Certified in Risk and Information Systems Control v1.0 (CRISC)

Page:    1 / 57   
Total 854 questions

Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?

  • A. Penetration testing
  • B. Service level monitoring
  • C. Security awareness training
  • D. Periodic audits


Answer : D

Explanation:
As regular audits can spot gaps in information security compliance, periodic audits can ensure that outsourced service provider comply with the enterprise's information security policy.
Incorrect Answers:
A: Penetration testing can identify security vulnerability, but cannot ensure information compliance.
B: Service level monitoring can only identify operational issues in the enterprise's operational environment. It does not play any role in ensuring that outsourced service provider complies with the enterprise's information security policy.
C: Training can increase user awareness of the information security policy, but is less effective than periodic auditing.

You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re- architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?

  • A. Deferrals
  • B. Quick win
  • C. Business case to be made
  • D. Contagious risk


Answer : C

Explanation:
This is categorized as a Business case to be made because the project cost is very large. The response to be implemented requires quite large investment.
Therefore it comes under business case to be made.
Incorrect Answers:
A: It addresses costly risk response to a low risk. But here the response is less costly than that of business case to be made.
B: Quick win is very effective and efficient response that addresses medium to high risk. But in this the response does not require large investments.
D: This is not risk response prioritization option, instead it is a type of risk that happen with the several of the enterprise's business partners within a very short time frame.

Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?

  • A. Interview the firewall administrator.
  • B. Review the actual procedures.
  • C. Review the device's log file for recent attacks.
  • D. Review the parameter settings.


Answer : D

Explanation:
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide reliable audit evidence documentation.
Incorrect Answers:
A: While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
B: While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy.
C: While reviewing the device's log file for recent attacks may provide indirect evidence about the fact that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.

Which of following is NOT used for measurement of Critical Success Factors of the project?

  • A. Productivity
  • B. Quality
  • C. Quantity
  • D. Customer service


Answer : C

Explanation:
Incorrect Answers:
A, B, D: Productivity, quality and customer service are used for evaluating critical service factor of any particular project.

Which of the following statements is NOT true regarding the risk management plan?

  • A. The risk management plan is an output of the Plan Risk Management process.
  • B. The risk management plan is an input to all the remaining risk-planning processes.
  • C. The risk management plan includes a description of the risk responses and triggers.
  • D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets.


Answer : C

Explanation:
The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers. Responses to risks are documented in the risk register as part of the Plan Risk Responses process.
Incorrect Answers:
A, B, D: These all statements are true for risk management plan. The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. It includes thresholds, scoring and interpretation methods, responsible parties, and budgets. It also act as input to all the remaining risk-planning processes.

You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?

  • A. Project network diagrams
  • B. Cause-and-effect analysis
  • C. Decision tree analysis
  • D. Delphi Technique


Answer : C

Explanation:
Decision tree analysis is a risk analysis tool that can help the project manager in determining the best risk response. The tool can be used to measure probability, impact, and risk exposure and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced image of the risks and opportunities connected with each possible course of action. This makes them mostly useful for choosing between different strategies, projects, or investment opportunities particularly when the resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as a part of risk response planning.
B: Cause-and-effect analysis is used for exposing risk factors and not an effective one in risk response planning.
This analysis involves the use of predictive or diagnostic analytical tool for exploring the root causes or factors that contribute to positive or negative effects or outcomes.
D: Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. Delphi is a group of experts who used to rate independently the business risk of an organization. Each expert analyzes the risk independently and then prioritizes the risk, and the result is combined into a consensus.

You are the risk official of your enterprise. Your enterprise takes important decisions without considering risk credential information and is also unaware of external requirements for risk management and integration with enterprise risk management. In which of the following risk management capability maturity levels does your enterprise exists?

  • A. Level 1
  • B. Level 0
  • C. Level 5
  • D. Level 4


Answer : B

Explanation:
0 nonexistent: An enterprise's risk management capability maturity level is 0 when:
-> The enterprise does not recognize the need to consider the risk management or the business impact from IT risk.
-> Decisions involving risk lack credible information.
-> Awareness of external requirements for risk management and integration with enterprise risk management (ERM) do not exists.
Incorrect Answers:
A, C, D: These all are much higher levels of the risk management capability maturity model and in all these enterprises do take decisions considering the risk credential information. Moreover, in these levels enterprise is aware of external requirements for risk management and integrate with ERM.

Which of the following is the priority of data owners when establishing risk mitigation method?

  • A. User entitlement changes
  • B. Platform security
  • C. Intrusion detection
  • D. Antivirus controls


Answer : A

Explanation:
Data owners are responsible for assigning user entitlement changes and approving access to the systems for which they are responsible.
Incorrect Answers:
B, C, D: Data owners are not responsible for intrusion detection, platform security or antivirus controls.
These are the responsibilities of data custodians.

What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?

  • A. Anti-harassment policy
  • B. Acceptable use policy
  • C. Intellectual property policy
  • D. Privacy policy


Answer : B

Explanation:
An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network site or system may be used. Acceptable Use Policies are an integral part of the framework of information security policies.
Incorrect Answers:
A, C: These two policies are not related to Information system security.
D: Privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data.

Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?

  • A. Mitigation
  • B. Avoidance
  • C. Transference
  • D. Enhancing


Answer : A

Explanation:
Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to be within acceptable threshold limits. Taking early actions to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred.
Incorrect Answers:
B: Avoidance changes the project plan to avoid the risk altogether.
C: Transference requires shifting some or all of the negative impacts of a threat, along with the ownership of the response, to a third party. Transferring the risk simply gives another party the responsibility for its management-it does not eliminate it.
Transferring the liability for a risk is most effective in dealing with financial risk exposure. Risk transference nearly always involves payment of a risk premium to the party taking on the risk.
D: Enhancing is actually a positive risk response. This strategy is used to increase the probability and/or the positive impact of an opportunity. Identifying and maximizing the key drivers of these positive-impact risks may increase the probability of their occurrence.

Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?

  • A. Monitor and Control Risk
  • B. Plan risk response
  • C. Identify Risks
  • D. Qualitative Risk Analysis


Answer : B

Explanation:
The plan risk response project management process aims to reduce the threats to the project objectives and to increase opportunities. It follows the perform qualitative risk analysis process and perform quantitative risk analysis process. Plan risk response process includes the risk response owner to take the job for each agreed-to and funded risk response. This process addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget. The inputs to the plan risk response process are as follows:
-> Risk register

Risk management plan -


Incorrect Answers:
A: Monitor and Control Risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.
C: Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the
Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process.
D: Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10). Hence it determines the nature of risk on a relative scale.
Some of the qualitative methods of risk analysis are:
-> Scenario analysis- This is a forward-looking process that can reflect risk for a given point in time.
-> Risk Control Self -assessment (RCSA) - RCSA is used by enterprises (like banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in compelling business owners to contemplate, and then explain, the issues at hand with the added benefit of increasing their accountability.

Out of several risk responses, which of the following risk responses is used for negative risk events?

  • A. Share
  • B. Enhance
  • C. Exploit
  • D. Accept


Answer : D

Explanation:
Among the given choices only Acceptance response is used for negative risk events. Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.
-> Passive acceptance means that enterprise has made no plan to avoid or mitigate the risk but willing to accept the consequences of the risk.
Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.


Incorrect Answers:
A, B, C: These all are used to deal with opportunities or positive risks, and not with negative risks.

Which of the following risks refer to probability that an actual return on an investment will be lower than the investor's expectations?

  • A. Integrity risk
  • B. Project ownership risk
  • C. Relevance risk
  • D. Expense risk


Answer : D

Explanation:
Probability that an actual return on an investment will be lower than the investor's expectations is termed as investment risk or expense risk. All investments have some level of risk associated with it due to the unpredictability of the market's direction. This includes consideration of the overall IT investment portfolio.
Incorrect Answers:
A: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed as integrity risks.
B: The risk of IT projects failing to meet objectives due to lack of accountability and commitment is referring to as project risk ownership.
C: The risk associated with not receiving the right information to the right people (or process or systems) at the right time to allow the right action to be taken is termed as relevance risk.

What are the PRIMARY requirements for developing risk scenarios?
Each correct answer represents a part of the solution. Choose two.

  • A. Potential threats and vulnerabilities that could lead to loss events
  • B. Determination of the value of an asset at risk
  • C. Determination of actors that has potential to generate risk
  • D. Determination of threat type


Answer : AB

Explanation:
Creating a scenario requires determination of the value of an asset or a business process at risk and the potential threats and vulnerabilities that could cause loss.
The risk scenario should be assessed for relevance and realism, and then entered into the risk register if found to be relevant.
In practice following steps are involved in risk scenario development:
-> First determine manageable set of scenarios, which include:
-> Frequently occurring scenarios in the industry or product area.
-> Scenarios representing threat sources that are increasing in count or severity level.
-> Scenarios involving legal and regulatory requirements applicable to the business.
-> After determining manageable risk scenarios, perform a validation against the business objectives of the entity.
-> Based on this validation, refine the selected scenarios and then detail them to a level in line with the criticality of the entity.
-> Lower down the number of scenarios to a manageable set. Manageable does not signify a fixed number, but should be in line with the overall importance and criticality of the unit.
-> Risk factors kept in a register so that they can be reevaluated in the next iteration and included for detailed analysis if they have become relevant at that time.
-> Risk factors kept in a register so that they can be reevaluated in the next iteration and included for detailed analysis if they have become relevant at that time.
-> Include an unspecified event in the scenarios, that is, address an incident not covered by other scenarios.
Incorrect Answers:
C, D: Determination of actors and threat type are not the primary requirements for developing risk scenarios, but are the components that are determined during risk scenario development.

What are the responsibilities of the CRO?
Each correct answer represents a complete solution. Choose three.

  • A. Managing the risk assessment process
  • B. Implement corrective actions
  • C. Advising Board of Directors
  • D. Managing the supporting risk management function


Answer : ABD

Explanation:
Chief Risk Officer is the executive-level manager in an organization. They provide corporate, guidance, governance, and oversight over the enterprise's risk management activities. The main priority for the CRO is to ensure that the organization is in full compliance with applicable regulations. They may also deal with areas regarding insurance, internal auditing, corporate investigations, fraud, and information security.
CRO's responsibilities include:
-> Managing the risk assessment process
-> Implementation of corrective actions
-> Communicate risk management issues
-> Supporting the risk management functions

Page:    1 / 57   
Total 854 questions