CRISC Certified in Risk and Information Systems Control Exam Set 12

Which of the following items is considered an objective of the three-dimensional model within the framework described in COSO ERM?


Options are :

  • Financial reporting (Correct)
  • Monitoring
  • Risk assessment
  • Control environment

Answer : Financial reporting

You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?


Options are :

  • Organizational process assets (Correct)
  • Quantitative risk analysis and modeling techniques
  • Expert judgment
  • Data gathering and representation techniques

Answer : Organizational process assets

You are the risk professional of your enterprise. You have performed a cost-benefit analysis of the controls you have adopted. What are the benefits of performing a cost-benefit analysis of controls? Each correct answer represents a complete solution. Choose three.


Options are :

  • It helps in making smart choices based on potential risk mitigation costs and losses (Correct)
  • It helps in providing a monetary impact view of risk (Correct)
  • It helps in taking risk response decisions
  • It helps in determination of the cost of protecting what is important (Correct)

Answer : It helps in making smart choices based on potential risk mitigation costs and losses; It helps in providing a monetary impact view of risk; It helps in determination of the cost of protecting what is important

You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?


Options are :

  • Project management plan
  • Resource management plan
  • Risk management plan (Correct)
  • Project plan

Answer : Risk management plan

You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply the most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?


Options are :

  • Decision tree analysis (Correct)
  • Project network diagrams
  • Cause-and-effect analysis
  • Delphi Technique

Answer : Decision tree analysis

Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?


Options are :

  • Penetration testing
  • Security awareness training
  • Periodic audits (Correct)
  • Service level monitoring

Answer : Periodic audits

Where are all risks and risk responses documented as the project progresses?


Options are :

  • Risk management plan
  • Risk response plan
  • Project management plan
  • Risk register (Correct)

Answer : Risk register

Which of the following are true for threats? Each correct answer represents a complete solution. Choose three.


Options are :

  • They are a possibility
  • They are real (Correct)
  • They can become more imminent as time goes by, or they can diminish (Correct)
  • They can result in risks from external sources (Correct)

Answer : They are real; They can become more imminent as time goes by, or they can diminish; They can result in risks from external sources

Which of the following statements is NOT true regarding the risk management plan?


Options are :

  • The risk management plan is an input to all the remaining risk-planning processes.
  • The risk management plan is an output of the Plan Risk Management process.
  • The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets.
  • The risk management plan includes a description of the risk responses and triggers. (Correct)

Answer : The risk management plan includes a description of the risk responses and triggers.

You are the project manager of the GHT project. You identified a risk of noncompliance with regulations due to the absence of a number of relatively simple procedures. The response requires creating the missing procedures and implementing them. Under which of the following risk response prioritization options should this case be categorized?


Options are :

  • Quick win (Correct)
  • Deferrals
  • Risk avoidance
  • Business case to be made

Answer : Quick win

Which among the following acts as a trigger for the risk response process?


Options are :

  • Risk level increase above risk tolerance (Correct)
  • Risk level equates risk appetite
  • Risk level equates the risk tolerance
  • Risk level increases above risk appetite

Answer : Risk level increase above risk tolerance

Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?


Options are :

  • Exploiting (Correct)
  • Opportunistic
  • Positive
  • Enhancing

Answer : Exploiting

You are the risk professional in Bluewell Inc. You have identified a risk and want to implement a specific risk mitigation activity. What should you PRIMARILY utilize?


Options are :

  • Business case (Correct)
  • Budgetary requirements
  • Technical evaluation report
  • Vulnerability assessment report

Answer : Business case

John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the Identify Risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?


Options are :

  • Schedule management plan
  • Risk management plan
  • Activity cost estimates
  • Activity duration estimates (Correct)

Answer : Activity duration estimates

Which of the following statements BEST describes a policy?


Options are :

  • An overall statement of information security scope and direction (Correct)
  • A technology-dependent statement of best practices
  • A checklist of steps that must be completed to ensure information security
  • A minimum threshold of information security controls that must be implemented

Answer : An overall statement of information security scope and direction

You are working in an enterprise. Your enterprise owns various risks. Which among the following is MOST likely to own the risk to an information system that supports a critical business process?


Options are :

  • IT director
  • Risk management department
  • Senior management (Correct)
  • System users

Answer : Senior management

What is the MAIN purpose of designing risk management programs?


Options are :

  • To reduce the risk to the point at which the benefit exceeds the expense
  • To reduce the risk to a level that the enterprise is willing to accept (Correct)
  • To reduce the risk to a rate of return that equals the current cost of capital
  • To reduce the risk to a level that is too small to be measurable

Answer : To reduce the risk to a level that the enterprise is willing to accept

You are the project manager of the PFO project. You are working with your project team members and two subject matter experts to assess the identified risk events in the project. Which of the following approaches is the best to assess the risk events in the project?


Options are :

  • Interviews or meetings (Correct)
  • Probability and Impact Matrix
  • Root cause analysis
  • Determination of the true cost of the risk event

Answer : Interviews or meetings

You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?


Options are :

  • These risks can be dismissed.
  • These risks can be accepted.
  • All risks must have a valid, documented risk response.
  • These risks can be added to a low priority risk watch list. (Correct)

Answer : These risks can be added to a low priority risk watch list.

You work as a Project Manager for Company Inc. You have to conduct the risk management activities for a project. Which of the following inputs will you use in the plan risk management process? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Schedule management plan (Correct)
  • Cost management plan (Correct)
  • Project scope statement (Correct)
  • Quality management plan

Answer : Schedule management plan Cost management plan Project scope statement

Which of the following documents is described in the statement below? "It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."


Options are :

  • Project charter
  • Risk management plan
  • Risk register (Correct)
  • Quality management plan

Answer : Risk register

Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?


Options are :

  • Plan risk response (Correct)
  • Monitor and Control Risk
  • Qualitative Risk Analysis
  • Identify Risks

Answer : Plan risk response

You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is to re-architect the existing system and purchase a new integrated system. Under which of the following risk prioritization options would this case be categorized?


Options are :

  • Contagious risk
  • Quick win
  • Deferrals
  • Business case to be made (Correct)

Answer : Business case to be made

Which of the following is the best reason for performing risk assessment?


Options are :

  • To analyze the effect on the business
  • To budget appropriately for the application of various controls
  • To determine the present state of risk (Correct)
  • To satisfy regulatory requirements

Answer : To determine the present state of risk

You are the project manager of the AFD project for your company. You are working with the project team to reassess existing risk events and to identify risk events that have not happened and whose relevancy to the project has passed. What should you do with these events that have not happened and would not happen now in the project?


Options are :

  • Add the risk to the issues log
  • Close the outdated risks (Correct)
  • Add the risks to the risk register
  • Add the risks to a low-priority watch-list

Answer : Close the outdated risks

Which of the following is true for single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE)?


Options are :

  • ARO = ALE * SLE
  • ALE = ARO * SLE (Correct)
  • ALE = ARO / SLE
  • ARO = SLE / ALE

Answer : ALE = ARO * SLE

You work as a project manager for SoftTech Inc. You are working with the project stakeholders to begin the qualitative risk analysis process. Which of the following inputs will be needed for the qualitative risk analysis process in your project? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Cost management plan
  • Risk register (Correct)
  • Organizational process assets (Correct)
  • Project scope statement (Correct)

Answer : Risk register Organizational process assets Project scope statement

What are the PRIMARY objectives of a control?


Options are :

  • Prevent, recover, and detect (Correct)
  • Detect, recover, and attack
  • Prevent, respond, and log
  • Prevent, control, and attack

Answer : Prevent, recover, and detect

Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?


Options are :

  • Interview the firewall administrator.
  • Review the actual procedures.
  • Review the device's log file for recent attacks.
  • Review the parameter settings. (Correct)

Answer : Review the parameter settings.

Which of the following processes is described in the statement below? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."


Options are :

  • Monitor and Control Risks (Correct)
  • Perform Qualitative Risk Analysis
  • Identify Risks
  • Perform Quantitative Risk Analysis

Answer : Monitor and Control Risks
