CRISC Certified in Risk and Information Systems Control Exam Set 10

You are the project manager of the HGT project. You have identified project risks and applied appropriate responses to mitigate them. You notice a new risk that arose as a result of applying a response. What is this resulting risk known as?


Options are :

  • Response risk
  • Pure risk
  • High risk
  • Secondary risk (Correct)

Answer : Secondary risk

Which of the following are external risk factors? Each correct answer represents a complete solution. Choose three.


Options are :

  • Competition (Correct)
  • Geopolitical situation (Correct)
  • Market
  • Complexity of the enterprise

Answer : Competition; Geopolitical situation

You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?


Options are :

  • Risk register (Correct)
  • Risk log
  • Risk management plan
  • Project management plan

Answer : Risk register

Which of the following risks is associated with not receiving the right information to the right people at the right time to allow the right action to be taken?


Options are :

  • Availability risk
  • Access risk
  • Integrity risk
  • Relevance risk (Correct)

Answer : Relevance risk

Walter is the project manager of a large construction project. He'll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the work in the project is very dangerous, so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes to fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk. What should Walter also update in this scenario considering the risk event?


Options are :

  • Project management plan (Correct)
  • Project contractual relationship with the vendor
  • Project communications plan
  • Project scope statement

Answer : Project management plan

Which of the following is the BEST defense against successful phishing attacks?


Options are :

  • Intrusion detection system
  • End-user awareness (Correct)
  • Application hardening
  • Spam filters

Answer : End-user awareness

NIST SP 800-53 identifies controls in three primary classes. What are they?


Options are :

  • Administrative, Technical, and Operational
  • Technical, Administrative, and Environmental
  • Technical, Operational, and Management (Correct)
  • Preventative, Detective, and Corrective

Answer : Technical, Operational, and Management

You are the project manager for TTP project. You are in the Identify Risks process. You have to create the risk register. Which of the following are included in the risk register? Each correct answer represents a complete solution. Choose two.


Options are :

  • List of key stakeholders
  • List of mitigation techniques
  • List of potential responses (Correct)
  • List of identified risks (Correct)

Answer : List of potential responses; List of identified risks

Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?


Options are :

  • Report Jane to your project sponsor and then include the change.
  • Do not implement the verbal change request. (Correct)
  • Include the change in the project scope immediately.
  • Direct your project team to include the change if they have time.

Answer : Do not implement the verbal change request.

Della works as a project manager for Tech Perfect Inc. She is studying the planning documentation of a project. The documentation states that there are twenty-eight stakeholders on the project. What will be the number of communication channels for the project?


Options are :

  • 378 (Correct)
  • 250
  • 300
  • 28

Answer : 378

You are the risk professional at Bluewell Inc. A risk has been identified, and the enterprise wants to quickly implement a control by applying a technical solution that deviates from the company's policies. What should you do?


Options are :

  • Recommend a risk assessment and subsequent implementation only if residual risk is accepted (Correct)
  • Conduct a risk assessment and allow or disallow based on the outcome
  • Recommend against implementation because it violates the company's policies
  • Recommend revision of the current policy

Answer : Recommend a risk assessment and subsequent implementation only if residual risk is accepted

To which level should risk be reduced to accomplish the objective of risk management?


Options are :

  • To a level that an organization can mitigate
  • To a level where ALE is lower than SLE
  • To a level that an organization can accept (Correct)
  • To a level where ARO equals SLE

Answer : To a level that an organization can accept

What are the steps that are involved in articulating risks? Each correct answer represents a complete solution. Choose three.


Options are :

  • Interpret independent risk assessment findings. (Correct)
  • Communicate risk analysis results and report risk management activities and the state of compliance. (Correct)
  • Identify the response.
  • Identify business opportunities. (Correct)

Answer : Interpret independent risk assessment findings; Communicate risk analysis results and report risk management activities and the state of compliance; Identify business opportunities.

Which of the following are true for quantitative analysis? Each correct answer represents a complete solution. Choose three.


Options are :

  • Determines risk factors in terms of high/medium/low.
  • Produces statistically reliable results (Correct)
  • Allows discovery of which phenomena are likely to be genuine and which are merely chance occurrences (Correct)
  • Allows data to be classified and counted (Correct)

Answer : Produces statistically reliable results; Allows discovery of which phenomena are likely to be genuine and which are merely chance occurrences; Allows data to be classified and counted

An interruption in business productivity is considered which of the following risks?


Options are :

  • Operational risk (Correct)
  • Reporting risk
  • Legal risk
  • Strategic risk

Answer : Operational risk

Shawn is the project manager of the HWT project. In this project, Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response has he used?


Options are :

  • Enhancing
  • Avoiding
  • Accepting
  • Exploiting (Correct)

Answer : Exploiting

Which of the following are true for risk management frameworks, standards and practices? Each correct answer represents a part of the solution. Choose three.


Options are :

  • They act as a guide to focus efforts of variant teams. (Correct)
  • They provide a systematic view of "things to be considered" that could harm clients or an enterprise.
  • They result in increase in cost of training, operation and performance improvement.
  • They assist in achieving business objectives quickly and easily. (Correct)

Answer : They act as a guide to focus efforts of variant teams; They assist in achieving business objectives quickly and easily.

You are elected as the project manager of the GHT project. You are in the project initialization phase and are busy defining requirements for your project. While defining requirements, you are describing how users will interact with a system. Which of the following requirements are you defining here?


Options are :

  • Functional requirement (Correct)
  • Business requirement
  • Project requirement
  • Technical requirement

Answer : Functional requirement

You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are applying the IRGC model to facilitate the understanding and management of emerging risks that have impacts on the economy and society. One of your team members wants to know why the IRGC is needed. What will be your reply?


Options are :

  • IRGC addresses understanding of the secondary impacts of a risk.
  • IRGC is both a concept and a tool.
  • IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks.
  • IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks. (Correct)

Answer : IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks.

Which of the following is a key component of a strong internal control environment?


Options are :

  • Automated tools
  • Manual control
  • RMIS
  • Segregation of duties (Correct)

Answer : Segregation of duties

You are the project manager of the GHT project. During the data extraction process, you evaluated the total number of transactions per year by multiplying the monthly average by twelve. What is this process of evaluating the total number of transactions known as?


Options are :

  • Controls total
  • Reasonableness test (Correct)
  • Simplistic and ineffective
  • Duplicates test

Answer : Reasonableness test

Who is the BEST authority to develop the priorities and identify what risks and impacts would occur if there were a loss of the organization's private information?


Options are :

  • Business process owners (Correct)
  • Security management
  • External regulatory agencies
  • Internal auditor

Answer : Business process owners

Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing a risk threshold?


Options are :

  • It is a study of the organization's risk tolerance.
  • It helps to identify those risks for which specific responses are needed. (Correct)
  • It is a limit of the funds that can be assigned to risk events.
  • It is a warning sign that a risk event is going to happen.

Answer : It helps to identify those risks for which specific responses are needed.

Billy is the project manager of the HAR Project and is in month six of the project. The project is scheduled to last for 18 months. Management asks Billy how often the project team is participating in risk reassessment in this project. What should Billy tell management if he's following the best practices for risk management?


Options are :

  • At every status meeting of the project team, project risk management is an agenda item. (Correct)
  • Project risk management has been concluded with the project planning.
  • Project risk management happens at every milestone.
  • Project risk management is scheduled for every month in the 18-month project.

Answer : At every status meeting of the project team, project risk management is an agenda item.

Which of the following laws applies to organizations handling health care information?


Options are :

  • FISMA
  • SOX
  • HIPAA (Correct)
  • GLBA

Answer : HIPAA

Which of the following are common mistakes when implementing KRIs? Each correct answer represents a complete solution. Choose three.


Options are :

  • Choosing KRIs that are difficult to measure (Correct)
  • Choosing KRIs that have a high correlation with the risk
  • Choosing KRIs that are incomplete or inaccurate due to unclear specifications (Correct)
  • Choosing KRIs that are not linked to specific risk (Correct)

Answer : Choosing KRIs that are difficult to measure; Choosing KRIs that are incomplete or inaccurate due to unclear specifications; Choosing KRIs that are not linked to specific risk

While developing obscure risk scenarios, what are the requirements of the enterprise? Each correct answer represents a part of the solution. Choose two.


Options are :

  • Have a sufficient number of analysts
  • Have capability to recognize an observed event as something wrong (Correct)
  • Be in a position that it can observe anything going wrong (Correct)
  • Have capability to cure the risk events

Answer : Have capability to recognize an observed event as something wrong; Be in a position that it can observe anything going wrong

What are the three PRIMARY steps to be taken to initialize the project? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Conduct a feasibility study (Correct)
  • Acquire software (Correct)
  • Plan risk management
  • Define requirements (Correct)

Answer : Conduct a feasibility study; Acquire software; Define requirements

Which of the following are the MOST important risk components that must be communicated among all the stakeholders? Each correct answer represents a part of the solution. Choose three.


Options are :

  • Expectations from risk management (Correct)
  • Current risk management capability (Correct)
  • Status of risk with regard to IT risk (Correct)
  • Various risk responses used in the project

Answer : Expectations from risk management; Current risk management capability; Status of risk with regard to IT risk

Which among the following is the MOST crucial part of the risk management process?


Options are :

  • Risk communication (Correct)
  • Auditing
  • Risk monitoring
  • Risk mitigation

Answer : Risk communication
