Download Certified in Risk and Information Systems Control.CRISC.TestKing.2019-01-22.252q.vcex

Vendor: ISACA
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Date: Jan 22, 2019
File Size: 329 KB

How to open VCEX files?

Files with VCEX extension can be opened by ProfExam Simulator.

Demo Questions

Question 1
Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risks events that were not previously identified. What should Jenny do with these risk events?
  1. The events should be entered into qualitative risk analysis.
  2. The events should be determined if they need to be accepted or responded to.
  3. The events should be entered into the risk register.
  4. The events should continue on with quantitative risk analysis.
Correct answer: C
Explanation:
All identified risk events should be entered into the risk register. A risk register is an inventory of risks and exposure associated with those risks. Risks are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains:A description of the risk The impact should this event actually occur The probability of its occurrence Risk Score (the multiplication of Probability and Impact) A summary of the planned response should the event occur A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. Incorrect Answers:A: Before the risk events are analyzed they should be documented in the risk register.B: The risks should first be documented and analyzed.D: These risks should first be identified, documented, passed through qualitative risk analysis and then it should be determined if they should pass through the quantitative risk analysis process.
All identified risk events should be entered into the risk register. 
A risk register is an inventory of risks and exposure associated with those risks. Risks are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains:
  • A description of the risk 
  • The impact should this event actually occur 
  • The probability of its occurrence 
  • Risk Score (the multiplication of Probability and Impact) 
  • A summary of the planned response should the event occur 
  • A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event) 
  • Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved. 
Incorrect Answers:
A: Before the risk events are analyzed they should be documented in the risk register.
B: The risks should first be documented and analyzed.
D: These risks should first be identified, documented, passed through qualitative risk analysis and then it should be determined if they should pass through the quantitative risk analysis process.
Question 2
You are working on a project in an enterprise. Some part of your project requires e-commerce, but your enterprise choose not to engage in e-commerce. This scenario is demonstrating which of the following form?
  1. risk avoidance
  2. risk treatment
  3. risk acceptance
  4. risk transfer
Correct answer: A
Explanation:
Each business process involves inherent risk. Not engaging in any activity avoids the inherent risk associated with the activity. Hence this demonstrates risk avoidance. Incorrect Answers:B: Risk treatment means that action is taken to reduce the frequency and impact of a risk.C: Acceptance means that no action is taken relative to a particular risk, and loss is accepted when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed decision has been made by management to accept it as such.D: Risk transfer/sharing means reducing either risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing. These techniques do not relieve an enterprise of a risk, but can involve the skills of another party in managing the risk and reducing the financial consequence if an adverse event occurs.
Each business process involves inherent risk. Not engaging in any activity avoids the inherent risk associated with the activity. Hence this demonstrates risk avoidance. 
Incorrect Answers:
B: Risk treatment means that action is taken to reduce the frequency and impact of a risk.
C: Acceptance means that no action is taken relative to a particular risk, and loss is accepted when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed decision has been made by management to accept it as such.
D: Risk transfer/sharing means reducing either risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing. These techniques do not relieve an enterprise of a risk, but can involve the skills of another party in managing the risk and reducing the financial consequence if an adverse event occurs.
Question 3
Which of the following are risk components of the COSO ERM framework? 
Each correct answer represents a complete solution. Choose three.
  1. Risk response
  2. Internal environment
  3. Business continuity
  4. Control activities
Correct answer: ABD
Explanation:
The risk components defined by the COSO ERM are internal environment, objective settings, event identification, risk assessment, risk response, control objectives, information and communication, and monitoring. Incorrect Answers:C: Business continuity is not considered as risk component within the ERM framework.
The risk components defined by the COSO ERM are internal environment, objective settings, event identification, risk assessment, risk response, control objectives, information and communication, and monitoring. 
Incorrect Answers:
C: Business continuity is not considered as risk component within the ERM framework.
Question 4
Your project team has completed the quantitative risk analysis for your project work. Based on their findings, they need to update the risk register with several pieces of information. Which one of the following components is likely to be updated in the risk register based on their analysis?
  1. Listing of risk responses
  2. Risk ranking matrix
  3. Listing of prioritized risks
  4. Qualitative analysis outcomes
Correct answer: C
Explanation:
The outcome of quantitative analysis can create a listing of prioritized risks that should be updated in the risk register. The project team will create and update the risk register with four key components:probabilistic analysis of the project probability of achieving time and cost objectives list of quantified risks trends in quantitative risk analysis Incorrect Answers:A, B, D: These subjects are not updated in the risk register as a result of quantitative risk analysis.
The outcome of quantitative analysis can create a listing of prioritized risks that should be updated in the risk register. The project team will create and update the risk register with four key components:
  • probabilistic analysis of the project 
  • probability of achieving time and cost objectives 
  • list of quantified risks 
  • trends in quantitative risk analysis 
Incorrect Answers:
A, B, D: These subjects are not updated in the risk register as a result of quantitative risk analysis.
Question 5
Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?
  1. Information gathering techniques
  2. Data gathering and representation techniques
  3. Planning meetings and analysis
  4. Variance and trend analysis
Correct answer: C
Explanation:
There is only one tool and technique available for Fred to plan risk management: planning meetings and analysis. Planning Meeting and Analysis is a tool and technique in the Plan Risk Management process. Planning meetings are organized by the project teams to develop the risk management plan. Attendees at these meetings include the following:Project manager Selected project team members Stakeholders Anybody in the organization with the task to manage risk planning  Sophisticated plans for conducting the risk management activities are defined in these meetings, responsibilities related to risk management are assigned, and risk contingency reserve application approaches are established and reviewed. Incorrect Answers:A, B, D: These are not plan risk management tools and techniques.
There is only one tool and technique available for Fred to plan risk management: planning meetings and analysis. Planning Meeting and Analysis is a tool and technique in the Plan Risk Management process. Planning meetings are organized by the project teams to develop the risk management plan. Attendees at these meetings include the following:
  • Project manager 
  • Selected project team members 
  • Stakeholders 
  • Anybody in the organization with the task to manage risk planning  
Sophisticated plans for conducting the risk management activities are defined in these meetings, responsibilities related to risk management are assigned, and risk contingency reserve application approaches are established and reviewed. 
Incorrect Answers:
A, B, D: These are not plan risk management tools and techniques.
Question 6
Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
  1. User management coordination does not exist
  2. Audit recommendations may not be implemented
  3. Users may have unauthorized access to originate, modify or delete data
  4. Specific user accountability cannot be established
Correct answer: C
Explanation:
There is an increased risk without a policy defining who has the responsibility for granting access to specific data or systems, as one could gain system access without a justified business needs. There is better chance that business objectives will be properly supported when there is appropriate ownership. Incorrect Answers:A, B, D: These risks are not such significant as compared to unauthorized access.
There is an increased risk without a policy defining who has the responsibility for granting access to specific data or systems, as one could gain system access without a justified business needs. There is better chance that business objectives will be properly supported when there is appropriate ownership. 
Incorrect Answers:
A, B, D: These risks are not such significant as compared to unauthorized access.
Question 7
Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
  1. Residual risk
  2. Secondary risk
  3. Infinitive risk
  4. Populated risk
Correct answer: B
Explanation:
Secondary risks are the risks that come about as a result of implementing a risk response. This new risk event must be recorded, analyzed, and planned for management. Incorrect Answers:A: A residual risk event is similar to a secondary risk, but is often small in probability and impact, so it may just be accepted.C: Infinitive risk is not a valid project management term.D: Populated risk event is not a valid project management term.
Secondary risks are the risks that come about as a result of implementing a risk response. This new risk event must be recorded, analyzed, and planned for management. 
Incorrect Answers:
A: A residual risk event is similar to a secondary risk, but is often small in probability and impact, so it may just be accepted.
C: Infinitive risk is not a valid project management term.
D: Populated risk event is not a valid project management term.
Question 8
Which one of the following is the only output for the qualitative risk analysis process?
  1. Project management plan
  2. Risk register updates
  3. Organizational process assets
  4. Enterprise environmental factors
Correct answer: B
Explanation:
Risk register update is the only output of the choices presented for the qualitative risk analysis process. The four inputs for the qualitative risk analysis process are the risk register, risk management plan, project scope statement, and organizational process assets. The output of perform qualitative risk analysis process is Risk Register Updates. Risk register is updated with the information from perform qualitative risk analysis and the updated risk register is included in the project documents. Updates include the following important elements:Relative ranking or priority list of project risks Risks grouped by categories Causes of risk or project areas requiring particular attention List of risks requiring response in the near-term List of risks for additional analysis and response Watchlist of low priority risks Trends in qualitative risk analysis results Incorrect Answers:A, C, D: These are not the valid outputs for the qualitative risk analysis process.
Risk register update is the only output of the choices presented for the qualitative risk analysis process. The four inputs for the qualitative risk analysis process are the risk register, risk management plan, project scope statement, and organizational process assets. The output of perform qualitative risk analysis process is Risk Register Updates. Risk register is updated with the information from perform qualitative risk analysis and the updated risk register is included in the project documents. Updates include the following important elements:
  • Relative ranking or priority list of project risks 
  • Risks grouped by categories 
  • Causes of risk or project areas requiring particular attention 
  • List of risks requiring response in the near-term 
  • List of risks for additional analysis and response 
  • Watchlist of low priority risks 
  • Trends in qualitative risk analysis results 
Incorrect Answers:
A, C, D: These are not the valid outputs for the qualitative risk analysis process.
Question 9
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
  1. Annually
  2. Quarterly
  3. Every three years
  4. Never
Correct answer: A
Explanation:
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested.An assessment or report: This report identifies the agency's compliance as well as lists compliance with FISMA. It also lists compliance with other standards and guidelines.Incorrect Answers:B, C, D: Auditing of compliance by external organization is done annually, not quarterly or every three years.
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:
  • Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested.
  • An assessment or report: This report identifies the agency's compliance as well as lists compliance with FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by external organization is done annually, not quarterly or every three years.
Question 10
Which of the following is the FOREMOST root cause of project risk? 
Each correct answer represents a complete solution. Choose two.
  1. New system is not meeting the user business needs
  2. Delay in arrival of resources
  3. Lack of discipline in managing the software development process
  4. Selection of unsuitable project methodology
Correct answer: CD
Explanation:
The foremost root cause of project risk is:A lack of discipline in managing the software development process Selection of a project methodology that is unsuitable to the system being developed Incorrect Answers:A: The risk associated with new system is not meeting the user business needs is business risks, not project risk.B: This is not direct reason of project risk.
The foremost root cause of project risk is:
  • A lack of discipline in managing the software development process 
  • Selection of a project methodology that is unsuitable to the system being developed 
Incorrect Answers:
A: The risk associated with new system is not meeting the user business needs is business risks, not project risk.
B: This is not direct reason of project risk.
HOW TO OPEN VCE FILES

Use VCE Exam Simulator to open VCE files
Avanaset

HOW TO OPEN VCEX AND EXAM FILES

Use ProfExam Simulator to open VCEX and EXAM files
ProfExam Screen

ProfExam
ProfExam at a 20% markdown

You have the opportunity to purchase ProfExam at a 20% reduced price

Get Now!