[Q236-Q255] CRISC Certification - The Ultimate Guide [Updated 2021]

CRISC Practice Exam and Study Guides - Verified By ActualCollection


Conclusion

You have to stay faithful to these resources until the date of your test arrives. What will greet you at the end of your long and arduous study preparation is a sweeping validation as a specialist certified in Risk and Information Systems Control. More importantly, the bonus of passing the CRISC exam is the financial security you will have once hired. As stated on the ISACA official site, the average salary of these certified specialists is $117,000. So keep going, diligent learner, because your effort will be rewarded at the right time!


CRISC Exam topics

Candidates must know the exam topics before they start preparing, because this will help them focus on the core material. Our CRISC dumps cover the following topics:

  • IS Control Monitoring and Maintenance: 18%
  • Risk Identification, Assessment, and Evaluation: 31%
  • Risk Monitoring: 17%
  • Information Systems Control Design and Implementation: 17%
  • Risk Response: 17%

ISACA Risk and Information Systems Control Exam Syllabus Topics (topic, details, and weight):

IT Risk Assessment (weight: 20%)

A. IT Risk Identification

  • Risk Events (e.g., contributing conditions, loss result)
  • Threat Modelling and Threat Landscape
  • Vulnerability and Control Deficiency Analysis (e.g., root cause analysis)
  • Risk Scenario Development

B. IT Risk Analysis and Evaluation

  • Risk Assessment Concepts, Standards, and Frameworks
  • Risk Register
  • Risk Analysis Methodologies
  • Business Impact Analysis
  • Inherent and Residual Risk

Risk Response and Reporting (weight: 32%)

A. Risk Response

  • Risk Treatment / Risk Response Options
  • Risk and Control Ownership
  • Third-Party Risk Management
  • Issue, Finding, and Exception Management
  • Management of Emerging Risk

B. Control Design and Implementation

  • Control Types, Standards, and Frameworks
  • Control Design, Selection, and Analysis
  • Control Implementation
  • Control Testing and Effectiveness Evaluation

C. Risk Monitoring and Reporting

  • Risk Treatment Plans
  • Data Collection, Aggregation, Analysis, and Validation
  • Risk and Control Monitoring Techniques
  • Risk and Control Reporting Techniques (heatmap, scorecards, dashboards)
  • Key Performance Indicators
  • Key Risk Indicators (KRIs)
  • Key Control Indicators (KCIs)

Governance (weight: 26%)

A. Organizational Governance

  • Organizational Strategy, Goals, and Objectives
  • Organizational Structure, Roles, and Responsibilities
  • Organizational Culture
  • Policies and Standards
  • Business Processes
  • Organizational Assets

B. Risk Governance

  • Enterprise Risk Management and Risk Management Framework
  • Three Lines of Defense
  • Risk Profile
  • Risk Appetite and Risk Tolerance
  • Legal, Regulatory, and Contractual Requirements
  • Professional Ethics of Risk Management

Information Technology and Security (weight: 22%)

A. Information Technology Principles

  • Enterprise Architecture
  • IT Operations Management (e.g., change management, IT assets, problems, incidents)
  • Project Management
  • Disaster Recovery Management (DRM)
  • Data Lifecycle Management
  • System Development Life Cycle (SDLC)
  • Emerging Technologies

B. Information Security Principles

  • Information Security Concepts, Frameworks, and Standards
  • Information Security Awareness Training
  • Business Continuity Management
  • Data Privacy and Data Protection Principles

 

NEW QUESTION 236
Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

  • A. Internal penetration testing
  • B. A third-party audit
  • C. Security operations center review
  • D. An internal audit

Answer: B

 

NEW QUESTION 237
Which of the following will BEST support management reporting on risk?

  • A. A risk register
  • B. Control self-assessment (CSA)
  • C. Risk policy requirements
  • D. Key performance indicators (KPIs)

Answer: D

 

NEW QUESTION 238
Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

  • A. Verify the effectiveness of the original mitigation plan.
  • B. Update the status of the control as obsolete.
  • C. Obtain approval to retire the control.
  • D. Consult the internal auditor for a second opinion.

Answer: B

 

NEW QUESTION 239
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

  • A. inform the development team of the concerns, and together formulate risk reduction measures.
  • B. inform the process owner of the concerns and propose measures to reduce them.
  • C. inform the IT manager of the concerns and propose measures to reduce them.
  • D. recommend a program that minimizes the concerns of that production system.

Answer: B

 

NEW QUESTION 240
Which of the following serves as the authorization for a project to begin?

  • A. Approval of a risk management document
  • B. Approval of a project request document
  • C. Approval of a risk response document
  • D. Approval of a project management plan

Answer: B

Explanation:
Approval of a project initiation document (PID) or a project request document (PRD) is the authorization for a project to begin.
Incorrect Answers:
A: The risk management document is prepared later, after project initiation, during risk management planning. It has no scope during project initiation.
C: The risk response document comes under the risk management process, hence a later phase in the project development process.
D: The project management plan is made after the project has been authorized.

 

NEW QUESTION 241
You are the project manager of the QPS project. You and your project team have identified a pure risk. You along with the key stakeholders, decided to remove the pure risk from the project by changing the project plan altogether. What is a pure risk?

  • A. It is a risk event that is created by the application of a risk response.
  • B. It is a risk event that only has a negative side and not any positive result.
  • C. It is a risk event that cannot be avoided because of the order of the work.
  • D. It is a risk event that is generated due to errors or omissions in the project work.

Answer: B

Explanation:
A pure risk has only a negative effect on the project. Pure risks are activities that are dangerous to complete and manage, such as construction, electrical work, or manufacturing. It is a class of risk in which loss is the only probable result and there is no positive result. Pure risk is associated with events that are outside the risk-taker's control.
Incorrect Answers:
A: The risk event created by the application of a risk response is called a secondary risk.
C: This is not a valid definition of pure risk.
D: A risk event that is generated due to errors or omissions in the project work is not necessarily a pure risk.

 

NEW QUESTION 242
David is the project manager of the HRC Project. He has identified a risk in the project which could cause a delay in the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?

  • A. Acceptance
  • B. Transfer
  • C. Avoidance
  • D. Mitigation

Answer: D

Explanation:
As David is taking some operational controls to reduce the likelihood and impact of the risk, he is adopting risk mitigation. Risk mitigation means that actions are taken to reduce the likelihood and/or impact of a risk.
Incorrect Answers:
A: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted in case it occurs. As David has taken some actions to defend against the risk, he is not accepting it.
B: David has not hired a vendor to manage the risk for his project; therefore he is not transferring the risk.
C: Risk avoidance means that activities or conditions that give rise to risk are discontinued. But here, no such actions are taken, therefore the risk is not avoided.

 

NEW QUESTION 243
Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

  • A. Early detection of emerging threats
  • B. Identification of controls gaps that may lead to noncompliance
  • C. Accurate measurement of loss impact
  • D. Prioritization of risk action plans across departments

Answer: B


 

NEW QUESTION 244
After a high-profile systems breach at an organization's key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

  • A. External audit
  • B. Regulatory examination
  • C. Internal audit
  • D. Vendor performance scorecard

Answer: C

 

NEW QUESTION 245
Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?

  • A. So that the project team and the project manager can work together to assign risk ownership.
  • B. So that the project team can develop a sense of ownership for the risks and associated risk responsibilities.
  • C. So that the project manager isn't the only person identifying the risk events within the project.
  • D. So that the project manager can identify the risk owners for the risks within the project and the needed risk responses.

Answer: B

Explanation:
The best reason to include the project team members is that they need to develop a sense of ownership for the risks and the associated risk responsibilities.
Incorrect Answers:
A: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership and risk responses at this point.
C: While the project manager shouldn't be the only person to identify the risk events, this isn't the best answer.
D: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership.

 

NEW QUESTION 246
All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness, the BEST course of action would be to:

  • A. evaluate opportunities to combine disaster recovery plans.
  • B. outsource disaster recovery to an external provider.
  • C. select a provider to standardize the disaster recovery plans.
  • D. centralize the risk response function at the enterprise level.

Answer: D

 

NEW QUESTION 247
A control owner has completed a year-long project to strengthen existing controls. It is MOST important for the risk practitioner to:

  • A. conduct and document a business impact analysis (BIA).
  • B. ensure risk monitoring for the project is initiated.
  • C. verify the cost-benefit of the new controls being implemented.
  • D. update the risk register to reflect the correct level of residual risk.

Answer: D

 

NEW QUESTION 248
Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are in a foreign country?

  • A. Laws and regulations of the country of origin may not be enforceable in the foreign country
  • B. A security breach notification may get delayed due to the time difference
  • C. The enterprise may not be able to monitor compliance with its internal security and privacy guidelines
  • D. Additional network intrusion detection sensors would have to be installed, resulting in additional cost

Answer: A

Explanation:
Laws and regulations of the country of origin may not be enforceable in a foreign country, and conversely, the laws and regulations of the foreign outsourcer's country may also impact the enterprise. Hence violations of applicable laws may not be recognized or rectified due to lack of knowledge of the local laws.
Incorrect Answers:
B: Security breach notification is not a problem, and the time difference does not play any role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are available to communicate the notifications.
C: Outsourcing does not remove the enterprise's responsibility regarding internal requirements. Hence monitoring compliance with its internal security and privacy guidelines is not a problem.
D: The need for additional network intrusion detection sensors is not a major problem, as it can be easily managed. It only requires additional funding and can be addressed.

 

NEW QUESTION 249
Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

  • A. Conduct a comprehensive compliance review.
  • B. Develop incident response procedure for noncompliance.
  • C. Declare a security breach and inform management.
  • D. Investigate the root cause of noncompliance.

Answer: D


 

NEW QUESTION 250
Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?

  • A. Sensitivity analysis
  • B. Cause and effect analysis
  • C. Scenario analysis
  • D. Fault tree analysis

Answer: D

Explanation:
Fault tree analysis (FTA) is a technique that provides a systematic description of the combination of possible occurrences in a system which can result in an undesirable outcome. It combines hardware failures and human failures.
Incorrect Answers:
A: Sensitivity analysis is a quantitative risk analysis technique that assists in determining the risk factors that have the most potential impact, and that examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values.
B: Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk.
C: Scenario analysis provides the ability to see a range of values across several scenarios to identify risk in a specific situation. It provides the ability to identify those inputs which carry the greatest level of uncertainty.

 

NEW QUESTION 251
Which of the following should be considered to ensure that risk responses that are adopted are cost- effective and are aligned with business objectives?
Each correct answer represents a part of the solution. Choose three.

  • A. Identify the risk in business terms
  • B. Recognize the business risk appetite
  • C. Follow an integrated approach in business
  • D. Adopt only pre-defined risk responses of business

Answer: A,B,C

Explanation:
Risk responses require a formal approach to issues, opportunities and events to ensure that solutions are cost-effective and aligned with business objectives. The following should be considered:

  • While preparing the risk response, identify the risk in business terms, such as loss of productivity, disclosure of confidential information, lost opportunity costs, etc.
  • Recognize the business risk appetite.
  • Follow an integrated approach in business.

Risk responses requiring an investment should be supported by a carefully planned business case that justifies the expenditure, outlines alternatives, and describes the justification for the alternative selected.
Incorrect Answers:
D: There is no requirement to follow only pre-defined risk responses. If new risk responses are discovered during the risk management of a particular project, they should be noted in the lessons learned document so that project managers working on other projects can also utilize them.

 

NEW QUESTION 252
Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager.
Which of the following would be the BEST method to use when developing the scenarios?

  • A. Delphi technique
  • B. Top-down approach
  • C. Cause-and-effect diagram
  • D. Bottom-up approach

Answer: A


 

NEW QUESTION 253
Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

  • A. Changes in control ownership
  • B. An increase in residual risk
  • C. Changes in control design
  • D. A decrease in the number of key controls

Answer: B

 

NEW QUESTION 254
Which of the following is the MOST effective way to integrate risk and compliance management?

  • A. Designing corrective actions to improve risk response capabilities
  • B. Embedding risk management into compliance decision-making
  • C. Conducting regular self-assessments to verify compliance
  • D. Embedding risk management into processes that are aligned with business drivers

Answer: D

 

NEW QUESTION 255
......

Ultimate Guide to the CRISC - Latest Edition Available Now: https://www.actualcollection.com/CRISC-exam-questions.html

2021 Updated Verified Pass CRISC Study Guides & Best Courses: https://drive.google.com/open?id=1vwIRDa46X6afQ8MZ5l3pydWNPyXlRgp2