QUESTION 161
You and your project team have identified a few risk events in the project and recorded the events in the risk register. Part of the recording of the events includes the identification of a risk owner. Who is a risk owner?
A. A risk owner is the party that will monitor the risk events.
B. A risk owner is the party that will pay for the cost of the risk event if it becomes an issue.
C. A risk owner is the party that has caused the risk event.
D. A risk owner is the party authorized to respond to the risk event.
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
Risk owner for each risk should be the person who has the most influence over its outcome. Selecting the risk owner thus usually involves considering the source of risk and identifying the person who is best placed to understand and implement what needs to be done. They are also responsible for responding to the event and reporting on the risk status.
Incorrect Answers:
A: A risk owner will monitor the identified risks for status changes, but all project stakeholders should be iteratively looking to identify the risks.
B: Risk owners do not pay for the cost of the risk event.
C: Risk owners are not the people who cause the risk event.
QUESTION 162
Suppose you are working in Company Inc. and you are using risk scenarios for estimating the likelihood and impact of the significant risks on this organization. Which of the following assessment are you doing?
A. IT security assessment
B. IT audit
C. Threat and vulnerability assessment
D. Risk assessment
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
Threat and vulnerability assessment considers the full spectrum of risks. It identifies the likelihood of occurrence of risks and the impact of the significant risks on the organization using risk scenarios. For example, natural threats can be evaluated by using historical data concerning the frequency of occurrence of given natural disasters such as tornadoes, hurricanes, floods, fire, etc.
Incorrect Answers:
A, B: These use either some technical evaluation tool or assessment methodologies to evaluate risk but do not use risk scenarios.
D: Risk assessment uses quantitative and qualitative analysis approaches to evaluate each significant risk identified.
QUESTION 163
Which of the following is BEST described by the definition below?
"They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed."
A. Obscure risk
B. Risk factors
C. Risk analysis
D. Risk event
Correct Answer: B Section: Volume C Explanation
Explanation/Reference:
Explanation:
Risk factors are those features that influence the likelihood and/or business impact of risk scenarios. They have heavy influences on probability and impact of risk scenarios. They should be taken into account during every risk analysis, when likelihood and impact are assessed.
Incorrect Answers:
A: The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events.
Such scenarios can be developed by considering two things:
Visibility
Recognition
For the fulfillment of this task the enterprise must:
Be in a position that it can observe anything going wrong
Have the capability to recognize an observed event as something wrong
C: A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A risk from an organizational perspective consists of:
Threats to various processes of the organization.
Threats to physical and information assets.
Likelihood and frequency of occurrence from threat.
Impact on assets from threat and vulnerability.
Risk analysis allows the auditor to do the following tasks:
Identify threats and vulnerabilities to the enterprise and its information system.
Provide information for evaluation of controls in audit planning.
Aid in determining audit objectives.
Support decisions based on risks.
D: A risk event represents the situation where you have a risk that only occurs with a certain probability and where the risk itself is represented by a specified distribution.
QUESTION 164
Which of the following processes is described in the statement below?
"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Identify Risks
D. Perform Qualitative Risk Analysis
Correct Answer: B Section: Volume C Explanation
Explanation/Reference:
Explanation:
Monitor and Control Risk is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.
Incorrect Answers:
A: This is the process of numerically analyzing the effect of identified risks on overall project objectives.
C: This is the process of determining which risks may affect the project and documenting their characteristics.
D: This is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
QUESTION 165
Which of the following documents is described in the statement below?
"It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."
A. Quality management plan
B. Risk management plan
C. Risk register
D. Project charter
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
Risk register is a document that contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. Risk register is developed along with all processes of the risk management from Plan Risk Management through Monitor and Control Risks.
Incorrect Answers:
A: The quality management plan is a component of the project management plan. It describes how the project team will implement the organization's quality policy. The quality management plan addresses quality control (QC), quality assurance (QA), and continuous process improvement for the project. Based on the requirement of the project, the quality management plan may be formal or informal, highly detailed or broadly framed.
B: Risk management plan includes roles and responsibilities, risk analysis definitions, timing for reviews, and risk threshold. The Plan Risk Responses process takes input from risk management plan and risk register to define the risk response.
D: The project charter is the document that formally authorizes a project. The project charter provides the project manager with the authority to apply organizational resources to project activities.
QUESTION 166
You have identified several risks in your project. You have opted for risk mitigation in order to respond to identified risk. Which of the following ensures that risk mitigation method that you have chosen is effective?
A. Reduction in the frequency of a threat
B. Minimization of inherent risk
C. Reduction in the impact of a threat
D. Minimization of residual risk
Correct Answer: B Section: Volume C Explanation
Explanation/Reference:
Explanation:
The inherent risk of a process is a given and cannot be affected by risk reduction or risk mitigation efforts. Hence it should be reduced as far as possible.
Incorrect Answers:
A: Risk reduction efforts can focus on either avoiding the frequency of the risk or reducing the impact of a risk.
C: Risk reduction efforts can focus on either avoiding the frequency of the risk or reducing the impact of a risk.
D: The objective of risk reduction is to reduce the residual risk to levels below the enterprise's risk tolerance level.
QUESTION 167
You are working in an enterprise. Your enterprise owns various risks. Which among the following is MOST likely to own the risk to an information system that supports a critical business process?
A. System users
B. Senior management
C. IT director
D. Risk management department
Correct Answer: B Section: Volume C Explanation
Explanation/Reference:
Explanation:
Senior management is responsible for the acceptance and mitigation of all risk. Hence they will also own the risk to an information system that supports a critical business process.
Incorrect Answers:
A: The system users are responsible for utilizing the system properly and following procedures, but they do not own the risk.
C: The IT director manages the IT systems on behalf of the business owners.
D: The risk management department determines and reports on level of risk, but does not own the risk. Risk is owned by senior management.
QUESTION 168
Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?
A. Configuration management
B. Scope change control
C. Risk monitoring and control
D. Integrated change control
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
Integrated change control is the component that is responsible for reviewing all aspects of a change's impact on a project - including risks that may be introduced by the new change.
Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the effect of a proposed change on the entire project.
Incorrect Answers:
A: Configuration management controls and documents changes to the features and functions of the product scope.
B: Scope change control focuses on the processes to allow changes to enter the project scope.
C: Risk monitoring and control is not part of the change control system, so this choice is not valid.
QUESTION 169
Which of the following are true for threats?
Each correct answer represents a complete solution. Choose three.
A. They can become more imminent as time goes by, or it can diminish
B. They can result in risks from external sources
C. They are possibility
D. They are real
E. They will arise and stay in place until they are properly dealt with.
Correct Answer: ABD Section: Volume C Explanation
Explanation/Reference:
Explanation:
A threat is an act of coercion wherein an act is proposed to elicit a negative response. Threats are real, while vulnerabilities are a possibility. They can result in risks from external sources, and can become more imminent over time or can diminish.
Incorrect Answers:
C, E: These two are true for a vulnerability, but not a threat. Unlike a threat, vulnerabilities are a possibility and can result in risks from internal sources. They will arise and stay in place until they are properly dealt with.
QUESTION 170
Which of the following statements BEST describes policy?
A. A minimum threshold of information security controls that must be implemented
B. A checklist of steps that must be completed to ensure information security
C. An overall statement of information security scope and direction
D. A technology-dependent statement of best practices
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
A policy is an executive mandate which helps in identifying a topic that contains particular risks to avoid or prevent. Policies are high-level documents signed by a person of high authority with the power to force cooperation. The policy is a simple document stating that a particular high-level control objective is important to the organization's success. Policies are usually only one page in length. The authority of the person mandating a policy will determine the scope of implementation.
Hence in other words, policy is an overall statement of information security scope and direction.
Incorrect Answers:
A, B, D: These are not the valid definitions of the policy.
QUESTION 171
When it appears that a project risk is going to happen, what is this term called?
A. Issue
B. Contingency response
C. Trigger
D. Threshold
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
A trigger is a warning sign or a condition that a risk event is likely to occur within the project.
Incorrect Answers:
A: Issues are events that come about as a result of risk events. Risks become issues only after they have actually occurred.
B: A contingency response is a pre-planned response for a risk event, such as a rollback plan.
D: A threshold is a limit that the risk passes to actually become an issue in the project.
QUESTION 172
Which of the following will significantly affect the standard information security governance model?
A. Currency with changing legislative requirements
B. Number of employees
C. Complexity of the organizational structure
D. Cultural differences between physical locations
Correct Answer: C Section: Volume C Explanation
Explanation/Reference:
Explanation:
Complexity of the organizational structure will have the most significant impact on the information security governance model. Some of the elements that impact organizational structure are multiple business units and functions across the organization.
Incorrect Answers:
A: Currency with changing legislative requirements should not have a major impact once good governance models are in place; governance will help in the effective management of the organization's ongoing compliance.
B, D: The number of employees and the distance between physical locations have less impact on information security models, as well-defined process, technology and people components together provide the proper governance.
QUESTION 173
You are the project manager of the AFD project for your company. You are working with the project team to reassess existing risk events and to identify risk events that have not happened and whose relevancy to the project has passed. What should you do with these events that have not happened and would not happen now in the project?
A. Add the risk to the issues log
B. Close the outdated risks
C. Add the risks to the risk register
D. Add the risks to a low-priority watch-list
Correct Answer: B Section: Volume C Explanation
Explanation/Reference:
Explanation:
Risks that are now outdated should be closed by the project manager; there is no need to keep a record of them.
Incorrect Answers:
A: Risks do not go into the issue log, but the risk register.
C: Identified risks are already in the risk register.
D: Risks with low probability and low impact go on the risk watchlist.
QUESTION 174
What activity should be done for effective post-implementation reviews during the project?
A. Establish the business measurements up front
B. Allow a sufficient number of business cycles to be executed in the new system
C. Identify the information collected during each stage of the project
D. Identify the information to be reviewed
Correct Answer: A Section: Volume C Explanation
Explanation/Reference:
Explanation:
For an effective post-implementation review, the business measurements are established up front, during the project.
Incorrect Answers:
B: Executing a sufficient number of business cycles in the new system is done after the completion of the project.
C, D: Identifying the information to be reviewed and the information collected during each stage of the project is done in the pre-project phase, not during the project, for an effective post-implementation review.
QUESTION 175
You are the project manager of the GHT project. You identified a risk of noncompliance with regulations due to a number of relatively simple procedures being missing.
The response requires creating the missing procedures and implementing them. In which of the following risk response prioritization should this case be categorized?
A. Business case to be made
B. Quick win
C. Risk avoidance
D. Deferrals
Correct Answer: B Section: Volume C Explanation
Explanation/Reference:
Explanation:
This is categorized as a "quick win" because the allocation of existing resources or a minor resource investment provides measurable benefits. A quick win is a very effective and efficient response that addresses medium to high risk.
Incorrect Answers:
A: "Business case to be made" requires careful analysis and management decisions on investments that are more expensive or difficult risk responses to medium to high risk. In this scenario there is only a minor investment, which is why it is not "business case to be made".
C: Risk avoidance is a type of risk response and not a risk response prioritization option.
D: Deferral addresses a costly risk response to a low risk, and hence it is not used in this specified scenario.
QUESTION 176
What are the PRIMARY objectives of a control?
A. Detect, recover, and attack
B. Prevent, respond, and log
C. Prevent, control, and attack
D. Prevent, recover, and detect
Correct Answer: D Section: Volume C Explanation
Explanation/Reference:
Explanation:
Controls are the policies, procedures, practices and guidelines designed to provide appropriate assurance that business objectives are achieved and undesired events are detected, prevented, and corrected. Controls, or countermeasures, will reduce or neutralize threats or vulnerabilities.
Controls have three primary objectives:
Prevent
Recover
Detect
Incorrect Answers:
A, B, C: One or more objectives stated in these choices is not a correct objective of a control.
QUESTION 177
Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?
A. Background checks
B. Awareness training
C. User access
D. Policy management
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
QUESTION 178
You are the project manager of the GHY project for your company. This project has a budget of $543,000 and is expected to last 18 months. In this project, you have identified several risk events and created risk response plans. In what project management process group will you implement risk response plans?
A. Monitoring and Controlling
B. In any process group where the risk event resides
C. Planning
D. Executing
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
Explanation:
The monitor and control project risk process resides in the monitoring and controlling project management process group. This process is responsible for implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness throughout the project.
Incorrect Answers:
B: Risk response plans are implemented as part of the monitoring and controlling process group.
C: Risk response plans are not implemented as part of project planning.
D: Risk response plans are not implemented as part of project execution.
QUESTION 179
During which of the following processes is the probability and impact matrix prepared?
A. Risk response
B. Monitoring and Control Risk
C. Quantitative risk assessment
D. Qualitative risk assessment
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
The probability and impact matrix is a technique to prioritize the identified risks of the project based on their risk rating, and it is prepared while performing qualitative risk analysis. Evaluation of each risk's importance and, hence, priority for attention, is typically conducted using a look-up table or a probability and impact matrix. This matrix specifies combinations of probability and impact that lead to rating the risks as low, moderate, or high priority.
Incorrect Answers:
A, B: These processes are part of Risk Management. The probability and impact matrix is prepared during the qualitative risk analysis for further quantitative analysis and response based on their risk rating.
C: SLE, ARO and ALE are used in quantitative risk assessment.
QUESTION 180
Your project has several risks that may cause serious financial impact if they occur. You have studied the risk events and made some potential risk responses for the risk events but management wants you to do more. They'd like you to create some type of a chart that identified the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?
A. Risk response plan
B. Contingency reserve
C. Risk response
D. Quantitative analysis
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
Explanation:
This chart is a probability-impact matrix in a quantitative analysis process. The probability and financial impact of each risk is learned through research, testing, and subject matter experts. The probability of the event is multiplied by the financial impact to create a risk event value for each risk. The sum of the risk event values will lead to the contingency reserve for the project.
Incorrect Answers:
A: The risk response plan is based on the risk responses, not the risk probability-impact matrix.
C: The risk responses are needed but this chart doesn't help the project manager to create them.
D: This chart is created as part of quantitative analysis.
QUESTION 181
Which of the following are parts of SWOT Analysis?
Each correct answer represents a complete solution. (Choose four.)
A. Weaknesses
B. Tools
C. Threats
D. Opportunities
E. Strengths
Correct Answer: ACDE Section: Volume D Explanation
Explanation/Reference:
Explanation:
SWOT analysis is a strategic planning method used to evaluate the Strengths, Weaknesses, Opportunities, and Threats involved in a project or in a business venture. It involves specifying the objective of the business venture or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective. The technique is credited to Albert Humphrey, who led a research project at Stanford University in the 1960s and 1970s using data from Fortune 500 companies.
Incorrect Answers:
B: Tools are not the parts of SWOT analysis.
QUESTION 182
You are working in an enterprise. Assuming that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is being provided by the lack of any significant differences between perpetual levels and actual levels?
A. Direct information
B. Indirect information
C. Risk management plan
D. Risk audit information
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
Explanation:
The lack of any significant differences between perpetual levels and actual levels provides indirect information that its billing controls are operating. It does not provide any direct information.
Incorrect Answers:
A: It does not provide direct information as there is no information about the propriety of cutoff.
C, D: These are not the types of information.
QUESTION 183
In which of the following risk management capability maturity levels does the enterprise take major business decisions considering the probability of loss and the probability of reward?
Each correct answer represents a complete solution. Choose two.
A. Level 0
B. Level 2
C. Level 5
D. Level 4
Correct Answer: CD Section: Volume D Explanation
Explanation/Reference:
Explanation:
An enterprise at risk management capability maturity level 4 or 5 takes business decisions considering the probability of loss and the probability of reward, i.e., considering all the aspects of risk.
Incorrect Answers:
A: An enterprise at risk management capability maturity level 0 takes business decisions without considering risk credential information.
B: At this low level of risk management capability the enterprise takes decisions considering specific risk issues within functional and business silos (e.g., security, business continuity, operations).
QUESTION 184
Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?
A. So that the project team can develop a sense of ownership for the risks and associated risk responsibilities.
B. So that the project manager can identify the risk owners for the risks within the project and the needed risk responses.
C. So that the project manager isn't the only person identifying the risk events within the project.
D. So that the project team and the project manager can work together to assign risk ownership.
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
Explanation:
The best answer to include the project team members is that they'll need to develop a sense of ownership for the risks and associated risk responsibilities.
Incorrect Answers:
B: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership and risk responses at this point.
C: While the project manager shouldn't be the only person to identify the risk events, this isn't the best answer.
D: The reason to include the project team is that the project team needs to develop a sense of ownership for the risks and associated risk responsibilities, not to assign risk ownership.
QUESTION 185
Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.?
A. Framework
B. Legal requirements
C. Standard
D. Practices
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
Explanation:
A standard establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc. Standards are usually intended for compliance purposes and to provide assurance to others who interact with a process or the outputs of a process.
Incorrect Answers:
A: Frameworks are generally accepted, business-process-oriented structures that establish a common language and enable repeatable business processes.
B: These are legal rules under which the project has to operate.
D: Practices are frequent or usual actions performed as an application of knowledge. A leading practice would be defined as an action that optimally applies knowledge in a particular area. They are issued by a "recognized authority" that is appropriate to the subject matter. Issuing bodies may include professional associations and academic institutions or commercial entities such as software vendors. They are generally based on a combination of research, expert insight and peer review.
QUESTION 186
You are the project manager of your enterprise. While performing risk management, you are given a task to identify where your enterprise stands in certain practice and also to suggest the priorities for improvements. Which of the following models would you use to accomplish this task?
A. Capability maturity model
B. Decision tree model
C. Fishbone model
D. Simulation tree model
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
Explanation:
Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level (having nonexistent or unstructured processes) to the most mature (having adopted and optimized the use of good practices).
The levels within a capability maturity model are designed to allow an enterprise to identify descriptions of its current and possible future states. In general, the purpose is to:
Identify where enterprises are in relation to certain activities or practices.
Suggest how to set priorities for improvements.
Incorrect Answers:
D: No such model exists in the risk management process.
B: Decision tree analysis is a risk analysis tool that can help the project manager in determining the best risk response. The tool can be used to measure probability, impact, and risk exposure and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced image of the risks and opportunities connected with each possible course of action. This makes them mostly useful for choosing between different strategies, projects, or investment opportunities particularly when the resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
C: Fishbone diagrams or Ishikawa diagrams show the relationships between the causes and effects of problems.
QUESTION 187
You are the risk official in Techmart Inc. You are asked to perform risk assessment on the impact of losing a server. For this assessment you need to calculate monetary value of the server. On which of the following bases do you calculate monetary value?
A. Cost to obtain replacement
B. Original cost to acquire
C. Annual loss expectancy
D. Cost of software stored
Correct Answer: A Section: Volume D Explanation
Explanation/Reference:
Explanation:
The monetary value of the server should be based on the cost of its replacement. However, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise.
Incorrect Answers:
B, C, D: The cost of software is not counted because it can be restored from the backup media. On the other hand, the ALE for all risks related to the server does not represent the server's value. Lastly, the original cost may be significantly different from the current cost and, therefore, is not relevant here.
QUESTION 188
John is the project manager of the NHQ Project for his company. His project has 75 stakeholders, some of which are external to the organization. John needs to make certain that he communicates about risk in the most appropriate method for the external stakeholders. Which project management plan will be the best guide for John to communicate to the external stakeholders?
A. Risk Response Plan
B. Communications Management Plan
C. Project Management Plan
D. Risk Management Plan
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
Explanation:
The Communications Management Plan will direct John on the information to be communicated, when to communicate, and how to communicate with external stakeholders.
The Communications Management Plan aims to define the communication necessities for the project and how the information will be circulated. The Communications Management Plan sets the communication structure for the project. This structure provides guidance for communication throughout the project's life and is updated as communication needs change. The Communications Management Plan identifies and defines the roles of persons concerned with the project. It includes a matrix known as the communication matrix to map the communication requirements of the project.
Incorrect Answers:
A: The Risk Response Plan identifies how risks will be responded to.
C: The Project Management Plan is the parent of all subsidiary management plans, and it is not the most accurate choice for this question.
D: The Risk Management Plan defines how risks will be identified, analyzed, responded to, and controlled throughout the project.
QUESTION 189
Adrian is a project manager for a new project using a technology that has recently been released and there's relatively little information about the technology. Initial testing of the technology makes the use of it look promising, but there's still uncertainty as to the longevity and reliability of the technology. Adrian wants to consider the technology factors a risk for her project. Where should she document the risks associated with this technology so she can track the risk status and responses?
A. Project scope statement
B. Project charter
C. Risk low-level watch list
D. Risk register
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly used in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains:
A description of the risk
The impact should this event actually occur
The probability of its occurrence
Risk Score (the multiplication of Probability and Impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
It records the initial risks, the potential responses, and tracks the status of each identified risk in the project.
Incorrect Answers:
A: The project scope statement does document initially defined risks, but it is not a place that will record risk responses and the status of risks.
B: The project charter does not define risks.
C: The risk low-level watch list is for identified risks that have low impact and low probability in the project.
QUESTION 190
You are the administrator of your enterprise. Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
A. Monitoring and recording unsuccessful logon attempts
B. Forcing periodic password changes
C. Using a challenge response system
D. Providing access on a need-to-know basis
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
Physical or logical system access should be assigned on a need-to-know basis, where there is a legitimate business requirement based on least privilege and segregation of duties. This is done by user authentication.
Incorrect Answers:
A: Monitoring and recording unsuccessful logon attempts does not address the risk of inappropriately assigned access rights. In other words, it does not prevent unauthorized access.
B: Forcing users to change their passwords does not ensure that access control is appropriately assigned.
C: A challenge-response system is used to verify the user's identity, but it does not completely address the issue of access risk if access was not appropriately designed in the first place.
QUESTION 191
You are the project manager of the GHT project. You have identified a risk event on your current project that could save $670,000 in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event?
A. This risk event should be accepted because the rewards outweigh the threat to the project.
B. This risk event should be mitigated to take advantage of the savings.
C. This risk event is an opportunity to the project and should be exploited.
D. This is a risk event that should be shared to take full advantage of the potential savings.
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
This risk event has the potential to save money on project costs, and the organization is hiring a vendor to assure that all of these savings are realized. Hence this risk event involves sharing with a third party to help assure that the opportunity takes place.
Incorrect Answers:
A: This risk event is not accepted, as the event has the potential to save money and is shared with a vendor so that all of these savings are realized.
B: A risk event is mitigated when it has negative impacts. Here the consequences are positive (i.e., savings), therefore it is not mitigated.
C: This risk event could be exploited, but in this scenario it is stated that the organization is hiring a vendor; therefore the event is being shared, not exploited.
QUESTION 192
Which of the following interpersonal skills has been identified as one of the biggest reasons for project success or failure?
A. Motivation
B. Influencing
C. Communication
D. Political and cultural awareness
Correct Answer: C Section: Volume D Explanation
Explanation/Reference:
Explanation:
Communication has been identified as one of the biggest reasons why projects succeed or fail. Effective communication is essential for good project management.
Communication is a process in which information is passed from one person to another. A manager asks his subordinates to accomplish the task assigned to them. He should successfully pass the information to his subordinates. It is a means of motivating and guiding the employees of an enterprise.
Incorrect Answers:
A: Motivation is an important interpersonal skill, but it is not the best answer.
B: Influencing the project stakeholders is a needed interpersonal skill, but it is not the best answer.
D: Political and cultural awareness is an important part of every project, but it is not the best answer for this question.
QUESTION 193
You are the project manager of the GHY project for your organization. You are working with your project team to begin identifying risks for the project. As part of your preparation for identifying the risks within the project you will need eleven inputs for the process. Which one of the following is NOT an input to the risk identification process?
A. Quality management plan
B. Stakeholder register
C. Cost management plan
D. Procurement management plan
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
The procurement management plan is not one of the eleven inputs for the risk identification process. The eleven inputs to this process are:
risk management plan
activity cost estimates
activity duration estimates
scope baseline
stakeholder register
cost management plan
schedule management plan
quality management plan
project documents
enterprise environmental factors
organizational process assets.
QUESTION 194
How are the potential choices of risk-based decisions represented in decision tree analysis?
A. End node
B. Root node
C. Event node
D. Decision node
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
The potential choices of risk-based decisions are represented in decision tree analysis via the decision node, as decision nodes refer to the available choices.
Incorrect Answers:
A: End nodes are the final outcomes of the entire decision tree framework, especially in multilayered decision-making situations.
B: Root nodes represent the start of a decision tree.
C: Event nodes represent the possible uncertain outcomes of the decision, not the available choices.
QUESTION 195
You are the project manager of the HFD project. You have identified several project risks. You have adopted alternatives to deal with these risks which do not attempt to reduce the probability of a risk event or its impacts. Which of the following responses have you implemented?
A. Acceptance
B. Mitigation
C. Avoidance
D. Contingent response
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike the mitigation planning in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
Incorrect Answers:
A: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.
Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. The main control types are:
Managerial (e.g., policies)
Technical (e.g., tools such as firewalls and intrusion detection systems)
Operational (e.g., procedures, separation of duties)
Preparedness activities
C: Risk avoidance means to evade risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.
QUESTION 196
In which of the following risk management capability maturity levels are risk appetite and tolerance applied only during episodic risk assessments?
A. Level 3
B. Level 2
C. Level 4
D. Level 1
Correct Answer: D Section: Volume D Explanation
Explanation/Reference:
Explanation:
An enterprise's risk management capability maturity level is 1 when:
There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
Any risk identification criteria vary widely across the enterprise.
Risk appetite and tolerance are applied only during episodic risk assessments.
Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
Risk management skills exist on an ad hoc basis, but are not actively developed.
Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.
Incorrect Answers:
A: In level 3 of risk management capability maturity model, local tolerances drive the enterprise risk tolerance.
B: In level 2 of risk management capability maturity model, risk tolerance is set locally and may be difficult to aggregate.
C: In level 4 of the risk management capability maturity model, business risk tolerance is reflected by enterprise policies and standards.
QUESTION 197
You are the project manager of the HJT project. Important confidential files of your project are stored on a computer. With unauthorized access to this computer in mind, you have placed a hidden CCTV camera in the room, in addition to password protection. Which kind of control is CCTV?
A. Technical control
B. Physical control
C. Administrative control
D. Management control
Correct Answer: B Section: Volume D Explanation
Explanation/Reference:
Explanation:
CCTV is a physical control.
Physical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls. This section presents the following examples of physical controls:
Locked doors, guards, access logs, and closed-circuit television
Fire detection and suppression
Temperature and humidity detection
Electrical grounding and circuit breakers
Water detection
Incorrect Answers:
A, C, D: CCTV is a physical control.
Certified in Risk and Information Systems Control CRISC Questions + Answers Part 5