CRISC Certified in Risk and Information Systems Control Exam Set 1

What is the process for selecting and implementing measures to impact risk called?


Options are :

  • Risk Management
  • Risk Treatment (Correct)
  • Control
  • Risk Assessment

Answer : Risk Treatment

You are the project manager of GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?


Options are :

  • This risk event should be avoided to take full advantage of the potential savings.
  • This risk event is an opportunity to the project and should be exploited. (Correct)
  • This risk event should be mitigated to take advantage of the savings.
  • This is a risk event that should be accepted because the rewards outweigh the threat to the project.

Answer : This risk event is an opportunity to the project and should be exploited.

You are the project manager of GHT project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk Indicators. What is the MOST important reason to maintain Key Risk Indicators?


Options are :

  • Risk reports need to be timely
  • Complex metrics require fine-tuning
  • Threats and vulnerabilities change over time (Correct)
  • They help to avoid risk

Answer : Threats and vulnerabilities change over time

Which of the following matrices is used to specify risk thresholds?


Options are :

  • Probability matrix
  • Risk indicator matrix (Correct)
  • Risk scenario matrix
  • Impact matrix

Answer : Risk indicator matrix

You are an experienced Project Manager who has been entrusted with a project to develop a machine that produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?


Options are :

  • Risk Management Plan
  • Risk Categories
  • Risk Register (Correct)
  • Risk Breakdown Structure

Answer : Risk Register

Which of the following should be PRIMARILY considered while designing information systems controls?


Options are :

  • The present IT budget
  • The IT strategic plan
  • The organizational strategic plan (Correct)
  • The existing IT environment

Answer : The organizational strategic plan

What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. Choose three.


Options are :

  • Determination of the value of business process at risk (Correct)
  • Determination of the value of an asset (Correct)
  • Potential threats and vulnerabilities that could cause loss (Correct)
  • Determination of cause and effect

Answer : Determination of the value of business process at risk; Determination of the value of an asset; Potential threats and vulnerabilities that could cause loss

You are the project manager of the HGT project in Bluewell Inc. The project has an asset valued at $125,000 and is subjected to an exposure factor of 25 percent. What will be the Single Loss Expectancy of this project?


Options are :

  • $5,000
  • $31,250 (Correct)
  • $125,025
  • $3,125,000

Answer : $31,250

You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures for managing risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?


Options are :

  • Project plan
  • Resource management plan
  • Project management plan
  • Risk management plan (Correct)

Answer : Risk management plan

What are the functions of audit and accountability control? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Implement an effective audit program (Correct)
  • Implement effective access control
  • Provides details on how to protect the audit logs (Correct)
  • Provides details on how to determine what to audit (Correct)

Answer : Implement an effective audit program; Provides details on how to protect the audit logs; Provides details on how to determine what to audit

Which of the following role carriers will decide the Key Risk Indicators of the enterprise? Each correct answer represents a part of the solution. Choose two.


Options are :

  • Business leaders (Correct)
  • Chief financial officer
  • Human resource
  • Senior management (Correct)

Answer : Business leaders; Senior management

Which of the following controls is an example of a non-technical control?


Options are :

  • Intrusion detection system
  • Access control
  • Encryption
  • Physical security (Correct)

Answer : Physical security

What is the PRIMARY need for effectively assessing controls?


Options are :

  • Control's design effectiveness
  • Control's alignment with operating environment
  • Control's operating effectiveness
  • Control's objective achievement (Correct)

Answer : Control's objective achievement

Which of the following is the MOST effective inhibitor of relevant and efficient communication?


Options are :

  • The perception that the enterprise is trying to cover up known risk from stakeholders
  • Existence of a blame culture (Correct)
  • Misalignment between real risk appetite and translation into policies
  • A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down

Answer : Existence of a blame culture

Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?


Options are :

  • Expert judgment
  • Checklist analysis
  • Brainstorming (Correct)
  • Delphi Techniques

Answer : Brainstorming

Which of the following aspects of a monitoring tool ensures that the tool has the ability to keep up with the growth of an enterprise?


Options are :

  • Customizability
  • Impact on performance
  • Sustainability
  • Scalability (Correct)

Answer : Scalability

You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?


Options are :

  • These risks can be accepted.
  • These risks can be dismissed.
  • These risks can be added to a low priority risk watch list. (Correct)
  • All risks must have a valid, documented risk response.

Answer : These risks can be added to a low priority risk watch list.

Which of the following is the MOST important use of KRIs?


Options are :

  • Providing an indication of the enterprise's risk appetite and tolerance
  • Providing an early warning signal (Correct)
  • Enabling the documentation and analysis of trends
  • Providing a backward-looking view on risk events that have occurred

Answer : Providing an early warning signal

Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?


Options are :

  • Grouping the stakeholders based on their level of authority ("power") and their level of concern ("interest") regarding the project outcomes.
  • Influence/impact grid, grouping the stakeholders based on their active involvement ("influence") in the project and their ability to affect changes to the project's planning or execution ("impact").
  • Grouping the stakeholders based on their level of authority ("power") and their active involvement ("influence") in the project.
  • Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate). (Correct)

Answer : Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate).

You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?


Options are :

  • The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project. (Correct)
  • The iterative meetings allow the project manager to discuss the risk events which have passed the project and which did not happen.
  • The iterative meetings allow the project manager to communicate pending risks events during project execution.
  • The iterative meetings allow all stakeholders to participate in the risk identification processes throughout the project phases.

Answer : The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project.

Which of the following processes is described in the statement below? "It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."


Options are :

  • Risk communication (Correct)
  • Risk governance
  • Risk response planning
  • Risk identification

Answer : Risk communication

You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions?


Options are :

  • Risk monitoring and controlling (Correct)
  • Risk analysis
  • Risk identification
  • Risk planning

Answer : Risk monitoring and controlling

Which of the following controls does NOT come under the technical class of controls?


Options are :

  • Access Control
  • Program management control (Correct)
  • Identification and Authentication control
  • System and Communications Protection control

Answer : Program management control

Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?


Options are :

  • Business Continuity Strategy (Correct)
  • Availability/ ITSCM/ Security Testing Schedule
  • Disaster Invocation Guideline
  • Index of Disaster-Relevant Information

Answer : Business Continuity Strategy

Which of the following components of risk scenarios has the potential to generate an internal or external threat to an enterprise?


Options are :

  • Timing dimension
  • Events
  • Actors (Correct)
  • Assets

Answer : Actors

You are the project manager in your enterprise. You have identified a risk that represents a noticeable failure threatening the success of certain goals of your enterprise. At which of the following levels does this identified risk exist?


Options are :

  • Moderate risk (Correct)
  • High risk
  • Low risk
  • Extremely high risk

Answer : Moderate risk

David is the project manager of the HRC Project. He has identified a risk in the project that could cause a delay in the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not occur. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?


Options are :

  • Mitigation (Correct)
  • Acceptance
  • Avoidance
  • Transfer

Answer : Mitigation

Risk Management


Options are :

  • Section 409
  • Section 203
  • Section 404
  • Section 302 (Correct)

Answer : Section 302

Which of the following is NOT indirect information?


Options are :

  • Reports that show orders that were rejected for credit limitations
  • Information about the propriety of cutoff (Correct)
  • The lack of any significant differences between perpetual levels and actual levels of goods.
  • Reports that provide information about any unusual deviations and individual product margins

Answer : Information about the propriety of cutoff

You are the project manager of your enterprise. You have introduced an intrusion detection system as a control, and it has raised a warning of a violation of your enterprise's security policies. What type of control is an intrusion detection system (IDS)?


Options are :

  • Recovery
  • Corrective
  • Preventative
  • Detective (Correct)

Answer : Detective
