Certified in Risk and Information Systems Control CRISC Questions + Answers Part 3

Post by answerhappygod

QUESTION 87
Suppose you are working at Techmart Inc., which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. In which category would you put the risk concerning the modification of the website by unauthorized parties?
A. Ping flooding attack
B. Web defacing
C. Denial of service attack
D. FTP bounce attack
Correct Answer: B (Section: Volume B)
Explanation:
Website defacing is an attack on a website by an unauthorized party that changes the visual appearance of the site or a web page. These are typically the work of system crackers who break into a web server and replace the hosted website with one of their own.
Incorrect Answers:
A: Ping flooding is the extreme of sending thousands or millions of pings per second. A ping flooding attack can make a system slow or even shut down an entire site.
C: A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
D: The FTP bounce attack is an attack that slips past application-based firewalls. In it, the hacker uploads a file to the FTP server and then requests that this file be sent to an internal server. This file may contain malicious software or a simple script that occupies the internal server and uses up all of its memory and CPU resources.
QUESTION 88
Which of the following is true for risk evaluation?
A. Risk evaluation is done only when there is significant change.
B. Risk evaluation is done once a year for every business process.
C. Risk evaluation is done annually or when there is significant change.
D. Risk evaluation is done every four to six months for critical business processes.
Correct Answer: C (Section: Volume B)
Explanation:
Because risk is constantly changing, it is evaluated annually or when there is significant change. This is the best alternative, as it takes into consideration a reasonable time frame of one year while also addressing significant changes (if any).
Incorrect Answers:
A: Evaluating risk only when there are significant changes does not take into consideration the effect of time. As risk changes constantly, small changes occur over time that affect the overall risk. Hence risk evaluation should also be done annually.
B: Evaluating risk once a year is not sufficient when a significant change takes place. This significant change should be taken into account, as it affects the overall risk.
D: Risk evaluation need not be done every four to six months for critical processes, as this does not address important changes in a timely manner.
QUESTION 89
You are completing the qualitative risk analysis process with your project team and are relying on the risk management plan to help you determine the budget, the schedule for risk management, and the risk categories. You discover that the risk categories have not been created. When should the risk categories have been created?
A. Define scope process
B. Risk identification process
C. Plan risk management process
D. Create work breakdown structure process
Correct Answer: C (Section: Volume B)
Explanation:
The plan risk management process is when the risk categories were to be defined. If they were not defined, as in this scenario, it is acceptable to define the categories as part of the qualitative risk analysis process.
Plan risk management is the process of defining how to conduct the risk management activities. Planning is essential for providing sufficient resources and time for risk management activities, and for establishing an agreed-upon basis for evaluating risks. This process should start as soon as the project is conceived and should be completed early during project planning.
Incorrect Answers:
A: Risk categories are not defined through the define scope process.
B: Risk categories are not defined through the risk identification process.
D: Risk categories are not defined through the create work breakdown structure process.
QUESTION 90
You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with it. Where should the declined change request be documented and stored?
A. Change request log
B. Project archives
C. Lessons learned
D. Project document updates
Correct Answer: A (Section: Volume B)
Explanation:
The change request log records the status of all change requests, approved or declined.
The change request log is used as an account of change requests and as a means of tracking their disposition on a current basis. The change request log builds a measure of consistency into the change management process. It encourages common inputs into the process and a common estimation approach for all change requests. As the log is an important component of the project requirements, it should be readily available to the project team members responsible for project delivery. It should be maintained in a file with read-only access for those who are not responsible for approving or disapproving project change requests.
Incorrect Answers:
B: The project archive includes all project documentation and is created through the close project or phase process. It is not the best choice for this question.
C: Lessons learned are not the correct place to document the status of a declined, or approved, change request.
D: Project document updates are not the best choice for this question. A declined change can be placed in the project documents, but declined changes are recorded in the change request log.
QUESTION 91
Using which of the following can one produce a comprehensive result while performing qualitative risk analysis?
A. Scenarios with threats and impacts
B. Cost-benefit analysis
C. Value of information assets
D. Vulnerability assessment
Correct Answer: A (Section: Volume B)
Explanation:
Using a list of possible scenarios with threats and impacts will better frame the range of risk and hence can produce a more informative result from the qualitative analysis.
Incorrect Answers:
B: Cost-benefit analysis is used for taking financial decisions, formal or informal, such as the appraisal of a project or proposal. The approach weighs the total cost against the benefits expected, and then identifies the most profitable option. It only decides what type of control should be applied for effective risk management.
C, D: These are not sufficient for producing a detailed result.
QUESTION 92
Which of the following is the BEST method for discovering high-impact risk types?
A. Qualitative risk analysis
B. Delphi technique
C. Failure modes and effects analysis
D. Quantitative risk analysis
Correct Answer: C (Section: Volume B)
Explanation:
Failure modes and effects analysis is used in discovering high-impact risk types. FMEA is one of the tools used within the Six Sigma methodology to design and implement a robust process, and it:
- Identifies failure modes
- Establishes a risk priority so that corrective actions can be put in place to address and reduce the risk
- Helps in identifying and documenting where in the process the source of the failure impacts the (internal or external) customer
- Is used to determine failure modes and assess the risk posed by the process and thus to the enterprise as a whole
Incorrect Answers:
A, D: These two are methods of analyzing risk, but not specifically for high-impact risk types. Hence they are not the best answer.
B: Delphi is a technique to identify potential risk. In this technique, the responses are gathered via a questionnaire, and the inputs are organized according to their contents. The collected responses are sent back to the experts for further input, additions, and comments. The final list of risks in the project is prepared after that. The participants in this technique are anonymous, which helps prevent a person from unduly influencing the others in the group. The Delphi technique helps in reaching consensus quickly.
QUESTION 93
Which of the following is the MOST appropriate method to evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives?
A. Communication with business process stakeholders
B. Compliance-oriented business impact analysis
C. Compliance-oriented gap analysis
D. Mapping of compliance requirements to policies and procedures
Correct Answer: B (Section: Volume B)
Explanation:
A compliance-oriented BIA will identify all the compliance requirements with which the enterprise has to align and their impacts on business objectives and activities. It is a discovery process meant to uncover the inner workings of any process. Hence it will also evaluate the potential impact of legal, regulatory, and contractual requirements on business objectives.
Incorrect Answers:
A: Communication with business process stakeholders is done to identify the business objectives, but it does not help in identifying impacts.
C: Compliance-oriented gap analysis will only identify the gaps in compliance to current requirements and will not identify impacts to business objectives.
D: Mapping of compliance requirements to policies and procedures will identify only the way the compliance is achieved but not the business impact.
QUESTION 94
Wendy is about to perform qualitative risk analysis on the identified risks within her project. Which one of the following will NOT help Wendy to perform this project management activity?
A. Risk management plan
B. Project scope statement
C. Risk register
D. Stakeholder register
Correct Answer: D (Section: Volume B)
Explanation:
The stakeholder register is not an input to the qualitative risk analysis process. The four inputs are the risk register, risk management plan, project scope statement, and organizational process assets.
Incorrect Answers:
A: The risk management plan is an input to the qualitative risk analysis process.
B: The project scope statement is needed to help with qualitative risk analysis.
C: The risk register can help Wendy to perform qualitative risk analysis.
QUESTION 95
There are four inputs to the Monitoring and Controlling Project Risks process. Which one of the following will NOT help you, the project manager, to prepare for risk monitoring and controlling?
A. Risk register
B. Work performance information
C. Project management plan
D. Change requests
Correct Answer: D (Section: Volume B)
Explanation:
Change requests are not one of the four inputs to the risk monitoring and controlling process. The four inputs are the risk register, the project management plan, work performance information, and performance reports.
Incorrect Answers:
A, B, C: These are valid inputs to the risk monitoring and controlling process.
QUESTION 96
You are the project manager of the GHT project. You have implemented an automated tool to analyze and report on access control logs based on severity. This tool generates an excessively large amount of results. You perform a risk assessment and decide to configure the monitoring tool to report only when alerts are marked "critical". What should you do in order to accomplish that?
A. Apply risk response
B. Optimize key risk indicator
C. Update risk register
D. Perform quantitative risk analysis
Correct Answer: B (Section: Volume B)
Explanation:
As the sensitivity of the monitoring tool has to be changed, this requires optimization of a key risk indicator. The monitoring tool that is raising the alerts is itself acting as a risk indicator. Hence changing the sensitivity of the monitoring tool so that it alerts only on critical situations requires optimization of the KRI.
Incorrect Answers:
A, C, D: These options are not relevant to changing the sensitivity of the monitoring tool.
QUESTION 97
One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?
A. Acceptance
B. Transference
C. Enhance
D. Mitigation
Correct Answer: A (Section: Volume B)
Explanation:
Force majeure describes acts of God (natural disasters), such as tornadoes and fires, which are usually accepted because there is little that can be done to mitigate these risks.
Incorrect Answers:
B: Transference transfers the risk ownership to a third party, usually for a fee.
C: Enhance is used for a positive risk event, not for force majeure.
D: Mitigation isn't the best choice, as this lowers the probability and/or impact of the risk event.
QUESTION 98
You are the project manager for BlueWell Inc. You have noticed that the risk level in your project has risen above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance with the risk response process. All of the following are included in the risk register except for which item?
A. Risk triggers
B. Agreed-upon response strategies
C. Network diagram analysis of critical path activities
D. Risk owners and their responsibility
Correct Answer: C (Section: Volume B)
Explanation:
The risk register does not examine the network diagram and the critical path. There may be risks associated with the activities on the network diagram, but the register does not address the network diagram directly.
The risk register is updated at the end of the plan risk responses process with the information that was discovered during the process. The response plans are recorded in the risk register. In the risk register, risks are stated in order of priority, i.e., those with the highest potential for threat or opportunity first. Some risks might not require response plans at all, but even then they should be put on a watch list and monitored throughout the project. The following elements should appear in the risk register:
- List of identified risks, including their descriptions, root causes, and how the risks impact the project objectives
- Risk owners and their responsibility
- Outputs from the perform qualitative analysis process
- Agreed-upon response strategies
- Risk triggers
- Cost and schedule activities needed to implement risk responses
- Contingency plans
- Fallback plans, which are risk response plans that are executed when the initial risk response plan proves to be ineffective
- Contingency reserves
- Residual risk, which is the leftover risk that remains after the risk response strategy has been implemented
- Secondary risks, which are risks that come about as a result of implementing a risk response
QUESTION 99
Ben is the project manager of the CMH Project for his organization. He has identified a risk that has a low probability of happening, but the impact of the risk event could save the project and the organization a significant amount of capital. Ben assigns Laura to the risk event and instructs her to research the time, cost, and method to improve the probability of the positive risk event. Ben then communicates the risk event and response to management. What risk response has been used here?
A. Transference
B. Enhance
C. Exploit
D. Sharing
Correct Answer: B (Section: Volume B)
Explanation:
Enhance is a risk response to improve the conditions to ensure the risk event occurs. Risk enhancement raises the probability of an opportunity taking place by focusing on the trigger conditions of the opportunity and optimizing the chances. Identifying and maximizing the input drivers of these positive-impact risks may raise the probability of their occurrence.
Incorrect Answers:
A: Transference is a strategy to mitigate negative risks or threats. In this strategy, the consequences and the ownership of a risk are transferred to a third party. This strategy does not eliminate the risk but transfers the responsibility of managing the risk to another party. Insurance is an example of transference.
C: Exploit is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response.
D: Sharing happens through partnerships, joint ventures, and teaming agreements. A sharing response is where two or more entities share a positive risk. Teaming agreements are a good example of sharing the reward that comes from the risk of the opportunity.
QUESTION 100
Which of the following actions assures management that the organization's objectives are protected from the occurrence of risk events?
A. Internal control
B. Risk management
C. Hedging
D. Risk assessment
Correct Answer: A (Section: Volume B)
Explanation:
Internal controls are the actions taken by the organization to help assure management that the organization's objectives are protected from the occurrence of risk events. Internal control objectives are applicable to all manual or automated areas. Internal control objectives include:
- Internal accounting controls: they control accounting operations, including safeguarding assets and financial records.
- Operational controls: they focus on day-to-day operations, functions, and activities. They ensure that all the organization's objectives are being accomplished.
- Administrative controls: they focus on operational efficiency in a functional area and adherence to management policies.
Incorrect Answers:
B: Risk management is the identification, assessment, and prioritization of risks followed by the coordinated and economical application of resources. It is done to minimize, monitor, and control the probability and impact of unfortunate events or to maximize the realization of opportunities.
C: Hedging is the process of managing the risk of price changes in physical material by offsetting that risk in the futures market. In other words, it is the avoidance of risk. So it only avoids risk but cannot assure protection against risk.
D: Risk assessment is the process of analyzing the identified risk, both quantitatively and qualitatively. Quantitative risk assessment requires calculation of two components of risk: the magnitude of the potential loss, and the probability that the loss will occur. Qualitative risk assessment checks the severity of risk. The assessment attempts to determine the likelihood of the risk being realized and the impact of the risk on the operation. This provides several conclusions:
- Probability: establishing the likelihood of occurrence and reoccurrence of specific risks, independently and combined.
- Interdependencies: the relationship between different types of risk. For instance, one risk may have greater potential of occurring if another risk has occurred, or the probability or impact of a situation may increase with combined risk.
QUESTION 101
You are the project manager of the HGT project. You are in the first phase of the risk response process and are doing the following tasks:
- Communicating risk analysis results
- Reporting risk management activities and the state of compliance
- Interpreting independent risk assessment findings
- Identifying business opportunities
Which of the following processes are you performing?
A. Articulating risk
B. Mitigating risk
C. Tracking risk
D. Reporting risk
Correct Answer: A (Section: Volume B)
Explanation:
Articulating risk is the first phase in the risk response process; it ensures that information on the true state of exposures and opportunities is made available in a timely manner and to the right people for appropriate response. The following tasks are involved in articulating risk:
- Communicate risk analysis results.
- Report risk management activities and the state of compliance.
- Interpret independent risk assessment findings.
- Identify business opportunities.
Incorrect Answers:
B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. This comes under the risk response process and is a later stage after articulating risk.
C: Tracking risk is the process of tracking the ongoing status of risk mitigation processes. This tracking ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule.
D: This is not related to the risk response process. It is a type of risk: reporting risks are risks caused by wrong reporting, which leads to bad decisions.
QUESTION 102
Which of the following BEST measures the operational effectiveness of risk management capabilities?
A. Capability maturity models (CMMs)
B. Metric thresholds
C. Key risk indicators (KRIs)
D. Key performance indicators (KPIs)
Correct Answer: D (Section: Volume B)
Explanation:
Key performance indicators (KPIs) provide insights into the operational effectiveness of the concept or capability that they monitor. Key performance indicators are a set of measures that a company or industry uses to measure and/or compare performance in terms of meeting its strategic and operational goals. KPIs vary from company to company, depending on their priorities or performance criteria.
A company must establish its strategic and operational goals and then choose the KPIs that best reflect those goals. For example, if a software company's goal is to have the fastest growth in its industry, its main performance indicator may be the measure of its annual revenue growth.
Incorrect Answers:
A: Capability maturity models (CMMs) assess the maturity of a concept or capability and do not provide insights into operational effectiveness.
B: Metric thresholds are decision or action points that are enacted when a KPI or KRI reports a specific value or set of values. They do not provide any insight into operational effectiveness.
C: Key risk indicators (KRIs) only provide insights into potential risks that may exist or be realized within a concept or capability that they monitor. Key risk indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help in avoiding the excessively large number of risk indicators to manage and report that a large enterprise may otherwise have.
QUESTION 103
Your project change control board has approved several scope changes that will drastically alter your project plan. You and the project team set about updating the project scope, the WBS, the WBS dictionary, the activity list, and the project network diagram. There are also some changes caused to the project risks, communication, and vendors. What also should the project manager update based on these scope changes?
A. Stakeholder identification
B. Vendor selection process
C. Quality baseline
D. Process improvement plan
Correct Answer: C (Section: Volume B)
Explanation:
When changes enter the project scope, the quality baseline is also updated. The quality baseline records the quality objectives of the project and is based on the project requirements.
Incorrect Answers:
A: The stakeholder identification process will not change because of scope additions. The number of stakeholders may change but how they are identified will not be affected by the scope addition.
B: The vendor selection process likely will not change because of added scope changes. The vendors in the project may, but the selection process will not.
D: The process improvement plan aims to improve the project's processes regardless of scope changes.
QUESTION 104
You are the risk control professional of your enterprise. You have implemented a tool that correlates information from multiple sources. On which of the following does this monitoring tool focus?
A. Transaction data
B. Process integrity
C. Configuration settings
D. System changes
Correct Answer: A (Section: Volume B)
Explanation:
Monitoring tools that focus on transaction data generally correlate information from one system with another, such as employee data from the human resources (HR) system with spending information from the expense system or the payroll system.
Incorrect Answers:
B: Process integrity is confirmed within the system; it does not need monitoring.
C: Configuration settings are generally compared against predefined values and are not based on correlation between multiple sources.
D: System changes are compared from a previous state to the current state; this does not correlate information from multiple sources.
QUESTION 105
Which of the following are the security plans adopted by the organization? Each correct answer represents a complete solution. (Choose three.)
A. Business continuity plan
B. Backup plan
C. Disaster recovery plan
D. Project management plan
Correct Answer: ABC (Section: Volume B)
Explanation:
Organizations create different security plans to address different scenarios. Many of the security plans are common to most organizations.
The most used security plans found in many organizations are:
- Business continuity plan
- Disaster recovery plan
- Backup plan
- Incident response plan
Incorrect Answers:
D: A project management plan is not a security plan but a plan that describes the implementation of the project.
QUESTION 106
Thomas is a key stakeholder in your project. Thomas has requested several changes to the project scope for the project you are managing.
Upon review of the proposed changes, you have discovered that these new requirements are laden with risks and you recommend to the change control board that the changes be excluded from the project scope. The change control board agrees with you. What component of the change control system communicates the approval or denial of a proposed change request?
A. Configuration management system
B. Integrated change control
C. Change log
D. Scope change control system
Correct Answer: B (Section: Volume B)
Explanation:
Integrated change control is responsible for facilitating, documenting, and disseminating information on a proposed change to the project scope.
Integrated change control is a way to manage the changes incurred during a project. It is a method that manages the review of suggested changes and uses tools and techniques to evaluate whether a change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the effect of a proposed change on the entire project.
Incorrect Answers:
A: The configuration management system controls and documents changes to the project's product.
C: The change log documents approved changes in the project scope.
D: The scope change control system controls changes that are permitted to the project scope.
QUESTION 107
Which of the following processes ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule?
A. Risk management
B. Risk response integration
C. Risk response implementation
D. Risk response tracking
Correct Answer: D (Section: Volume B)
Explanation:
Risk response tracking tracks the ongoing status of risk mitigation processes as part of the risk response process. This tracking ensures that the risk response strategy remains active and that proposed controls are implemented according to schedule. When an enterprise is conscious of a risk but does not have an appropriate risk response strategy, this increases the organization's exposure to adverse publicity or even civil or criminal penalties.
Incorrect Answers:
A: Risk management provides an approach for individuals and groups to make a decision on how to deal with potentially harmful situations.
B: Integrating risk response options to address more than one risk together helps in achieving greater efficiency. The use of techniques that are versatile and enterprise-wide, rather than individual solutions, provides better justification for risk response strategies and related costs.
C: Implementation of risk responses ensures that the risks analyzed in the risk analysis process are lowered to a level that the enterprise can accept, by applying appropriate controls.
QUESTION 108
Which of the following individuals is responsible for identifying process requirements, approving process design and managing process performance?
A. Business process owner
B. Risk owner
C. Chief financial officer
D. Chief information officer
Correct Answer: A (Section: Volume B)
Explanation:
Business process owners are the individuals responsible for identifying process requirements, approving process design and managing process performance. In general, a business process owner must be at an appropriately high level in the enterprise and have the authority to commit resources to process-specific risk management activities.
Incorrect Answers:
B: The risk owner for each risk should be the person who has the most influence over its outcome. Selecting the risk owner thus usually involves considering the source of the risk and identifying the person who is best placed to understand and implement what needs to be done.
C: The chief financial officer is the most senior official of the enterprise who is accountable for financial planning, record keeping, investor relations and financial risks.
D: The chief information officer is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources.
QUESTION 109
Which of the following should be considered to ensure that risk responses that are adopted are cost-effective and are aligned with business objectives? Each correct answer represents a part of the solution. Choose three.
A. Identify the risk in business terms
B. Recognize the business risk appetite
C. Adopt only pre-defined risk responses of the business
D. Follow an integrated approach in business
Correct Answer: ABD (Section: Volume B)
Explanation:
Risk responses require a formal approach to issues, opportunities and events to ensure that solutions are cost-effective and are aligned with business objectives. The following should be considered:
- While preparing the risk response, identify the risk in business terms, such as loss of productivity, disclosure of confidential information, lost opportunity costs, etc.
- Recognize the business risk appetite.
- Follow an integrated approach in business.
Risk responses requiring an investment should be supported by a carefully planned business case that justifies the expenditure, outlines alternatives and describes the justification for the alternative selected.
Incorrect Answers:
C: There is no such requirement to follow pre-defined risk responses. If some new risk responses are discovered during the risk management of a particular project, they should be noted in the lessons learned document so that a project manager working on another project could also utilize them.
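The transaction-data monitoring described in Question 104 (correlating HR system data with expense-system data) and the KRI sensitivity point of Question 96, as an added example that is not part of the original post or of any CRISC material. The employee and expense-claim schemas, the field names, the three cross-system checks and all records are constructed for illustration; a real control would read both extracts from the respective systems.

```python
"""Transaction-data monitoring: correlate records from two systems (HR and expenses).

Added example, not part of the original post. The schemas, field names,
checks and records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    manager_id: Optional[str]          # None for the top of the reporting line
    termination_date: Optional[date]   # None while still employed


@dataclass(frozen=True)
class ExpenseClaim:
    claim_id: str
    emp_id: str
    approver_id: str
    claim_date: date
    amount: float


# Constructed HR extract (assumed schema).
HR_RECORDS = [
    Employee("E100", "Alice", "E001", None),
    Employee("E101", "Bob", "E001", date(2024, 3, 31)),   # terminated end of March
    Employee("E001", "Carol", None, None),                # the manager
]

# Constructed expense-system extract (assumed schema).
EXPENSE_RECORDS = [
    ExpenseClaim("C1", "E100", "E001", date(2024, 4, 2), 120.00),   # normal claim
    ExpenseClaim("C2", "E101", "E001", date(2024, 4, 15), 480.00),  # after termination
    ExpenseClaim("C3", "E999", "E001", date(2024, 4, 20), 75.00),   # unknown employee
    ExpenseClaim("C4", "E100", "E100", date(2024, 4, 22), 300.00),  # self-approved
]


def correlate_expenses(hr_records, expense_records):
    """Return (claim_id, finding) pairs for claims that fail a cross-system check.

    Every check needs data from both systems, which is what distinguishes
    transaction-data monitoring from comparing one system against a fixed
    baseline (configuration settings) or against its own previous state
    (system changes).
    """
    by_id = {e.emp_id: e for e in hr_records}
    findings = []
    for c in expense_records:
        emp = by_id.get(c.emp_id)
        if emp is None:
            # Expense system knows an identity that HR does not: ghost employee or stale account.
            findings.append((c.claim_id, "claimant not present in HR system"))
            continue
        if emp.termination_date is not None and c.claim_date > emp.termination_date:
            findings.append((c.claim_id, "claim dated after termination"))
        if c.approver_id == c.emp_id:
            findings.append((c.claim_id, "claim approved by claimant"))
        elif c.approver_id != emp.manager_id:
            findings.append((c.claim_id, "approver is not the claimant's manager of record"))
    return findings


def summarize(findings):
    """Count findings per claim: the raw figure a KRI such as 'expense claims
    failing HR correlation per month' would be built from, and the number a
    threshold (only report when it exceeds N) would be applied to."""
    counts = {}
    for claim_id, _ in findings:
        counts[claim_id] = counts.get(claim_id, 0) + 1
    return counts


if __name__ == "__main__":
    for claim_id, finding in correlate_expenses(HR_RECORDS, EXPENSE_RECORDS):
        print(f"{claim_id}: {finding}")
```

On the constructed data the control flags C2 (claim after termination), C3 (claimant unknown to HR) and C4 (self-approval) and leaves C1 alone. Tuning the KRI as in Question 96 would mean adding a severity to each finding and a threshold in `summarize`, not changing the correlation itself.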