[2024] Practice with these CRISC dumps Certification Sample Questions [Q273-Q293]

Share

[2024] Practice with these CRISC dumps Certification Sample Questions

Get Instant Access of 100% REAL CRISC DUMP Pass Your Exam Easily


Who should take the CRISC exam

The ISACA Certified in Risk and Information Systems Control Consultants CRISC Exam certification is an internationally-recognized validation that identifies persons who earn it as possessing skilled as Certified in Risk and Information Systems Control. If a candidate wants significant improvement in career growth needs enhanced knowledge, skills, and talents. The ISACA Certified in Risk and Information Systems Control Consultants CRISC Exam certification provides proof of this advanced knowledge and skill. If a candidate has knowledge and skills that are required to pass the ISACA Certified in Risk and Information Systems Control Consultants CRISC Exam then he should take this exam.

 

NEW QUESTION # 273
You are the project manager of GHT project. You are performing cost and benefit analysis of control. You come across the result that costs of specific controls exceed the benefits of mitigating a given risk. What is the BEST action would you choose in this scenario?

  • A. The enterprise may apply the appropriate control anyway.
  • B. The enterprise should adopt corrective control.
  • C. The enterprise should exploit the risk.
  • D. The enterprise may choose to accept the risk rather than incur the cost of mitigation.

Answer: D

Explanation:
Section: Volume A
Explanation:
If the costs of specific controls or countermeasures (control overhead) exceed the benefits of mitigating a given risk the enterprise may choose to accept the risk rather than incur the cost of mitigation. This is done according to the principle of proportionality described in:
* Generally accepted security systems principles (GASSP)
* Generally accepted information security principles (GAISP)
Incorrect Answers:
A: When the cost of specific controls exceeds the benefits of mitigating a given risk, then controls are not applied, rather risk is being accepted.
B: As the cost of control exceeds the benefits of mitigating a given risk, hence no control should be applied.
Corrective control is a type of control and hence it should not be adopted.
D: The risk is being exploited when there is an opportunity, i.e., the risk is positive. But here in this case, negative risk exists as it needs mitigation. So, exploitation cannot be done.


NEW QUESTION # 274
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?

  • A. Review the device's log file for recent attacks.
  • B. Review the parameter settings.
  • C. Interview the firewall administrator.
  • D. Review the actual procedures.

Answer: B

Explanation:
Explanation/Reference:
Explanation:
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide reliable audit evidence documentation.
Incorrect Answers:
A: While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
B: While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy.
C: While reviewing the device's log file for recent attacks may provide indirect evidence about the fact that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.


NEW QUESTION # 275
Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

  • A. Ongoing availability of data
  • B. Ability to predict trends
  • C. Availability of automated reporting systems
  • D. Ability to aggregate data

Answer: D


NEW QUESTION # 276
You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection as 4, 5, and 6, respectively. What Risk Priority Number (RPN) you would give to it?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: B

Explanation:
Explanation/Reference:
Explanation:
Steps involving in calculating risk priority number are as follows:
Identify potential failure effects

Identify potential causes

Establish links between each identified potential cause

Identify potential failure modes

Assess severity, occurrence and detection

Perform score assessments by using a scale of 1 -10 (low to high rating) to score these assessments.

Compute the RPN for a particular failure mode as Severity multiplied by occurrence and detection.

RPN = Severity * Occurrence * Detection
Hence,
RPN = 4 * 5 * 6
= 120
Incorrect Answers:
B, C, D: These are not RPN for given values of severity, occurrence, and detection.


NEW QUESTION # 277
You are the project manager of GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks you would do in reaction to risk event occurrence? Each correct answer represents a part of the solution. Choose three.

  • A. Update risk register
  • B. Monitor risk
  • C. Communicate lessons learned from risk events
  • D. Maintain and initiate incident response plans

Answer: B,C,D

Explanation:
Explanation/Reference:
Explanation:
When the risk events occur then following tasks have to done to react to it:
Maintain incident response plans

Monitor risk

Initiate incident response

Communicate lessons learned from risk events

Incorrect Answers:
C: Risk register is updated after applying appropriate risk response and at the time of risk event occurrence.


NEW QUESTION # 278
While developing obscure risk scenarios, what are the requirements of the enterprise?
Each correct answer represents a part of the solution. Choose two.

  • A. Have sufficient number of analyst
  • B. Have capability to cure the risk events
  • C. Have capability to recognize an observed event as something wrong
  • D. Be in a position that it can observe anything going wrong

Answer: C,D

Explanation:
Section: Volume B
Explanation:
The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events.
Such scenarios can be developed by considering two things:
* Visibility
* Recognition
* For the fulfillment of this task enterprise must:
* Be in a position that it can observe anything going wrong
* Have the capability to recognize an observed event as something wrong Incorrect Answers:
A, C: These are not the direct requirements for developing obscure risk scenarios, like curing risk events comes under process of risk management. Hence capability of curing risk event does not lay any impact on the process of development of risk scenarios.


NEW QUESTION # 279
Which of the following is the BEST control to minimize the risk associated with scope creep in software development?

  • A. An established process for project change management
  • B. Business managements review of functional requirements
  • C. Segregation between development, test, and production
  • D. Retention of test data and results for review purposes

Answer: A


NEW QUESTION # 280
You are using Information system. You have chosen a poor password and also sometimes transmits data over unprotected communication lines. What is this poor quality of password and unsafe transmission refers to?

  • A. Impacts
  • B. Threats
  • C. Vulnerabilities
  • D. Probabilities

Answer: C

Explanation:
Explanation/Reference:
Explanation:
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. The given scenario describes such a situation, hence it is a vulnerability.
Incorrect Answers:
A: Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability.
B: Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat.
D: Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.


NEW QUESTION # 281
Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

  • A. Customer data custodian
  • B. Data privacy officer
  • C. Customer database manager
  • D. Audit committee

Answer: A

Explanation:
Section: Volume D


NEW QUESTION # 282
An IT organization is replacing the customer relationship management (CRM) system. Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

  • A. IT controls manager
  • B. Chief risk officer
  • C. Business process owner
  • D. Chief information security officer

Answer: C

Explanation:
Section: Volume D
Explanation


NEW QUESTION # 283
Which of the following considerations should be taken into account while selecting risk indicators that ensures greater buy-in and ownership?

  • A. Stakeholder
  • B. Lead indicator
  • C. Lag indicator
  • D. Root cause

Answer: A

Explanation:
Explanation/Reference:
Explanation:
To ensure greater buy-in and ownership, risk indicators should be selected with the involvement of relevant stakeholders. Risk indicators should be identified for all stakeholders and should not focus solely on the more operational or strategic side of risk.
Incorrect Answers:
A: Role of lag indicators is to ensure that risk after events have occurred is being indicated.
B: Lead indicators indicate which capabilities are in place to prevent events from occurring. They do not play any role in ensuring greater buy-in and ownership.
C: Root cause is considered while selecting risk indicator but it does not ensure greater buy-in or ownership.


NEW QUESTION # 284
An IT department originally planned to outsource the hosting of its data center at an overseas location to reduce operational expenses. After a risk assessment, the department has decided to keep the data center in-house. How should the risk treatment response be reflected in the risk register?

  • A. Risk acceptance
  • B. Risk transfer
  • C. Risk mitigation
  • D. Risk avoidance

Answer: C


NEW QUESTION # 285
Which of the following BEST helps to balance the costs and benefits of managing IT risk?

  • A. Evaluating risk based on frequency and probability
  • B. Prioritizing risk responses
  • C. Managing the risk by using controls
  • D. Considering risk factors that can be quantified

Answer: B


NEW QUESTION # 286
Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

  • A. Information security director
  • B. Chief information officer
  • C. Internal audit director
  • D. Chief financial officer

Answer: A


NEW QUESTION # 287
A cote data center went offline abruptly for several hours affecting many transactions across multiple locations. Which of the to" owing would provide the MOST useful information to determine mitigating controls?

  • A. Risk assessment
  • B. Root cause analysis
  • C. Forensic analysis
  • D. Business impact analysis (BlA)

Answer: C


NEW QUESTION # 288
You are the project manager of GFT project. Your project involves the use of electrical motor. It was stated in its specification that if its temperature would increase to 500 degree Fahrenheit the machine will overheat and have to be shut down for 48 hours. If the machine overheats even once it will delay the project's arrival date. So to prevent this you have decided while creating response that if the temperature of the machine reach 450, the machine will be paused for at least an hour so as to normalize its temperature. This temperature of 450 degree is referred to as?

  • A. is incorrect. Here risk event is 500 degree temperature, as when machine reaches this temperature it should have to be shut-down for 48 hours, which in turn will laid a great impact on the working of project. Answer: D is incorrect. Risk response here is shutting off of machine when its temperature
    reaches 450 degree Fahrenheit, so as to prevent the occurring of risk event.
  • B. Risk response
  • C. Risk event
  • D. Risk identification
  • E. Risk trigger
  • F. Explanation:
    A risk trigger is a warning sign or condition that a risk event is about to happen. Here the warning temperature is 450 degree Fahrenheit, therefore it is referred as risk trigger.

Answer: E

Explanation:
is incorrect. Risk identification is the process of the identifying the risks. This process
identifies the risk events that could affect the project adversely or would act as opportunity.


NEW QUESTION # 289
Which of the following is the BEST way to quantify the likelihood of risk materialization?

  • A. Threat and vulnerability assessment
  • B. Business impact analysis (BIA)
  • C. Compliance assessments
  • D. Balanced scorecard

Answer: B


NEW QUESTION # 290
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

  • A. Regulatory examination
  • B. External audit
  • C. Internal audit
  • D. Vendor performance scorecard

Answer: A


NEW QUESTION # 291
Which of the following should be considered FIRST when creating a comprehensive IT risk register?

  • A. Risk mitigation policies
  • B. Risk management budget
  • C. Risk appetite
  • D. Risk analysis techniques

Answer: C


NEW QUESTION # 292
Which of the following role carriers is accounted for analyzing risks, maintaining risk profile, and risk-aware decisions?

  • A. Chief information officer (CIO)
  • B. Business management
  • C. Business process owner
  • D. Chief risk officer (CRO)

Answer: B

Explanation:
Section: Volume C
Explanation:
Business management is the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining risk profile, and risk-aware decisions. Other than this, they are also responsible for managing risks, react to events, etc.
Incorrect Answers:
B: Business process owner is an individual responsible for identifying process requirements, approving process design and managing process performance. He/she is responsible for analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.
C: CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. CIO has some responsibility analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.
D: CRO is the individual who oversees all aspects of risk management across the enterprise. He/she is responsible for analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.


NEW QUESTION # 293
......


ISACA CRISC certification is an excellent choice for professionals who wish to demonstrate their expertise in the field of information systems and risk management. Certified in Risk and Information Systems Control certification exam covers a range of topics and is designed to assess a candidate's ability to identify, evaluate, and manage information system risks in an organization. Obtaining a CRISC certification can lead to higher salaries, greater job opportunities, and an increased ability to effectively manage information system risks in an organization.

 

Free Exam Files Downloaded Instantly: https://www.trainingquiz.com/CRISC-practice-quiz.html

CRISC Free Exam Questions with Quality Guaranteed: https://drive.google.com/open?id=1DKvcNfXFm6DZTFOxV28pizxSCSIkSP_N