2021 Dec CRISC free exam questions
Q41. - (Topic 3)
You are the project manager of the GHT project. You and your team have developed risk responses for those risks with the highest threat to or best opportunity for the project objectives. What are the immediate steps you should follow after the Plan Risk Responses process? Each correct answer represents a complete solution. Choose three.
A. Updating Project management plan and Project document
B. Applying controls
C. Updating Risk register
D. Prepare Risk-related contracts
The risk register is updated at the end of the Plan Risk Responses process with the information discovered during the process; the agreed response plans are recorded in it.
The project management plan, including the WBS, schedule baseline and cost performance baseline, should be updated. After the Plan Risk Responses process there may also be a requirement to update project documents such as technical documentation and the assumptions documented in the project scope statement.
If the risk response strategies include transference or sharing, it may be necessary to purchase services or items from third parties. Contracts for those services can be prepared and discussed with the appropriate parties.
Answer: B is incorrect. Controls are implemented in a later stage of the risk response process. Applying them is not the immediate task after planning risk responses, because the updating of several documents is done first.
The purpose of the Plan Risk Responses process is to develop risk responses for those risks with the highest threat to or best opportunity for the project objectives. The Plan Risk Responses process has four outputs:
Risk register updates
Risk-related contract decisions
Project management plan updates
Project document updates
Q42. - (Topic 1)
Which of the following components of a risk scenario has the potential to generate an internal or external threat to an enterprise?
A. Timing dimension
The components of a risk scenario that are needed for its analysis are:
Actor: Actors are the components of a risk scenario that have the potential to generate the threat; they can be internal or external, human or non-human. Internal actors are within the enterprise, such as staff and contractors. External actors include outsiders, competitors, regulators and the market.
Threat type: The threat type defines the nature of the threat, that is, whether the threat is malicious, accidental, natural or intentional.
Event: An event is an essential part of a scenario; a scenario always has to contain an event. The event describes what happens, such as disclosure of confidential information, interruption of a system or project, or modification, theft or destruction.
Asset: Assets are the economic resources owned by a business or company. Anything tangible or intangible that one possesses, usually considered as applicable to the payment of one's debts, is considered an asset. An asset can also be defined as a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. Tangible assets have physical attributes and can be detected with the senses, e.g., people, infrastructure and finances. Intangible assets have no physical attributes and cannot be detected with the senses, e.g., information, reputation and customer trust.
Timing dimension: The timing dimension is the application of the scenario to detect the time to respond to or recover from an event. It identifies whether the event occurs at a critical moment and how long it lasts. It also specifies the time lag between the event and its consequence, that is, whether there is an immediate consequence (e.g., network failure, immediate downtime) or a delayed consequence (e.g., a wrong IT architecture with high costs accumulated over a long period of time).
Q43. - (Topic 3)
You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures for managing risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?
A. Project plan
B. Resource management plan
C. Project management plan
D. Risk management plan
The risk management plan, part of the comprehensive project management plan, defines how risks will be identified, analyzed, monitored and controlled, and responded to.
A risk management plan is a document prepared by a project manager to estimate the effectiveness of risk handling, predict risks, and build response plans to mitigate them. It also contains the risk assessment matrix.
Risks are inherent in any project, and project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of an analysis of possible risks with both high and low impacts, together with the mitigation strategies that keep the project on track when the anticipated problems arise. Risk management plans should be reviewed periodically by the project team so that the analysis does not become stale and unrepresentative of the actual potential project risks. Most critically, risk management plans include a risk strategy for project execution.
Answer: C is incorrect. The project management plan is a comprehensive plan that communicates the intent of the project for all project management knowledge areas.
Answer: A is incorrect. The project plan is not an official PMBOK project management plan.
Answer: B is incorrect. The resource management plan defines the management of project resources, such as project team members, facilities, equipment, and contractors.
Q44. - (Topic 1)
Which of the following is NOT used for the measurement of the critical success factors of a project?
D. Customer service
Answer: A, B, and D are incorrect. Productivity, quality and customer service are used for evaluating the critical success factors of any particular project.
Q45. - (Topic 4)
You work as a Project Manager for Company Inc. You are assigning a risk response owner to take responsibility for each agreed-to and funded risk response. On which of the following processes are you working?
A. Quantitative Risk Analysis
B. Identify Risks
C. Plan risk response
D. Qualitative Risk Analysis
The Plan Risk Responses project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. The Plan Risk Responses process includes assigning a risk response owner to take responsibility for each agreed-to and funded risk response. This process addresses the risks by their priority and inserts resources and activities into the budget, schedule and project management plan as required. The inputs to the Plan Risk Responses process include the following:
Risk management plan
Answer: B is incorrect. Identify Risks is the process of determining which risks may affect the project. It also documents the risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they develop and maintain a sense of ownership and responsibility for the risks and the associated risk response actions. The risk register is the only output of this process.
Answer: A is incorrect. Quantitative analysis is the use of numerical and statistical techniques, rather than the analysis of verbal material, for analyzing risks. Some of the quantitative methods of risk analysis are:
Internal loss method
External data analysis
Business process modeling (BPM) and simulation
Statistical process control (SPC)
Answer: D is incorrect. Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10).
Hence it determines the nature of the risk on a relative scale. Some of the qualitative methods of risk analysis are:
Scenario analysis: This is a forward-looking process that can reflect risk for a given point in time.
Risk Control Self-Assessment (RCSA): RCSA is used by enterprises (such as banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process that compels business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.
Q46. - (Topic 3)
Which of the following statements are true for an enterprise's risk management capability maturity level 3?
A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
An enterprise's risk management capability maturity level is 3 when:
Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized.
There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise.
The business knows how IT fits in the enterprise risk universe and the risk portfolio view.
Local tolerances drive the enterprise risk tolerance.
Risk management activities are being aligned across the enterprise.
Formal risk categories are identified and described in clear terms.
Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk.
Defined requirements exist for a centralized inventory of risk issues.
Workflow tools are used to accelerate risk issues and track decisions.
Answer: C is incorrect. An enterprise at risk management capability maturity level 5 formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.
Q47. - (Topic 3)
Which of the following controls is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?
A. System and Communications protection control
B. Audit and Accountability control
C. Access control
D. Identification and Authentication control
Access controls help an organization enforce who may access what. They ensure that users have the rights and permissions they need to perform their jobs, and no more. This family includes principles such as least privilege and separation of duties.
Answer: B is incorrect. Audit and Accountability controls help an organization implement an effective audit program. They provide details on how to determine what to audit and how to protect the audit logs, and they include information on using audit logs for non-repudiation.
Answer: D is incorrect. Identification and Authentication controls cover the practices used to identify and authenticate users. Each user should be uniquely identified; in other words, each user has one account, and that account is used by only one user. Similarly, device identifiers uniquely identify devices on the network.
Answer: A is incorrect. System and Communications Protection controls are a large group of controls that cover many aspects of protecting systems and communication channels. Denial-of-service protection and boundary protection controls are included, as are transmission integrity and confidentiality controls.
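The two principles named for access control, least privilege and separation of duties, are easiest to see in a working authorization policy. The following is an added example written for this page, not CRISC or NIST material: a small role-based policy with default deny, a separation-of-duties rule that refuses to give one identity both the permissions needed to create a vendor and the permissions needed to pay it, and a least-privilege review that reports granted permissions an account has never used. The roles, permission names, users and access log are all constructed for the illustration.

```python
"""Least privilege and separation of duties in a minimal RBAC policy.

Added example for the access-control discussion; the role map, the
separation-of-duties rule and the sample access log are constructed here
and are not taken from any real control catalogue.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed role -> permission map. Each role carries only what that job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor:create", "invoice:enter"},
    "ap_approver": {"invoice:approve", "payment:release"},
    "auditor": {"ledger:read", "auditlog:read"},
}

# Separation-of-duties rule (constructed): holding anything from the left set
# together with anything from the right set lets one person pay a vendor they
# created, so the combination is refused at assignment time.
SOD_CONFLICTS: List[Tuple[Set[str], Set[str]]] = [
    ({"vendor:create", "invoice:enter"}, {"invoice:approve", "payment:release"}),
]


class PolicyError(ValueError):
    """Raised when an assignment would violate the policy."""


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of the permissions carried by the given roles; unknown roles are an error."""
    perms: Set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise PolicyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(roles: Iterable[str]) -> List[Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Return the conflicting permission pairs a holder of these roles would have."""
    perms = effective_permissions(roles)
    hits = []
    for left, right in SOD_CONFLICTS:
        held_left, held_right = perms & left, perms & right
        if held_left and held_right:
            hits.append((frozenset(held_left), frozenset(held_right)))
    return hits


def assign_roles(user: str, roles: Iterable[str],
                 assignments: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Grant roles only if the user's resulting role set passes the SoD check.

    Returns a new assignment table; the input table is left untouched.
    """
    merged = set(assignments.get(user, set())) | set(roles)
    violations = sod_violations(merged)
    if violations:
        raise PolicyError(f"separation of duties violated for {user}: {violations}")
    updated = dict(assignments)
    updated[user] = merged
    return updated


def is_authorized(user: str, permission: str, assignments: Dict[str, Set[str]]) -> bool:
    """Default deny: a permission is allowed only if some assigned role grants it."""
    return permission in effective_permissions(assignments.get(user, set()))


def unused_permissions(user: str, assignments: Dict[str, Set[str]],
                       access_log: Iterable[Tuple[str, str]]) -> Set[str]:
    """Least-privilege review: granted permissions the user never exercised."""
    granted = effective_permissions(assignments.get(user, set()))
    used = {perm for who, perm in access_log if who == user}
    return granted - used


if __name__ == "__main__":
    table: Dict[str, Set[str]] = {}
    table = assign_roles("alice", {"ap_clerk"}, table)
    table = assign_roles("bob", {"auditor"}, table)
    print("alice may enter invoices:", is_authorized("alice", "invoice:enter", table))
    print("alice may release payments:", is_authorized("alice", "payment:release", table))
    try:
        assign_roles("alice", {"ap_approver"}, table)  # clerk + approver is refused
    except PolicyError as exc:
        print("refused:", exc)
    # Constructed access log: bob only ever read the ledger.
    log = [("bob", "ledger:read"), ("alice", "invoice:enter")]
    print("bob's unused permissions:", unused_permissions("bob", table, log))
```

The check happens at assignment time rather than at access time, which is where separation of duties belongs: once a single account holds both halves of a conflicting pair, a per-request check cannot tell the two halves apart. The unused-permission report is the input to the periodic access review that keeps the "and no more" part of the definition true over time.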
Q48. - (Topic 1)
Which of the following are risk components of the COSO ERM framework? Each correct answer represents a complete solution. Choose three.
A. Risk response
B. Internal environment
C. Business continuity
D. Control activities
The risk components defined by COSO ERM are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
Answer: C is incorrect. Business continuity is not considered a risk component within the ERM framework.
Q49. - (Topic 4)
In which of the following risk management capability maturity levels are risk appetite and tolerance applied only during episodic risk assessments?
A. Level 3
B. Level 2
C. Level 4
D. Level 1
An enterprise's risk management capability maturity level is 1 when:
There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
Any risk identification criteria vary widely across the enterprise.
Risk appetite and tolerance are applied only during episodic risk assessments.
Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack a defensible rationale and enforcement mechanisms.
Risk management skills exist on an ad hoc basis, but are not actively developed.
Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.
Answer: A is incorrect. In level 3 of the risk management capability maturity model, local tolerances drive the enterprise risk tolerance.
Answer: B is incorrect. In level 2 of the risk management capability maturity model, risk tolerance is set locally and may be difficult to aggregate.
Answer: C is incorrect. In level 4 of the risk management capability maturity model, business risk tolerance is reflected in enterprise policies and standards.
Q50. - (Topic 1)
You are the project manager of the GHT project. You have selected appropriate key risk indicators (KRIs) for your project. Now you need to maintain those KRIs. What is the MOST important reason to maintain key risk indicators?
A. Risk reports need to be timely
B. Complex metrics require fine-tuning
C. Threats and vulnerabilities change over time
D. They help to avoid risk
Since the enterprise's internal and external environments are constantly changing, the risk environment is also highly dynamic; that is, threats and vulnerabilities change over time. Hence KRIs need to be maintained to ensure that they continue to capture these changes effectively.
Answer: A is incorrect. Timely risk reporting is one of the business requirements, but it is not the reason behind KRI maintenance.
Answer: B is incorrect. While most key risk indicator metrics need to be tuned with respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to capture the changes in threats and vulnerabilities over time.
Answer: D is incorrect. Avoiding risk is a type of risk response. Risk responses are based on KRI reporting; KRIs themselves do not avoid risk.