Pass ISACA CRISC Exam Info and Free Practice Test [Q587-Q612]

New 2023 Latest Questions CRISC Dumps - Use Updated ISACA Exam

NEW QUESTION # 587
Which of the following is the final step in the policy development process?

  • A. Continued awareness activities
  • B. Maintenance and review
  • C. Communication to employees
  • D. Management approval

Answer: B

Explanation:
Organizations should create a structured ISG document development process. A formal process gives many areas the opportunity to comment on a policy, which is especially important for high-level policies that apply to the whole organization. A formal process also makes sure that final policies are communicated to employees, and it provides a way to make sure that policies are reviewed regularly. In general, a policy development process should include the following steps:
1. Development
2. Stakeholder review
3. Management approval
4. Communication to employees
5. Documentation of compliance or exceptions
6. Continued awareness activities
7. Maintenance and review
Incorrect Answers:
A, C, D: These are earlier phases in the policy development process.


NEW QUESTION # 588
When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

  • A. Recovery time objectives (RTOs) do not meet business requirements.
  • B. BCP testing is not in conjunction with the disaster recovery plan (DRP)
  • C. Each business location has separate, inconsistent BCPs.
  • D. BCP is often tested using the walk-through method.

Answer: A


NEW QUESTION # 589
You are the project manager of GHT project. You and your team have developed risk responses for those risks with the highest threat to or best opportunity for the project objectives. What are the immediate steps you should follow, after planning for risk response process? Each correct answer represents a complete solution. Choose three.

  • A. Prepare Risk-related contracts
  • B. Applying controls
  • C. Updating Risk register
  • D. Updating Project management plan and Project document

Answer: A,C,D

Explanation:
The risk register is updated at the end of the Plan Risk Responses process with the information that was discovered during the process. The response plans are recorded in the risk register.
The project management plan, consisting of the WBS, schedule baseline and cost performance baseline, should be updated. After the Plan Risk Responses process, project documents such as technical documentation and the assumptions documented in the project scope statement may also need to be updated.
If risk response strategies include responses such as transference or sharing, it may be necessary to purchase services or items from third parties. Contracts for those services can be prepared and discussed with the appropriate parties.
Incorrect Answers:
B: Controls are implemented in a later stage of the risk response process. Applying controls is not the immediate task after planning risk responses, as the updating of several documents is done first.
The purpose of the Plan Risk Responses process is to develop risk responses for those risks with the highest threat to or best opportunity for the project objectives. The Plan Risk Responses process has four outputs:
  • Risk register updates
  • Risk-related contract decisions
  • Project management plan updates
  • Project document updates


NEW QUESTION # 590
Which of the following BEST indicates the efficiency of a process for granting access privileges?

  • A. Average time to grant access privileges
  • B. Average number of access privilege exceptions
  • C. Number of changes in access granted to users
  • D. Number and type of locked obsolete accounts

Answer: A


NEW QUESTION # 591
An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits.
Which of the following should be of GREATEST concern to the risk practitioner?

  • A. Lack of a risk-based approach to access control
  • B. The controls may not be properly tested
  • C. The vendor will not achieve best practices
  • D. The vendor will not ensure against control failure

Answer: D



NEW QUESTION # 592
A contract associated with a cloud service provider MUST include:

  • A. the provider's financial statements.
  • B. provision for source code escrow.
  • C. a business recovery plan.
  • D. ownership of responsibilities.

Answer: D


NEW QUESTION # 593
Which of the following is NOT true for Key Risk Indicators?

  • A. They are selected as the prime monitoring indicators for the enterprise
  • B. They help avoid having to manage and report on an excessively large number of risk indicators
  • C. The complete set of KRIs should also balance indicators for risk, root causes and business impact.
  • D. They are monitored annually

Answer: D

Explanation:
KRIs are monitored on a regular basis because they indicate high-probability, high-impact risks. As risks change over time, KRIs should also be monitored regularly to confirm that they remain effective for these changing risks, not only once a year.
Incorrect Answers:
A, B, C: These are all true for KRIs. Key Risk Indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk.
KRIs help avoid the excessively large number of risk indicators that a large enterprise would otherwise have to manage and report on.
The complete set of KRIs should also balance indicators for risk, root causes and business impact, so as to indicate the risk and its impact completely.


NEW QUESTION # 594
You are the project manager of the GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks would you do in reaction to the risk event occurrence? Each correct answer represents a part of the solution. Choose three.

  • A. Update risk register
  • B. Communicate lessons learned from risk events
  • C. Maintain and initiate incident response plans
  • D. Monitor risk

Answer: B,C,D

Explanation:
When a risk event occurs, the following tasks have to be done in reaction to it:
  • Maintain incident response plans
  • Monitor risk
  • Initiate incident response
  • Communicate lessons learned from risk events
Incorrect Answers:
A: The risk register is updated after the appropriate risk response has been applied, not at the moment the risk event occurs.


NEW QUESTION # 595
An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

  • A. Regional office executive
  • B. Data owner
  • C. Data custodian
  • D. Third-party data custodian

Answer: B


NEW QUESTION # 596
For which of the following risk management capability maturity levels is the statement given below true?
"Real-time monitoring of risk events and control exceptions exists, as does automation of policy management"

  • A. Level 5
  • B. Level 0
  • C. Level 3
  • D. Level 2

Answer: A

Explanation:
An enterprise's risk management capability maturity level is 5 when real-time monitoring of risk events and control exceptions exists, as does automation of policy management.
Incorrect Answers:
C, D: At levels 3 and 2, real-time monitoring of risk events is not done.
B: At level 0 of the risk management capability maturity model, the enterprise does not recognize the importance of considering risk management or the business impact from IT risk.


NEW QUESTION # 597
You are the project manager of the GHT project. You have analyzed the risk and applied appropriate controls. In turn, you got residual risk as a result of this. Residual risk can be used to determine which of the following? Each correct answer represents a complete solution. Choose two.

  • A. Whether the benefits of such controls outweigh the costs
  • B. Status of enterprise's risk
  • C. Appropriate controls to be applied next
  • D. The area that requires more control

Answer: A,D

Explanation:
Residual risk can be used by management to determine:
  • Which areas require more control
  • Whether the benefits of such controls outweigh the costs
As residual risk is the output that remains after appropriate controls are applied, it can also indicate the area that needs more sophisticated control. If the cost of a control is larger than its benefit, no control is applied, hence residual risk can show whether the benefits of these controls outweigh their cost.
Incorrect Answers:
B: Status of enterprise's risk can be determined only after risk monitoring.
C: Appropriate controls can only be determined as the result of risk assessment, not through residual risk.


NEW QUESTION # 598
An organization has completed a project to implement encryption on all databases that host customer data.
Which of the following elements of the risk register should be updated to reflect this change?

  • A. Risk tolerance
  • B. Risk appetite
  • C. Inherent risk
  • D. Risk likelihood

Answer: C



NEW QUESTION # 599
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?

  • A. These risks can be added to a low priority risk watch list.
  • B. These risks can be dismissed.
  • C. All risks must have a valid, documented risk response.
  • D. These risks can be accepted.

Answer: A

Explanation:
Low-impact, low-probability risks can be added to the low priority risk watch list.
Incorrect Answers:
B: These risks are not dismissed; they are still documented on the low priority risk watch list.
C: Not every risk demands a risk response, so this choice is incorrect.
D: While these risks may be accepted, they should be documented on the low priority risk watch list. This list will be periodically reviewed and the status of the risks may change.


NEW QUESTION # 600
A program manager has completed an unsuccessful disaster recovery test. Which of the following should the risk practitioner recommend as the NEXT course of action?

  • A. Communicate test results to management
  • B. Identify what additional controls are needed
  • C. Update the business impact analysis (BIA)
  • D. Prioritize issues noted during the testing window

Answer: C


NEW QUESTION # 601
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?

  • A. Delphi Technique
  • B. Project network diagrams
  • C. Cause-and-effect analysis
  • D. Decision tree analysis

Answer: D

Explanation:
Decision tree analysis is a risk analysis tool that can help the project manager in determining the best risk response. The tool can be used to measure probability, impact, and risk exposure, and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced picture of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: The Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. A group of experts independently rates the business risk of an organization; each expert analyzes and prioritizes the risk independently, and the results are combined into a consensus.
B: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as a part of risk response planning.
C: Cause-and-effect analysis is used for exposing risk factors and is not an effective tool for risk response planning. This analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes.


NEW QUESTION # 602
Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?

  • A. To monitor for potential changes to the risk scenario
  • B. To prevent the risk scenario in the current environment
  • C. To track historical risk assessment results
  • D. To support regulatory requirements

Answer: C


NEW QUESTION # 603
An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?

  • A. Restrict access to customer data on a "need to know" basis.
  • B. Mask customer data fields.
  • C. Require vendor to sign a confidentiality agreement.
  • D. Enforce criminal background checks.

Answer: A


NEW QUESTION # 604
Which of the following individuals is responsible for identifying process requirements, approving process design and managing process performance?

  • A. Business process owner
  • B. Chief financial officer
  • C. Risk owner
  • D. Chief information officer

Answer: A

Explanation:
Business process owners are the individuals responsible for identifying process requirements, approving process design and managing process performance. In general, a business process owner must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities.
Incorrect Answers:
B: The chief financial officer is the most senior official of the enterprise who is accountable for financial planning, record keeping, investor relations and financial risks.
C: The risk owner for each risk should be the person who has the most influence over its outcome. Selecting the risk owner thus usually involves considering the source of risk and identifying the person who is best placed to understand and implement what needs to be done.
D: The chief information officer is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources.


NEW QUESTION # 605
During a risk assessment, the risk practitioner finds a new risk scenario without controls has been entered into the risk register. Which of the following is the MOST appropriate action?

  • A. Postpone the risk assessment until controls are identified.
  • B. Include the new risk scenario in the current risk assessment.
  • C. Exclude the new risk scenario from the current risk assessment.
  • D. Request the risk scenario be removed from the register.

Answer: B


NEW QUESTION # 606
You are the project manager of the GHT project. This project will last for 18 months and has a project budget of $567,000. Robert, one of your stakeholders, has introduced a scope change request that will likely have an impact on the project costs and schedule. Robert assures you that he will pay for the extra time and costs associated with the risk event. You have identified that change request may also affect other areas of the project other than just time and cost. What project management component is responsible for evaluating a change request and its impact on all of the project management knowledge areas?

  • A. Integrated change control
  • B. Risk analysis
  • C. Project change control system
  • D. Configuration management

Answer: A

Explanation:
Integrated change control is responsible for evaluating a proposed change and determining its impact on all areas of the project: scope, time, cost, quality, human resources, communication, risk, and procurement.
Incorrect Answers:
B: Risk analysis is not responsible for reviewing the change aspects for the entire project.
C: The project change control system defines the workflow and approval process for proposed changes to the project scope, time, cost, and contracts.
D: Configuration management defines the management, control, and documentation of the features and functions of the project's product.


NEW QUESTION # 607
Where are all risks and risk responses documented as the project progresses?

  • A. Risk register
  • B. Risk response plan
  • C. Risk management plan
  • D. Project management plan

Answer: A

Explanation:
All risks, their responses, and other characteristics are documented in the risk register. As the project progresses and the conditions of the risk events change, the risk register should be updated to reflect the current risk conditions.
Incorrect Answers:
B: The risk response plan only addresses the planned risk responses for the identified risk events in the risk register.
C: The risk management plan addresses the project management's approach to risk management, risk identification, analysis, response, and control.
D: The project management plan is the overarching plan for the project, not the specifics of the risk responses and risk identification.


NEW QUESTION # 608
Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?

  • A. Determining processes for monitoring the effectiveness of the controls
  • B. Updating the risk register to include the risk mitigation plan
  • C. Ensuring that control design reduces risk to an acceptable level
  • D. Confirming to management the controls reduce the likelihood of the risk

Answer: C



NEW QUESTION # 609
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?

  • A. Annually
  • B. Every three years
  • C. Quarterly
  • D. Never

Answer: A

Explanation:
FISMA requires an annual evaluation. Each year, agencies must have an independent evaluation of their information security program, whose objective is to determine the effectiveness of the program. These evaluations include:
  • Testing for effectiveness: Policies, procedures, and practices are tested. The evaluation does not test every policy, procedure, and practice; instead, a representative sample is tested.
  • An assessment or report: This report identifies the agency's compliance with FISMA as well as its compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by an external organization is done annually, not quarterly, every three years, or never.


NEW QUESTION # 610
Which of the following is the MOST important concern when assigning multiple risk owners for an identified risk?

  • A. Mitigation efforts may be duplicated.
  • B. Risk ratings may be inconsistently applied.
  • C. Different risk taxonomies may be used.
  • D. Accountability may not be clearly defined.

Answer: D


NEW QUESTION # 611
You are an experienced Project Manager who has been entrusted with a project to develop a machine which produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?

  • A. Risk Categories
  • B. Risk Management Plan
  • C. Risk Register
  • D. Risk Breakdown Structure

Answer: C

Explanation:
The primary output from Identify Risks is the initial set of entries in the risk register. The risk register ultimately contains the outcomes of other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time.
Incorrect Answers:
A, B, D: All of these are outputs from the "Plan Risk Management" process, which happens prior to the start of risk identification.

