Practice CRISC Questions With Certification guide Q&A from Training Expert [Q255-Q278]


Free ISACA CRISC Test Practice Test Questions Exam Dumps


The benefit in Obtaining the CRISC Exam Certification

  • Internationally accepted as the mark of excellence for the IS audit professional.
  • Demonstrates a candidate's capability in the IS audit, control and security profession.
  • CRISC can also provide a career boost by distinguishing candidates from peers who are not CRISC certified.
  • Candidates with this certification, for the most part, earn 47.54% higher pay.
  • CRISC validates a candidate's knowledge and experience in the designated area and shows their capacity to respond to any challenge.

 

NEW QUESTION 255
If preventive controls cannot be implemented due to technology limitations, which of the following should be done FIRST to reduce risk?

  • A. Define a process for monitoring risk
  • B. Develop a plan to upgrade technology
  • C. Redefine the business process to reduce the risk
  • D. Evaluate alternative controls

Answer: D

Explanation:
Section: Volume D

 

NEW QUESTION 256
An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

  • A. Project Charlie
  • B. Project Alpha
  • C. Project Delta
  • D. Project Bravo

Answer: A

 

NEW QUESTION 257
Which of the following BEST indicates the condition of a risk management program?

  • A. Number of controls
  • B. Amount of residual risk
  • C. Level of financial support
  • D. Number of risk register entries

Answer: D

 

NEW QUESTION 258
To minimize the risk of a potential acquisition being exposed externally, an organization has selected a few key employees to be engaged in the due diligence process. A member of the due diligence team realizes a close acquaintance is a high-ranking IT professional at a subsidiary of the company about to be acquired. What is the BEST course of action for this team member?

  • A. Enforce segregation of duties.
  • B. Disclose potential conflicts of interest.
  • C. Delegate responsibilities involving the acquaintance.
  • D. Notify the subsidiary's legal team.

Answer: B

 

NEW QUESTION 259
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?

  • B. Business Continuity Strategy
  • C. Availability/ ITSCM/ Security Testing Schedule
  • D. Disaster Invocation Guideline
  • E. Index of Disaster-Relevant Information

Answer: B

Explanation:
The Business Continuity Strategy is an outline of the approach to ensure the continuity of Vital Business Functions in the case of disaster events. The Business Continuity Strategy is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy.
Incorrect Answers:
D: Disaster Invocation Guideline is a document produced by IT Service Continuity Management with detailed instructions on when and how to invoke the procedure for fighting a disaster. Most importantly, the guideline defines the first step to be taken by the Service Desk after learning that a disaster has occurred.
E: Index of Disaster-Relevant Information is a catalogue of all information that is relevant in the event of disasters. This document is maintained and circulated by IT Service Continuity Management to all members of IT staff with responsibilities for fighting disasters.
C: Availability/ ITSCM/ Security Testing Schedule is a schedule for the regular testing of all availability, continuity, and security mechanisms jointly maintained by Availability, IT Service Continuity, and IT Security Management.

 

NEW QUESTION 260
A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

  • A. Modify the design of the control
  • B. Re-evaluate key risk indicators
  • C. Invoke the incident response plan
  • D. Document the finding in the risk register

Answer: D

Explanation:
Section: Volume D

 

NEW QUESTION 261
You are the project manager of your enterprise. You have identified new threats and then evaluated the ability of existing controls to mitigate the risk associated with those new threats. You noticed that the existing control is not effective in mitigating these new risks. What are the various steps you could take in this case?
Each correct answer represents a complete solution. (Choose three.)

  • A. Education of staff or business partners
  • B. Modification of the technical architecture
  • C. Apply more controls
  • D. Deployment of a threat-specific countermeasure

Answer: A,B,D

Explanation:
Section: Volume C
Explanation:
As new threats are identified and prioritized in terms of impact, the first step is to evaluate the ability of existing controls to mitigate the risk associated with the new threats. If the existing controls do not work, the risk practitioner should facilitate the:
* Modification of the technical architecture
* Deployment of a threat-specific countermeasure
* Implementation of a compensating mechanism or process until mitigating controls are developed
* Education of staff or business partners
Incorrect Answers:
C: Applying more controls is not a good solution; additional controls usually complicate the situation.

 

NEW QUESTION 262
Which of the following is MOST important to the integrity of a security log?

  • A. Inability to edit
  • B. Encryption
  • C. Ability to overwrite
  • D. Least privilege access

Answer: A

 

NEW QUESTION 263
Which of the following practices BEST mitigates risk related to enterprise-wide ethical decision making in a multi-national organization?

  • A. Policies requiring central reporting of potential procedure exceptions
  • B. Ongoing awareness training to support a common risk culture
  • C. Customized regional training on local laws and regulations
  • D. Zero-tolerance policies for risk taking by middle-level managers

Answer: C

 

NEW QUESTION 264
Which of the following would BEST help to address the risk associated with malicious outsiders modifying application data?

  • A. Activation of control audits
  • B. Multi-factor authentication
  • C. Role-based access controls
  • D. Acceptable use policies

Answer: B

 

NEW QUESTION 265
Which of the following is MOST critical when designing controls?

  • A. Quantitative impact of the risk
  • B. Involvement of process owner
  • C. Identification of key risk indicators
  • D. Involvement of internal audit

Answer: A

Explanation:
Section: Volume D

 

NEW QUESTION 266
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

  • A. Authentication
  • B. Data integrity
  • C. Identification
  • D. Data validation

Answer: C

Explanation:
Reference: https://resources.infosecinstitute.com/network-design-firewall-idsips/#gref

 

NEW QUESTION 267
To communicate the risk associated with IT in business terms, which of the following MUST be defined?

  • A. Organizational objectives
  • B. Compliance objectives
  • C. Risk appetite of the organization
  • D. Inherent and residual risk

Answer: D

 

NEW QUESTION 268
Which of the following is the MOST effective way to integrate risk and compliance management?

  • A. Conducting regular self-assessments to verify compliance
  • B. Embedding risk management into compliance decision-making
  • C. Designing corrective actions to improve risk response capabilities
  • D. Embedding risk management into processes that are aligned with business drivers

Answer: B

 

NEW QUESTION 269
Which of the following controls detects a problem before it can occur?

  • A. Compensation control
  • B. Preventative control
  • C. Deterrent control
  • D. Detective control

Answer: B

Explanation:
Preventative controls are the controls that detect the problem before it occurs. They attempt to predict potential problems and make adjustments to prevent those problems from occurring in the near future. This prediction is made by monitoring both the system's operations and its inputs.
Incorrect Answers:
C: Deterrent controls are similar to preventative controls, but they diminish or reverse the attraction of the environment to prevent risk from occurring instead of making adjustments to the environment.
D: Detective controls simply detect and report on the occurrence of a problem. They identify specific symptoms of potential problems.
A: Compensation controls ensure that normal business operations continue by applying appropriate resources.

 

NEW QUESTION 270
After mapping generic risk scenarios to organizational security policies, the NEXT course of action should be to:

  • A. reduce the number of risk scenarios to a manageable set
  • B. record risk scenarios in the risk register for analysis
  • C. validate the risk scenarios for business applicability
  • D. perform a risk analysis on the risk scenarios

Answer: C

Explanation:
Section: Volume D

 

NEW QUESTION 271
You are the project manager of GHT project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk Indicators. What is the MOST important reason to maintain Key Risk Indicators?

  • A. Complex metrics require fine-tuning
  • B. Risk reports need to be timely
  • C. They help to avoid risk
  • D. Threats and vulnerabilities change over time

Answer: D

Explanation:
Since the enterprise's internal and external environments are constantly changing, the risk environment is also highly dynamic, i.e., threats and vulnerabilities change over time. Hence KRIs need to be maintained to ensure that they continue to effectively capture these changes.
Incorrect Answers:
B: Timely risk reporting is one of the business requirements, but it is not the reason behind KRI maintenance.
A: While most key risk indicator metrics need to be optimized with respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time.
C: Avoiding risk is a type of risk response. Risk responses are based on KRI reporting.

 

NEW QUESTION 272
Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?

  • A. Project charter
  • B. Project scope statement
  • C. Risk low-level watch list
  • D. Risk register

Answer: D

Explanation:
Section: Volume D
Explanation:
A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly used in project management practices and provide the information needed to identify, analyze, and manage risks. Typically a risk register contains:
* A description of the risk
* The impact should this event actually occur
* The probability of its occurrence
* Risk Score (the multiplication of Probability and Impact)
* A summary of the planned response should the event occur
* A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
* Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
* It records the initial risks, the potential responses, and tracks the status of each identified risk in the project.
Incorrect Answers:
B: The project scope statement does document initially defined risks, but it is not the place that records risk responses and the status of risks.
A: The project charter does not define risks.
C: The risk low-level watch list is for identified risks that have low impact and low probability in the project.

 

NEW QUESTION 273
What can be determined from the risk scenario chart?

  • A. Relative positions on the risk map
  • B. The multiple risk factors addressed by a chosen response
  • C. Risk treatment options
  • D. Capability of enterprise to implement

Answer: B

 

NEW QUESTION 274
You are the project manager of the HJK Project for your organization. You and the project team have created risk responses for many of the risk events in the project. Where should you document the proposed responses and the current status of all identified risks?

  • A. Stakeholder management strategy
  • B. Risk management plan
  • D. Risk register
  • E. Lessons learned documentation

Answer: D

Explanation:
Risks and the corresponding responses are documented in the risk register for the project. The risk register is a document that contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. The description, category, cause, probability of occurring, impact on objectives, proposed responses, owner, and current status of all identified risks are put in the risk register.
Incorrect Answers:
E: The outcome of risk events and the corresponding risk responses may be documented in the project's lessons learned documentation, but the best answer is to document the risk responses as part of the risk register.
B: The risk management plan defines how risks will be identified and analyzed, the available responses, and the monitoring and controlling of the risk events. The actual risk responses are included in the risk register.
A: The stakeholder management strategy defines how stakeholders and their threats, perceived threats, opinions, and influence over the project objectives will be addressed and managed.

 

NEW QUESTION 275
The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

  • A. assignment of risk to the appropriate owners
  • B. risk to be expressed in quantifiable terms
  • C. allocation of available resources
  • D. clear understanding of risk levels

Answer: D

 

NEW QUESTION 276
Which of the following is the BEST method to identify unnecessary controls?

  • A. Monitoring existing key risk indicators (KRIs)
  • B. Reviewing system functionalities associated with business processes
  • C. Evaluating the impact of removing existing controls
  • D. Evaluating existing controls against audit requirements

Answer: C

 

NEW QUESTION 277
Sammy is the project manager for her organization. She would like to rate each risk based on its probability and effect on time, cost, and scope. Harry, a project team member, has never done this before and thinks Sammy is wrong to attempt this approach. Harry says that a cumulative risk score should be created, not three separate risk scores. Who is correct in this scenario?

  • A. Harry is correct, the risk probability and impact matrix is the only approach to risk assessment.
  • B. Sammy is correct, because organizations can create risk scores for each objective of the project.
  • C. Harry is correct, because the risk probability and impact considers all objectives of the project.
  • D. Sammy is correct, because she is the project manager.

Answer: B

Explanation:
Section: Volume D
Explanation:
Sammy certainly can create an assessment of a risk event for time, cost, and scope. A risk event may affect only one objective or several, so an assessment per objective is acceptable.
Incorrect Answers:
D: Just because Sammy is the project manager, it does not follow that she is right.
A: Harry is incorrect, as there are multiple approaches to risk assessment for a project.
C: Harry's reasoning is flawed, as each objective can be reviewed for the risk's impact rather than the project as a whole.

 

NEW QUESTION 278
......
