[Jan-2024] Use Real CRISC Dumps - 100% Free CRISC Exam Dumps
CRISC PDF Dumps Exam Questions – Valid CRISC Dumps
NEW QUESTION # 288
Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?
- A. Performing a benchmark analysis and evaluating gaps
- B. Participating in peer reviews and implementing best practices
- C. Conducting risk assessments and implementing controls
- D. Communicating components of risk and their acceptable levels
Answer: C
Explanation:
Section: Volume D
Explanation/Reference: https://m.isaca.org/Certification/CRISC-Certified-in-Risk-and-Information-Systems-Control/ Documents/CRISC-Additional-Verification-Form-2015-Later-frm_Eng_0818.pdf
NEW QUESTION # 289
Which of the following is MOST important to include in a Software as a Service (SaaS) vendor agreement?
- A. A requirement to provide an independent audit report
- B. An annual contract review
- C. A service level agreement (SLA)
- D. A requirement to adopt an established risk management framework
Answer: C
NEW QUESTION # 290
An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?
- A. Email infrastructure does not have proper rollback plans
- B. Sufficient resources are not assigned to IT development projects
- C. Customer support help desk staff does not have adequate training
- D. The corporate email system does not identify and store phishing emails
Answer: B
Explanation:
Section: Volume D
NEW QUESTION # 291
Which of the following would BEST mitigate the risk associated with reputational damage from inappropriate use of social media sites by employees?
- A. Monitoring Internet usage on employee workstations
- B. Validating employee social media accounts and passwords
- C. Implementing training and awareness programs
- D. Disabling social media access from the organization's technology
Answer: C
Explanation:
Section: Volume D
NEW QUESTION # 292
You are the project manager of the AFD project for your company. You are working with the project team to reassess existing risk events and to identify risk events that have not happened and whose relevancy to the project has passed. What should you do with these events that have not happened and would not happen now in the project?
- A. Add the risks to the risk register
- B. Explanation:
Risks that are now outdated should be closed by the project manager, there is no need to keep record of that. - C. Close the outdated risks
- D. Add the risks to a low-priority watch-list
- E. Add the risk to the issues log
- F. is incorrect. Risks with low probability and low impact go on the risk watchlist.
- G. is incorrect. Identified risks are already in the risk register.
Answer: C
Explanation:
is incorrect. Risks do not go into the issue log, but the risk register.
NEW QUESTION # 293
An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
- A. Audit findings
- B. Organizational threats
- C. Expected losses
- D. Cost-benefit analysis
Answer: D
Explanation:
Section: Volume D
NEW QUESTION # 294
Which of the following attributes of a key risk indicator (KRI) is MOST important?
- A. Repeatable
- B. Quantitative
- C. Qualitative
- D. Automated
Answer: A
NEW QUESTION # 295
Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?
- A. Opportunistic
- B. Enhancing
- C. Exploiting
- D. Positive
Answer: C
Explanation:
Section: Volume A
Explanation:
This is an example of exploiting a positive risk - a by-product of a project is an excellent example of exploiting a risk. Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of exploit response.
Incorrect Answers:
A: Enhancing is a positive risk response that describes actions taken to increase the odds of a risk event to happen.
B: This is an example of a positive risk, but positive is not a risk response.
C: Opportunistic is not a valid risk response.
NEW QUESTION # 296
An organization has raised the risk appetite for technology risk. The MOST likely result would be:
- A. decreased residual risk.
- B. higher risk management cost
- C. lower risk management cost.
- D. increased inherent risk.
Answer: C
NEW QUESTION # 297
Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives?
- A. Quantitative Risk Assessment
- B. Explanation:
A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are : Single loss expectancy (SLE)-It refers to the total loss expected from a single incident. This incident can occur when vulnerability is being exploited by threat. The loss is expressed as a dollar value such as $1,000. It includes the value of data, software, and hardware. SLE = Asset value * Exposure factor Annual rate of occurrence (ARO)-It refers to the number of times expected for an incident to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year. Annual loss expectancy (ALE)-It is the expected loss for a year. ALE is calculated by multiplying SLE with ARO. Because SLE is a given in a dollar value, ALE is also given in a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO Safeguard value-This is the cost of a control. Controls are used to mitigate risk. For example, antivirus software of an average cost of $50 for each computer. If there are 50 computers, the safeguard value is $2,500. - C. Identifying Risks
- D. Qualitative Risk Assessment
- E. Monitoring and Controlling Risks
Answer: A
Explanation:
is incorrect. Unlike the quantitative risk assessment, qualitative risk assessment does not assign dollar values. Rather, it determines risk's level based on the probability and impact of a risk. These values are determined by gathering the opinions of experts. Probability- establishing the likelihood of occurrence and reoccurrence of specific risks, independently, and combined. The risk occurs when a threat exploits vulnerability. Scaling is done to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentage can also be assigned to these words, like 10% to low and 90% to high. Impact- Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, low could be 10, medium could be 50, and high could be 100. Risk level= Probability*Impact Answer: A is incorrect. The first thing we must do in risk management is to identify the areas of the project where the risks can occur. This is termed as risk identification. Listing all the possible risks is proved to be very productive for the enterprise as we can cure them before it can occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them. Answer: D is incorrect. This is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness through the project.
NEW QUESTION # 298
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
- A. Exploit
- B. Avoidance
- C. Mitigation
- D. Transference
Answer: D
Explanation:
Explanation/Reference:
Explanation:
When you are hiring a third party to own risk, it is known as transference risk response.
Risk transfer means that impact of risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.
Incorrect Answers:
B: The act of spending money to reduce a risk probability and impact is known as mitigation.
C: When extra activities are introduced into the project to avoid the risk, this is an example of avoidance.
D: Exploit is a strategy that may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
NEW QUESTION # 299
Which of the following role carriers is accounted for analyzing risks, maintaining risk profile, and risk-aware decisions?
- A. Business process owner
- B. Business management
- C. Chief information officer (CIO)
- D. Chief risk officer (CRO)
Answer: B
Explanation:
Explanation/Reference:
Explanation:
Business management is the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining risk profile, and risk-aware decisions. Other than this, they are also responsible for managing risks, react to events, etc.
Incorrect Answers:
B: Business process owner is an individual responsible for identifying process requirements, approving process design and managing process performance. He/she is responsible for analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.
C: CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. CIO has some responsibility analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.
D: CRO is the individual who oversees all aspects of risk management across the enterprise. He/she is responsible for analyzing risks, maintaining risk profile, and risk-aware decisions but is not accounted for them.
NEW QUESTION # 300
Mapping open risk issues to an enterprise risk heat map BEST facilitates:
- A. risk ownership.
- B. risk identification.
- C. control monitoring.
- D. risk response.
Answer: B
NEW QUESTION # 301
Which of the following is MOST likely to introduce risk for financial institutions that use blockchain?
- A. Implementation of unproven applications
- B. Cost of implementation
- C. Disruption to business processes
- D. Increase in attack surface area
Answer: A
NEW QUESTION # 302
Which of the following is the GREATEST benefit when enterprise risk management (ERM) provides oversight of IT risk management?
- A. Prioritizing internal departments that provide service to customers
- B. Aligning IT with short-term and long-term goals of the organization
- C. Ensuring senior management's primary focus is on the impact of identified risk
- D. Ensuring the IT budget and resources focus on risk management
Answer: B
NEW QUESTION # 303
Which erf the following stakeholders are typically included as part of a line of defense within the three lines of defense model?
- A. Regulators
- B. Board of directors
- C. Legal team
- D. Vendors
Answer: A
NEW QUESTION # 304
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
- A. ARO= ALE*SLE
- B. ALE= ARO*SLE
- C. ALE= ARO/SLE
- D. ARO= SLE/ALE
Answer: B
Explanation:
Section: Volume C
Explanation:
A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:
* Single loss expectancy (SLE)-It refers to the total loss expected from a single incident. This incident can occur when vulnerability is being exploited by threat. The loss is expressed as a dollar value such as
$1,000. It includes the value of data, software, and hardware. SLE = Asset value * Exposure factor
* Annual rate of occurrence (ARO)-It refers to the number of times expected for an incident to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year. Annual loss expectancy (ALE)-It is the expected loss for a year.
ALE is calculated by multiplying SLE with ARO. Because SLE is a given in a dollar value, ALE is also given in a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000.
* ALE = SLE * ARO Safeguard value-This is the cost of a control. Controls are used to mitigate risk. For example, antivirus software of an average cost of $50 for each computer. If there are 50 computers, the safeguard value is $2,500. A, B, C: These are wrong formulas and are not used in quantitative risk assessment.
NEW QUESTION # 305
What are the requirements of effectively communicating risk analysis results to the relevant stakeholders?
Each correct answer represents a part of the solution. Choose three.
- A. The results should be reported in terms and formats that are useful to support business decisions
- B. Provide decision makers with an understanding of worst-case and most probable scenarios
- C. Communicate only the negative risk impacts of events in order to drive response decisions
- D. Communicate the risk-return context clearly
Answer: A,B,D
Explanation:
Explanation/Reference:
Explanation:
The result of risk analysis process is being communicated to relevant stakeholders. The steps that are involved in communication are:
The results should be reported in terms and formats that are useful to support business decisions.
Coordinate additional risk analysis activity as required by decision makers, like report rejection and
scope adjustment.
Communicate the risk-return context clearly, which include probabilities of loss and/or gain, ranges, and
confidence levels (if possible) that enable management to balance risk-return.
Identify the negative impacts of events that drive response decisions as well as positive impacts of
events that represent opportunities which should channel back into the strategy and objective setting process.
Provide decision makers with an understanding of worst-case and most probable scenarios, due
diligence exposures and significant reputation, legal or regulatory considerations.
Incorrect Answers:
B: Both the negative and positive risk impacts are being communicated to relevant stakeholders. Identify the negative impacts of events that drive response decisions as well as positive impacts of events that represent opportunities which should channel back into the strategy and objective setting process.
NEW QUESTION # 306
You have identified several risks in your project. You have opted for risk mitigation in order to respond to identified risk. Which of the following ensures that risk mitigation method that you have chosen is effective?
- A. Reduction in the impact of a threat
- B. Minimization of inherent risk
- C. Reduction in the frequency of a threat
- D. Minimization of residual risk
- E. is incorrect. The objective of risk reduction is to reduce the residual risk to levels below
the enterprise's risk tolerance level. - F. Explanation:
The inherent risk of a process is a given and cannot be affected by risk reduction or risk mitigation
efforts. Hence it should be reduced as far as possible. - G. is incorrect. Risk reduction efforts can focus on either avoiding the frequency of the risk
or reducing the impact of a risk.
Answer: B
Explanation:
is incorrect. Risk reduction efforts can focus on either avoiding the frequency of the risk
or reducing the impact of a risk.
NEW QUESTION # 307
Which of the following come under the phases of risk identification and evaluation?
Each correct answer represents a complete solution. Choose three.
- A. Analyzing risk
- B. Maintain a risk profile
- C. Collecting data
- D. Applying controls
Answer: A,B,C
Explanation:
Section: Volume D
Explanation:
Risk identification is the process of determining which risks may affect the project. It also documents risks' characteristics.
Following are high-level phases that are involved in risk identification and evaluation:
* Collecting data- Involves collecting data on the business environment, types of events, risk categories, risk scenarios, etc., to identify relevant data to enable effective risk identification, analysis and reporting.
* Analyzing risk- Involves analyzing risk to develop useful information which is used while taking risk- decisions. Risk-decisions take into account the business relevance of risk factors.
* Maintain a risk profile- Requires maintaining an up-to-date and complete inventory of known threats and their attributes (e.g., expected likelihood, potential impact, and disposition), IT resources, capabilities, and controls as understood in the context of business products, services and processes to effectively monitor risk over time.
Incorrect Answers:
D: It comes under risk management process, and not in risk identification and evaluation process.
NEW QUESTION # 308
An organization has been notified that a dis grunted, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?
- A. An external vulnerability scan has been detected
- B. Authentication logs have been disabled
- C. A brute force attack has been detected
- D. An increase in support request has been observed
Answer: B
NEW QUESTION # 309
......
Ultimate CRISC Guide to Prepare Free Latest ISACA Practice Tests Dumps: https://www.actualtests4sure.com/CRISC-test-questions.html
Get Top-Rated ISACA CRISC Exam Dumps Now: https://drive.google.com/open?id=1IxBuVzeA_eBTCZ7hkYYH6qC0qJUnqrCu

