Top ISACA CRISC Courses Online - Updated [Jan-2024]
CRISC Practice Dumps - Verified By SurePassExams Updated 1196 Questions
ISACA Risk and Information Systems Control Exam Syllabus Topics:
| Topic | Details | Weight |
|---|---|---|
| Information Technology and Security | A. Information Technology Principles; B. Information Security Principles | 22% |
| IT Risk Assessment | A. IT Risk Identification; B. IT Risk Analysis and Evaluation | 20% |
| Governance | A. Organizational Governance; B. Risk Governance | 26% |
| Risk Response and Reporting | A. Risk Response; B. Control Design and Implementation; C. Risk Monitoring and Reporting | 32% |
NEW QUESTION # 110
Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?
- A. Risk appetites for IT risk scenarios are approved by key business stakeholders.
- B. IT risk scenarios are assessed by the enterprise risk management team.
- C. Key risk indicators (KRIs) are developed for key IT risk scenarios.
- D. IT risk scenarios are developed in the context of organizational objectives.
Answer: D
NEW QUESTION # 111
You are working on a project in an enterprise. Part of your project requires e-commerce, but your enterprise has chosen not to engage in e-commerce. Which form of risk response does this scenario demonstrate?
- A. risk transfer
- B. risk treatment
- C. risk acceptance
- D. risk avoidance
Answer: D
Explanation:
Each business process involves inherent risk. Not engaging in an activity avoids the inherent risk associated with that activity, so this scenario demonstrates risk avoidance.
Incorrect Answers:
A: Risk transfer/sharing means reducing either risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing. These techniques do not relieve an enterprise of a risk, but can involve the skills of another party in managing the risk and reduce the financial consequence if an adverse event occurs.
B: Risk treatment means that action is taken to reduce the frequency and impact of a risk.
C: Acceptance means that no action is taken relative to a particular risk, and the loss is accepted when/if it occurs. This is different from being ignorant of risk: accepting risk assumes that the risk is known, i.e., management has made an informed decision to accept it as such.
NEW QUESTION # 112
Which of the following actions assures management that the organization's objectives are protected from the occurrence of risk events?
- A. Risk management
- B. Hedging
- C. Risk assessment
- D. Internal control
Answer: D
Explanation:
Internal controls are the actions taken by the organization to help assure management that the organization's objectives are protected from the occurrence of risk events. Internal control objectives apply to all manual and automated areas. They include:
Internal accounting controls - control accounting operations, including safeguarding assets and financial records.
Operational controls - focus on day-to-day operations, functions and activities, and ensure that the organization's objectives are being accomplished.
Administrative controls - focus on operational efficiency in a functional area and on adherence to management policies.
Incorrect Answers:
A: Risk management is the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and impact of unfortunate events or to maximize the realization of opportunities.
B: Hedging is the process of managing the risk of price changes in physical material by offsetting that risk in the futures market. It offsets one specific financial risk; it does not assure protection of the organization's objectives as a whole.
C: Risk assessment is the process of analyzing identified risk, both quantitatively and qualitatively. Quantitative risk assessment requires calculation of two components of risk: the magnitude of the potential loss and the probability that the loss will occur. Qualitative risk assessment rates the severity of the risk. The assessment attempts to determine the likelihood of the risk being realized and its impact on the operation, and draws conclusions about:
Probability - the likelihood of occurrence and reoccurrence of specific risks, independently and combined.
Interdependencies - the relationship between different types of risk; for instance, one risk may have greater potential of occurring if another risk has occurred, or the probability or impact of a situation may increase with combined risk.
NEW QUESTION # 113
Which of the following statements are true for an enterprise's risk management capability maturity level 3?
- A. The business knows how IT fits in the enterprise risk universe and the risk portfolio view.
- B. Workflow tools are used to accelerate risk issues and track decisions.
- C. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized.
- D. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.
Answer: A,B,C
Explanation:
An enterprise's risk management capability maturity level is 3 when:
Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized.
There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise.
The business knows how IT fits in the enterprise risk universe and the risk portfolio view.
Local tolerances drive the enterprise risk tolerance.
Risk management activities are being aligned across the enterprise.
Formal risk categories are identified and described in clear terms.
Situations and scenarios are included in risk awareness training beyond specific policy and structures, and promote a common language for communicating risk.
Defined requirements exist for a centralized inventory of risk issues.
Workflow tools are used to accelerate risk issues and track decisions.
Incorrect Answers:
D: Formally requiring continuous improvement of risk management skills, based on clearly defined personal and enterprise goals, characterizes risk management capability maturity level 5, not level 3.
NEW QUESTION # 114
Which of the following is the STRONGEST indication an organization has ethics management issues?
- A. Employees face sanctions for not signing the organization's acceptable use policy.
- B. Internal IT auditors report to the chief information security officer (CISO).
- C. The organization has only two lines of defense.
- D. Employees do not report IT risk issues for fear of consequences.
Answer: D
NEW QUESTION # 115
During an acquisition, which of the following would provide the MOST useful input to the parent company's risk practitioner when developing risk scenarios for the post-acquisition phase?
- A. Risk registers of both companies
- B. IT balanced scorecard of each company
- C. Risk management framework adopted by each company
- D. Most recent internal audit findings from both companies
Answer: A
NEW QUESTION # 116
Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?
- A. An increase in intrusion attempts
- B. A change in the risk management policy
- C. A change in the regulatory environment
- D. A major security incident
Answer: C
NEW QUESTION # 117
You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?
- A. Stakeholder classification of their role in the project
- B. Identification information for each stakeholder
- C. Assessment information of the stakeholders' major requirements, expectations, and potential influence
- D. Stakeholder management strategy
Answer: D
Explanation:
The stakeholder management strategy is generally not included in the stakeholder register because it may contain sensitive information that should not be shared with project team members or other individuals who could see the stakeholder register. The stakeholder register is a project management document that lists the stakeholders associated with the project, assesses how they are involved in the project, and identifies the role they play in the organization. It also records relevant information about the stakeholders, such as their requirements, expectations, and influence on the project; this information can be sensitive and is meant for limited distribution.
Incorrect Answers:
A, B, C: Stakeholder classification, identification information, and assessment information should all be included in the stakeholder register.
NEW QUESTION # 118
You are the Risk Official at Bluewell Inc. You have detected many vulnerabilities during the risk assessment process.
What should you do next?
- A. Prioritize vulnerabilities for remediation solely based on impact.
- B. Handle vulnerabilities as a risk, even though there is no threat.
- C. Evaluate vulnerabilities for threat, impact, and cost of mitigation.
- D. Analyze the effectiveness of control on the vulnerabilities' basis.
Answer: C
Explanation:
Vulnerabilities detected during assessment should first be evaluated for threat, impact and cost of mitigation, and prioritized on the basis of whether they are exposed to a credible threat.
Incorrect Answers:
A, D: These are further steps taken after the vulnerabilities have been evaluated; they are not the immediate action after detection.
B: If a detected vulnerability is exposed to no or negligible threat, it is not cost effective to address it as a risk.
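The triage described above, as an added example that is not part of the original page or of any ISACA material: each finding is evaluated for threat (an assumed annual likelihood), impact and cost of mitigation, findings with no credible threat are set aside rather than carried as risk, and the remainder are ranked by exposure removed per unit of mitigation cost. The vulnerability records and all figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    impact: float            # estimated loss if exploited, in currency units (assumed)
    likelihood: float        # annual probability that a credible threat exploits it, 0.0-1.0 (assumed)
    mitigation_cost: float   # one-off cost to remediate (assumed)


def exposure(v: Vulnerability) -> float:
    """Annualised risk exposure of one vulnerability: likelihood x impact."""
    return v.likelihood * v.impact


def evaluate(vulns, min_likelihood: float = 0.01):
    """Evaluate each vulnerability for threat, impact and cost of mitigation.

    Vulnerabilities with no credible threat (likelihood below min_likelihood) are
    set aside rather than treated as risk (option B of the question). The rest
    are ranked by exposure removed per unit of mitigation cost, so a cheap fix
    for a likely event outranks an expensive fix for a rare one.
    Returns (ranked_candidates, no_credible_threat).
    """
    for v in vulns:
        if v.mitigation_cost <= 0:
            raise ValueError(f"{v.vuln_id}: mitigation cost must be positive")
    no_threat = [v for v in vulns if v.likelihood < min_likelihood]
    candidates = [v for v in vulns if v.likelihood >= min_likelihood]
    ranked = sorted(candidates,
                    key=lambda v: exposure(v) / v.mitigation_cost,
                    reverse=True)
    return ranked, no_threat


def rank_by_impact_only(vulns):
    """Option A of the question, shown for contrast: prioritise solely on impact."""
    return sorted(vulns, key=lambda v: v.impact, reverse=True)


# Constructed sample findings (not real data): V-1 has a huge impact but no
# credible threat path; V-4 is small but near-certain and almost free to fix.
SAMPLE = [
    Vulnerability("V-1", impact=5_000_000, likelihood=0.0, mitigation_cost=200_000),
    Vulnerability("V-2", impact=400_000, likelihood=0.5, mitigation_cost=10_000),
    Vulnerability("V-3", impact=2_000_000, likelihood=0.1, mitigation_cost=500_000),
    Vulnerability("V-4", impact=50_000, likelihood=0.9, mitigation_cost=1_000),
]

if __name__ == "__main__":
    ranked, no_threat = evaluate(SAMPLE)
    for v in ranked:
        print(f"{v.vuln_id}: exposure={exposure(v):,.0f} cost={v.mitigation_cost:,.0f} "
              f"exposure/cost={exposure(v) / v.mitigation_cost:.2f}")
    print("no credible threat, not treated as risk:", [v.vuln_id for v in no_threat])
    print("impact-only order (option A):", [v.vuln_id for v in rank_by_impact_only(SAMPLE)])
```

With the constructed data the impact-only ranking puts V-1 first even though no threat can reach it, while the threat/impact/cost evaluation ranks V-4, then V-2, then V-3 and drops V-1 from the remediation queue.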
NEW QUESTION # 119
You work as a Project Manager for Company Inc. You are incorporating a risk response owner to take the job for each agreed-to and funded risk response. On which of the following processes are you working?
- A. Qualitative Risk Analysis
- B. Plan risk response
- C. Identify Risks
- D. Quantitative Risk Analysis
Answer: B
Explanation:
The Plan Risk Responses project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. Plan Risk Responses assigns a risk response owner to take responsibility for each agreed-to and funded risk response. The process addresses risks by their priorities, updates the project management plan as required, and inserts resources and activities into the budget.
The inputs to the Plan Risk Responses process are as follows:
Risk register
Risk management plan
Incorrect Answers:
A: Qualitative analysis defines risk factors in terms of high/medium/low or a numeric scale (1 to 10), and so determines the nature of risk on a relative scale. Some of the qualitative methods of risk analysis are:
Scenario analysis - a forward-looking process that can reflect risk for a given point in time.
Risk Control Self-assessment (RCSA) - used by enterprises (such as banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process that compels business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.
C: Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. It is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they develop and maintain a sense of ownership and responsibility for the risks and the associated risk response actions. The risk register is the only output of this process.
D: Quantitative analysis is the use of numerical and statistical techniques, rather than the analysis of verbal material, for analyzing risks. Some of the quantitative methods of risk analysis are:
Internal loss method
External data analysis
Business process modeling (BPM) and simulation
Statistical process control (SPC)
NEW QUESTION # 120
The PRIMARY advantage of implementing an IT risk management framework is the:
- A. improvement of controls within the organization and minimized losses
- B. establishment of a reliable basis for risk-aware decision making
- C. compliance with relevant legal and regulatory requirements
- D. alignment of business goals with IT objectives
Answer: B
NEW QUESTION # 121
You work as a Project Manager for www.company.com Inc. You have to measure the probability, impact, and risk exposure. Then, you have to measure how the selected risk response can affect the probability and impact of the selected risk event. Which of the following tools will help you to accomplish the task?
- A. Project network diagrams
- B. Decision tree analysis
- C. Cause-and-effect diagrams
- D. Delphi technique
Answer: B
Explanation:
Decision tree analysis is a risk analysis tool that helps the project manager determine the best risk response. It can be used to measure probability, impact, and risk exposure, and to show how the selected risk response affects the probability and/or impact of the selected risk event. It helps to form a balanced picture of the risks and opportunities connected with each possible course of action, which makes it most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as part of risk response planning.
C: Cause-and-effect diagrams are useful for identifying root causes and for risk identification, but they are not the most effective tool for risk response planning.
D: The Delphi technique can be used in risk identification, but is generally not used in risk response planning. It uses rounds of anonymous surveys to identify risks.
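The decision tree calculation described above, as an added example that is not part of the original page or of any ISACA material: each candidate risk response is a decision branch whose cost is followed by a chance node, risk exposure at the chance node is the probability-weighted loss, and the expected monetary value (EMV) of a branch is the negative of its cost plus that expected loss. The scenario figures (a 30% event with a 1,000,000 impact, and the costs and residual probabilities of each response) are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Outcome:
    probability: float   # chance of this branch at the chance node
    loss: float          # loss incurred on this branch (0 if the event does not occur)


@dataclass(frozen=True)
class Response:
    name: str
    cost: float                      # cost of implementing the response (assumed figure)
    outcomes: Tuple[Outcome, ...]    # chance node that follows the decision


def risk_exposure(outcomes) -> float:
    """Expected loss at a chance node: sum of probability x loss.

    Branch probabilities must sum to 1, otherwise the tree is malformed.
    """
    total_p = sum(o.probability for o in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total_p:.3f}, not 1")
    return sum(o.probability * o.loss for o in outcomes)


def emv(response: Response) -> float:
    """Expected monetary value of a decision branch: -(response cost + expected loss)."""
    return -(response.cost + risk_exposure(response.outcomes))


def best_response(responses) -> Response:
    """The branch with the highest EMV, i.e. the lowest expected total cost."""
    return max(responses, key=emv)


# Constructed scenario (not from the page): a risk event with 30% annual
# probability and a 1,000,000 impact if it occurs.
P, IMPACT = 0.30, 1_000_000
RESPONSES = (
    Response("accept", cost=0,
             outcomes=(Outcome(P, IMPACT), Outcome(1 - P, 0))),
    # mitigation changes the probability (down to 5%) but not the impact
    Response("mitigate", cost=80_000,
             outcomes=(Outcome(0.05, IMPACT), Outcome(0.95, 0))),
    # insurance changes the impact (loss capped at a 200,000 deductible) but not the probability
    Response("transfer", cost=60_000,
             outcomes=(Outcome(P, 200_000), Outcome(1 - P, 0))),
)

if __name__ == "__main__":
    for r in RESPONSES:
        print(f"{r.name:9s} cost={r.cost:>8,.0f} "
              f"exposure={risk_exposure(r.outcomes):>9,.0f} EMV={emv(r):>11,.0f}")
    print("best response:", best_response(RESPONSES).name)
```

Under these assumed figures, accepting the risk has an EMV of -300,000, mitigating it -130,000 and transferring it -120,000, so transfer is selected; changing either the premium or the residual probability after mitigation moves the answer, which is exactly the sensitivity a decision tree is meant to expose.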
NEW QUESTION # 122
Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?
- A. Include information security control specifications in business cases.
- B. Design key performance indicators (KPIs) for security in system specifications.
- C. Identify information security controls in the requirements analysis
- D. Identify key risk indicators (KRIs) as process output.
Answer: C
NEW QUESTION # 123
Risk mitigation procedures should include:
- A. deployment of counter measures.
- B. buying an insurance policy.
- C. acceptance of exposures
- D. enterprise architecture implementation.
Answer: A
NEW QUESTION # 124
If a particular control or monitoring tool is said to be sustainable, what ability does this refer to?
- A. The ability to be applied in the same manner throughout the organization
- B. The ability to ensure the control remains in place when it fails
- C. The ability to protect itself from exploitation or attack
- D. The ability to adapt as new elements are added to the environment
Answer: D
Explanation:
Sustainability of a control or monitoring tool refers to its ability to function as expected over time or when changes are made to the environment.
Incorrect Answers:
A: Uniform application throughout the organization is not a valid definition of the sustainability of a tool.
B: Sustainability ensures that the control changes with conditions so that it does not fail; keeping a control in place after it has failed is not what sustainability means.
C: Self-protection from exploitation or attack is not a valid definition of sustainability.
NEW QUESTION # 125
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks associated to the time allowances for the activities or projects as a whole, with a width of the range indicating the degrees of risk?
- A. Activity duration estimates
- B. Schedule management plan
- C. Activity cost estimates
- D. Risk management plan
Answer: A
Explanation:
The activity duration estimates review is valuable in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk.
Incorrect Answers:
B: The schedule management plan describes how schedule contingencies will be reported and assessed.
C: The activity cost estimates review is valuable in identifying risks because it provides a quantitative assessment of the expected cost to complete scheduled activities, expressed as a range whose width indicates the degree of risk; it concerns cost, not time allowances.
D: A risk management plan is a document prepared by the project manager to estimate effectiveness, predict risks, and build response plans to mitigate them. It also contains the risk assessment matrix.
NEW QUESTION # 126
The CRISC certification is an important credential for IT professionals who want to advance their careers and demonstrate their expertise in risk management and information systems control. By acquiring this certification, professionals can enhance their credibility and demonstrate their commitment to maintaining the highest standards of excellence in their field.
New (2024) ISACA CRISC Exam Dumps: https://www.surepassexams.com/CRISC-exam-bootcamp.html
Updated CRISC Exam Dumps - PDF Questions and Testing Engine: https://drive.google.com/open?id=1Z3gXQkRJ746ES97a7ahfowG6DCk409QP