Download Certified in Risk and Information Systems Control.CRISC.PracticeTest.2018-08-07.234q.vcex

Vendor: ISACA
Exam Code: CRISC
Exam Name: Certified in Risk and Information Systems Control
Date: Aug 07, 2018
File Size: 291 KB
Downloads: 1

Demo Questions

Question 1
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
  A. ALE = ARO/SLE
  B. ARO = SLE/ALE
  C. ARO = ALE*SLE
  D. ALE = ARO*SLE
Correct answer: D
Explanation:
A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:
  • Single loss expectancy (SLE): the total loss expected from a single incident. Such an incident occurs when a vulnerability is exploited by a threat. The loss is expressed as a dollar value such as $1,000 and includes the value of data, software, and hardware. SLE = Asset value * Exposure factor
  • Annual rate of occurrence (ARO): the number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely to occur 24 times next year.
  • Annual loss expectancy (ALE): the expected loss for a year. ALE is calculated by multiplying SLE by ARO. Because SLE is given as a dollar value, ALE is also a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO
  • Safeguard value: the cost of a control. Controls are used to mitigate risk. For example, antivirus software might cost an average of $50 per computer; if there are 50 computers, the safeguard value is $2,500.
Incorrect Answers:
A, B, C: These are wrong formulas and are not used in quantitative risk assessment.
Question 2
Which of the following statements are true for enterprise's risk management capability maturity level 3?
  A. Workflow tools are used to accelerate risk issues and track decisions
  B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
  C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
  D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
Correct answer: ABD
Explanation:
An enterprise's risk management capability maturity level is 3 when:
  • Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized. 
  • There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise. 
  • The business knows how IT fits in the enterprise risk universe and the risk portfolio view. 
  • Local tolerances drive the enterprise risk tolerance. 
  • Risk management activities are being aligned across the enterprise. 
  • Formal risk categories are identified and described in clear terms. 
  • Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk. 
  • Defined requirements exist for a centralized inventory of risk issues. 
  • Workflow tools are used to accelerate risk issues and track decisions. 
Incorrect Answers:
C: An enterprise at risk management capability maturity level 5 formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.
Question 3
Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions?
  A. Business management
  B. Business process owner
  C. Chief information officer (CIO)
  D. Chief risk officer (CRO)
Correct answer: A
Explanation:
Business management refers to the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions. Beyond this, they are also responsible for managing risks, reacting to events, etc.
Incorrect Answers:
B: A business process owner is an individual responsible for identifying process requirements, approving process design and managing process performance. He/she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
C: The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. The CIO has some responsibility for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
D: The CRO is the individual who oversees all aspects of risk management across the enterprise. He/she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
Question 4
You are using an information system. You have chosen a poor password and also sometimes transmit data over unprotected communication lines.
What do this poor-quality password and unsafe transmission refer to?
  A. Probabilities
  B. Threats
  C. Vulnerabilities
  D. Impacts
Correct answer: C
Explanation:
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. The given scenario describes such a situation, hence it is a vulnerability. 
Incorrect Answers:
A: Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability.
B: Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat.
D: Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.
Question 5
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?
  A. Penetration testing
  B. Service level monitoring
  C. Security awareness training
  D. Periodic audits
Correct answer: D
Explanation:
As regular audits can spot gaps in information security compliance, periodic audits can ensure that outsourced service providers comply with the enterprise's information security policy.
Incorrect Answers:
A: Penetration testing can identify security vulnerabilities, but cannot ensure compliance with the information security policy.
B: Service level monitoring can only identify operational issues in the enterprise's operational environment. It does not play any role in ensuring that outsourced service providers comply with the enterprise's information security policy.
C: Training can increase user awareness of the information security policy, but is less effective than periodic auditing.
Question 6
You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To address this risk, the response adopted is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized?
  A. Deferrals
  B. Quick win
  C. Business case to be made
  D. Contagious risk
Correct answer: C
Explanation:
This is categorized as a business case to be made because the project cost is very large. The response to be implemented requires a quite large investment; therefore it falls under business case to be made.
Incorrect Answers:
A: Deferral addresses a costly risk response to a low risk, but the response there is less costly than in the business case to be made category.
B: Quick win is a very effective and efficient response that addresses medium to high risk, but it does not require large investments.
D: Contagious risk is not a risk response prioritization option; instead it is a type of risk that happens to several of the enterprise's business partners within a very short time frame.
Question 7
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
  A. Interview the firewall administrator.
  B. Review the actual procedures.
  C. Review the device's log file for recent attacks.
  D. Review the parameter settings.
Correct answer: D
Explanation:
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide reliable audit evidence documentation. 
Incorrect Answers:
A: While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
B: While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy.
C: While reviewing the device's log file for recent attacks may provide indirect evidence about the fact that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
Question 8
Which of the following is NOT used for measurement of Critical Success Factors of the project?
  A. Productivity
  B. Quality
  C. Quantity
  D. Customer service
Correct answer: C
Explanation:
Incorrect Answers:
A, B, D: Productivity, quality and customer service are used for evaluating the critical success factors of any particular project.
Question 9
Which of the following statements is NOT true regarding the risk management plan?
  A. The risk management plan is an output of the Plan Risk Management process.
  B. The risk management plan is an input to all the remaining risk-planning processes.
  C. The risk management plan includes a description of the risk responses and triggers.
  D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets.
Correct answer: C
Explanation:
The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers. Responses to risks are documented in the risk register as part of the Plan Risk Responses process.
Incorrect Answers:
A, B, D: All of these statements are true for the risk management plan. The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. It includes thresholds, scoring and interpretation methods, responsible parties, and budgets. It also acts as an input to all the remaining risk-planning processes.
Question 10
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?
  A. Project network diagrams
  B. Cause-and-effect analysis
  C. Decision tree analysis
  D. Delphi Technique
Correct answer: C
Explanation:
Decision tree analysis is a risk analysis tool that can help the project manager determine the best risk response. The tool can be used to measure probability, impact, and risk exposure, and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced picture of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as part of risk response planning.
B: Cause-and-effect analysis is used for exposing risk factors and is not effective in risk response planning. This analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes.
D: The Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. It uses a group of experts who independently rate the business risk of an organization. Each expert analyzes the risk independently and then prioritizes it, and the results are combined into a consensus.