QUESTION 1
You are the project manager of GHT project. You have identified a risk event on your project that could save $100,000 in project costs if it occurs. Which of the following statements BEST describes this risk event?
A. This risk event should be mitigated to take advantage of the savings.
B. This is a risk event that should be accepted because the rewards outweigh the threat to the project.
C. This risk event should be avoided to take full advantage of the potential savings.
D. This risk event is an opportunity to the project and should be exploited.
Correct Answer: D
Section: Volume A
Explanation:
This risk event has the potential to save money on project costs, so it is an opportunity, and the appropriate strategy to use in this case is the exploit strategy. The exploit response is one of the strategies used to respond to risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of the exploit response.
Incorrect Answers:
A, C: The mitigation and avoidance risk responses are used for negative risk events, not for positive risk events. In this scenario it is stated that the event could save $100,000, so it is a positive risk event and should therefore be neither mitigated nor avoided.
B: To accept a risk means that no action is taken relative to a particular risk; the loss is accepted if it occurs. Since this risk event brings an opportunity, it should be exploited, not accepted.
QUESTION 2
Which of the following is the MOST important use of KRIs?
A. Providing a backward-looking view on risk events that have occurred
B. Providing an early warning signal
C. Providing an indication of the enterprise's risk appetite and tolerance
D. Enabling the documentation and analysis of trends
Correct Answer: B
Section: Volume A
Explanation:
Key Risk Indicators (KRIs) are the prime monitoring indicators of the enterprise. KRIs are highly relevant and have a high probability of predicting or indicating important risk. KRIs help avoid the excessively large number of risk indicators to manage and report that a large enterprise may otherwise have.
As KRIs are indicators of risk, their most important function is to give an early warning signal that a high risk is emerging, enabling management to take proactive action before the risk actually becomes a loss.
Incorrect Answers:
A: This is one of the important functions of KRIs, which can help management to improve, but it is not as important as giving early warning.
C: KRIs provide an indication of the enterprise's risk appetite and tolerance through metric setting, but this is not as important as giving early warning.
D: This is not as important as giving early warning.
QUESTION 3
Which of the following role carriers will decide the Key Risk Indicators of the enterprise? Each correct answer represents a part of the solution. Choose two.
A. Business leaders
B. Senior management
C. Human resource
D. Chief financial officer
Correct Answer: AB
Section: Volume A
Explanation:
An enterprise may have hundreds of risk indicators such as logs, alarms and reports. The CRISC will usually need to work with senior management and business leaders to determine which risk indicators will be monitored on a regular basis and be recognized as KRIs.
Incorrect Answers:
C, D: The chief financial officer and human resources only have an overview of the common risk view; they are not involved in risk-based decisions.
QUESTION 4
What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. Choose three.
A. Determination of cause and effect
B. Determination of the value of business process at risk
C. Potential threats and vulnerabilities that could cause loss
D. Determination of the value of an asset
Correct Answer: BCD
Section: Volume A
Explanation:
Creating a scenario requires determination of the value of an asset or a business process at risk and the potential threats and vulnerabilities that could cause loss. The risk scenario should be assessed for relevance and realism, and then entered into the risk register if found to be relevant.
In practice, the following steps are involved in risk scenario development. First, determine a manageable set of scenarios, which includes:
- Frequently occurring scenarios in the industry or product area.
- Scenarios representing threat sources that are increasing in count or severity level.
- Scenarios involving legal and regulatory requirements applicable to the business.
After determining manageable risk scenarios, perform a validation against the business objectives of the entity.
Based on this validation, refine the selected scenarios and then detail them to a level in line with the criticality of the entity.
Reduce the number of scenarios to a manageable set. Manageable does not signify a fixed number, but should be in line with the overall importance and criticality of the unit.
Keep risk factors in a register so that they can be re-evaluated in the next iteration and included for detailed analysis if they have become relevant at that time. Include an unspecified event in the scenarios, that is, address an incident not covered by other scenarios.
Incorrect Answers:
A: Cause-and-effect analysis is a predictive or diagnostic analytical tool used to explore the root causes or factors that contribute to positive or negative effects or outcomes. It is used during the process of exposing risk factors.
QUESTION 5
You work as the project manager for Bluewell Inc. Your project has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
A. Resource Management Plan
B. Risk Management Plan
C. Stakeholder management strategy
D. Communications Management Plan
Correct Answer: D
Section: Volume A
Explanation:
The Communications Management Plan defines, in regard to risk management, who will be available to share information on risks and responses throughout the project.
The Communications Management Plan aims to define the communication requirements of the project and how the information will be circulated. It sets the communication structure for the project. This structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communications Management Plan identifies and defines the roles of the persons concerned with the project. It includes a matrix, known as the communication matrix, that maps the communication requirements of the project.
Incorrect Answers:
A: The Resource Management Plan does not define risk communications.
B: The Risk Management Plan defines risk identification, analysis, response, and monitoring.
C: The stakeholder management strategy does not address risk communications.
QUESTION 6
You are the project manager of GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?
A. Process flowchart
B. Ishikawa diagram
C. Influence diagram
D. Decision tree diagram
Correct Answer: D
Section: Volume A
Explanation:
Decision tree diagrams are used during the Quantitative risk analysis process and not in risk identification.
Incorrect Answers:
A, B, C: All these options are diagrammatical techniques used in the Identify risks process.
QUESTION 7
Which of the following aspects of a monitoring tool ensures that the monitoring tool has the ability to keep up with the growth of an enterprise?
A. Scalability
B. Customizability
C. Sustainability
D. Impact on performance
Correct Answer: A
Section: Volume A
Explanation:
Monitoring tools have to be able to keep up with the growth of an enterprise and meet anticipated growth in process, complexity or transaction volumes; this is ensured by the scalability criterion of the monitoring tool.
Incorrect Answers:
B: For software to be effective, it must be customizable to the specific needs of an enterprise. Customizability ensures that end users can adapt the software.
C: Sustainability ensures that monitoring software is able to change at the same speed as technology applications and infrastructure, so that it remains effective over time.
D: The impact on performance is not related to the ability of a monitoring tool to keep up with the growth of the enterprise.
QUESTION 8
You are the project manager in your enterprise. You have identified a risk that is a noticeable failure threatening the success of certain goals of your enterprise. At which of the following levels does this identified risk exist?
A. Moderate risk
B. High risk
C. Extremely high risk
D. Low risk
Correct Answer: A
Section: Volume A
Explanation:
Moderate risks are noticeable failures threatening the success of certain goals.
Incorrect Answers:
B: High risk is a significant failure resulting in certain goals not being met.
C: Extremely high risks are risks that have a large impact on the enterprise and will most likely result in failure with severe consequences.
D: Low risks are risks that result in certain goals being unsuccessful.
QUESTION 9
Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis Courtney encourages the project team to begin grouping the identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?
A. It helps the project team realize the areas of the project most laden with risks.
B. It assists in developing effective risk responses.
C. It saves time by collecting the related resources, such as project team members, to analyze the risk events.
D. It can lead to the creation of risk categories unique to each project.
Correct Answer: B
Section: Volume A
Explanation:
By grouping the risks by categories, the project team can develop effective risk responses. Related risk events often have common causal factors that can be addressed with a single risk response.
QUESTION 10
Which of the following processes is described in the statement below?
"It is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions."
A. Risk governance
B. Risk identification
C. Risk response planning
D. Risk communication
Correct Answer: D
Section: Volume A
Explanation:
Risk communication is the process of exchanging information and views about risks among stakeholders, such as groups, individuals, and institutions. Risk communication is mostly concerned with the nature of risk, or with expressing concerns, views, or reactions to risk managers or institutional bodies responsible for risk management. The key plan to consider and communicate risk is to categorize risks, impose priorities, and acquire suitable measures to reduce them. It is important throughout any crisis to put across multifaceted information in a simple and clear manner.
Risk communication helps in exchanging or allocating the information concerning risk among the decision-makers and the stakeholders. Risk communication can be explained more clearly with the help of the following definitions:
- It defines the issue of what a group does, not just what it says.
- It must take into account the valuable element in users' perceptions of risk.
- It will be more valuable if it is thought of as conversation, not instruction.
Risk communication is a fundamental and continuing element of the risk analysis exercise, and the stakeholder group is involved from the beginning. It makes the stakeholders conscious of the process at each phase of the risk assessment. It helps to guarantee that the restrictions, outcomes, consequences, logic, and risk assessment are clearly understood by all the stakeholders.
Incorrect Answers:
C: A risk response ensures that the residual risk is within the limits of the risk appetite and tolerance of the enterprise. Risk response is the process of selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance, and the cost and benefit of the particular risk response option.
Risk response ensures that management is providing accurate reports on:
- The level of risk faced by the enterprise
- The types of incident that have occurred
- Any alteration in the enterprise's risk profile based on changes in the risk environment
QUESTION 11
Which of the following components of risk scenarios has the potential to generate internal or external threat on an enterprise?
A. Timing dimension
B. Events
C. Assets
D. Actors
Correct Answer: D
Section: Volume A
Explanation:
The components of a risk scenario that are needed for its analysis are:
Actor: Actors are the components of a risk scenario that have the potential to generate the threat, which can be internal or external, human or non-human. Internal actors are within the enterprise, such as staff, contractors, etc. External actors include outsiders, competitors, regulators and the market.
Threat type: The threat type defines the nature of the threat, that is, whether the threat is malicious, accidental, natural or intentional.
Event: The event is an essential part of a scenario; a scenario always has to contain an event. The event describes what happens, such as the disclosure of confidential information, the interruption of a system or project, or modification, theft, destruction, etc.
Asset: Assets are the economic resources owned by a business or company. Anything tangible or intangible that one possesses, usually considered as applicable to the payment of one's debts, is considered an asset. An asset can also be defined as a resource, process, product, computing infrastructure, and so forth that an organization has determined must be protected. Tangible asset: Tangible assets are those that have physical attributes and can be detected with the senses, e.g., people, infrastructure, and finances. Intangible asset: Intangible assets are those that have no physical attributes and cannot be detected with the senses, e.g., information, reputation and customer trust.
Timing dimension: The timing dimension is the application of the scenario to determine the time to respond to or recover from an event. It identifies whether the event occurs at a critical moment and what its duration is. It also specifies the time lag between the event and the consequence, that is, whether there is an immediate consequence (e.g., network failure, immediate downtime) or a delayed consequence (e.g., a wrong IT architecture with high costs accumulated over a long period of time).
QUESTION 12
Which of the following is NOT true for risk management capability maturity level 1?
A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
B. Decisions involving risk lack credible information
C. Risk appetite and tolerance are applied only during episodic risk assessments
D. Risk management skills exist on an ad hoc basis, but are not actively developed
Correct Answer: B
Section: Volume A
Explanation:
An enterprise at risk management capability maturity level 0 makes decisions without having much credible information about risk. At level 1, the enterprise makes decisions on the basis of credible risk information.
Incorrect Answers:
A, C, D: An enterprise's risk management capability maturity level is 1 when:
- There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
- Any risk identification criteria vary widely across the enterprise.
- Risk appetite and tolerance are applied only during episodic risk assessments.
- Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
- Risk management skills exist on an ad hoc basis, but are not actively developed.
- Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.
QUESTION 13
An enterprise has identified risk events in a project. While responding to these identified risk events, which of the following stakeholders is MOST important for reviewing risk response options to an IT risk?
A. Information security managers
B. Internal auditors
C. Incident response team members
D. Business managers
Correct Answer: D
Section: Volume A
Explanation:
Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others.
Incorrect Answers:
A: Information security managers may best understand the technical and tactical situation, but business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others, which includes collaboration with, and support from, IT security managers.
C: The incident response team must ensure open communication with management and stakeholders so that business managers understand the associated risk and are provided enough information to make informed risk-based decisions. They are not responsible for reviewing risk response options.
QUESTION 14
Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?
A. Sensitivity analysis
B. Scenario analysis
C. Fault tree analysis
D. Cause and effect analysis
Correct Answer: C
Section: Volume A
Explanation:
Fault tree analysis (FTA) is a technique that provides a systematic description of the combination of possible occurrences in a system which can result in an undesirable outcome. It combines hardware failures and human failures.
Incorrect Answers:
A: Sensitivity analysis is the quantitative risk analysis technique that:
- Assists in determining the risk factors that have the most potential impact
- Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values
B: Scenario analysis provides the ability to see a range of values across several scenarios to identify risk in a specific situation. It provides the ability to identify those inputs which carry the greatest level of uncertainty.
D: Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk.
QUESTION 15
You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?
A. Human resource needs
B. Quality control concerns
C. Costs
D. Risks
Correct Answer: D
Section: Volume A
Explanation:
Fast tracking allows entire phases of the project to overlap and generally increases risks within the project.
Fast tracking is a technique for compressing the project schedule. In fast tracking, phases that would normally be done in sequence are overlapped. It shortens the project schedule without reducing the project scope.
Incorrect Answers:
A: Human resources are not affected by fast tracking in most scenarios.
B: Quality control concerns usually are not affected by fast tracking decisions.
C: Costs do not generally increase based on fast tracking decisions.
QUESTION 16
David is the project manager of the HRC Project. He has identified a risk in the project which could cause a delay in the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not happen. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?
A. Avoidance
B. Mitigation
C. Acceptance
D. Transfer
Correct Answer: B
Section: Volume A
Explanation:
As David is taking some operational controls to reduce the likelihood and impact of the risk, he is adopting risk mitigation. Risk mitigation means that actions are taken to reduce the likelihood and/or impact of a risk.
Incorrect Answers:
A: Risk avoidance means that the activities or conditions that give rise to the risk are discontinued. Here, no such actions are taken, therefore the risk is not avoided.
C: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted in case it occurs. As David has taken some actions to defend against the risk, he is not accepting it.
D: David has not hired a vendor to manage the risk for his project; therefore he is not transferring the risk.
QUESTION 17
Which of the following is the MOST important objective of the information system control?
A. Business objectives are achieved and undesired risk events are detected and corrected
B. Ensuring effective and efficient operations
C. Developing business continuity and disaster recovery plans
D. Safeguarding assets
Correct Answer: A
Section: Volume A
Explanation:
The basic purpose of information system (IS) control in an organization is to ensure that the business objectives are achieved and undesired risk events are detected and corrected. Some of the IS control objectives are given below:
- Safeguarding assets
- Assuring integrity of sensitive and critical application system environments
- Assuring integrity of the general operating system
- Ensuring effective and efficient operations
- Fulfilling user requirements, organizational policies and procedures, and applicable laws and regulations
- Change management
- Developing business continuity and disaster recovery plans
- Developing incident response and handling plans
Hence the most important objective is to ensure that business objectives are achieved and undesired risk events are detected and corrected.
Incorrect Answers:
B, C, D: These are also objectives of information system control, but they are not the best answer.
QUESTION 18
Which of the following is true for Cost Performance Index (CPI)?
A. If the CPI > 1, it indicates better than expected performance of project
B. CPI = Earned Value (EV) * Actual Cost (AC)
C. It is used to measure performance of schedule
D. If the CPI = 1, it indicates poor performance of project
Correct Answer: A
Section: Volume A
Explanation:
The Cost Performance Index (CPI) is used to calculate the cost performance efficiency of a project. It is used in trend analysis to predict future performance. CPI is the ratio of earned value to actual cost.
If the CPI value is greater than 1, it indicates better than expected performance, whereas if the value is less than 1, it shows poor performance.
Incorrect Answers:
B: CPI is the ratio of earned value to actual cost, i.e., CPI = Earned Value (EV) / Actual Cost (AC).
C: The Cost Performance Index (CPI) is used to calculate the cost performance efficiency of a project, not its schedule performance.
D: A CPI value of 1 indicates that the project is right on target.
QUESTION 19
Which of the following does NOT provide indirect information?
A. Information about the propriety of cutoff
B. Reports that show orders that were rejected for credit limitations.
C. Reports that provide information about any unusual deviations and individual product margins.
D. The lack of any significant differences between perpetual levels and actual levels of goods.
Correct Answer: A
Section: Volume A
Explanation:
Information about the propriety of cutoff is a kind of direct information.
Incorrect Answers:
B: Reports that show orders that were rejected for credit limitations provide indirect information that credit checking aspects of the system are working as intended.
C: Reports that provide information about any unusual deviations and individual product margins (whereby, the price of an item sold is compared to its standard cost) provide indirect information that controls over billing and pricing are operating.
D: The lack of any significant differences between perpetual levels and actual levels provides indirect information that billing controls are operating.
QUESTION 20
Which of the following is the first and MOST important step in the risk assessment process?
A. Identification of assets
B. Identification of threats
C. Identification of threat sources
D. Identification of vulnerabilities
Correct Answer: A
Section: Volume A
Explanation:
Asset identification is the most crucial and first step in the risk assessment process. Risk identification, assessment and evaluation (analysis) should always be clearly aligned to assets. Assets can be people, processes, infrastructure, information or applications.
QUESTION 21
Which of the following matrices is used to specify risk thresholds?
A. Risk indicator matrix
B. Impact matrix
C. Risk scenario matrix
D. Probability matrix
Correct Answer: A
Section: Volume A
Explanation:
Risk indicators are metrics used to indicate risk thresholds, i.e., they give an indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to provide tracking and reporting mechanisms that alert staff about potential risks.
Incorrect Answers:
B, D: Estimation of a risk's consequence and its priority for awareness is conducted using the probability and impact matrix. These matrices specify the combination of probability and impact that leads to rating the risks as low, moderate, or high priority.
C: A risk scenario is a description of an event that can have an impact on the business, when and if it occurs.
Some examples of risk scenarios are:
- Having a major hardware failure
- Failed disaster recovery planning (DRP)
- Major software failure
QUESTION 22
What are the two MAJOR factors to be considered while deciding risk appetite level? Each correct answer represents a part of the solution. Choose two.
A. The amount of loss the enterprise wants to accept
B. Alignment with risk-culture
C. Risk-aware decisions
D. The capacity of the enterprise's objective to absorb loss.
Correct Answer: AD
Section: Volume A
Explanation:
Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the responsibility of the board to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
- The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
- The culture towards risk taking (cautious or aggressive). In other words, the amount of loss the enterprise wants to accept in pursuit of its objectives.
Incorrect Answers:
B: Alignment with risk culture is also one of the factors, but it is not as important as these two.
C: Risk-aware decisions are not a factor, but the result that uses risk appetite information as its input.
QUESTION 23
You are the project manager of GHT project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk Indicators. What is the MOST important reason to maintain Key Risk Indicators?
A. Risk reports need to be timely
B. Complex metrics require fine-tuning
C. Threats and vulnerabilities change over time
D. They help to avoid risk
Correct Answer: C
Section: Volume A
Explanation:
Since the enterprise's internal and external environments are constantly changing, the risk environment is also highly dynamic, i.e., threats and vulnerabilities change over time. Hence KRIs need to be maintained to ensure that they continue to effectively capture these changes.
Incorrect Answers:
A: Timely risk reporting is one of the business requirements, but is not the reason behind KRI maintenance.
B: While most key risk indicator metrics need to be optimized in respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time.
D: Avoiding risk is a type of risk response. Risk responses are based on KRI reporting.
QUESTION 24
Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?
A. Delphi Techniques
B. Expert judgment
C. Brainstorming
D. Checklist analysis
Correct Answer: C
Section: Volume A
Explanation:
Mary is using brainstorming in this example. Brainstorming attempts to create a comprehensive list of risks and often is led by a moderator or facilitator to move the process along.
Brainstorming is a technique to gather general data. It can be used to identify risks, ideas, or solutions to issues by using a group of team members or subject-matter experts. Brainstorming is a group creativity technique that also provides other benefits, such as boosting morale, enhancing work enjoyment, and improving teamwork.
Incorrect Answers:
A: The Delphi technique uses rounds of anonymous surveys to generate a consensus on the identified risks.
B: Expert judgment is not the best answer here; project experts generally take part in risk identification in addition to the project team.
D: Checklist analysis uses historical information and information from similar projects within the organization's experience.
QUESTION 25
Where are all risks and risk responses documented as the project progresses?
A. Risk management plan
B. Project management plan
C. Risk response plan
D. Risk register
Correct Answer: D
Section: Volume A
Explanation:
All risks, their responses, and other characteristics are documented in the risk register. As the project progresses and the conditions of the risk events change, the risk register should be updated to reflect the risk conditions.
Incorrect Answers:
A: The risk management plan addresses the project management's approach to risk management, risk identification, analysis, response, and control.
B: The project management plan is the overarching plan for the project, not the specifics of the risk responses and risk identification.
C: The risk response plan only addresses the planned risk responses for the identified risk events in the risk register.
QUESTION 26
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Transference
B. Mitigation
C. Avoidance
D. Exploit
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
When you hire a third party to own a risk, the response is known as transference.
Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can take many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.
Incorrect Answers:
B: Spending money to reduce a risk's probability and impact is known as mitigation.
C: Introducing extra activities into the project so that the risk cannot occur is an example of avoidance.
D: Exploit is a strategy that may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
QUESTION 27
Which of the following events refer to loss of integrity?
Each correct answer represents a complete solution. Choose three.
A. Someone sees company's secret formula
B. Someone makes unauthorized changes to a Web site
C. An e-mail message is modified in transit
D. A virus infects a file
Correct Answer: BCD Section: Volume A Explanation
Explanation/Reference:
Explanation:
Loss of integrity refers to the following types of losses:
An e-mail message is modified in transit
A virus infects a file
Someone makes unauthorized changes to a Web site
Incorrect Answers:
A: Someone seeing the company's secret formula or a password is a loss of confidentiality.
QUESTION 28
Which of the following should be PRIMARILY considered while designing information systems controls?
A. The IT strategic plan
B. The existing IT environment
C. The organizational strategic plan
D. The present IT budget
Correct Answer: C Section: Volume A Explanation
Explanation/Reference:
Explanation:
Review of the enterprise's strategic plan is the first step in designing effective IS controls that would fit the enterprise's long-term plans.
Incorrect Answers:
A: The IT strategic plan exists to support the enterprise's strategic plan but is not the primary consideration when designing information systems controls.
B: Review of the existing IT environment is also useful and necessary but is not the first step that needs to be undertaken.
D: The present IT budget is just one of the components of the strategic plan.
QUESTION 29
You are the project manager of your enterprise. You have introduced an intrusion detection system for the control. You have identified a warning of violation of security policies of your enterprise. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
Because an IDS detects and warns when a violation of the enterprise's security policies occurs, it is a detective control.
Incorrect Answers:
B: Corrective controls attempt to reduce the impact of a threat from problems discovered by detective controls. An IDS only detects; it does not reduce the impact, so it is not a corrective control.
C: An IDS only detects a problem when it occurs, not before it occurs, so it is not a preventive control.
D: Recovery controls attempt to overcome the impact of an incident on the business, so an IDS is not a recovery control.
QUESTION 30
Which among the following acts as a trigger for risk response process?
A. Risk level increases above risk appetite
B. Risk level increases above risk tolerance
C. Risk level equals risk appetite
D. Risk level equals risk tolerance
Correct Answer: B Section: Volume A Explanation
Explanation/Reference:
Explanation:
The risk response process is triggered when a risk exceeds the enterprise's risk tolerance level. The acceptable variation relative to the achievement of an objective is termed risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives.
Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.
Incorrect Answers:
A, C: The risk appetite level is not what triggers the risk response process. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the board's responsibility to decide the risk appetite of an enterprise. When considering risk appetite levels for the enterprise, the following two major factors should be taken into account:
The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
The culture towards risk taking, cautious or aggressive; in other words, the amount of loss the enterprise is willing to accept in pursuit of its objectives.
D: The risk response process is triggered when the risk level exceeds the enterprise's risk tolerance level, not when it merely equals the risk tolerance level.
QUESTION 31
What is the value of exposure factor if the asset is lost completely?
A. 1
B. Infinity
C. 10
D. 0
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
Exposure factor represents the impact of the risk on the asset, expressed as the percentage of the asset's value that is lost. For example, if two thirds of the asset value is lost, the exposure factor is 0.66.
Therefore, when the asset is completely lost, the exposure factor is 1.0.
Incorrect Answers:
B, C, D: These are not the exposure factor values for a completely lost asset.
QUESTION 32
Which of the following statements are true for enterprise's risk management capability maturity level 3?
A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
Correct Answer: ABD Section: Volume A Explanation
Explanation/Reference:
Explanation:
An enterprise's risk management capability maturity level is 3 when:
Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized.
There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise.
The business knows how IT fits in the enterprise risk universe and the risk portfolio view.
Local tolerances drive the enterprise risk tolerance.
Risk management activities are being aligned across the enterprise.
Formal risk categories are identified and described in clear terms.
Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk.
Defined requirements exist for a centralized inventory of risk issues.
Workflow tools are used to accelerate risk issues and track decisions.
Incorrect Answers:
C: An enterprise at risk management capability maturity level 5 formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.
QUESTION 33
You are using an information system. You have chosen a poor password and sometimes transmit data over unprotected communication lines. What do the poor quality of the password and the unsafe transmission refer to?
A. Probabilities
B. Threats
C. Vulnerabilities
D. Impacts
Correct Answer: C Section: Volume A Explanation
Explanation/Reference:
Explanation:
Vulnerabilities are characteristics of information resources that may be exploited by a threat. The given scenario describes such characteristics, so it is a vulnerability.
Incorrect Answers:
A: Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability.
B: Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat.
D: Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.
QUESTION 34
You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re-architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?
A. Deferrals
B. Quick win
C. Business case to be made
D. Contagious risk
Correct Answer: C Section: Volume A Explanation
Explanation/Reference:
Explanation:
This case is categorized as "business case to be made" because the project cost is very large: the response to be implemented, re-architecting the existing system and purchasing a new integrated system, requires a very large investment.
Incorrect Answers:
A: Deferral applies to a costly risk response to a low risk, which is not the situation described here.
B: A quick win is a very effective and efficient response that addresses a medium to high risk but does not require a large investment.
D: Contagious risk is not a risk response prioritization option; it is a type of risk that affects several of the enterprise's business partners within a very short time frame.
QUESTION 35
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
A. Interview the firewall administrator.
B. Review the actual procedures.
C. Review the device's log file for recent attacks.
D. Review the parameter settings.
Correct Answer: D Section: Volume A Explanation
Explanation/Reference:
Explanation:
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide reliable audit evidence documentation.
Incorrect Answers:
A: While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
B: While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy.
C: While reviewing the device's log file for recent attacks may provide indirect evidence about the fact that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
QUESTION 36
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?
A. Project network diagrams
B. Cause-and-effect analysis
C. Decision tree analysis
D. Delphi Technique
Correct Answer: C Section: Volume A Explanation
Explanation/Reference:
Explanation:
Decision tree analysis is a risk analysis tool that can help the project manager determine the best risk response. The tool can be used to measure probability, impact, and risk exposure, and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced picture of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as a part of risk response planning.
B: Cause-and-effect analysis is used for exposing risk factors and is not effective for risk response planning.
This analysis uses predictive or diagnostic analytical tools to explore the root causes or factors that contribute to positive or negative effects or outcomes.
D: The Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. A group of experts independently rates the business risk of an organization; each expert analyzes and prioritizes the risks independently, and the results are combined into a consensus.
QUESTION 37
Which of the following is the priority of data owners when establishing risk mitigation method?
A. User entitlement changes
B. Platform security
C. Intrusion detection
D. Antivirus controls
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
Data owners are responsible for assigning user entitlement changes and approving access to the systems for which they are responsible.
Incorrect Answers:
B, C, D: Data owners are not responsible for intrusion detection, platform security or antivirus controls. These are the responsibilities of data custodians.
QUESTION 38
What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
A. Anti-harassment policy
B. Acceptable use policy
C. Intellectual property policy
D. Privacy policy
Correct Answer: B Section: Volume A Explanation
Explanation/Reference:
Explanation:
An acceptable use policy is a set of rules applied by the owner or manager of a network, website or large computer system that restricts the ways in which the network, site or system may be used. Acceptable use policies are an integral part of the framework of information security policies.
Incorrect Answers:
A, C: These two policies are not related to information systems security.
D: Privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client's data.
QUESTION 39
Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?
A. Mitigation
B. Avoidance
C. Transference
D. Enhancing
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to be within acceptable threshold limits. Taking early actions to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred.
Incorrect Answers:
B: Avoidance changes the project plan to avoid the risk altogether.
C: Transference requires shifting some or all of the negative impacts of a threat, along with the ownership of the response, to a third party. Transferring the risk simply gives another party the responsibility for its management; it does not eliminate the risk.
Transferring the liability for a risk is most effective in dealing with financial risk exposure. Risk transference nearly always involves payment of a risk premium to the party taking on the risk.
D: Enhancing is actually a positive risk response. This strategy is used to increase the probability and/or the positive impact of an opportunity. Identifying and maximizing the key drivers of these positive-impact risks may increase the probability of their occurrence.
QUESTION 40
Out of several risk responses, which of the following risk responses is used for negative risk events?
A. Share
B. Enhance
C. Exploit
D. Accept
Correct Answer: D Section: Volume A Explanation
Explanation/Reference:
Explanation:
Among the given choices, only the acceptance response is used for negative risk events. Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management, in coordination with the board. There are two alternatives within the acceptance strategy, passive and active.
Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept its consequences. Active acceptance is the second alternative and might include developing contingency plans and reserves to deal with the risk.
Incorrect Answers:
A, B, C: These all are used to deal with opportunities or positive risks, and not with negative risks.
QUESTION 41
Which of the following risks refers to the probability that an actual return on an investment will be lower than the investor's expectations?
A. Integrity risk
B. Project ownership risk
C. Relevance risk
D. Expense risk
Correct Answer: D Section: Volume A Explanation
Explanation/Reference:
Explanation:
The probability that an actual return on an investment will be lower than the investor's expectations is termed investment risk or expense risk. All investments carry some level of risk due to the unpredictability of the market's direction. This includes consideration of the overall IT investment portfolio.
Incorrect Answers:
A: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed integrity risk.
B: The risk of IT projects failing to meet objectives due to lack of accountability and commitment is termed project ownership risk.
C: The risk associated with not delivering the right information to the right people (or process or systems) at the right time to allow the right action to be taken is termed relevance risk.
QUESTION 42
What are the PRIMARY requirements for developing risk scenarios? Each correct answer represents a part of the solution. Choose two.
A. Potential threats and vulnerabilities that could lead to loss events
B. Determination of the value of an asset at risk
C. Determination of actors that have the potential to generate risk
D. Determination of threat type
Correct Answer: AB Section: Volume A Explanation
Explanation/Reference:
Explanation:
Creating a scenario requires determination of the value of an asset or a business process at risk and the potential threats and vulnerabilities that could cause loss. The risk scenario should be assessed for relevance and realism, and then entered into the risk register if found to be relevant.
In practice, the following steps are involved in risk scenario development:
First determine a manageable set of scenarios, which include:
Frequently occurring scenarios in the industry or product area.
Scenarios representing threat sources that are increasing in count or severity level.
Scenarios involving legal and regulatory requirements applicable to the business.
After determining the manageable risk scenarios, perform a validation against the business objectives of the entity.
Based on this validation, refine the selected scenarios and then detail them to a level in line with the criticality of the entity.
Reduce the number of scenarios to a manageable set. "Manageable" does not signify a fixed number, but should be in line with the overall importance and criticality of the unit.
Keep risk factors in a register so that they can be reevaluated in the next iteration and included for detailed analysis if they have become relevant at that time.
Include an unspecified event in the scenarios, that is, address an incident not covered by the other scenarios.
Incorrect Answers:
C, D: Determination of actors and threat type are not the primary requirements for developing risk scenarios, but are the components that are determined during risk scenario development.
QUESTION 43
You are working with a vendor on your project. A stakeholder has requested a change for the project, which will add value to the project deliverables. The vendor that you're working with on the project will be affected by the change. What system can help you introduce and execute the stakeholder change request with the vendor?
A. Contract change control system
B. Scope change control system
C. Cost change control system
D. Schedule change control system
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
The contract change control system is part of the project's change control system. It addresses changes with the vendor that may affect the project contract. Change control system, a part of the configuration management system, is a collection of formal documented procedures that define how project deliverables and documentation will be controlled, changed, and approved.
Incorrect Answers:
B: The scope may change because of the stakeholder change request, but the question concerns the vendor's relationship to the project, so this choice is not the best answer.
C: The cost change control system manages changes to costs in the project.
D: There is no indication that the change could affect the project schedule.
QUESTION 44
You are the project manager of GHT project. You are performing a cost and benefit analysis of a control. You find that the costs of the specific control exceed the benefits of mitigating the given risk. Which is the BEST action to choose in this scenario?
A. The enterprise may apply the appropriate control anyway.
B. The enterprise should adopt a corrective control.
C. The enterprise may choose to accept the risk rather than incur the cost of mitigation.
D. The enterprise should exploit the risk.
Correct Answer: C Section: Volume A Explanation
Explanation/Reference:
Explanation:
If the costs of specific controls or countermeasures (control overhead) exceed the benefits of mitigating a given risk, the enterprise may choose to accept the risk rather than incur the cost of mitigation. This is done according to the principle of proportionality described in:
Generally accepted security systems principles (GASSP)
Generally accepted information security principles (GAISP)
Incorrect Answers:
A: When the cost of a specific control exceeds the benefits of mitigating a given risk, the control is not applied; instead the risk is accepted.
B: Because the cost of the control exceeds the benefits of mitigating the given risk, no control should be applied. A corrective control is a type of control and therefore should not be adopted.
D: A risk is exploited when it is an opportunity, i.e., a positive risk. Here the risk is negative, since it needs mitigation, so exploitation does not apply.
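As an added worked example (not part of the original question set), the following Python puts numbers to the reasoning behind QUESTION 31, QUESTION 39 and QUESTION 44: the exposure factor as the fraction of asset value lost, the expected loss of a risk event as probability times impact, and the proportionality rule that a response is worth paying for only when the expected-loss reduction it buys exceeds its cost. Wendy's figures from QUESTION 39 are the first scenario; the $90,000 asset value and the $60,000 response cost in the second scenario are constructed for illustration.

```python
from dataclasses import dataclass


def exposure_factor(asset_value: float, value_lost: float) -> float:
    """Exposure factor (EF): the fraction of an asset's value lost if the risk occurs.

    0.0 means no loss and 1.0 means the asset is lost completely (QUESTION 31).
    """
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    if not 0 <= value_lost <= asset_value:
        raise ValueError("value lost must lie between 0 and the asset value")
    return value_lost / asset_value


@dataclass(frozen=True)
class RiskEvent:
    """A negative risk event described, as in QUESTION 39, by its chance and its impact."""
    probability: float  # chance the event happens, 0.0 to 1.0
    impact: float       # loss in dollars if it does happen

    def expected_loss(self) -> float:
        """Expected loss = probability x impact, the quantitative weight of the event."""
        return self.probability * self.impact


def mitigation_net_benefit(before: RiskEvent, after: RiskEvent, response_cost: float) -> float:
    """Expected-loss reduction bought by a response, minus what the response costs.

    'before' is the risk as identified; 'after' is the same risk once the response is in place.
    """
    return before.expected_loss() - after.expected_loss() - response_cost


def choose_response(before: RiskEvent, after: RiskEvent, response_cost: float) -> str:
    """Proportionality rule from QUESTION 44: if the control costs more than the
    risk reduction it delivers, accept the risk instead of paying for mitigation."""
    return "mitigate" if mitigation_net_benefit(before, after, response_cost) > 0 else "accept"


if __name__ == "__main__":
    # Constructed asset figures: a $90,000 asset of which $30,000, then all of it, is lost.
    print(f"EF, one third lost: {exposure_factor(90_000, 30_000):.2f}")
    print(f"EF, asset lost completely: {exposure_factor(90_000, 90_000):.2f}")

    # Wendy's scenario (QUESTION 39): $75,000 impact at 60% becomes $15,000 at 10% for $25,000.
    wendy_before = RiskEvent(probability=0.60, impact=75_000)
    wendy_after = RiskEvent(probability=0.10, impact=15_000)
    print(f"Expected loss before: ${wendy_before.expected_loss():,.0f}")
    print(f"Expected loss after:  ${wendy_after.expected_loss():,.0f}")
    net = mitigation_net_benefit(wendy_before, wendy_after, 25_000)
    print(f"Net benefit of the $25,000 response: ${net:,.0f}")
    print(f"Decision: {choose_response(wendy_before, wendy_after, 25_000)}")

    # Constructed variation: the same reduction offered for $60,000 costs more than it saves,
    # which is the QUESTION 44 situation where accepting the risk is the proportionate choice.
    print(f"Decision at $60,000: {choose_response(wendy_before, wendy_after, 60_000)}")
```

With Wendy's numbers the expected loss drops from $45,000 to $1,500, so the $25,000 response nets $18,500 and mitigation is the proportionate choice; the same reduction at a $60,000 price tag would cost $16,500 more than it saves, and the rule returns acceptance.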
QUESTION 45
Mortality tables are based on what mathematical activity?
Each correct answer represents a complete solution. Choose three.
A. Normal distributions
B. Probabilities
C. Impact
D. Sampling
Correct Answer: ABD Section: Volume A Explanation
Explanation/Reference:
Explanation:
Probability identifies the chances that a particular event will happen under certain circumstances.
The variables used are based on information gathered in real life. For situations involving large numbers, a smaller set of participants is identified to represent the larger population. This represents a sample of the population. The points are then mapped to identify their distribution.
Normal distribution refers to the theoretical plotting of points against the mathematical mean. The result of these activities provides a reasonable predictability for the mortality of the subject.
Incorrect Answers:
C: Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Hence it is not mathematical.
QUESTION 46
The Identify Risks process determines the risks that affect the project and documents their characteristics. Why should the project team members be involved in the Identify Risks process?
A. They are the individuals that will most likely cause and respond to the risk events.
B. They are the individuals that will have the best responses for identified risk events within the project.
C. They are the individuals that are most affected by the risk events.
D. They are the individuals that will need a sense of ownership and responsibility for the risk events.
Correct Answer: D Section: Volume A Explanation
Explanation/Reference:
Explanation:
The project team members should be involved in the risk identification so that they will develop a sense of ownership and responsibility for the risk events and the associated risk responses.
Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. Because new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and the associated risk response actions. The risk register is the only output of this process.
Incorrect Answers:
A, B, C: These are not the valid answers for this question.
Certified in Risk and Information Systems Control CRISC Questions + Answers Part 1