2017 Feb CRISC test preparation
Q161. - (Topic 3)
You are using an information system. You have chosen a poor password and also sometimes transmit data over unprotected communication lines. What do the poor-quality password and the unsafe transmission represent?
A. Probabilities
B. Threats
C. Vulnerabilities
D. Impacts
Answer: C
Vulnerabilities are characteristics of information resources that may be exploited by a threat. A weak password and transmission over unprotected lines are both such characteristics, hence the scenario describes vulnerabilities.
Answer: B is incorrect. Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat.
Answer: A is incorrect. Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability.
Answer: D is incorrect. Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.
Q162. - (Topic 2)
While defining risk management strategies, which of the following must be determined first? Each correct answer represents a part of the solution. Choose two.
A. IT architecture complexity
B. Organizational objectives
C. Risk tolerance
D. Risk assessment criteria
Answer: B, C
While defining risk management strategies, the risk professional should first identify and analyze the objectives of the organization and its risk tolerance. Once the enterprise's objectives are known, the risk professional can identify the risks that could arise in accomplishing those objectives. Analyzing the risk tolerance helps in prioritizing those risks, which is a later step in risk management. These two items therefore form the basic framework of risk management.
Answer: A is incorrect. IT architecture complexity is related to risk assessment rather than to the definition of the risk management strategy; it helps in evaluating each significant risk once it has been identified.
Answer: D is incorrect. Risk assessment is one of the phases of managing risk, using quantitative and qualitative approaches to evaluate risks. The risk assessment criteria are therefore only a part of this framework, not something determined before the objectives and risk tolerance.
Q163. - (Topic 1)
Which of the following statements is NOT true regarding the risk management plan?
A. The risk management plan is an output of the Plan Risk Management process.
B. The risk management plan is an input to all the remaining risk-planning processes.
C. The risk management plan includes a description of the risk responses and triggers.
D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets.
Answer: C
The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers. Responses to risks are documented in the risk register as part of the Plan Risk Responses process.
Answer: A, B, and D are incorrect. All of these statements are true of the risk management plan. It details how risk management processes will be implemented, monitored, and controlled throughout the life of the project; it includes thresholds, scoring and interpretation methods, responsible parties, and budgets; and it acts as an input to all the remaining risk-planning processes.
Q164. - (Topic 1)
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
A. Penetration testing
B. Service level monitoring
C. Security awareness training
D. Periodic audits
Answer: D
Periodic audits can spot gaps in compliance with the information security policy, so they are the best way to ensure that outsourced service providers comply with it.
Answer: C is incorrect. Training can increase user awareness of the information security policy, but it is less effective than periodic auditing at ensuring compliance.
Answer: A is incorrect. Penetration testing can identify security vulnerabilities, but it cannot ensure compliance with the policy.
Answer: B is incorrect. Service level monitoring can only identify operational issues in the enterprise's operational environment. It plays no role in ensuring that an outsourced service provider complies with the enterprise's information security policy.
Q165. - (Topic 2)
Which of the following aspects are included in the Internal Environment component of the COSO ERM framework?
Each correct answer represents a complete solution. Choose three.
A. Enterprise's integrity and ethical values
B. Enterprise's working environment
C. Enterprise's human resource standards
D. Enterprise's risk appetite
Answer: A, C, D
The internal environment is the foundational component of the COSO ERM framework; it describes the philosophical basis of managing risk within the implementing enterprise. The aspects of the internal environment include the enterprise's:
Philosophy on risk management
Risk appetite
Attitudes of the Board of Directors
Integrity and ethical values
Commitment to competence
Organizational structure
Authority and responsibility
Human resource standards
Answer: B is incorrect. The enterprise's working environment is not one of the aspects of the internal environment listed above.
Q166. - (Topic 2)
While developing obscure risk scenarios, what must the enterprise be able to do? Each correct answer represents a part of the solution. Choose two.
A. Have capability to cure the risk events
B. Have capability to recognize an observed event as something wrong
C. Have sufficient number of analyst
D. Be in a position that it can observe anything going wrong
Answer: B, D
The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events. To do this, the enterprise must:
Be in a position to observe anything going wrong
Have the capability to recognize an observed event as something wrong
Answer: A and C are incorrect. These are not direct requirements for developing obscure risk scenarios. Curing (responding to) risk events belongs to the risk response process, so the capability to cure a risk event has no bearing on the development of risk scenarios, and the number of analysts is not a prerequisite either.
Q167. - (Topic 2)
Walter is the project manager of a large construction project. He will be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the work in the project is very dangerous, so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have introduced new risks into the project. A vendor has identified a new risk that could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario, considering the risk event?
A. Project management plan
B. Project communications plan
C. Project contractual relationship with the vendor
D. Project scope statement
Answer: A
When new risks are identified as a result of scope additions, Walter should update the risk register and the project management plan to reflect the responses to the risk event.
Answer: D is incorrect. The project scope statement was changed as part of the scope approval that has already happened.
Answer: C is incorrect. The contractual relationship with the vendor does not change because of project risks.
Answer: B is incorrect. The project communications management plan may be updated if the risk event creates a communication need, but the question concerns the risk event itself, not the communication of risks.
Q168. - (Topic 1)
You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?
A. Human resource needs
B. Quality control concerns
C. Costs
D. Risks
Answer: D
Fast tracking allows entire phases of the project to overlap and generally increases risk within the project.
Fast tracking is a technique for compressing the project schedule. In fast tracking, phases that would normally be done in sequence are overlapped. It shortens the project schedule without reducing the project scope.
Answer: B is incorrect. Quality control concerns usually are not affected by fast tracking decisions.
Answer: C is incorrect. Costs do not generally increase because of fast tracking decisions.
Answer: A is incorrect. Human resources are not affected by fast tracking in most scenarios.
Q169. - (Topic 3)
You are the project manager of the GHT project. You have identified a risk of noncompliance with regulations because a number of relatively simple procedures are missing.
The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization categories should this case be placed?
A. Business case to be made
B. Quick win
C. Risk avoidance
D. Deferral
Answer: B
This is categorized as a "quick win" because allocating existing resources or a minor resource investment provides measurable benefits. A quick win is a very effective and efficient response that addresses medium to high risk.
Answer: A is incorrect. "Business case to be made" requires careful analysis and management decisions on investments for risk responses to medium to high risk that are more expensive or difficult. In this scenario only a minor investment is needed, so it is not a "business case to be made".
Answer: D is incorrect. Deferral applies to a costly risk response to a low risk, which is not the case in this scenario.
Answer: C is incorrect. Risk avoidance is a type of risk response, not a risk response prioritization option.
Q170. - (Topic 4)
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with it. Where should the declined change request be documented and stored?
A. Change request log
B. Project archives
C. Lessons learned
D. Project document updates
Answer: A
The change request log records the status of all change requests, approved or declined. It is used as an account of change requests and as a means of tracking their disposition on a current basis. The change request log builds consistency into the change management process: it encourages common inputs into the process and a common estimation approach for all change requests. As the log is an important component of project requirements, it should be readily available to the project team members responsible for project delivery. It should be maintained in a file with read-only access for those who are not responsible for approving or disapproving project change requests.
Answer: C is incorrect. Lessons learned are not the correct place to document the status of a declined, or approved, change request.
Answer: B is incorrect. The project archive includes all project documentation and is created through the Close Project or Phase process. It is not the best choice for this question.
Answer: D is incorrect. Project document updates are not the best choice either: approved changes may be fleshed out into the project documents, but declined changes are recorded in the change request log.