CRISC exam questions for practice in 2021 Updated 930 Questions
Who should take the CRISC exam
The ISACA Certified in Risk and Information Systems Control (CRISC) certification is an internationally recognized credential that identifies its holders as skilled in IT risk identification and information systems control. A candidate who wants significant career growth needs enhanced knowledge and skills, and the CRISC certification provides proof of that advanced knowledge. A candidate who already has the knowledge and experience required to pass the CRISC exam should take it.
ISACA CRISC Practice Test Questions
It is well established that certified IT professionals have more career potential than their non-certified counterparts. If you are looking to get certified, ISACA CRISC is an industry-recognized option that validates your knowledge and experience in enterprise risk management. The Certified in Risk and Information Systems Control (CRISC) certification demonstrates expertise in identifying and managing corporate IT risks and in implementing and maintaining information systems controls.
NEW QUESTION 219
You are the project manager for the TTP project. You are in the Identify Risks process and have to create the risk register. Which of the following are included in the risk register?
Each correct answer represents a complete solution. Choose two.
- A. List of key stakeholders
- B. List of identified risks
- C. List of mitigation techniques
- D. List of potential responses
Answer: B,D
Explanation:
At the end of the Identify Risks process the risk register primarily contains the following:
List of identified risks: A reasonable description of each identified risk is noted in the risk register. The description includes the event, cause, effect, and impact of the risk. In addition to the list of identified risks, the root causes of those risks may appear in the risk register.
List of potential responses: Potential responses to a risk may be identified during the Identify Risks process. These responses are useful as inputs to the Plan Risk Responses process.
Incorrect Answers:
A: A list of key stakeholders belongs in the stakeholder register, not the risk register.
A risk register is an inventory of risks and the exposure associated with them. It is a standard project management artifact and provides the information needed to identify, analyze, and manage risks. Once later risk processes have run, a risk register typically contains:
A description of the risk
The impact should this event actually occur
The probability of its occurrence
Risk Score (the multiplication of Probability and Impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
C: The risk register does contain a summary of mitigation, but only after risk responses have been planned. In this scenario you are in the Identify Risks process, so mitigation techniques cannot be documented yet.
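The register fields listed above, as an added worked example that is not part of the original question bank: a minimal risk register that holds the description, probability, impact and potential responses captured at Identify Risks, leaves the planned response and mitigation empty until Plan Risk Responses, computes Risk Score as Probability x Impact, and ranks entries highest score first. The 1-5 scales, the High/Medium/Low thresholds and the sample risks are assumptions chosen for illustration.

```python
"""Added example (not from the original page): a minimal risk register that
captures the fields listed above and ranks entries by Risk Score
(Probability x Impact). Scales, thresholds and sample risks are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    probability: int   # assumed 5-point scale: 1 (rare) .. 5 (almost certain)
    impact: int        # assumed 5-point scale: 1 (negligible) .. 5 (severe)
    # Captured during Identify Risks (output of that process)
    potential_responses: List[str] = field(default_factory=list)
    # Only filled in later, during Plan Risk Responses
    planned_response: Optional[str] = None
    mitigation: Optional[str] = None

    def __post_init__(self):
        # Reject out-of-scale values so a typo cannot silently inflate a score
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        """Risk Score = Probability x Impact, as defined in the text above."""
        return self.probability * self.impact


def rating(score: int) -> str:
    """Qualitative band for reporting; thresholds are an assumption."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_register(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest score first; ties broken by impact, then id, so that
    severe-impact risks surface ahead of frequent-but-minor ones."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.risk_id))


def register_report(register: List[RiskEntry]):
    """Rows of (rank, risk_id, score, rating) in priority order."""
    return [(i + 1, r.risk_id, r.score, rating(r.score))
            for i, r in enumerate(rank_register(register))]


def identification_stage_complete(register: List[RiskEntry]) -> bool:
    """True when every entry still has only Identify Risks content, i.e. no
    planned response or mitigation has been recorded yet."""
    return all(r.planned_response is None and r.mitigation is None for r in register)


# Constructed sample register for the TTP project in the question (not real data)
SAMPLE_REGISTER = [
    RiskEntry("R1", "Key vendor misses delivery", 3, 4,
              potential_responses=["Identify a second-source vendor", "Add schedule buffer"]),
    RiskEntry("R2", "Production data exposed in test environment", 2, 5,
              potential_responses=["Mask data before copying", "Restrict test-env access"]),
    RiskEntry("R3", "Staff turnover on core team", 3, 2,
              potential_responses=["Cross-train", "Retention plan"]),
    RiskEntry("R4", "Unpatched web server compromised", 4, 5,
              potential_responses=["Patch SLA", "WAF in front of the server"]),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

Running the block prints R4 (score 20, High) first and R3 (score 6, Low) last; `identification_stage_complete` returns True for the sample because no planned response or mitigation has been entered, which is exactly why option C is wrong at this stage.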
NEW QUESTION 220
Which of the following should be a risk practitioner's NEXT step upon learning the organization is not in compliance with a specific legal regulation?
- A. Notify senior compliance executives of the associated risk.
- B. Assess the likelihood and magnitude of the associated risk.
- C. Determine the penalties for lack of compliance.
- D. Identify mitigation activities and compensating controls.
Answer: B
Explanation:
Section: Volume D
NEW QUESTION 221
When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?
- A. Potential losses compared to treatment cost
- B. A list of assets exposed to the highest risk
- C. Risk action plans and associated owners
- D. Recent audit and self-assessment results
Answer: A
NEW QUESTION 222
Suppose you are working at Techmart Inc., which sells various products through its website. Because of recent losses, you are trying to identify the most important risks to the website. Based on feedback from several experts, you have come up with a list and now want to prioritize these risks. In which category would you put the risk of the website being modified by unauthorized parties?
- A. Ping Flooding Attack
- B. Web defacing
- C. Denial of service attack
- D. FTP Bounce Attack
Answer: B
Explanation:
Section: Volume B
Website defacing is an attack in which an unauthorized party changes the visual appearance of a site or a web page. Defacements are typically the work of intruders who break into a web server and replace the hosted content with their own.
Incorrect Answers:
A: Ping flooding sends thousands or millions of ICMP echo requests per second to a target, consuming its bandwidth and CPU until the system slows or the site becomes unreachable. It affects availability, not content.
C: A denial-of-service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. One common method saturates the target machine with external communication requests so that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable.
D: The FTP bounce attack abuses the FTP PORT command to make an FTP server open a data connection to a third host, which lets an attacker scan or reach internal systems behind a firewall; one variant uploads a file to the FTP server and has the server deliver it to an internal host. It is a connectivity bypass, not a modification of the website.
NEW QUESTION 223
A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:
- A. map findings to objectives.
- B. recommend risk tolerance thresholds.
- C. provide a quantified detailed analysis.
- D. quantify key risk indicators (KRIs).
Answer: A
NEW QUESTION 224
Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?
- A. Poor access control
- B. Data inconsistency
- C. Unnecessary costs of program changes
- D. Unnecessary data storage usage
Answer: B
NEW QUESTION 225
Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective?
- A. Changes are put into production without management approval.
- B. Internal audit identifies recurring exceptions.
- C. A security breach occurs.
- D. A sample is used to validate the action plan.
Answer: B
Explanation:
Section: Volume D
NEW QUESTION 226
Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be certified by CEO and CFO"?
- A. Section 203
- B. Section 404
- C. Section 409
- D. Section 302
Answer: D
Explanation:
Section 302 of the Sarbanes-Oxley Act (corporate responsibility for financial reports) requires the CEO and CFO, as principal executive and financial officers, to certify each periodic financial report.
Incorrect Answers:
A: Section 203 requires audit partners and review partners to rotate off an engagement every five years.
B: Section 404 makes management responsible for an annual assessment of internal controls over financial reporting.
C: Section 409 requires material changes in financial condition or operations to be disclosed on a rapid and current basis.
NEW QUESTION 227
A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?
- A. Key risk indicators (KRIs)
- B. Centralized risk register
- C. Aggregated key performance indicators (KPIs)
- D. Risk heat map
Answer: D
NEW QUESTION 228
To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?
- A. business owner
- B. IT department
- C. Risk manager
- D. Third-party provider
Answer: A
NEW QUESTION 229
When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?
- A. Unclear organizational risk appetite
- B. Lack of senior management participation
- C. Use of highly customized control frameworks
- D. Reliance on qualitative analysis methods
Answer: A
NEW QUESTION 230
The MAIN purpose of having a documented risk profile is to:
- A. enable well-informed decision making.
- B. keep the risk register up-to-date.
- C. comply with external and internal requirements.
- D. prioritize investment projects.
Answer: A
Explanation:
Section: Volume D
NEW QUESTION 231
There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to quantitative risk analysis process?
- A. Risk register
- B. Cost management plan
- C. Enterprise environmental factors
- D. Risk management plan
Answer: C
Explanation:
Enterprise environmental factors are not an input to the quantitative risk analysis process. The five inputs to the Perform Quantitative Risk Analysis process are: risk register, risk management plan, cost management plan, schedule management plan, and organizational process assets.
Incorrect Answers:
A, B, D: These are valid inputs to the Perform Quantitative Risk Analysis process.
NEW QUESTION 232
If one says that the particular control or monitoring tool is sustainable, then it refers to what ability?
- A. The ability to be applied in same manner throughout the organization
- B. The ability to protect itself from exploitation or attack
- C. The ability to adapt as new elements are added to the environment
- D. The ability to ensure the control remains in place when it fails
Answer: C
Explanation:
Section: Volume D
Sustainability of a control or monitoring tool refers to its ability to keep functioning as expected over time and as changes are made to the environment, for example when new systems or elements are added.
Incorrect Answers:
A: Applying a control in the same manner throughout the organization describes consistency, not sustainability.
B: Protecting itself from exploitation or attack describes the control's own resilience, not its sustainability.
D: A control that has failed is no longer in place; this is not a valid definition of sustainability.
NEW QUESTION 233
A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (PII). Which of the following will be the MOST likely outcome for an organization affected by the new law?
- A. Increase in residual risk
- B. Increase in loss event impact
- C. Increase in compliance breaches
- D. Increase in customer complaints
Answer: B
NEW QUESTION 234
Within the three lines of defense model, the accountability for the system of internal control resides with:
- A. the board of directors
- B. the risk practitioner
- C. the chief information officer (CIO).
- D. enterprise risk management
Answer: A
NEW QUESTION 235
Which of the following MOST effectively limits the impact of a ransomware attack?
- A. End user training
- B. Data backups
- C. Cryptocurrency reserve
- D. Cyber insurance
Answer: B
Explanation:
Data backups limit the impact of a ransomware attack because encrypted data can be restored without paying the ransom. End user training reduces the likelihood of infection rather than its impact, and cyber insurance or a cryptocurrency reserve only funds or transfers the loss after it has occurred.
NEW QUESTION 236
The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner's BEST recommendation?
- A. Implement version control software
- B. Perform a root cause analysis
- C. Perform a code review
- D. Implement training on coding best practices
Answer: B
Explanation:
Section: Volume D
A root cause analysis establishes why rework is exceeding the threshold before a remedy such as code review, version control, or training is selected; recommending a specific fix first risks treating a symptom.
NEW QUESTION 237
Which of the following is NOT true for risk governance?
- A. Risk governance is a systemic approach to decision-making processes associated with natural and technological risks.
- B. Risk governance requires reporting once a year.
- C. Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy.
- D. Risk governance is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management.
Answer: B
Explanation:
Section: Volume B
Explanation:
Risk governance is a continuous life cycle that requires regular reporting and ongoing review, not once a year.
Incorrect Answers:
A, C, D: These are true for risk governance.
NEW QUESTION 238
An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?
- A. Cost-benefit analysis
- B. Audit findings
- C. Expected losses
- D. Organizational threats
Answer: A
Explanation:
Section: Volume D
NEW QUESTION 239
An organization maintains independent departmental risk registers that are not automatically aggregated. Which of the following is the GREATEST concern?
- A. Resources may be inefficiently allocated.
- B. Multiple risk treatment efforts may be initiated to treat a given risk.
- C. The same risk factor may be identified in multiple areas.
- D. Management may be unable to accurately evaluate the risk profile.
Answer: D
NEW QUESTION 240
A risk practitioner is assisting with the preparation of a report on the organization's disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?
- A. The percentage of systems meeting recovery target times has increased
- B. The number of systems tested in the last year has increased
- C. The percentage of systems with long recovery target times has decreased
- D. The number of systems requiring a recovery plan has increased
Answer: D
Explanation:
Section: Volume D
NEW QUESTION 241
......
Information Technology Risk Assessment: 28%
- Review risk scenarios against predetermined organizational criteria to determine the likelihood and impact of identified risks;
- Analyze the outcomes of risk and control assessments to evaluate gaps between the current and desired states of the IT risk environment;
- Ensure that risk ownership is assigned at the appropriate level to establish accountability;
- Establish the current state of existing controls and evaluate their effectiveness in mitigating IT risk;
- Communicate the results of risk assessments to relevant stakeholders and senior management to enable risk-based decision making;
- Update the risk register in line with the results of the risk assessment.