officer (CIO).
  • D. enterprise risk management

Answer: A

 

NEW QUESTION 115
When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment options is being applied?

  • A. Acceptance
  • B. Transfer
  • C. Avoidance
  • D. Mitigation

Answer: D

 

NEW QUESTION 116
You are the risk official of your enterprise. Your enterprise takes important decisions without considering risk credential information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exists?

  • A. Level 0
  • B. Level 1
  • C. Level 4
  • D. Level 5

Answer: A

Explanation:
Section: Volume A
Explanation:
0 nonexistent: An enterprise's risk management capability maturity level is 0 when:
* The enterprise does not recognize the need to consider the risk management or the business impact from IT risk.
* Decisions involving risk lack credible information.
* Awareness of external requirements for risk management and integration with enterprise risk management (ERM) do not exists.
Incorrect Answers:
A, C, D: These all are much higher levels of the risk management capability maturity model and in all these enterprises do take decisions considering the risk credential information. Moreover, in these levels enterprise is aware of external requirements for risk management and integrate with ERM.

 

NEW QUESTION 117
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

  • A. External audit
  • B. Regulatory examination
  • C. Internal audit
  • D. Vendor performance scorecard

Answer: C

 

NEW QUESTION 118
The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

  • A. comply with the organization's policy.
  • B. measure efficiency of the control process.
  • C. confirm control alignment with business objectives.
  • D. ensure that risk is mitigated by the control.

Answer: C

 

NEW QUESTION 119
Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

  • A. Maintenance procedures
  • B. Insurance coverage
  • C. Installation manuals
  • D. Onsite replacement availability

Answer: A

 

NEW QUESTION 120
Which of the following should be an element of the risk appetite of an organization?

  • A. The amount of inherent risk considered appropriate
  • B. The effectiveness of compensating controls
  • C. The enterprise's capacity to absorb loss
  • D. The residual risk affected by preventive controls

Answer: A

 

NEW QUESTION 121
Which of the following are the MOST important risk components that must be communicated among all the stakeholders?
Each correct answer represents a part of the solution. Choose three.

  • A. Various risk response used in the project
  • B. Status of risk with regard to IT risk
  • C. Current risk management capability
  • D. Expectations from risk management

Answer: B,C,D

Explanation:
Section: Volume C
Explanation:
The broad array of information and the major types of IT risk information that should be communicated are as follows:
* Expectations from risk management: They include risk strategy, policies, procedures, awareness training, uninterrupted reinforcement of principles, etc. This essential communication drives all subsequent efforts on risk management and sets the overall expectations from risk management.
* Current risk management capability: This allows monitoring of the status of the risk management engine in the enterprise. It is a key indicator for effective risk management and has predictive value for how well the enterprise is managing risk and reducing exposure.
* Status with regard to IT risk: This describes the actual status with regard to IT risk including information of risk profile of the enterprise, Key risk indicators (KRIs) to support management reporting on risk, event-loss data, root cause of loss events and options to mitigate risk.
Incorrect Answers:
A: Risk response is only communicated to some of the stakeholders not all, as it is irrelevant for them. It is not communicated to the stakeholders of the project like project sponsors, etc.

 

NEW QUESTION 122
......

Authentic Best resources for CRISC Online Practice Exam: https://www.itpass4sure.com/CRISC-practice-exam.html

Get the superior quality CRISC Dumps with explanations waiting just for you, get it now: https://drive.google.com/open?id=14ILSMRVgDKLLJgbZDXHZiVxDQ2L-JS-w