CRISC Certified in Risk and Information Systems Control Exam Set 13

Which of the following nodes in decision tree analysis represents the starting point of the decision tree?


Options are :

  • Event node
  • Decision node
  • End node
  • Root node (Correct)

Answer : Root node

What should be done during the project to enable effective post-implementation reviews?


Options are :

  • Establish the business measurements up front (Correct)
  • Identify the information collected during each stage of the project
  • Identify the information to be reviewed
  • Allow a sufficient number of business cycles to be executed in the new system

Answer : Establish the business measurements up front

Which of the following baselines identifies the specifications required of the resource to meet the approved requirements?


Options are :

  • Product baseline
  • Allocated baseline (Correct)
  • Developmental baseline
  • Functional baseline

Answer : Allocated baseline

Which of the following is BEST described by the definition below? "They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed."


Options are :

  • Risk analysis
  • Obscure risk
  • Risk factors (Correct)
  • Risk event

Answer : Risk factors

Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?


Options are :

  • Configuration management
  • Scope change control
  • Integrated change control (Correct)
  • Risk monitoring and control

Answer : Integrated change control

You are the project manager of the GHT project. You and your team have developed risk responses for the risks that pose the highest threat to, or the best opportunity for, the project objectives. What are the immediate steps you should follow after the Plan Risk Responses process? Each correct answer represents a complete solution. Choose three.


Options are :

  • Updating the project management plan and project documents (Correct)
  • Applying controls
  • Preparing risk-related contracts (Correct)
  • Updating the risk register (Correct)

Answer : Updating the project management plan and project documents; Preparing risk-related contracts; Updating the risk register

You work as the project manager for Company Inc. The project on which you are working has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?


Options are :

  • Risk Management Plan
  • Stakeholder management strategy
  • Communications Management Plan (Correct)
  • Resource Management Plan

Answer : Communications Management Plan

Which of the following should be PRIMARILY considered while designing information systems controls?


Options are :

  • The existing IT environment
  • The IT strategic plan
  • The organizational strategic plan (Correct)
  • The present IT budget

Answer : The organizational strategic plan

You are the project manager of your enterprise. You have introduced an intrusion detection system as a control, and it has raised a warning of a violation of your enterprise's security policies. What type of control is an intrusion detection system (IDS)?


Options are :

  • Recovery
  • Detective (Correct)
  • Corrective
  • Preventative

Answer : Detective

Which of the following is NOT used for measuring the critical success factors of the project?


Options are :

  • Customer service
  • Quantity (Correct)
  • Quality
  • Productivity

Answer : Quantity

Which of the following will significantly affect the standard information security governance model?


Options are :

  • Number of employees
  • Cultural differences between physical locations
  • Complexity of the organizational structure (Correct)
  • Currency with changing legislative requirements

Answer : Complexity of the organizational structure

What are the functions of audit and accountability controls? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Implement effective access control
  • Provide details on how to determine what to audit (Correct)
  • Implement an effective audit program (Correct)
  • Provide details on how to protect the audit logs (Correct)

Answer : Provide details on how to determine what to audit; Implement an effective audit program; Provide details on how to protect the audit logs

Suppose you work at Company Inc. and you are using risk scenarios to estimate the likelihood and impact of the significant risks to the organization. Which of the following assessments are you performing?


Options are :

  • Risk assessment
  • IT audit
  • IT security assessment
  • Threat and vulnerability assessment (Correct)

Answer : Threat and vulnerability assessment

Which of the following statements are true of an enterprise at risk management capability maturity level 3?


Options are :

  • The business knows how IT fits in the enterprise risk universe and the risk portfolio view (Correct)
  • Workflow tools are used to accelerate risk issues and track decisions (Correct)
  • The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
  • Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized (Correct)

Answer : The business knows how IT fits in the enterprise risk universe and the risk portfolio view; Workflow tools are used to accelerate risk issues and track decisions; Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized

Which of the following controls is used to ensure that users have the rights and permissions they need to perform their jobs, and no more?


Options are :

  • Audit and Accountability control
  • Identification and Authentication control
  • Access control (Correct)
  • System and Communications protection control

Answer : Access control

When it appears that a project risk is about to occur, what is this called?


Options are :

  • Trigger (Correct)
  • Threshold
  • Issue
  • Contingency response

Answer : Trigger

You are using an information system. You have chosen a poor password and sometimes transmit data over unprotected communication lines. What do the poor password quality and the unsafe transmission refer to?


Options are :

  • Threats
  • Probabilities
  • Impacts
  • Vulnerabilities (Correct)

Answer : Vulnerabilities

Which of the following events represent a loss of integrity? Each correct answer represents a complete solution. Choose three.


Options are :

  • Someone makes unauthorized changes to a Web site (Correct)
  • Someone sees the company's secret formula
  • A virus infects a file (Correct)
  • An e-mail message is modified in transit (Correct)

Answer : Someone makes unauthorized changes to a Web site; A virus infects a file; An e-mail message is modified in transit

Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are located in a foreign country?


Options are :

  • A security breach notification may be delayed due to the time difference
  • Additional network intrusion detection sensors should be installed, resulting in additional cost
  • Laws and regulations of the country of origin may not be enforceable in the foreign country (Correct)
  • The enterprise may not be able to monitor compliance with its internal security and privacy guidelines

Answer : Laws and regulations of the country of origin may not be enforceable in the foreign country

A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?


Options are :

  • Exploit
  • Avoidance
  • Transference (Correct)
  • Mitigation

Answer : Transference

Which of the following is the MOST effective inhibitor of relevant and efficient communication?


Options are :

  • Misalignment between real risk appetite and translation into policies
  • Existence of a blame culture (Correct)
  • A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down
  • The perception that the enterprise is trying to cover up known risk from stakeholders

Answer : Existence of a blame culture

You are the Risk Official at Bluewell Inc. You have detected many vulnerabilities during the risk assessment process. What should you do next?


Options are :

  • Handle the vulnerabilities as a risk, even though there is no threat.
  • Evaluate the vulnerabilities for threat, impact, and cost of mitigation. (Correct)
  • Analyze the effectiveness of controls on the basis of the vulnerabilities.
  • Prioritize the vulnerabilities for remediation solely based on impact.

Answer : Evaluate the vulnerabilities for threat, impact, and cost of mitigation.

What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?


Options are :

  • Intellectual property policy
  • Anti-harassment policy
  • Privacy policy
  • Acceptable use policy (Correct)

Answer : Acceptable use policy

Assessing the probability and consequences of identified risks to the project objectives, assigning a risk score to each risk, and creating a list of prioritized risks describes which of the following?


Options are :

  • Identify Risks
  • Qualitative Risk Analysis (Correct)
  • Plan Risk Management
  • Quantitative Risk Analysis

Answer : Qualitative Risk Analysis

Which of the following risk responses is used for negative risk events (threats)?


Options are :

  • Enhance
  • Exploit
  • Share
  • Accept (Correct)

Answer : Accept

You are the project manager of the GHT project. You have analyzed the risks and applied appropriate controls, and the risk that remains is the residual risk. Residual risk can be used to determine which of the following?


Options are :

  • Whether the benefits of such controls outweigh the costs (Correct)
  • Appropriate controls to be applied next
  • The status of the enterprise's risk
  • The area that requires more control (Correct)

Answer : Whether the benefits of such controls outweigh the costs; The area that requires more control

Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?


Options are :

  • Avoidance
  • Mitigation (Correct)
  • Transference
  • Enhancing

Answer : Mitigation

Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?


Options are :

  • Activity duration estimates
  • Cost management plan
  • Risk management plan
  • Activity cost estimates (Correct)

Answer : Activity cost estimates

You have identified several risks in your project and have opted for risk mitigation to respond to an identified risk. Which of the following indicates that the risk mitigation method you have chosen is effective?


Options are :

  • Reduction in the frequency of a threat
  • Reduction in the impact of a threat
  • Minimization of inherent risk (Correct)
  • Minimization of residual risk

Answer : Minimization of inherent risk

What is the value of the exposure factor (EF) if the asset is lost completely?


Options are :

  • 0
  • 1 (Correct)
  • Infinity
  • 10

Answer : 1
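The root-node, mitigation (Wendy) and exposure-factor questions above all rest on the same quantitative risk arithmetic. The following is an added worked example, not part of the exam set: a small decision tree (root decision node, event nodes, end nodes) rolled back by expected monetary value, plus the single and annualized loss expectancy formulas in which the exposure factor is a fraction between 0 and 1. The mitigation figures are the ones from the Wendy question; the asset value, exposure factors, annual rate of occurrence and control cost used for the loss expectancy part are constructed.

```python
"""Added example: EMV decision-tree rollback and SLE/ALE arithmetic.

Not part of the CRISC exam set. The mitigation figures are from the Wendy
question; the asset-value figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class EndNode:
    """Leaf of the tree: a monetary outcome. Losses are negative."""
    value: float


@dataclass
class EventNode:
    """Chance node: (probability, child) branches that must sum to 1."""
    branches: List[Tuple[float, "Node"]]


@dataclass
class DecisionNode:
    """Root/decision node: (label, cost of taking the branch, child) branches."""
    branches: List[Tuple[str, float, "Node"]]


Node = Union[EndNode, EventNode, DecisionNode]


def emv(node: Node) -> float:
    """Roll the tree back from the leaves to get the EMV at `node`."""
    if isinstance(node, EndNode):
        return node.value
    if isinstance(node, EventNode):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"branch probabilities sum to {total}, not 1")
        return sum(p * emv(child) for p, child in node.branches)
    # Decision node: take the branch with the best EMV net of its cost.
    return max(emv(child) - cost for _, cost, child in node.branches)


def best_choice(node: DecisionNode) -> str:
    """Label of the branch a rational decision maker takes at `node`."""
    return max(node.branches, key=lambda b: emv(b[2]) - b[1])[0]


def mitigation_net_benefit(root: DecisionNode, do_nothing: str, mitigate: str) -> float:
    """EMV improvement of the mitigation branch over doing nothing, cost included."""
    by_label = {label: (cost, child) for label, cost, child in root.branches}
    base_cost, base_child = by_label[do_nothing]
    mit_cost, mit_child = by_label[mitigate]
    return (emv(mit_child) - mit_cost) - (emv(base_child) - base_cost)


# Wendy's decision, figures from the question above:
#   accept:   60% chance of a $75,000 loss
#   mitigate: pay $25,000, then 10% chance of a $15,000 loss
WENDY = DecisionNode(branches=[
    ("accept", 0.0, EventNode([(0.6, EndNode(-75_000)), (0.4, EndNode(0))])),
    ("mitigate", 25_000.0, EventNode([(0.1, EndNode(-15_000)), (0.9, EndNode(0))])),
])


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset lost in one event:
    0 means no loss, 1 means the asset is lost completely."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of events per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def control_is_justified(ale_before: float, ale_after: float,
                         annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE reduction exceeds its annual cost."""
    return (ale_before - ale_after) > annual_control_cost


if __name__ == "__main__":
    print("Wendy should:", best_choice(WENDY),
          "net benefit:", mitigation_net_benefit(WENDY, "accept", "mitigate"))
    # Constructed asset: $200,000 server, total loss (EF = 1), one event per 4 years.
    before = annualized_loss_expectancy(200_000, 1.0, 0.25)
    after = annualized_loss_expectancy(200_000, 0.2, 0.25)
    print("ALE before/after:", before, after,
          "control justified at $30,000/yr:", control_is_justified(before, after, 30_000))
```

Rolling back the tree gives an EMV of -45,000 for accepting the risk and -26,500 for mitigating once the $25,000 cost is charged, so mitigation is the better branch by 18,500; this is the same cost-versus-benefit comparison the residual-risk question refers to, expressed as EMV.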
