CRISC Certified in Risk and Information Systems Control Exam Set 2

Which of the following is the MOST important objective of information system control?


Options are :

  • Developing business continuity and disaster recovery plans
  • Safeguarding assets
  • Business objectives are achieved and undesired risk events are detected and corrected (Correct)
  • Ensuring effective and efficient operations

Answer : Business objectives are achieved and undesired risk events are detected and corrected

An enterprise has identified risk events in a project. While responding to these identified risk events, which of the following stakeholders is MOST important for reviewing risk response options to an IT risk?


Options are :

  • Business managers (Correct)
  • Information security managers
  • Incident response team members
  • Internal auditors

Answer : Business managers

What are the two MAJOR factors to be considered while deciding risk appetite level? Each correct answer represents a part of the solution. Choose two.


Options are :

  • Risk-aware decisions
  • Alignment with risk-culture
  • The capacity of the enterprise's objective to absorb loss. (Correct)
  • The amount of loss the enterprise wants to accept (Correct)

Answer : The capacity of the enterprise's objective to absorb loss. The amount of loss the enterprise wants to accept

Which of the following acts as a trigger for the risk response process?


Options are :

  • Risk level equates risk appetite
  • Risk level increases above risk appetite
  • Risk level increase above risk tolerance (Correct)
  • Risk level equates the risk tolerance

Answer : Risk level increase above risk tolerance

Which of the following is NOT true for risk management capability maturity level 1?


Options are :

  • There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
  • Decisions involving risk lack credible information (Correct)
  • Risk management skills exist on an ad hoc basis, but are not actively developed
  • Risk appetite and tolerance are applied only during episodic risk assessments

Answer : Decisions involving risk lack credible information

Which of the following is the FIRST step in the risk assessment process?


Options are :

  • Identification of assets (Correct)
  • Identification of threats
  • Identification of threat sources
  • Identification of vulnerabilities

Answer : Identification of assets

You are using an information system. You have chosen a poor password and sometimes transmit data over unprotected communication lines. What do this poor-quality password and unsafe transmission refer to?


Options are :

  • Threats
  • Vulnerabilities (Correct)
  • Impacts
  • Probabilities

Answer : Vulnerabilities

Which of the following is an administrative control?


Options are :

  • Water detection
  • Reasonableness check
  • Data loss prevention program (Correct)
  • Session timeout

Answer : Data loss prevention program

John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?


Options are :

  • Activity cost estimates
  • Risk management plan
  • Activity duration estimates (Correct)
  • Schedule management plan

Answer : Activity duration estimates

You are the risk official at Bluewell Inc. You are supposed to prioritize several risks. A risk has ratings for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give it?


Options are :

  • 30
  • 100
  • 15
  • 120 (Correct)

Answer : 120

Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions?


Options are :

  • Business management (Correct)
  • Chief information officer (CIO)
  • Business process owner
  • Chief risk officer (CRO)

Answer : Business management

Which of the following are the principles of access controls? Each correct answer represents a complete solution. Choose three.


Options are :

  • Integrity (Correct)
  • Availability (Correct)
  • Reliability
  • Confidentiality (Correct)

Answer : Integrity; Availability; Confidentiality

You are the project manager of an HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified during the project's monitoring and controlling process?


Options are :

  • Include the responses in the project management plan.
  • Nothing. The risk responses are included in the project's risk register already.
  • Include the risk responses in the risk management plan.
  • Include the risk responses in the organization's lessons learned database. (Correct)

Answer : Include the risk responses in the organization's lessons learned database.

Which of the following is true for Cost Performance Index (CPI)?


Options are :

  • It is used to measure performance of schedule
  • If the CPI > 1, it indicates better than expected performance of project (Correct)
  • CPI = Earned Value (EV) * Actual Cost (AC)
  • If the CPI = 1, it indicates poor performance of project

Answer : If the CPI > 1, it indicates better than expected performance of project

Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?


Options are :

  • ALE= ARO/SLE
  • ALE= ARO*SLE (Correct)
  • ARO= ALE*SLE
  • ARO= SLE/ALE

Answer : ALE= ARO*SLE

You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?


Options are :

  • Communications Management Plan (Correct)
  • Resource Management Plan
  • Stakeholder management strategy
  • Risk Management Plan

Answer : Communications Management Plan

Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?


Options are :

  • Opportunistic (Correct)
  • Positive
  • Enhancing
  • Opportunistic

Answer : Opportunistic

Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?


Options are :

  • In order to avoid risk
  • Complex metrics require fine-tuning
  • Threats and vulnerabilities change over time (Correct)
  • Risk reports need to be timely

Answer : Threats and vulnerabilities change over time

A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?


Options are :

  • Avoidance
  • Transference (Correct)
  • Mitigation
  • Exploit

Answer : Transference

Which of the following events refer to loss of integrity? Each correct answer represents a complete solution. Choose three.


Options are :

  • An e-mail message is modified in transit (Correct)
  • Someone makes unauthorized changes to a Web site (Correct)
  • A virus infects a file (Correct)
  • Someone sees company's secret formula

Answer : An e-mail message is modified in transit; Someone makes unauthorized changes to a Web site; A virus infects a file

Which of the following BEST describes the utility of a risk?


Options are :

  • The mechanics of how a risk works
  • The finance incentive behind the risk
  • The potential opportunity of the risk
  • The usefulness of the risk to individuals or groups (Correct)

Answer : The usefulness of the risk to individuals or groups

Which of the following statements are true for an enterprise's risk management capability maturity level 3?


Options are :

  • The business knows how IT fits in the enterprise risk universe and the risk portfolio view (Correct)
  • Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized (Correct)
  • The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
  • Workflow tools are used to accelerate risk issues and track decisions (Correct)

Answer : The business knows how IT fits in the enterprise risk universe and the risk portfolio view; Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized; Workflow tools are used to accelerate risk issues and track decisions

Where are all risks and risk responses documented as the project progresses?


Options are :

  • Risk register (Correct)
  • Project management plan
  • Risk management plan
  • Risk response plan

Answer : Risk register

For which of the following risk management capability maturity levels is the statement given below true? "Real-time monitoring of risk events and control exceptions exists, as does automation of policy management"


Options are :

  • Level 0
  • Level 2
  • Level 3
  • Level 5 (Correct)

Answer : Level 5

You are the project manager of the GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?


Options are :

  • Influence diagram
  • Decision tree diagram (Correct)
  • Process flowchart
  • Ishikawa diagram

Answer : Decision tree diagram

What is the value of the exposure factor if the asset is lost completely?


Options are :

  • 0
  • Infinity
  • 1 (Correct)
  • 10

Answer : 1

You are the project manager of the GHT project. You have planned the risk response process and now you are about to implement various controls. What should you do before relying on any of the controls?


Options are :

  • Discover risk exposure
  • Articulate risk
  • Review performance data (Correct)
  • Conduct pilot testing (Correct)

Answer : Review performance data; Conduct pilot testing

Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?


Options are :

  • Scenario analysis
  • Cause and effect analysis
  • Sensitivity analysis
  • Fault tree analysis (Correct)

Answer : Fault tree analysis

You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?


Options are :

  • Human resource needs
  • Quality control concerns
  • Costs
  • Risks (Correct)

Answer : Risks

Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis, Courtney encourages the project team to begin grouping the identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?


Options are :

  • It saves time by collecting the related resources, such as project team members, to analyze the risk events.
  • It helps the project team realize the areas of the project most laden with risks.
  • It can lead to the creation of risk categories unique to each project.
  • It assists in developing effective risk responses. (Correct)

Answer : It assists in developing effective risk responses.
