CRISC Certified in Risk and Information Systems Control Exam Set 7

Which negative risk response usually has a contractual agreement?


Options are :

  • Sharing
  • Exploiting
  • Transference (Correct)
  • Mitigation

Answer : Transference

You are the project manager of the GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks would you do in reaction to the risk event's occurrence? Each correct answer represents a part of the solution. Choose three.


Options are :

  • Update risk register
  • Monitor risk (Correct)
  • Communicate lessons learned from risk events (Correct)
  • Maintain and initiate incident response plans (Correct)

Answer : Monitor risk; Communicate lessons learned from risk events; Maintain and initiate incident response plans

What are the functions of the auditor while analyzing risk? Each correct answer represents a complete solution. Choose three.


Options are :

  • Identify threats and vulnerabilities to the information system
  • Provide information for evaluation of controls in audit planning (Correct)
  • Supporting decision based on risks (Correct)
  • Aids in determining audit objectives (Correct)

Answer : Provide information for evaluation of controls in audit planning; Supporting decision based on risks; Aids in determining audit objectives

You work as a project manager for BlueWell Inc. You are preparing for the risk identification process. You will need to involve several of the project's key stakeholders to help you identify and communicate the identified risk events. You will also need several documents to help you and the stakeholders identify the risk events. Which one of the following is NOT a document that will help you identify and communicate risks within the project?


Options are :

  • Risk register (Correct)
  • Stakeholder registers
  • Activity duration estimates
  • Activity cost estimates

Answer : Risk register

Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.?


Options are :

  • Practices
  • Legal requirements
  • Framework
  • Standard (Correct)

Answer : Standard

You are working in an enterprise. Assume that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is provided by the lack of any significant differences between perpetual levels and actual levels?


Options are :

  • Risk management plan
  • Risk audit information
  • Indirect information (Correct)
  • Direct information

Answer : Indirect information

You are the project manager of the HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following responses have you implemented?


Options are :

  • Contingent response (Correct)
  • Acceptance
  • Mitigation
  • Avoidance

Answer : Contingent response

You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working?


Options are :

  • Quantitative Risk Analysis
  • Identify Risks
  • Plan risk response (Correct)
  • Qualitative Risk Analysis

Answer : Plan risk response

Which of the following is the BEST way of managing the risk inherent to a wireless network?


Options are :

  • Require private, key-based encryption to connect to the wireless network (Correct)
  • Enabling auditing on every host that connects to a wireless network
  • Enable auditing on every connection to the wireless network
  • Require that every host that connects to this network have a well-tested recovery plan

Answer : Require private, key-based encryption to connect to the wireless network

Which of the following come under the phases of risk identification and evaluation? Each correct answer represents a complete solution. Choose three.


Options are :

  • Maintain a risk profile (Correct)
  • Analyzing risk (Correct)
  • Applying controls
  • Collecting data (Correct)

Answer : Maintain a risk profile; Analyzing risk; Collecting data

You are the project manager of the NHQ project in Bluewell Inc. The project has an asset valued at $200,000 and is subjected to an exposure factor of 45 percent. If the annual rate of occurrence of loss in this project is once a month, then what will be the Annual Loss Expectancy (ALE) of the project?


Options are :

  • $95,000
  • $90,000
  • $108,000 (Correct)
  • $2,160,000

Answer : $108,000

Which of the following methods involves the use of a predictive or diagnostic analytical tool for exposing risk factors?


Options are :

  • Scenario analysis
  • Fault tree analysis
  • Sensitivity analysis
  • Cause and effect analysis (Correct)

Answer : Cause and effect analysis

You are working at Bluewell Inc., which makes advertisement websites. Someone has made unauthorized changes to your website. Which of the following terms refers to this type of loss?


Options are :

  • Loss of confidentiality
  • Loss of integrity (Correct)
  • Loss of availability
  • Loss of revenue

Answer : Loss of integrity

Which of the following is the greatest risk to reporting?


Options are :

  • Integrity of data
  • Confidentiality of data
  • Availability of data
  • Reliability of data (Correct)

Answer : Reliability of data

When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?


Options are :

  • Outsourcing the related business process to a third party
  • Insuring against the risk (Correct)
  • Improving staff-training in the risk area
  • Updating the IT risk registry

Answer : Insuring against the risk

You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?


Options are :

  • Project archives
  • Change request log (Correct)
  • Lessons learned
  • Project document updates

Answer : Change request log

Which of the following are parts of SWOT Analysis? Each correct answer represents a complete solution. Choose all that apply.


Options are :

  • Strengths (Correct)
  • Tools
  • Opportunities (Correct)
  • Threats (Correct)
  • Weaknesses (Correct)

Answer : Strengths; Opportunities; Threats; Weaknesses

You are the project manager for the NHH project. You are working with your project team to examine the project from four different defined perspectives to increase the breadth of identified risks by including internally generated risks. What risk identification approach are you using in this example?


Options are :

  • Influence diagramming techniques
  • Assumptions analysis
  • Root cause analysis
  • SWOT analysis (Correct)

Answer : SWOT analysis

You are the project manager of your enterprise. While performing risk management, you are given a task to identify where your enterprise stands in a certain practice and also to suggest the priorities for improvements. Which of the following models would you use to accomplish this task?


Options are :

  • Decision tree model
  • Fishbone model
  • Capability maturity model (Correct)
  • Simulation tree model

Answer : Capability maturity model

You are the administrator of your enterprise. Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?


Options are :

  • Using a challenge response system
  • Monitoring and recording unsuccessful logon attempts
  • Forcing periodic password changes
  • Providing access on a need-to-know basis (Correct)

Answer : Providing access on a need-to-know basis

You are the project manager of the GHT project. You have identified a risk event on your current project that could save $670,000 in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event?


Options are :

  • This risk event should be accepted because the rewards outweigh the threat to the project.
  • This is a risk event that should be shared to take full advantage of the potential savings. (Correct)
  • This risk event is an opportunity to the project and should be exploited.
  • This risk event should be mitigated to take advantage of the savings.

Answer : This is a risk event that should be shared to take full advantage of the potential savings.

A project team member has just identified a new project risk. The risk event is determined to have significant impact but a low probability in the project. Should the risk event happen it'll cause the project to be delayed by three weeks, which will cause new risk in the project. What should the project manager do with the risk event?


Options are :

  • Add the identified risk to the low-level risk watch-list.
  • Add the identified risk to a quality control management chart.
  • Add the identified risk to the issues log.
  • Add the identified risk to the risk register. (Correct)

Answer : Add the identified risk to the risk register.

You are the project manager of the NNN Project. Stakeholders in the two-year project have requested that you send status reports to them via email every week. You have agreed and send reports every Thursday. After six months of the project, the stakeholders are pleased with the project progress and they would like you to reduce the status reports to every two weeks. What process will examine the change to this project process and implement it in the project?


Options are :

  • Communications management
  • Project change control process
  • Perform integrated change control process (Correct)
  • Configuration management

Answer : Perform integrated change control process

What is the most important benefit of classifying information assets?


Options are :

  • Linking security requirements to business objectives
  • Defining access rights
  • Allotting risk ownership
  • Identifying controls that should be applied (Correct)

Answer : Identifying controls that should be applied

You are the project manager of the GRT project. You discovered that bringing on more qualified resources or providing even better quality than originally planned could reduce the amount of time required to complete the project. If your organization seizes this opportunity, it would be an example of what risk response?


Options are :

  • Exploit
  • Share
  • Enhance
  • Accept (Correct)

Answer : Accept

Your project has several risks that may cause serious financial impact if they occur. You have studied the risk events and made some potential risk responses for the risk events, but management wants you to do more. They'd like you to create some type of chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?


Options are :

  • Risk response plan
  • Risk response
  • Contingency reserve (Correct)
  • Quantitative analysis

Answer : Contingency reserve

You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?


Options are :

  • Procurement management plan (Correct)
  • Stakeholder register
  • Cost management plan
  • Quality management plan

Answer : Procurement management plan

What are the responsibilities of the CRO? Each correct answer represents a complete solution. Choose three.


Options are :

  • Managing the risk assessment process (Correct)
  • Advising Board of Directors
  • Implement corrective actions (Correct)
  • Managing the supporting risk management function (Correct)

Answer : Managing the risk assessment process; Implement corrective actions; Managing the supporting risk management function

Which of the following is NOT a method of qualitative risk analysis?


Options are :

  • Attribute analysis
  • Likelihood-impact matrix
  • Scorecards
  • Business process modeling (BPM) and simulation (Correct)

Answer : Business process modeling (BPM) and simulation

If one says that a particular control or monitoring tool is sustainable, then it refers to what ability?


Options are :

  • The ability to protect itself from exploitation or attack
  • The ability to adapt as new elements are added to the environment (Correct)
  • The ability to ensure the control remains in place when it fails
  • The ability to be applied in same manner throughout the organization

Answer : The ability to adapt as new elements are added to the environment
