
Certified in Risk and Information Systems Control CRISC Questions + Answers Part 4

Posted: Thu Mar 03, 2022 7:45 am
by answerhappygod
QUESTION 112
You are the project manager of the GHT project. During the data extraction process, you evaluated the total number of transactions per year by multiplying the monthly average by twelve. This process of evaluating the total number of transactions is known as which of the following?
A. Duplicates test
B. Controls total
C. Simplistic and ineffective
D. Reasonableness test
Correct Answer: D
Section: Volume B
Explanation/Reference:
Explanation:
Reasonableness tests make certain assumptions about the information as the basis for more elaborate data validation tests.
Incorrect Answers:
A: The duplicate test does not identify duplicate transactions; rather it identifies and confirms the validity of duplicates.
B: The control total test does not ensure that all transactions have been extracted, but only ensures that the data are complete.
C: As compared to simplistic, the reasonableness test is a valid foundation for more elaborate data validation tests.
QUESTION 113
Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?
A. Include the change in the project scope immediately.
B. Direct your project team to include the change if they have time.
C. Do not implement the verbal change request.
D. Report Jane to your project sponsor and then include the change.
Correct Answer: C
Section: Volume B
Explanation/Reference:
Explanation:
This is a verbal change request, and verbal change requests are never implemented. They introduce risk and cannot be tracked in the project scope. Change requests are requests to expand or reduce the project scope, modify policies, processes, plans, or procedures, modify costs or budgets or revise schedules. These requests for a change can be direct or indirect, externally or internally initiated, and legally or contractually imposed or optional. A Project Manager needs to ensure that only formally documented requested changes are processed and only approved change requests are implemented.
Incorrect Answers:
A: Including the verbal change request circumvents the project's change control system.
B: Directing the project team to include the change request if they have time is not a valid option. The project manager and the project team will already have all of the project team's time accounted for, so there is no extra time for undocumented, unapproved change requests.
D: You may want to report Jane to the project sponsor, but you are not obligated to include the verbal change request.
QUESTION 114
You are the risk professional in Bluewell Inc. A risk is identified and the enterprise wants to quickly implement a control by applying a technical solution that deviates from the company's policies. What should you do?
A. Recommend against implementation because it violates the company's policies
B. Recommend revision of the current policy
C. Recommend a risk assessment and subsequent implementation only if residual risk is accepted
D. Conduct a risk assessment and allow or disallow based on the outcome
Correct Answer: C
Section: Volume B
Explanation/Reference:
Explanation:
If it is necessary to quickly implement a control by applying a technical solution that deviates from the company's policies, then a risk assessment should be conducted to clarify the risk. It is up to management to accept the risk or to mitigate it.
Incorrect Answers:
A: In this case it is important to mitigate the risk, so the risk professional should first recommend a risk assessment, although the decision to conduct a risk assessment when a company policy is violated is taken by management.
B: The recommendation to revise the current policy should not be triggered by a single request.
D: The risk professional can only recommend a risk assessment when the company's policies are being violated; it can only be conducted when management allows it.
QUESTION 115
Jane is the project manager of the NHJ Project for her company. She has identified several positive risk events within her project and she thinks these events can save the project time and money. Positive risk events such as these within the NHJ Project are referred to as?
A. Contingency risks
B. Benefits
C. Residual risk
D. Opportunities
Correct Answer: D
Section: Volume B
Explanation/Reference:
Explanation:
A positive risk event is also known as an opportunity. Opportunities within the project to save time and money must be evaluated, analyzed, and responded to.
Incorrect Answers:
A: A contingency risk is not a valid risk management term.
B: Benefits are the good outcomes of a project endeavor. Benefits usually have a cost factor associated with them.
C: Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk.
QUESTION 116
During qualitative risk analysis you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?
A. Warning signs
B. Symptoms
C. Risk rating
D. Cost of the project
Correct Answer: D
Section: Volume B
Explanation/Reference:
Explanation:
The cost of the project is not an indicator of risk urgency. The effect of the risk on the overall cost of the project may be considered, but it is not the best answer.
Incorrect Answers:
A: Warning signs are an indicator of the risk urgency.
B: Symptoms are an indicator of the risk urgency.
C: The risk rating can be an indicator of the risk urgency.
QUESTION 117
Which of the following items is considered an objective of the three-dimensional model within the framework described in COSO ERM?
A. Risk assessment
B. Financial reporting
C. Control environment
D. Monitoring
Correct Answer: B
Section: Volume B
Explanation/Reference:
Explanation:
The COSO ERM (Enterprise Risk Management) framework is a three-dimensional model. The dimensions and their components include:
Strategic Objectives - includes strategic, operations, reporting, and compliance.
Risk Components - includes Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring.
Organizational Levels - includes subsidiary, business unit, division, and entity-level.
The COSO ERM framework contains eight risk components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
Section 404 of the Sarbanes-Oxley Act specifies a three-dimensional model, COSO ERM, comprised of internal control components, internal control objectives, and organizational entities. All the items listed are components except Financial reporting, which is an internal control objective.
Incorrect Answers:
A, C, D: They are the Internal control components, not the Internal control objectives.
QUESTION 118
NIST SP 800-53 identifies controls in three primary classes. What are they?
A. Technical, Administrative, and Environmental
B. Preventative, Detective, and Corrective
C. Technical, Operational, and Management
D. Administrative, Technical, and Operational
Correct Answer: C
Section: Volume B
Explanation/Reference:
Explanation:
NIST SP 800-53 is used to review security in any organization, for example in reviewing physical security. The Physical and Environmental Protection family includes 19 different controls. Organizations use these controls for better physical security. These controls are reviewed to determine whether they are relevant to a particular organization or not. Many of the controls described include additional references that provide more details on how to implement them. The National Institute of Standards and Technology (NIST) SP 800-53 rev 3 identifies 18 families of controls and groups them into three classes:
Technical
Operational
Management
QUESTION 119
You are the project manager of the GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?
A. Avoid
B. Transfer
C. Acceptance
D. Mitigate
Correct Answer: D
Section: Volume C
Explanation/Reference:
Explanation:
Mitigation attempts to reduce the impact of a risk event in case it occurs. Making plans to arrange for the leased equipment reduces the consequences of the risk, and hence this response is mitigation.
Incorrect Answers:
A: Risk avoidance means to evade risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event. Risk avoidance is applied when the level of risk, even after applying controls, would be greater than the risk tolerance level of the enterprise. Hence this risk response is adopted when:
There is no other cost-effective response that can successfully reduce the likelihood and magnitude below the defined thresholds for risk appetite.
The risk cannot be shared or transferred.
The risk is deemed unacceptable by management.
B: Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer. Here no such action is taken, hence it is not a risk transfer.
C: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.
Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
QUESTION 120
Who is the BEST authority to develop the priorities and identify what risks and impacts would occur if there were a loss of the organization's private information?
A. External regulatory agencies
B. Internal auditor
C. Business process owners
D. Security management
Correct Answer: D
Section: Volume C
Explanation/Reference:
QUESTION 121
Which of the following is the PRIMARY requirement before choosing Key performance indicators of an enterprise?
A. Determine size and complexity of the enterprise
B. Prioritize various enterprise processes
C. Determine type of market in which the enterprise operates
D. Enterprise must establish its strategic and operational goals
Correct Answer: D
Section: Volume C
Explanation/Reference:
Explanation:
Key performance indicators (KPIs) are a set of measures that a company or industry uses to measure and/or compare performance in terms of meeting its strategic and operational goals. KPIs vary from company to company, depending on their priorities or performance criteria.
A company must establish its strategic and operational goals and then choose the KPIs that can best reflect those goals. For example, if a software company's goal is to have the fastest growth in its industry, its main performance indicator may be the measure of its annual revenue growth.
Incorrect Answers:
A: Determining the size and complexity of the enterprise is a selection criterion for KRIs, not KPIs. KPIs have no relevance to the size and complexity of the enterprise.
B: This is not a valid answer.
C: The type of market in which the enterprise operates does not affect the selection of KPIs.
QUESTION 122
You are the project manager of a project for a client. The client has promised your company a bonus if the project is completed early. After studying the project work, you elect to crash the project in order to realize the early end date. This is an example of what type of risk response?
A. Negative risk response, because crashing will add risks.
B. Positive risk response, as crashing is an example of enhancing.
C. Positive risk response, as crashing is an example of exploiting.
D. Negative risk response, because crashing will add costs.
Correct Answer: B
Section: Volume C
Explanation/Reference:
Explanation:
This is a positive risk response, as crashing is an example of enhancing. You are enhancing the probability of finishing the project early to realize the reward of the bonus. Enhancing doesn't guarantee positive risks, but it does increase the likelihood of the event.
Incorrect Answers:
A: Crashing is a positive risk response. Generally, crashing doesn't add risks and is often confused with the other predominant schedule compression technique, fast tracking, which does add risks.
C: This isn't an example of exploiting. Exploiting is an action to take advantage of a positive risk response that will happen.
D: Crashing does add costs, but in this instance, crashing is an example of the positive risk response of enhancing.
QUESTION 123
Judy has identified a risk event in her project that will have a high probability and a high impact. Based on the requirements of the project, Judy has asked to change the project scope to remove the associated requirement and the associated risk. What type of risk response is this?
A. Exploit
B. Not a risk response, but a change request
C. Avoidance
D. Transference
Correct Answer: C
Section: Volume C
Explanation/Reference:
Explanation:
Risk avoidance involves changing the project management plan to eliminate the threat entirely. The project manager may also isolate the project objectives from the risk's impact or change the objective that is in jeopardy. Examples of this include extending the schedule, changing the strategy, or reducing the scope. The most radical avoidance strategy is to shut down the project entirely. Some risks that arise early in the project can be avoided by clarifying requirements, obtaining information, improving communication, or acquiring expertise.
Incorrect Answers:
A: Exploit risk response is used for positive risk or opportunity, not for negative risk.
B: This risk response does require a change request, in some instances, but it's the avoidance risk response and not just a change request.
D: Transference allows the risk to be transferred, not removed from the project, to a third party. Transference usually requires a contractual relationship with the third party.
QUESTION 124
You are the project manager of the GHT project. You want to perform a post-project review of your project. What is the BEST time for you and your project development team to perform the post-project review to assess the effectiveness of the project?
A. Project is completed and the system has been in production for a sufficient time period
B. During the project
C. Immediately after the completion of the project
D. Project is about to complete
Correct Answer: A
Section: Volume C
Explanation/Reference:
Explanation:
The project development team and appropriate end users perform a post-project review jointly after the project has been completed and the system has been in production for a sufficient time period to assess its effectiveness.
Incorrect Answers:
B: The post-project review for assessing effectiveness cannot be done during the project, as effectiveness can only be evaluated after the project's system has been put into production.
C: It is not done immediately after the completion of the project, as its effectiveness cannot be measured until the system has been in production for a certain time period.
D: A post-project review for evaluating the effectiveness of the project can only be done after the completion of the project, when the project is in the production phase.
QUESTION 125
What are the steps that are involved in articulating risks? Each correct answer represents a complete solution. Choose three.
A. Identify business opportunities.
B. Identify the response
C. Communicate risk analysis results and report risk management activities and the state of compliance.
D. Interpret independent risk assessment findings.
Correct Answer: ACD
Section: Volume C
Explanation/Reference:
Explanation:
Following are the tasks that are involved in articulating risk:
Communicate risk analysis results.
Report risk management activities and the state of compliance.
Interpret independent risk assessment findings.
Identify business opportunities.
QUESTION 126
Which among the following is the MOST crucial part of risk management process?
A. Risk communication
B. Auditing
C. Risk monitoring
D. Risk mitigation
Correct Answer: A
Section: Volume C
Explanation/Reference:
Explanation:
Risk communication is a critical part of the risk management process. People are naturally uncomfortable talking about risk and tend to put off admitting that risk is involved and communicating about issues, incidents and, eventually, even crises.
If risk is to be managed and mitigated, it must first be discussed and effectively communicated throughout an enterprise.
Incorrect Answers:
B: Auditing is done to test the overall risk management process and the planned risk responses. So it is the very last phase, after completion of the risk management process.
C: Risk monitoring is the last phase that completes the risk management process, and for proper management of risk it should be communicated properly. Hence risk communication is the most crucial step.
D: Risk mitigation is one of the phases of the risk management process; for effective mitigation of risk, it should first be communicated throughout an enterprise.
QUESTION 127
Which of the following is a key component of strong internal control environment?
A. RMIS
B. Segregation of duties
C. Manual control
D. Automated tools
Correct Answer: B
Section: Volume C
Explanation/Reference:
Explanation:
Segregation of duties (SOD) is a key component to maintaining a strong internal control environment because it reduces the risk of fraudulent transactions. When duties for a business process or transaction are segregated it becomes more difficult for fraudulent activity to occur because it would involve collusion among several employees.
Incorrect Answers:
A: An RMIS can be a very effective tool in monitoring all risk factors that impact the enterprise. The danger is that many important classes of risk may be omitted from consideration by the system; hence it doesn't ensure a strong internal control environment.
C: Manual controls usually do not form a strong internal control environment. By not automating SOD controls, there is, potentially, the issue of these controls becoming a barrier in serving the customer. As manual authorizations are often time consuming and require another step in any business process, this takes time away from serving the customer.
Automated compliance solutions aim to provide enterprises with timely and efficient internal controls that do not disrupt their normal business process.
D: It is not directly related to maintaining a strong internal control environment. The automated tools are typically used to address SOD and also to provide the enterprise with reporting functionality on SOD violations (i.e., detective controls) and to put in place preventive controls.
QUESTION 128
How can residual risk be determined?
A. By determining remaining vulnerabilities after countermeasures are in place.
B. By transferring all risks.
C. By threat analysis
D. By risk assessment
Correct Answer: D
Section: Volume C
Explanation/Reference:
Explanation:
All risks are determined by risk assessment, regardless of whether the risks are residual or not.
Incorrect Answers:
A: Determining remaining vulnerabilities after countermeasures are in place says nothing about threats; therefore risk cannot be determined.
B: Transferring all the risks is not relevant to determining residual risk. It is one of the methods of risk management.
C: Risk cannot be determined by threat analysis alone, regardless of whether it is residual or not.
QUESTION 129
Della works as a project manager for Tech Perfect Inc. She is studying the planning documentation of a project. The documentation states that there are twenty-eight stakeholders in the project. What will be the number of communication channels for the project?
A. 250
B. 28
C. 378
D. 300
Correct Answer: C
Section: Volume C
Explanation/Reference:
Explanation:
The question states that there are twenty-eight stakeholders. Communication channels are paths of communication with stakeholders in a project. The number of communication channels shows the complexity of a project's communication and can be derived through the formula shown below:
Total Number of Communication Channels = n (n-1)/2, where n is the number of stakeholders.
Hence, a project having five stakeholders will have ten communication channels. Putting the number of stakeholders into the formula gives the number of communication channels:
Number of communication channels = (n (n-1)) / 2 = (28 (28-1)) / 2
= (28 x 27) / 2
= 756 / 2
= 378
QUESTION 130
Shawn is the project manager of the HWT project. In this project Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help to automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response has he used?
A. Avoiding
B. Accepting
C. Exploiting
D. Enhancing
Correct Answer: C
Section: Volume C
Explanation/Reference:
Explanation:
A risk event is being exploited so as to identify the opportunities for positive impacts. Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response.
Incorrect Answers:
A: To avoid a risk means to evade it altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.
B: Accepting is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Often acceptance is used for low probability and low impact risk events.
D: Enhancing is a positive risk response that aims to increase the probability and/or impact of the risk event.
QUESTION 131
Which among the following is the BEST reason for defining a risk response?
A. To eliminate risk from the enterprise
B. To ensure that the residual risk is within the limits of the risk appetite and tolerance
C. To overview current status of risk
D. To mitigate risk
Correct Answer: B
Section: Volume C
Explanation/Reference:
Explanation:
The purpose of defining a risk response is to ensure that the residual risk is within the limits of the risk appetite and tolerance of the enterprise. Risk response is based on selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance and the cost or benefit of the particular risk response option.
Incorrect Answers:
A: Risk cannot be completely eliminated from the enterprise.
C: This is not a valid answer.
D: Mitigation of risk is itself the risk response process, not the reason behind it.
QUESTION 132
Mike is the project manager of the NNP Project for his organization. He is working with his project team to plan the risk responses for the NNP Project. Mike would like the project team to work together on establishing risk thresholds in the project. What is the purpose of establishing a risk threshold?
A. It is a study of the organization's risk tolerance.
B. It is a warning sign that a risk event is going to happen.
C. It is a limit of the funds that can be assigned to risk events.
D. It helps to identify those risks for which specific responses are needed.
Correct Answer: D
Section: Volume C
Explanation/Reference:
Explanation:
A risk threshold helps to identify those risks for which specific responses are needed.
QUESTION 133
What should be considered while developing obscure risk scenarios? Each correct answer represents a part of the solution. Choose two.
A. Visibility
B. Controls
C. Assessment methods
D. Recognition
Correct Answer: AD
Section: Volume C
Explanation/Reference:
Explanation:
The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events. Such scenarios can be developed by considering two things:
Visibility
Recognition
For the fulfillment of this task the enterprise must:
Be in a position that it can observe anything going wrong
Have the capability to recognize an observed event as something wrong
QUESTION 134
Which of the following is true for risk management frameworks, standards and practices? Each correct answer represents a part of the solution. Choose three.
A. They act as a guide to focus efforts of variant teams.
B. They result in increase in cost of training, operation and performance improvement.
C. They provide a systematic view of "things to be considered" that could harm clients or an enterprise.
D. They assist in achieving business objectives quickly and easily.
Correct Answer: ACD
Section: Volume C
Explanation/Reference:
Explanation:
Frameworks, standards and practices are necessary as:
They provide a systematic view of "things to be considered" that could harm clients or an enterprise.
They act as a guide to focus efforts of variant teams.
They save time and revenue, such as training costs, operational costs and performance improvement costs.
They assist in achieving business objectives quickly and easily.
QUESTION 135
You work as a project manager for BlueWell Inc. You are preparing to plan risk responses for your project with your team. How many risk response types are available for a negative risk event in the project?
A. 5
B. 7
C. 1
D. 4
Correct Answer: D
Section: Volume C
Explanation/Reference:
Explanation:
Four risk response options are available to deal with negative risks or threats to the project objectives: avoid, transfer, mitigate, and accept.
Risk avoidance
Risk mitigation
Risk transfer
Risk acceptance
Incorrect Answers:
A, B, C: These are incorrect choices, as only 4 risk responses are available to deal with negative risks.
QUESTION 136
You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
A. Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.
B. Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
C. Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
D. Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.
Correct Answer: C
Section: Volume C
Explanation/Reference:
Explanation:
Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives. It is performed on risks that have been prioritized through the qualitative risk analysis process.
Incorrect Answers:
A: While somewhat true, this statement does not completely define the quantitative risk analysis process.
B: This is actually the definition of qualitative risk analysis.
D: This is not a valid statement about the quantitative risk analysis process. Risk response planning is a separate project management process.
QUESTION 137
You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate the risk associated with the new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case?
Each correct answer represents a complete solution. (Choose three.)
A. Education of staff or business partners
B. Deployment of a threat-specific countermeasure
C. Modification of the technical architecture
D. Apply more controls
Correct Answer: ABC
Section: Volume C
Explanation/Reference:
Explanation:
As new threats are identified and prioritized in terms of impact, the first step is to evaluate the ability of existing controls to mitigate the risk associated with the new threats; if the existing controls do not work, then facilitate the:
Modification of the technical architecture
Deployment of a threat-specific countermeasure
Implementation of a compensating mechanism or process until mitigating controls are developed
Education of staff or business partners
Incorrect Answers:
D: Applying more controls is not a good solution; they usually complicate the condition.
QUESTION 138
Which of the following risks is associated with not receiving the right information to the right people at the right time to allow the right action to be taken?
A. Relevance risk
B. Integrity risk
C. Availability risk
D. Access risk
Correct Answer: A
Section: Volume C
Explanation/Reference:
Explanation:
Relevance risk is the risk associated with not receiving the right information to the right people (or process or systems) at the right time to allow the right action to be taken.
Incorrect Answers:
B: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed integrity risk.
C: The risk of loss of service or that data are not available when needed is referred to as availability risk.
D: The risk that confidential or private information may be disclosed or made available to those without appropriate authority is termed access or security risk. An aspect of this risk is non-compliance with local, national and international laws related to privacy and protection of personal information.
QUESTION 139
Which of the following nodes of decision tree analysis represents the starting point of the decision tree?
A. Decision node
B. End node
C. Event node
D. Root node
Correct Answer: D
Section: Volume C
Explanation/Reference:
Explanation:
Root node is the starting node in the decision tree.
Incorrect Answers:
A: Decision nodes represent the choices available to the decision maker, usually between a risky choice and its non-risky counterpart.
B: End nodes represent the outcomes of the risks and decisions.
C: Event nodes represent the possible uncertain outcomes of a risky decision, with at least two branches to illustrate the positive and negative range of events.
QUESTION 140
You are the project manager of the NHH Project. You are working with the project team to create a plan that documents the procedures for managing risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are you and your team creating in this scenario?
A. Project plan
B. Resource management plan
C. Project management plan
D. Risk management plan
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
The risk management plan, a component of the project management plan, defines how risks will be identified, analyzed, monitored and controlled, and responded to.
A risk management plan is a document prepared by the project manager to anticipate risks, estimate their likelihood and impact, and define the responses that will mitigate them. It also contains the risk assessment matrix.
Risks are inherent in any project, so project managers evaluate them repeatedly and build plans to address them. The risk management plan contains an analysis of the possible risks, both high and low impact, together with the mitigation strategies that keep the project on track when common problems arise. The plan should be reviewed regularly by the project team so that the analysis does not become stale and stop reflecting the actual project risks. Most importantly, the risk management plan defines the risk strategy for project execution.
Incorrect Answers:
A: "Project plan" is not an official PMBOK document; the PMBOK term is project management plan.
B: The resource management plan defines the management of project resources, such as project team members, facilities, equipment, and contractors.
C: The project management plan is a comprehensive plan that communicates the intent of the project for all project management knowledge areas.
QUESTION 141
Where are all risks and risk responses documented as the project progresses?
A. Risk management plan
B. Project management plan
C. Risk response plan
D. Risk register
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
All risks, their responses, and other characteristics are documented in the risk register. As the project progresses and the conditions of the risk events change, the risk register should be updated to reflect the current risk conditions.
Incorrect Answers:
A: The risk management plan addresses the project management's approach to risk management, risk identification, analysis, response, and control.
B: The project management plan is the overarching plan for the project, not the specifics of the risk responses and risk identification.
C: The risk response plan only addresses the planned risk responses for the identified risk events in the risk register.
QUESTION 142
A part of a project deals with the hardware work. As a project manager, you have decided to hire a company to deal with all hardware work on the project. Which type of risk response is this?
A. Transference
B. Mitigation
C. Avoidance
D. Exploit
Correct Answer: A Section: Volume C Explanation
Explanation/Reference:
Explanation:
Hiring a third party to own the risk is a transference risk response.
Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer can take many forms but is most effective when dealing with financial risks; insurance is one form of risk transfer. Note that transference shifts responsibility for managing the risk to the other party; it does not eliminate the risk, and the project remains accountable for the outcome.
Incorrect Answers:
B: Mitigation is the act of spending effort or money to reduce the probability and/or impact of a risk.
C: Avoidance is changing the project plan, for example by introducing extra activities, so that the risk cannot occur.
D: Exploit is a strategy that may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized.
QUESTION 143
Which of the following events refer to loss of integrity?
Each correct answer represents a complete solution. Choose three.
A. Someone sees company's secret formula
B. Someone makes unauthorized changes to a Web site
C. An e-mail message is modified in transit
D. A virus infects a file
D. A virus infects a file
Correct Answer: BCD Section: Volume C Explanation
Explanation/Reference:
Explanation:
Loss of integrity refers to the following types of events:
An e-mail message is modified in transit
A virus infects a file
Someone makes unauthorized changes to a Web site
Incorrect Answers:
A: Someone seeing the company's secret formula (or a password) is a loss of confidentiality, not of integrity.
QUESTION 144
Which of the following should be PRIMARILY considered while designing information systems controls?
A. The IT strategic plan
B. The existing IT environment
C. The organizational strategic plan
D. The present IT budget
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
Review of the enterprise's strategic plan is the first step in designing effective IS controls that would fit the enterprise's long-term plans.
Incorrect Answers:
A: The IT strategic plan exists to support the enterprise's strategic plan, but it is not the primary consideration when designing information system controls.
B: Review of the existing IT environment is also useful and necessary, but it is not the first step that needs to be undertaken.
D: The present IT budget is just one of the constraints considered within the strategic plan.
QUESTION 145
You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?
A. These risks can be dismissed.
B. These risks can be accepted.
C. These risks can be added to a low priority risk watch list.
D. All risks must have a valid, documented risk response.
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
Low-impact, low-probability risks can be added to the low priority risk watch list.
Incorrect Answers:
A: These risks are not dismissed; they are still documented on the low priority risk watch list.
B: While these risks may be accepted, they should be documented on the low priority risk watch list. This list will be periodically reviewed and the status of the risks may change.
D: Not every risk demands a risk response, so this choice is incorrect.
QUESTION 146
You are the project manager of your enterprise. You have introduced an intrusion detection system as a control, and it has raised a warning about a violation of your enterprise's security policies. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
Correct Answer: A Section: Volume C Explanation
Explanation/Reference:
Explanation:
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activity or policy violations and produces reports to a management station. Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting them. In addition, organizations use IDPS for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.
Because an IDS detects and warns when a violation of the enterprise's security policies occurs, it is a detective control. (An IPS deployed inline to block the traffic would, by contrast, be a preventive control.)
Incorrect Answers:
B: Corrective controls attempt to reduce the impact of a threat once a problem has been discovered by detective controls. An IDS only detects; it does not reduce the impact, so it is not a corrective control.
C: Preventive controls stop a problem before it occurs. An IDS only detects the problem when it occurs, not prior to its occurrence, so it is not a preventive control.
D: Recovery controls attempt to overcome the impact of an incident on the business; an IDS does not do this, so it is not a recovery control.
QUESTION 147
What are the functions of audit and accountability control?
Each correct answer represents a complete solution. (Choose three.)
A. Provides details on how to protect the audit logs
B. Implement effective access control
C. Implement an effective audit program
D. Provides details on how to determine what to audit
Correct Answer: ACD Section: Volume C Explanation
Explanation/Reference:
Explanation:
Audit and accountability family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation.
Incorrect Answers:
B: Access Control is the family of controls that helps an organization implement effective access control. Those controls ensure that users have the rights and permissions they need to perform their jobs, and no more; they include principles such as least privilege and separation of duties. The Audit and Accountability family of controls does not help in implementing access control.
QUESTION 148
What is the value of exposure factor if the asset is lost completely?
A. 1
B. Infinity
C. 10
D. 0
Correct Answer: A Section: Volume C Explanation
Explanation/Reference:
Explanation:
The exposure factor (EF) represents the impact of a risk on the asset, expressed as the fraction (or percentage) of the asset's value that is lost in a single incident. For example, if an incident destroys two thirds of the asset's value, the exposure factor is 0.66; if it halves the value, the exposure factor is 0.5.
Therefore, when the asset is completely lost, the exposure factor is 1.0 (100%).
Incorrect Answers:
B, C, D: The exposure factor is a fraction between 0 and 1. It cannot be infinite or 10, and a value of 0 would mean that nothing was lost, not that the asset was lost completely.
QUESTION 149
Your project is an agricultural-based project that deals with plant irrigation systems. You have discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity, it would be an example of what risk response?
A. Enhancing
B. Positive
C. Opportunistic
D. Exploiting
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
This is an example of exploiting a positive risk; a useful by-product of a project is a classic opportunity to exploit. Exploit is one of the response strategies for positive risks (opportunities), not a strategy for negating threats. It is selected when the organization wishes to ensure that the opportunity is realized, by removing the uncertainty about whether it will happen. Assigning more talented resources to the project to reduce the time to completion is another example of an exploit response.
Incorrect Answers:
A: Enhancing is a positive risk response that describes actions taken to increase the probability and/or impact of an opportunity, without guaranteeing it.
B: This is an example of a positive risk, but "positive" is not a risk response.
C: Opportunistic is not a valid risk response.
QUESTION 150
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?
A. ALE = ARO/SLE
B. ARO = SLE/ALE
C. ARO = ALE*SLE
D. ALE = ARO*SLE
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results help in identifying the priority of risks and are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:
Single loss expectancy (SLE): the total loss expected from a single incident, which occurs when a vulnerability is exploited by a threat. The loss is expressed as a dollar value such as $1,000 and includes the value of data, software, and hardware. SLE = Asset value * Exposure factor
Annual rate of occurrence (ARO): the number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24; assuming nothing changes, it is likely to occur 24 times next year.
Annual loss expectancy (ALE): the expected loss for a year, calculated by multiplying SLE by ARO. Because SLE is given as a dollar value, ALE is also a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO
Safeguard value: the cost of a control. Controls are used to mitigate risk. For example, if antivirus software costs an average of $50 for each computer and there are 50 computers, the safeguard value is $2,500.
Incorrect Answers:
A, B, C: These are wrong formulas and are not used in quantitative risk assessment.
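The EF, SLE, ARO and ALE arithmetic from Questions 148 and 150, as an added worked example in Python that is not part of the CRISC material. It also carries the safeguard value one step beyond the text, into a simple cost/benefit comparison (ALE before the control, minus ALE after it, minus the control's annual cost). The asset values, the $50-per-host antivirus figure on 50 hosts, and the assumption that the control cuts the ARO from 24 to 2 are constructed figures.

```python
"""Quantitative risk arithmetic (EF, SLE, ARO, ALE) and a safeguard cost/benefit
check. Added example, not from the CRISC material; all figures are constructed."""
from dataclasses import dataclass


def exposure_factor(value_before: float, value_after: float) -> float:
    """Fraction of the asset value lost in one incident (0.0 = none, 1.0 = total)."""
    if value_before <= 0:
        raise ValueError("asset value must be positive")
    if not 0 <= value_after <= value_before:
        raise ValueError("value after the incident must lie between 0 and the original value")
    return round((value_before - value_after) / value_before, 4)


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value * exposure factor."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be fractional (0.1 = expected once in ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class SafeguardAssessment:
    ale_before: float             # ALE with no control in place
    ale_after: float              # ALE once the control is operating
    annual_safeguard_cost: float  # safeguard value, e.g. licence cost * number of hosts

    @property
    def annual_benefit(self) -> float:
        """Loss avoided per year minus what the control costs. Negative means the
        control is more expensive than the risk it treats."""
        return (self.ale_before - self.ale_after) - self.annual_safeguard_cost

    @property
    def worthwhile(self) -> bool:
        return self.annual_benefit > 0


def assess_safeguard(asset_value: float, ef_before: float, aro_before: float,
                     ef_after: float, aro_after: float,
                     unit_cost: float, units: int) -> SafeguardAssessment:
    """ALE with and without a control whose safeguard value is unit_cost * units."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    return SafeguardAssessment(ale_before, ale_after, unit_cost * units)


if __name__ == "__main__":
    # Constructed figures: a $3,000 asset that loses two thirds of its value, then all of it.
    print(exposure_factor(3000, 1000), exposure_factor(3000, 0))  # 0.6667 1.0
    # $1,000 per incident, 24 incidents a year, antivirus at $50 on 50 hosts;
    # the assumption that the control cuts the ARO from 24 to 2 is constructed.
    a = assess_safeguard(1000, 1.0, 24, 1.0, 2, 50, 50)
    print(a.ale_before, a.ale_after, a.annual_safeguard_cost, a.annual_benefit, a.worthwhile)
    # The same control against a rare event (ARO 0.1) costs more than it saves.
    print(assess_safeguard(1000, 1.0, 0.1, 1.0, 0.05, 50, 50).worthwhile)  # False
```

The second `assess_safeguard` call is the case a reviewer should watch for: the formulas are the same, but a $2,500 control against a $100 annual loss is not justified, which is why ALE is compared with the safeguard value rather than used on its own.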
QUESTION 151
You are the project manager of the GHT project. You and your team have developed risk responses for those risks with the highest threat to, or best opportunity for, the project objectives. What are the immediate steps you should follow after the Plan Risk Responses process? Each correct answer represents a complete solution. Choose three.
A. Updating Project management plan and Project document
B. Applying controls
C. Updating Risk register
D. Prepare Risk-related contracts
Correct Answer: ACD Section: Volume C Explanation
Explanation/Reference:
Explanation:
The risk register is updated at the end of the Plan Risk Responses process with the information discovered during the process; the response plans are recorded in the risk register.
The project management plan, including the WBS, schedule baseline and cost performance baseline, should be updated. Project documents such as the technical documentation and the assumptions recorded in the project scope statement may also need updating.
If the risk response strategies include transference or sharing, it may be necessary to purchase services or items from third parties. Contracts for those services can be prepared and discussed with the appropriate parties.
Incorrect Answers:
B: Controls are implemented at a later stage of the risk response process. Applying controls is not an immediate task after Plan Risk Responses, because the documents above are updated first.
The purpose of the Plan Risk Responses process is to develop risk responses for those risks with the highest threat to, or best opportunity for, the project objectives. The process has four outputs:
Risk register updates
Risk-related contract decisions
Project management plan updates
Project document updates
QUESTION 152
You are a user of an information system. You have chosen a poor password and sometimes transmit data over unprotected communication lines. What do the poor password quality and the unsafe transmission represent?
A. Probabilities
B. Threats
C. Vulnerabilities
D. Impacts
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
Vulnerabilities represent characteristics of information resources that may be exploited by a threat. The given scenario describes such a situation, hence it is a vulnerability.
Incorrect Answers:
A: Probabilities represent the likelihood of the occurrence of a threat, and this scenario does not describe a probability.
B: Threats are circumstances or events with the potential to cause harm to information resources. This scenario does not describe a threat.
D: Impacts represent the outcome or result of a threat exploiting a vulnerability. The stem does not describe an impact.
QUESTION 153
You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. The response adopted is to re-architect the existing system and purchase a new integrated system. In which of the following risk prioritization options would this case be categorized?
A. Deferrals
B. Quick win
C. Business case to be made
D. Contagious risk
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
This is categorized as "business case to be made" because the response, a re-architecture plus the purchase of a new integrated system, requires a very large investment against a medium-to-high risk. Costly responses of this kind need a business case so that the expense can be justified and approved before the response is implemented.
Incorrect Answers:
A: Deferrals apply to costly responses to low risks; such risks are typically accepted or the response is postponed. Here the risk is significant, so deferral is not appropriate.
B: Quick wins are effective and efficient responses to medium or high risks that do not require large investments; this response does.
D: Contagious risk is not a risk response prioritization option. It describes risks that occur at several of the enterprise's business partners within a very short time frame.
QUESTION 154
Which of the following BEST ensures that a firewall is configured in compliance with an enterprise's security policy?
A. Interview the firewall administrator.
B. Review the actual procedures.
C. Review the device's log file for recent attacks.
D. Review the parameter settings.
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide reliable audit evidence documentation.
Incorrect Answers:
A: While interviewing the firewall administrator may provide a good process overview, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
B: While procedures may provide a good understanding of how the firewall is supposed to be managed, they do not reliably confirm that the firewall configuration complies with the enterprise's security policy.
C: While reviewing the device's log file for recent attacks may provide indirect evidence about the fact that logging is enabled, it does not reliably confirm that the firewall configuration complies with the enterprise's security policy.
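One way a reviewer can perform the comparison of actual parameter settings to the security policy described above, as an added example that is not part of the CRISC material. The two iptables-save dumps are constructed, and the four policy statements (default deny on INPUT, management ports 22 and 3389 reachable only from 10.0.0.0/8, no blanket accepts, dropped traffic logged) are hypothetical; the parser and checks would run unchanged against a real `iptables-save` output.

```python
"""Review firewall parameter settings against a written security policy.
Added example, not from the CRISC material: the rule sets are constructed
iptables-save dumps and the policy statements are hypothetical."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical policy: default deny inbound, administrative ports reachable only
# from the management network, no blanket accepts, and dropped traffic logged.
MGMT_PORTS = {"22", "3389"}
ALLOWED_MGMT_SOURCE = "10.0.0.0/8"


@dataclass
class Rule:
    chain: str
    target: str = ""
    source: Optional[str] = None
    dport: Optional[str] = None
    iface: Optional[str] = None
    stateful: bool = False      # rule matches on connection state
    raw: str = ""


@dataclass
class Ruleset:
    policies: Dict[str, str] = field(default_factory=dict)  # chain -> default target
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_save(text: str) -> Ruleset:
    """Minimal parser for the filter table of an iptables-save dump.
    Assumes every option is a flag/value pair (no '!' negations)."""
    rs = Ruleset()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # ':INPUT DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            rs.policies[chain] = policy
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule = Rule(chain=toks[1], raw=line)
            for i in range(2, len(toks) - 1, 2):
                flag, val = toks[i], toks[i + 1]
                if flag == "-s":
                    rule.source = val
                elif flag == "--dport":
                    rule.dport = val
                elif flag == "-i":
                    rule.iface = val
                elif flag == "-j":
                    rule.target = val
                elif flag == "-m" and val in ("state", "conntrack"):
                    rule.stateful = True
            rs.rules.append(rule)
    return rs


def review(text: str) -> List[str]:
    """Compare the actual parameter settings to the policy; each finding is one deviation."""
    rs = parse_iptables_save(text)
    findings = []
    if rs.policies.get("INPUT") != "DROP":
        findings.append("INPUT default policy is %s; policy requires DROP" % rs.policies.get("INPUT"))
    for r in rs.rules:
        if r.chain != "INPUT" or r.target != "ACCEPT":
            continue
        if r.dport in MGMT_PORTS and r.source != ALLOWED_MGMT_SOURCE:
            findings.append("management port %s accepted from %s: %s" % (r.dport, r.source or "any", r.raw))
        if r.dport is None and r.source is None and r.iface != "lo" and not r.stateful:
            findings.append("blanket accept with no port, source or interface restriction: " + r.raw)
    if not any(r.chain == "INPUT" and r.target == "LOG" for r in rs.rules):
        findings.append("no LOG rule in INPUT; dropped traffic is not logged")
    return findings


# Constructed dump of a host that deviates from the policy in four ways.
NONCOMPLIANT = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

# The same host after its parameters are corrected.
COMPLIANT = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "fw-drop: "
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(name, review(dump) or ["no findings"])
```

The point of the exercise is that each finding is traceable to a specific parameter in the dump, which is the audit evidence the question refers to; an interview or a procedure document could not produce that trail.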
QUESTION 155
Which of the following is NOT used for the measurement of a project's critical success factors?
A. Productivity
B. Quality
C. Quantity
D. Customer service
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Incorrect Answers:
A, B, D: Productivity, quality and customer service are used for measuring the critical success factors of a project.
QUESTION 156
Which of the following statements is NOT true regarding the risk management plan?
A. The risk management plan is an output of the Plan Risk Management process.
B. The risk management plan is an input to all the remaining risk-planning processes.
C. The risk management plan includes a description of the risk responses and triggers.
D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets.
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers. Responses to risks are documented in the risk register as part of the Plan Risk Responses process.
Incorrect Answers:
A, B, D: All of these statements are true of the risk management plan. The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. It includes thresholds, scoring and interpretation methods, responsible parties, and budgets. It also acts as an input to all the remaining risk-planning processes.
QUESTION 157
You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply the most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?
A. Project network diagrams
B. Cause-and-effect analysis
C. Decision tree analysis
D. Delphi Technique
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
Decision tree analysis is a risk analysis tool that can help the project manager determine the best risk response. The tool can be used to measure probability, impact, and risk exposure, and how the selected risk response affects the probability and/or impact of the selected risk event. It helps to form a balanced picture of the risks and opportunities connected with each possible course of action, which makes it most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Project network diagrams help the project manager and stakeholders visualize the flow of project work; they are not used as part of risk response planning.
B: Cause-and-effect analysis is used for exposing risk factors and is not effective for risk response planning. It uses predictive or diagnostic analytical tools to explore the root causes or factors that contribute to positive or negative effects or outcomes.
D: The Delphi technique is used for risk identification and analysis, i.e., for identifying the most probable risks. A group of experts independently rates the business risks of an organization; each expert analyzes and prioritizes the risks independently, and the results are combined into a consensus.
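Decision tree analysis as described in Questions 139 and 157, as an added worked example in Python that is not part of the CRISC material. The four node types are the ones the text names (root, decision, event, end) and the tree is evaluated by expected monetary value (EMV). The scenario, in which the root decision node compares accept, mitigate and transfer responses to a component-failure risk, is constructed, and its probabilities, costs and losses are assumptions.

```python
"""Decision tree analysis for choosing a risk response by expected monetary value.
Added example, not from the CRISC material. Node types follow the text: a root
(the top decision node), decision nodes, event (chance) nodes and end nodes."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class EndNode:
    """Leaf: payoff of one complete path. Losses are negative."""
    value: float


@dataclass
class EventNode:
    """Chance node: (probability, child) branches whose probabilities sum to 1."""
    branches: List[Tuple[float, "Node"]]


@dataclass
class DecisionNode:
    """Choice node: (label, cost of choosing that branch, child) options."""
    options: List[Tuple[str, float, "Node"]]


Node = Union[EndNode, EventNode, DecisionNode]


def emv(node: Node) -> float:
    """Expected monetary value, folded from the end nodes back towards the root."""
    if isinstance(node, EndNode):
        return node.value
    if isinstance(node, EventNode):
        total = sum(p for p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError("branch probabilities sum to %g, not 1" % total)
        return sum(p * emv(child) for p, child in node.branches)
    # At a decision node the decision maker takes the option with the best EMV.
    return max(score for _, score in score_options(node))


def score_options(node: DecisionNode) -> List[Tuple[str, float]]:
    """EMV of each option, net of the cost of choosing it."""
    return [(label, emv(child) - cost) for label, cost, child in node.options]


def best_option(node: DecisionNode) -> Tuple[str, float]:
    return max(score_options(node), key=lambda s: s[1])


# Constructed scenario: a supplier's component may fail acceptance testing
# (30% chance, $200,000 rework loss). Three responses are compared at the root.
LOSS = -200_000.0
ROOT = DecisionNode([
    # accept the risk: no cost, full exposure
    ("accept", 0.0, EventNode([(0.3, EndNode(LOSS)), (0.7, EndNode(0.0))])),
    # mitigate: $25,000 of extra testing is assumed to cut the probability to 10%
    ("mitigate", 25_000.0, EventNode([(0.1, EndNode(LOSS)), (0.9, EndNode(0.0))])),
    # transfer: a $40,000 contract penalty clause is assumed to cap the loss at $20,000
    ("transfer", 40_000.0, EventNode([(0.3, EndNode(-20_000.0)), (0.7, EndNode(0.0))])),
])

if __name__ == "__main__":
    for label, score in score_options(ROOT):
        print("%-9s EMV = %10.0f" % (label, score))   # accept -60000, mitigate -45000, transfer -46000
    print("best response:", best_option(ROOT))       # ('mitigate', -45000.0)
```

Decision nodes can be nested under event nodes (for example, a second decision taken only if the component fails), and `emv` folds them the same way; the probability check on event nodes catches the commonest modelling error, branches that do not cover all outcomes.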
QUESTION 158
What is the MAIN purpose of designing risk management programs?
A. To reduce the risk to a level that the enterprise is willing to accept
B. To reduce the risk to the point at which the benefit exceeds the expense
C. To reduce the risk to a level that is too small to be measurable
D. To reduce the risk to a rate of return that equals the current cost of capital
Correct Answer: A Section: Volume C Explanation
Explanation/Reference:
Explanation:
Risk cannot be removed completely from the enterprise; it can only be reduced to a level that an organization is willing to accept. Risk management programs are hence designed to accomplish the task of reducing risks.
Incorrect Answers:
B: Depending on the risk preference of an enterprise, it may or may not choose to pursue risk mitigation to the point at which benefit equals or exceeds the expense. Hence this is not the primary objective of designing the risk management program.
C: Reducing risk to a level too small to measure is not practical and is often cost-prohibitive.
D: Reducing risks to a specific return ignores the qualitative aspects of the risk which should also be considered.
QUESTION 159
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?
A. Monitor and Control Risk
B. Plan risk response
C. Identify Risks
D. Qualitative Risk Analysis
Correct Answer: B Section: Volume C Explanation
Explanation/Reference:
Explanation:
The Plan Risk Responses project management process aims to reduce the threats to the project objectives and to increase the opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. In this process a risk response owner is assigned to take responsibility for each agreed-to and funded risk response. The process addresses the risks by their priorities, updates the project management plan as required, and inserts resources and activities into the budget and schedule. The inputs to the Plan Risk Responses process are:
Risk register
Risk management plan
Incorrect Answers:
A: Monitor and Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.
C: Identify Risks is the process of determining which risks may affect the project. It also documents risks' characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. As new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they can develop and maintain a sense of ownership and responsibility for the risks and associated risk response actions. Risk Register is the only output of this process.
D: Qualitative risk analysis defines risk factors in terms of high/medium/low or a numeric scale (1 to 10); it determines the nature of a risk on a relative scale rather than selecting responses for it.
Some qualitative methods of risk analysis are:
Scenario analysis: a forward-looking process that can reflect risk for a given point in time.
Risk and Control Self-Assessment (RCSA): used by enterprises (such as banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in that it compels business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.
QUESTION 160
You are the Risk Official in Bluewell Inc. You have detected many vulnerabilities during the risk assessment process. What should you do next?
A. Prioritize vulnerabilities for remediation solely based on impact.
B. Handle vulnerabilities as a risk, even though there is no threat.
C. Analyze the effectiveness of controls on the basis of the vulnerabilities.
D. Evaluate vulnerabilities for threat, impact, and cost of mitigation.
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
Vulnerabilities detected during an assessment should first be evaluated for threat, impact and cost of mitigation, and prioritized on the basis of whether a credible threat exists to exploit them.
Incorrect Answers:
A, C: These are later steps, taken after the vulnerabilities have been evaluated; they are not the immediate action after detection.
B: If a detected vulnerability poses no or negligible threat to the enterprise, it is not cost effective to treat it as a risk.