NEW QUESTION # 16
Which of the following is true for risk management frameworks, standards and practices?
Each correct answer represents a part of the solution. Choose three.
- A. They provide a systematic view of "things to be considered" that could harm clients or an enterprise.
- B. They result in increase in cost of training, operation and performance improvement.
- C. They assist in achieving business objectives quickly and easily.
- D. They act as a guide to focus efforts of variant teams.
Answer: C,D
Explanation:
Frameworks, standards and practices are necessary as:
- They provide a systematic view of "things to be considered" that could harm clients or an enterprise.
- They act as a guide to focus efforts of variant teams.
- They save time and revenue, such as training costs, operational costs and performance improvement costs.
- They assist in achieving business objectives quickly and easily.
NEW QUESTION # 17
Reviewing which of the following BEST helps an organization gain insight into its overall risk profile?
- A. Risk register
- B. Threat landscape
- C. Risk metrics
- D. Risk appetite
Answer: D
NEW QUESTION # 18
Which of the following is MOST effective in continuous risk management process improvement?
- A. Awareness training
- B. Policy updates
- C. Change management
- D. Periodic assessments
Answer: D
NEW QUESTION # 19
An organization's business gap analysis reveals the need for a robust IT risk strategy. Which of the following should be the risk practitioner's PRIMARY consideration when participating in development of the new strategy?
- A. Scale of technology
- B. Risk indicators
- C. Risk culture
- D. Proposed risk budget
Answer: C
NEW QUESTION # 20
When evaluating enterprise IT risk management, it is MOST important to:
- A. create new control processes to reduce identified IT risk scenarios
- B. review alignment with the organization's investment plan
- C. report identified IT risk scenarios to senior management
- D. confirm the organization's risk appetite and tolerance
Answer: B
NEW QUESTION # 21
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
- A. Intellectual property policy
- D. Privacy policy
- E. Acceptable use policy
- F. Anti-harassment policy
Answer: E
Explanation:
An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network, site or system may be used. Acceptable use policies are an integral part of the framework of information security policies.
Privacy policy is incorrect. A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data.
Anti-harassment policy and intellectual property policy are incorrect. These two policies are not related to information system security.
NEW QUESTION # 22
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
- A. Configuring the DLP control to block credit card numbers
- B. Testing the DLP rule change control process
- C. Reviewing logs for unauthorized data transfers
- D. Testing the transmission of credit card numbers
Answer: C
Explanation:
Reference: https://www.esecurityplanet.com/network-security/data-loss-prevention-dlp.html
NEW QUESTION # 23
Which of the following is the MOST important consideration when sharing risk management updates with executive management?
- A. Ensuring relevance to organizational goals
- B. Using an aggregated view of organizational risk
- C. Relying on key risk indicator (KRI) data
- D. Including trend analysis of risk metrics
Answer: A
NEW QUESTION # 24
Which of the following is the BEST indication of the effectiveness of a business continuity program?
- A. Business continuity and disaster recovery plans are regularly updated.
- B. Business continuity tests are performed successfully and issues are addressed.
- C. Business units are familiar with the business continuity plans and process.
- D. Business impact analyses are reviewed and updated in a timely manner.
Answer: B
NEW QUESTION # 25
The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:
- A. assess the proliferation of new threats.
- B. ensure policy and regulatory compliance.
- C. verify Internet firewall control settings.
- D. identify vulnerabilities in the system.
Answer: A
NEW QUESTION # 26
Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?
- A. Identifying the objectives
- B. Analyzing cost-effectiveness
- C. Determining the stakeholders
- D. Calculating the cost
Answer: D
NEW QUESTION # 27
Shawn is the project manager of the HWT project. In this project, Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help to automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response has he used?
- A. Enhancing
- B. Avoiding
- C. Accepting
- D. Exploiting
Answer: D
Explanation:
A risk event is exploited so as to realize the opportunities for positive impacts. Exploit response is one of the strategies for dealing with risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response.
Incorrect Answers:
Avoiding: To avoid a risk means to evade it altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.
Accepting: Accepting is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Often acceptance is used for low-probability and low-impact risk events.
Enhancing: Enhancing is a positive risk response that aims to increase the probability and/or impact of the risk event.
NEW QUESTION # 28
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?
- A. Human resources manager (HRM)
- B. Business continuity manager (BCM)
- C. Chief information officer (CIO)
- D. Chief risk officer (CRO)
Answer: C
NEW QUESTION # 29
A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?
- A. Conduct an immediate risk assessment
- B. Invoke the established incident response plan
- C. Perform a root cause analysis
- D. Inform internal audit
Answer: D
NEW QUESTION # 30
Which of the following should management consider when selecting a risk mitigation option?
- A. Reliability of key risk indicators (KRIs)
- B. Reliability of key performance indicators (KPIs)
- C. Cost of control implementation
- D. Maturity of the enterprise architecture
Answer: C
NEW QUESTION # 31
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?
- A. Prioritize issues noted during the testing window
- B. Update the business impact analysis (BIA)
- C. Identify what additional controls are needed
- D. Communicate test results to management
Answer: B
NEW QUESTION # 32
The MAIN purpose of having a documented risk profile is to:
- A. enable well-informed decision making.
- B. prioritize investment projects.
- C. comply with external and internal requirements.
- D. keep the risk register up-to-date.
Answer: A
NEW QUESTION # 33
Which of the following processes ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule?
- A. Risk response implementation
- B. Risk response tracking
- C. Risk response integration
- D. Risk management
Answer: B
Explanation:
Risk response tracking follows the ongoing status of risk mitigation activities as part of the risk response process. This tracking ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule. When an enterprise is conscious of a risk but does not have an appropriate risk response strategy, its exposure to adverse publicity, or even civil or criminal penalties, increases.
Incorrect Answers:
Risk management: Risk management provides an approach for individuals and groups to make a decision on how to deal with potentially harmful situations.
Risk response integration: Integrating risk response options to address more than one risk together helps in achieving greater efficiency. The use of techniques that are versatile and enterprise-wide, rather than individual solutions, provides better justification for risk response strategies and related costs.
Risk response implementation: Implementation of risk responses ensures that the risks analyzed in the risk analysis process are lowered to a level that the enterprise can accept, by applying appropriate controls.
NEW QUESTION # 34
The BEST way to improve a risk register is to ensure the register:
- A. contains the risk assessment completion date.
- B. documents possible countermeasures.
- C. is regularly audited.
- D. is updated based upon significant events.
Answer: D
NEW QUESTION # 35
An organization recently configured a new business division. Which of the following is MOST likely to be affected?
- A. Risk tolerance
- B. Risk culture
- C. Risk profile
- D. Risk appetite
Answer: C
NEW QUESTION # 36
You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working?
- A. Identify Risks
- B. Qualitative Risk Analysis
- C. Quantitative Risk Analysis
- D. Plan risk response
Answer: D
Explanation:
The Plan Risk Responses project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. The Plan Risk Responses process includes assigning a risk response owner to take responsibility for each agreed-to and funded risk response. This process addresses the risks by their priorities, updates the project management plan as required, and inserts resources and activities into the budget.
The inputs to the Plan Risk Responses process are as follows:
- Risk register
- Risk management plan
Incorrect Answers:
Quantitative Risk Analysis: Quantitative analysis is the use of numerical and statistical techniques, rather than the analysis of verbal material, for analyzing risks. Some of the quantitative methods of risk analysis are:
- Internal loss method
- External data analysis
- Business process modeling (BPM) and simulation
- Statistical process control (SPC)
Identify Risks: Identify Risks is the process of determining which risks may affect the project. It also documents the risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. The risk register is the only output of this process.
Qualitative Risk Analysis: Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative scale. Some of the qualitative methods of risk analysis are:
- Scenario analysis: This is a forward-looking process that can reflect risk for a given point in time.
- Risk Control Self-Assessment (RCSA): RCSA is used by enterprises (such as banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in compelling business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.
NEW QUESTION # 37
Which of the following is MOST essential for an effective change control environment?
- A. Separation of development and production environments
- B. Requirement of an implementation rollback plan
- C. IT management review of implemented changes
- D. Business management approval of change requests
Answer: B