Saturday, December 9, 2023

CRISC EXAM PREPARATIONS - 150 QUESTIONS AND ANSWER PRACTICE

ISACA CRISC EXAM PREPARATIONS - 150 QUESTIONS AND ANSWER PRACTICE

BY MR. HERY PURNAMA , SE.,MM.
CISA, CISM, CRISC, CDPSE, CISSP, PMP, CDMP, CTFL, COBIT, TOGAF
+62-81223344-506



1. Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

      Unclear reporting relationships

      Weak governance structures

      Senior management scrutiny

      Complex regulatory environment


2. You are working in an enterprise. Your enterprise is willing to accept a certain amount of risk. What is this risk called?

      Hedging

      Aversion

      Appetite

      Tolerance


3. Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

      Gather scenarios from senior management

      Derive scenarios from IT risk policies and standards

      Benchmark scenarios against industry peers

      Map scenarios to a recognized risk management framework


4. You are using an information system. You have chosen a poor password and also sometimes transmit data over unprotected communication lines. What are this poor-quality password and unsafe transmission referred to as?

      Probabilities

      Threats

      Vulnerabilities

      Impacts


5. Out of several risk responses, which of the following risk responses is used for negative risk events?

      Share

      Enhance

      Exploit

      Accept


6. For which of the following risk management capability maturity levels is the statement given below true? "Real-time monitoring of risk events and control exceptions exists, as does automation of policy management"

      Level 3

      Level

      Level 5

      Level 2


7. Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

      Enabling risk-based decision making

      Increasing process control efficiencies

      Better understanding of the risk appetite

      Improving audit results


8. Which of the following documents is described in the statement below? "It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."

      Risk management plan

      Project charter

      Risk register

      Quality management plan


9. Frank is the project manager of the NHQ project for his company. Frank is working with the project team, key stakeholders, and several subject matter experts on risks dealing with the new materials in the project. Frank wants to utilize a risk analysis method that will help the team to make decisions in the presence of the current uncertainty surrounding the new materials. Which risk analysis approach can Frank use to create an approach to make decisions in the presence of uncertainty?

      Monte Carlo Technique

      Qualitative risk analysis process

      Quantitative risk analysis process

      Delphi Technique


10. Which of the following is MOST important to update when an organization's risk appetite changes?

      Key risk indicators (KRIs)

      Risk taxonomy

      Key performance indicators (KPIs)

      Risk reporting methodology


11. One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?

      Acceptance

      Transference

      Enhance

      Mitigation


12. Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are Frank and the NHH Project team creating in this scenario?

      Resource management plan

      Project plan

      Project management plan

      Risk management plan


13. Wendy has identified a risk event in her project that has an impact of $75, and a 6 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15, with only a ten percent chance of occurring. The proposed solution will cost $25,. Wendy agrees to the $25, solution. What type of risk response is this?

      Mitigation

      Avoidance

      Transference

      Enhancing


14. Mary is the project manager for the BLB project. She has instructed the project team to assemble to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?

      Mary will schedule when the identified risks are likely to happen and affect the project schedule.

      Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.

      Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project.

      Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule.


15. Ben is the project manager of the CMH Project for his organization. He has identified a risk that has a low probability of happening, but the impact of the risk event could save the project and the organization a significant amount of capital. Ben assigns Laura to the risk event and instructs her to research the time, cost, and method to improve the probability of the positive risk event. Ben then communicates the risk event and response to management. What risk response has been used here?

      Sharing

      Transference

      Enhance

      Exploit


16. During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?

      Authentication

      Identification

      Data validation

      Data integrity


17. Which of the following is the priority of data owners when establishing a risk mitigation method?

      User entitlement changes

      Platform security

      Intrusion detection

      Antivirus controls


18. Della works as a project manager for Tech Perfect Inc. She is studying the planning documentation of a project. The documentation states that there are twenty-eight stakeholders on the project. What will be the number of communication channels for the project?

      25

      28

      378

      3


19. You have been assigned as the Project Manager for a new project that involves building a new roadway between the city airport and a designated point within the city. However, you notice that the transportation permit issuing authority is taking longer than the planned time to issue the permit to begin construction. What would you classify this as?

      Project Risk

      Status Update

      Risk Update

      Project Issue


20. You are the project manager of the GGK project for your company. The GGK project has a budget of $1,265,1 and is currently 4 percent complete. In this project, you elected to add labor to the project to increase the likelihood of completing the project early, as the project was only scheduled to be 35 percent complete at this time. This positive risk response, while keeping the project ahead of schedule, has added significant costs to the project. You have already spent $575, to reach this point in the project. Management would like to know what the cost performance index and the schedule performance index are for this project. What are these values?

      The CPI is -$68,96 and the SPI is $63,255.

      The CPI is .88 and the SPI is zero.

      The CPI is .88 and the SPI is 1.14.

      The CPI is 1.14 and the SPI is .88.


21. Which of the following characteristics of risk controls answers the aspect about the control given below: "Will it continue to function as expressed over time and adapt as changes or new elements are introduced to the environment?"

      Reliability

      Sustainability

      Consistency

      Distinct


22. Which of the following is an administrative control?

      Water detection

      Reasonableness check

      Data loss prevention program

      Session timeout


23. The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register, he will need to include several pieces of information, including all of the following except for which one?

      Trends in qualitative risk analysis

      Risk probability-impact matrix

      Risks grouped by categories

      Watchlist of low-priority risks


24. Which of the following is the MOST important use of KRIs?

      Providing a backward-looking view on risk events that have occurred

      Providing an early warning signal

      Providing an indication of the enterprise's risk appetite and tolerance

      Enabling the documentation and analysis of trends


25. Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization's data center?

      Ownership of an audit finding has not been assigned

      The data center is not fully redundant

      Audit findings were not communicated to senior management

      Key risk indicators (KRIs) for the data center do not include critical components


26. Which of the following risks is the risk that happens with an important business partner and affects a large group of enterprises within an area or industry?

      Contagious risk

      Reporting risk

      Operational risk

      Systemic risk


27. Which of the following is NOT used for measurement of the Critical Success Factors of the project?

      Productivity

      Quality

      Quantity

      Customer service


28. You are the project manager of the NHQ Project for your company. You have completed qualitative and quantitative analysis of your identified project risks and you would now like to find an approach to increase project opportunities and to reduce threats within the project. What project management process would best help you?

      Monitor and control project risks

      Create a risk governance approach

      Create the project risk register

      Plan risk responses


29. You are the project manager for your organization's project to install new workstations, servers, and cabling throughout a new building that your company will be moving into. The vendor for the project informs you that the cost of the cabling has increased. This new cost will cause the cost of your project to increase by nearly eight percent. What change control system should the costs be entered into for review?

      Cost change control system

      Contract change control system

      Scope change control system

      Only changes to the project scope should pass through a change control system.


30. You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan?

      Teaming agreements

      Transference

      Crashing the project

      Fast tracking the project


31. You are the project manager of the GGG project. You have completed the risk identification process for the initial phases of your project. As you begin to document the risk events in the risk register what additional information can you associate with the identified risk events?

      Risk potential responses

      Risk schedule

      Risk owner

      Risk cost


32. Which of the following is described by the definition given below? "It is the expected guaranteed value of taking a risk."

      Certainty equivalent value

      Risk premium

      Risk value guarantee

      Certain value assurance


33. Which of the following would BEST help minimize the risk associated with social engineering threats?

      Reviewing the organization's risk appetite

      Enforcing employee sanctions

      Enforcing segregation of duties

      Conducting phishing exercises


34. Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?

      The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.

      Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.

      Poorly written requirements will reveal inconsistencies in the project plans and documents.

      Plans that have loose definitions of terms and disconnected approaches will reveal risks.


35. You are the project manager of GHT project. You have identified a risk event on your current project that could save $67, in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event?

      This risk event should be accepted because the rewards outweigh the threat to the project.

      This risk event should be mitigated to take advantage of the savings.

      This risk event is an opportunity to the project and should be exploited.

      This is a risk event that should be shared to take full advantage of the potential savings.


36. You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the IRGC model to facilitate the understanding and management of emerging overall risks that have impacts on the economy and society. One of your team members wants to know what the need to use the IRGC is. What will be your reply?

      IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks.

      IRGC is both a concept and a tool.

      IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks.

      IRGC addresses understanding of the secondary impacts of a risk.

      C, D: Risk governance addresses understanding of the secondary impacts of a risk, the development of resilience and the capacity of organizations and people to face unavoidable risks.


37. You work as the project manager for Company Inc. The project on which you are working has several risks that will affect several stakeholder requirements.Which project management plan will define who will be available to share information on the project risks?

      Resource Management Plan

      Communications Management Plan

      Risk Management Plan

      Stakeholder management strategy


38. Ned is the project manager of the HNN project for your company. Ned has asked you to help him complete some probability distributions for his project. What portion of the project will you most likely use for probability distributions?

      Bias towards risk in new resources

      Risk probability and impact matrixes

      Risk identification

      Uncertainty in values such as duration of schedule activities


39. You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?

      Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.

      Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.

      Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.

      Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.


40. A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

      An increase in attempted distributed denial of service (DDoS) attacks

      An increase in attempted website phishing attacks

      A decrease in remediated web security vulnerabilities

      A decrease in achievement of service level agreements (SLAs)


41. Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

      Corporate incident escalation protocols are established

      The organization-wide control budget is expanded

      Exposure is integrated into the organization's risk profile

      Risk appetite cascades to business unit management


42. You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection of 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give to it?

      12

      1

      15

      3


43. Which of the following is a performance measure that is used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments?

      Return On Security Investment

      Total Cost of Ownership

      Return On Investment

      Redundant Array of Inexpensive Disks


44. You are the project manager in your enterprise. You have identified the occurrence of a risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that have occurred. What is the immediate step that has to be followed after this monitoring process in response to risk events?

      Initiate incident response

      Update the risk register

      Eliminate the risk completely

      Communicate lessons learned from risk events


45. Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?

      Activity cost estimates

      Cost management plan

      Activity duration estimates

      Risk management plan


46. Which risk response is acceptable for both positive and negative risk events?

      Transferring

      Acceptance

      Sharing

      Enhancing


47. Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again at least two other times in the project. When will the quantitative risk analysis process need to be repeated?

      Quantitative risk analysis process will be completed again after the cost management planning and as a part of monitoring and controlling.

      Quantitative risk analysis process will be completed again after new risks are identified and as part of monitoring and controlling.

      Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.

      Quantitative risk analysis process will be completed again after the plan risk response planning and as part of procurement.


48. You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?

      Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.

      Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.

      Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.

      Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.


49. You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?

      All risks must have a valid, documented risk response.

      These risks can be accepted.

      These risks can be added to a low priority risk watch list.

      These risks can be dismissed.


50. Sam is the project manager of a construction project in south Florida. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan Sam and the project team acknowledge the possibility of hurricanes and the damage the hurricane could have on the project's deliverables, the schedule of the project, and the overall cost of the project. Once Sam and the project stakeholders acknowledge the risk of the hurricane they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using?

      Active acceptance

      Passive acceptance

      Avoidance

      Mitigation


51. Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be certified by CEO and CFO"?

      Section 32

      Section 44

      Section 23

      Section 49


52. Which of the following BEST describes the utility of a risk?

      The finance incentive behind the risk

      The potential opportunity of the risk

      The mechanics of how a risk works

      The usefulness of the risk to individuals or groups


53. An organization has outsourced an application to a Software as a Service (SaaS) provider. The risk associated with the use of this service should be owned by the:

      service provider's IT manager

      service provider's risk manager

      organization's business process manager

      organization's vendor manager


54. You have identified several risks in your project. You have opted for risk mitigation in order to respond to the identified risks. Which of the following ensures that the risk mitigation method you have chosen is effective?

      Reduction in the frequency of a threat

      Minimization of inherent risk

      Reduction in the impact of a threat

      Minimization of residual risk


55. Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

      Audit trails for updates and deletions

      Encrypted storage of data

      Links to source data

      Check totals on data records and data fields


56. Your project has several risks that may cause serious financial impact should they happen. You have studied the risk events and made some potential risk responses for the risk events, but management wants you to do more. They'd like you to create some type of chart that identifies the risk probability and impact with a financial amount for each risk event. What is the likely outcome of creating this type of chart?

      Risk response

      Quantitative analysis

      Contingency reserve

      Risk response plan


57. You have been assigned as the Project Manager for a new project that involves development of a new interface for your existing time management system. You have completed identifying all possible risks along with the stakeholders and team and have calculated the probability and impact of these risks. Which of the following would you need next to help you prioritize the risks?

      Affinity Diagram

      Risk rating rules

      Project Network Diagram

      Risk categories

      D: Risk categories are an output of the Perform Qualitative Risk Analysis process and not a tool to complete the process.


58. Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

      Internal audit reports from the vendor

      A control self-assessment

      A third-party security assessment report

      Service level agreement monitoring


59. You are the project manager of a large construction project. Part of the project involves the wiring of the electricity in the building your project is creating. You and the project team determine the electrical work is too dangerous to perform yourself so you hire an electrician to perform the work for the project. This is an example of what type of risk response?

      Acceptance

      Mitigation

      Transference

      Avoidance


60. Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

      Inherent risk might not be considered

      Implementation costs might increase

      Risk factors might not be relevant to the organization

      Quantitative analysis might not be possible


61. Which of the following is the BEST defense against successful phishing attacks?

      Intrusion detection system

      Application hardening

      End-user awareness

      Spam filters


62. Who is responsible for the stakeholder expectations management in a high-profile, high-risk project?

      Project risk assessment officer

      Project management office

      Project sponsor

      Project manager


63. Joan is the project manager of the BTT project for her company. She has worked with her project team to create risk responses for both positive and negative risk events within the project. As a result of this process, Joan needs to make project document updates. She has updated the assumptions log as a result of the findings and risk responses, but what other documentation will need to be updated as an output of risk response planning?

      Scope statement

      Lessons learned

      Risk Breakdown Structure

      Technical documentation


64. Which of the following processes involves choosing the alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan?

      Monitor and Control risk

      Configuration Management

      Integrated Change control

      Scope Change control


65. You are the project manager for BlueWell Inc. You have noticed that the risk level in your project has increased above the risk tolerance level of your enterprise. You have applied several risk responses. Now you have to update the risk register in accordance with the risk response process. All of the following are included in the risk register except for which item?

      Risk triggers

      Agreed-upon response strategies

      Network diagram analysis of critical path activities

      Risk owners and their responsibility


66. David is the project manager of HGF project for his company. David, the project team, and several key stakeholders have completed risk identification and are ready to move into qualitative risk analysis. Tracy, a project team member, does not understand why they need to complete qualitative risk analysis. Which one of the following is the best explanation for completing qualitative risk analysis?

      It is a cost-effective means of establishing probability and impact for the project risks.

      Qualitative risk analysis helps segment the project risks, create a risk breakdown structure, and create fast and accurate risk responses.

      All risks must pass through quantitative risk analysis before qualitative risk analysis.

      It is a rapid and cost-effective means of establishing priorities for the plan risk responses and lays the foundation for quantitative analysis.


67. You are the project manager of the NGQQ Project for your company. To help you communicate project status to your stakeholders, you are going to create a stakeholder register. All of the following information should be included in the stakeholder register except for which one?

      Stakeholder management strategy

      Assessment information of the stakeholders' major requirements, expectations, and potential influence

      Identification information for each stakeholder

      Stakeholder classification of their role in the project


68. You work as a project manager for TechSoft Inc. You are working with the project stakeholders on the qualitative risk analysis process in your project. You have used all the tools of the qualitative risk analysis process in your project. Which of the following techniques is NOT used as a tool in the qualitative risk analysis process?

      Risk Urgency Assessment

      Risk Reassessment

      Risk Data Quality Assessment

      Risk Categorization


69. An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

      Implement an encryption policy for the hard drives

      Require the vendor to degauss the hard drives

      Use an accredited vendor to dispose of the hard drives

      Require confirmation of destruction from the IT manager


70. An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?

      Audit findings

      Expected losses

      Cost-benefit analysis

      Organizational threats


71. Which of the following is the most accurate definition of a project risk?

      It is an unknown event that can affect the project scope.

      It is an uncertain event or condition within the project execution.

      It is an uncertain event that can affect the project costs.

      It is an uncertain event that can affect at least one project objective.


72. You are the project manager of the HGT project in Bluewell Inc. The project has an asset valued at $125, and is subject to an exposure factor of 25 percent. What will be the Single Loss Expectancy of this project?

      12525

      3125

      5

      3125


73. Which of the following interpersonal skills has been identified as one of the biggest reasons for project success or failure?

      Motivation

      Influencing

      Communication

      Political and cultural awareness


74. Which of the following establishes mandatory rules, specifications and metrics used to measure compliance against quality, value, etc.?

      Framework

      Legal requirements

      Standard

      Practices


75. Which of the following processes must be repeated after Plan Risk Responses, as well as part of the Monitor and Control Risks, to determine if the overall project risk has been satisfactorily decreased?

      Risk Limitation

      Perform Qualitative Risk Analysis

      Identify Risk

      Perform Quantitative Risk Analysis


76. Which of the following is the BEST way to identify changes in the risk profile of an organization?

      Monitor key risk indicators (KRIs)

      Monitor key performance indicators (KPIs)

      Conduct a gap analysis

      Interview the risk owner


77. Which of the following does NOT provide indirect information?

      Information about the propriety of cutoff

      Reports that show orders that were rejected for credit limitations.

      Reports that provide information about any unusual deviations and individual product margins.

      The lack of any significant differences between perpetual levels and actual levels of goods.


78. You work as a project manager for BlueWell Inc. You have declined a proposed change request because of the risk associated with the proposed change request. Where should the declined change request be documented and stored?

      Change request log

      Project archives

      Lessons learned

      Project document updates

      Note: the declined change can be placed into the project documents, but declined changes are part of the change request log.


79. While considering entity-based risks, which dimension of the COSO ERM framework is being referred to?

      Organizational levels

      Risk components

      Strategic objectives

      Risk objectives


80. Harry is the project manager of HDW project. He has identified a risk that could injure project team members. He does not want to accept any risk where someone could become injured on this project so he hires a professional vendor to complete this portion of the project work. What type of risk response is Harry implementing?

      Transference

      Mitigation

      Acceptance

      Avoidance


81. You are preparing to start the qualitative risk analysis process for your project. You will be relying on some organizational process assets to influence the process. Which one of the following is NOT a probable reason for relying on organizational process assets as an input for qualitative risk analysis?

      Studies of similar projects by risk specialists

      Risk databases that may be available from industry sources

      Review of vendor contracts to examine risks in past projects

      Information on prior, similar projects


82. You are the risk official of your enterprise. You have just completed the risk analysis process. You noticed that the risk level associated with your project is less than the risk tolerance level of your enterprise. Which of the following is the MOST likely action you should take?

      Apply risk response

      Update risk register

      No action

      Prioritize risk response options


83. Which of the following BEST indicates the effectiveness of an organization's data loss prevention (DLP) program?

      Reduction in financial impact associated with data loss incidents

      Reduction in the number of false positives and false negatives

      Reduction in the number of approved exceptions to the DLP policy

      Reduction in the severity of detected data loss events


84. An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

      Process owner

      Internal auditor

      Risk manager

      Project sponsor


85. Which of the following is the MOST important aspect to ensure that an accurate risk register is maintained?

      Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content

      Perform regular audits by audit personnel and maintain risk register

      Submit the risk register to business process owners for review and updating

      Monitor key risk indicators, and record the findings in the risk register


86. Which of the following is the BEST key performance indicator (KPI) to measure the maturity of an organization's security incident handling process?

      The number of resolved security incidents

      The number of security incidents escalated to senior management

      The number of newly identified security incidents

      The number of recurring security incidents


87. You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve the goal of improving the project's performance through risk analysis with your project stakeholders?

      Focus on the high-priority risks through qualitative risk analysis

      Involve the stakeholders for risk identification only in the phases where the project directly affects them

      Involve subject matter experts in the risk analysis activities

      Use qualitative risk analysis to quickly assess the probability and impact of risk events


88. You are the project manager of RTF project for your organization. You are working with your project team and several key stakeholders to create a diagram that shows causal factors for an effect to be solved. What diagramming technique are you using as a part of the risk identification process?

      Cause and effect diagrams

      System or process flow charts

      Predecessor and successor diagramming

      Influence diagrams


89. An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

      communicate the consequences for violations

      implement industry best practices

      reduce the organization's risk appetite

      reduce the risk to an acceptable level


90. Which of the following is the BEST method to identify unnecessary controls?

      Evaluating existing controls against audit requirements

      Reviewing system functionalities associated with business processes

      Monitoring existing key risk indicators (KRIs)

      Evaluating the impact of removing existing controls


91. Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?

      User management coordination does not exist

      Audit recommendations may not be implemented

      Users may have unauthorized access to originate, modify or delete data

      Specific user accountability cannot be established


92. You work as a project manager for BlueWell Inc. You are performing the quantitative risk analysis for your project. One of the project risks has a 5 percent probability of happening, and it will cost the project $55, if the risk happens. What will be the expected monetary value of this risk event?

      Negative $27,5

      Zero - the risk event has not yet occurred

      Negative $26,

      Negative $55,


93. Which of the following will significantly affect the standard information security governance model?

      Currency with changing legislative requirements

      Number of employees

      Complexity of the organizational structure

      Cultural differences between physical locations


94. Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?

      Include the change in the project scope immediately.

      Direct your project team to include the change if they have time.

      Do not implement the verbal change request.

      Report Jane to your project sponsor and then include the change.


95. Which of the following is the PRIMARY consideration when establishing an organization's risk management methodology?

      Risk tolerance level

      Benchmarking information

      Resource requirements

      Business context


96. NIST SP 800-53 identifies controls in three primary classes. What are they?

      Technical, Administrative, and Environmental

      Preventative, Detective, and Corrective

      Technical, Operational, and Management

      Administrative, Technical, and Operational


97. Ted is the project manager of the HRR project for his company. Management has asked that Ted periodically reviews the contingency reserve as risk events happen, pass, or are still pending. What is the purpose of reviewing the contingency reserve?

      It helps to evaluate if the remaining reserve is adequate for the risk exposure.

      It helps to determine how much more funds will need to be invested in the project.

      It helps to evaluate secondary and residual risks related to the risk responses and their costs.

      It helps to determine the probability and impact of project risks.


98. You are the project manager of GHT project. You have identified a risk event on your project that could save $1, in project costs if it occurs. Which of the following statements BEST describes this risk event?

      This risk event should be mitigated to take advantage of the savings.

      This is a risk event that should be accepted because the rewards outweigh the threat to the project.

      This risk event should be avoided to take full advantage of the potential savings.

      This risk event is an opportunity to the project and should be exploited.


99. Where can a project manager find risk-rating rules?

      Risk management plan

      Organizational process assets

      Enterprise environmental factors

      Risk probability and impact matrix


100. Which of the following processes looks at the complex web of actors, rules, conventions, processes, and mechanisms concerned with how relevant risk information is collected, analyzed and communicated, and how management decisions are taken?

      Risk Communication

      IRGC

      Risk Response Planning

      Risk Governance


101. Holly is the project manager of the NHQ project for her company. Her project sponsor, Tracy, has requested that Thomas, the department manager from the Risk Management Department, work with Holly to determine the effectiveness of the risk responses. Tracy and Thomas are concerned that some of the risks within Holly's project may not be addressed to the depth they would like. In this scenario, who is responsible for ensuring that risk audits are performed at an appropriate frequency throughout the project?

      Thomas

      Tracy

      The project team

      Holly


102. Which of the following is a KEY outcome of risk ownership?

      Risk-related information is communicated

      Risk responsibilities are addressed

      Risk-oriented tasks are defined

      Business process risk is analyzed


103. A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

      Chief risk officer (CRO)

      Business continuity manager (BCM)

      Human resources manager (HRM)

      Chief information officer (CIO)


104. Which of the following components of risk scenarios has the potential to generate an internal or external threat to an enterprise?

      Timing dimension

      Events

      Assets

      Actors


105. You are the project manager of an HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified during the project's monitoring and controlling process?

      Include the responses in the project management plan.

      Include the risk responses in the risk management plan.

      Include the risk responses in the organization's lessons learned database.

      Nothing. The risk responses are included in the project's risk register already.


106. Which of the following is the MOST important objective of the information system control?

      Business objectives are achieved and undesired risk events are detected and corrected

      Ensuring effective and efficient operations

      Developing business continuity and disaster recovery plans

      Safeguarding assets


107. You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?

      Risk register

      Risk log

      Risk management plan

      Project management plan


108. Mary is the project manager for the BLB project. She has instructed the project team to assemble to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?

      Mary will schedule when the identified risks are likely to happen and affect the project schedule.

      Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.

      Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project.

      Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule.

      Note: C is not a valid answer for this question; risk identification continues throughout the project, but it is not scheduled during the quantitative risk analysis process. D: risks may affect the project schedule, but this is not the best answer for the question.


109. Which of the following acts as a trigger for the risk response process?

      Risk level increases above risk appetite

      Risk level increases above risk tolerance

      Risk level equals the risk appetite

      Risk level equals the risk tolerance


110. Thomas is the project manager of the NHJ Project for his company. He has identified several positive risk events within his project and he thinks these events can save the project time and money. Positive risk events, such as these within the NHJ Project are also known as what?

      Benefits

      Opportunities

      Ancillary constituent components

      Contingency risks


111. You are a project manager for your organization and you're working with four of your key stakeholders. One of the stakeholders is confused as to why you're not discussing the current problem in the project during the risk identification meeting. Which one of the following statements best addresses when a project risk actually happens?

      Project risks are uncertain as to when they will happen.

      Risks can happen at any time in the project.

      Project risks are always in the future.

      Risk triggers are warning signs of when the risks will happen.


112. You are the project manager of the NHQ Project for your company. You are discussing some of the project issues that need to be resolved in the project. You and the project stakeholders come to an agreement about the risk issues and how they will be resolved. Where should you document this information for issue resolution?

      Project management plan for execution

      Lessons learned documentation

      Issue log

      Risk response plan


113. Rex is the project manager of the BDF Project. This project will last for two years and has a budget of $2,345,. Management has instructed Rex that the project must not go over budget as funds are very tight in the organization. During the project planning, Rex and the project team discover a positive risk event to save $75,. Rex wants to make certain that this risk event happens, so which risk response method is most appropriate?

      Share

      Mitigation

      Exploit

      Enhance


114. You are the project manager of the HJT project. Important confidential files of your project are stored on a computer. To guard against unauthorized access to this computer, you have placed a hidden CCTV camera in the room, even though the computer is already password protected. Which kind of control is the CCTV camera?

      Technical control

      Physical control

      Administrative control

      Management control


115. You are the project manager of the KJH Project and are working with your project team to plan the risk responses. Consider that your project has a budget of $5, and is expected to last six months. Within the KJH Project you have identified a risk event that has a probability of 0.7 and has a cost impact of $35,. When it comes to creating a risk response for this event, what is the risk exposure of the event that must be considered for the cost of the risk response?

      The risk exposure of the event is $245,.

      The risk exposure of the event is $5,.

      The risk exposure of the event is $35,.

      The risk exposure of the event is $85,.


116. Henry is the project sponsor of the JQ Project and Nancy is the project manager. Henry has asked Nancy to start the risk identification process for the project, but Nancy insists that the project team be involved in the process. Why should the project team be involved in the risk identification?

      So that the project team can develop a sense of ownership for the risks and associated risk responsibilities.

      So that the project manager can identify the risk owners for the risks within the project and the needed risk responses.

      So that the project manager isn't the only person identifying the risk events within the project.

      So that the project team and the project manager can work together to assign risk ownership.


117. Marsha is the project manager of the NHQ Project. There's a risk that her project team has identified, which could cause the project to be late by more than a month. Marsha does not want this risk event to happen so she devises extra project activities to ensure that the risk event will not happen. The extra steps, however, will cost the project an additional $1,. What type of risk response is this approach?

      Enhancing

      Exploiting

      Mitigation

      Transference


118. Suppose you are working in Company Inc. and you are using risk scenarios for estimating the likelihood and impact of the significant risks on this organization. Which of the following assessments are you performing?

      IT security assessment

      IT audit

      Threat and vulnerability assessment

      Risk assessment


119. John is the project manager of the NHQ Project for his company. His project has 75 stakeholders, some of which are external to the organization. John needs to make certain that he communicates about risk in the most appropriate method for the external stakeholders. Which project management plan will be the best guide for John to communicate to the external stakeholders?

      Risk Response Plan

      Risk Management Plan

      Communications Management Plan

      Project Management Plan


120. Which of the following is the MOST effective key performance indicator (KPI) for change management?

      Percentage of successful changes

      Number of changes implemented

      Percentage of changes with a fallback plan

      Average time required to implement a change


121. Which of the following techniques examines the degree to which organizational strengths offset threats and opportunities that may serve to overcome weaknesses?

      SWOT Analysis

      Delphi

      Brainstorming

      Expert Judgment


122. You are working with a vendor on your project. A stakeholder has requested a change for the project, which will add value to the project deliverables. The vendor that you're working with on the project will be affected by the change. What system can help you introduce and execute the stakeholder change request with the vendor?

      Contract change control system

      Scope change control system

      Cost change control system

      Schedule change control system


123. You are the project manager of the RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk, the response adopted is re-architecture of the existing system and purchase of a new integrated system. In which of the following risk prioritization options would this case be categorized?

      Deferrals

      Quick win

      Business case to be made

      Contagious risk


124. Which of the following is the FIRST step in the risk assessment process?

      Identification of assets

      Identification of threats

      Identification of threat sources

      Identification of vulnerabilities


125. Which of the following matrices is used to specify risk thresholds?

      Risk indicator matrix

      Impact matrix

      Risk scenario matrix

      Probability matrix


126. To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

      clearly define the project scope

      perform background checks on the vendor

      notify network administrators before testing

      require the vendor to sign a nondisclosure agreement


127. Kelly is the project manager of the NNQ Project for her company. This project will last for one year and has a budget of $35,. Kelly is working with her project team and subject matter experts to begin the risk response planning process. When the project manager begins the plan risk response process, what two inputs will she need?

      Risk register and the risk response plan

      Risk register and power to assign risk responses

      Risk register and the risk management plan

      Risk register and the results of risk analysis


128. If a particular control or monitoring tool is said to be sustainable, what ability does this refer to?

      The ability to adapt as new elements are added to the environment

      The ability to ensure the control remains in place when it fails

      The ability to protect itself from exploitation or attack

      The ability to be applied in the same manner throughout the organization


129. Which of the following is MOST helpful in developing key risk indicator thresholds?

      Loss expectancy information

      IT service level agreements

      Control performance results

      Remediation activity progress


130. In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

      encryption for data at rest

      encryption for data in motion

      two-factor authentication

      continuous data backup controls


131. You are the project manager of the GHT project. You are performing a cost-benefit analysis of controls. You find that the cost of a specific control exceeds the benefit of mitigating the given risk. What is the BEST action to take in this scenario?

      The enterprise may apply the appropriate control anyway.

      The enterprise should adopt corrective control.

      The enterprise may choose to accept the risk rather than incur the cost of mitigation.

      The enterprise should exploit the risk.


132. You are working in an enterprise. Assume that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is being provided by the lack of any significant differences between perpetual levels and actual levels?

      Direct information

      Indirect information

      Risk management plan

      Risk audit information


133. When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

      BCP is often tested using the walkthrough method

      BCP testing is not in conjunction with the disaster recovery plan (DRP)

      Each business location has separate, inconsistent BCPs

      Recovery time objectives (RTOs) do not meet business requirements


134. Your organization has a project that is expected to last 2 months but the customer would really like the project completed in 18 months. You have worked on similar projects in the past and believe that you could fast track the project and reach the 18 month deadline. What increases when you fast track a project?

      Resources

      Costs

      Communication

      Risks


135. You are the project manager of the HGT project. You are in the first phase of the risk response process and are doing the following tasks: communicating risk analysis results, reporting risk management activities and the state of compliance, interpreting independent risk assessment findings, and identifying business opportunities. Which of the following processes are you performing?

      Articulating risk

      Mitigating risk

      Tracking risk

      Reporting risk


136. A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

      collaborate with management to meet compliance requirements

      conduct a gap analysis against compliance criteria

      identify necessary controls to ensure compliance

      modify internal assurance activities to include control validation


137. There are seven risk responses a project manager can use to address risk events. Which one of the following is a risk response that is appropriate for positive or negative risk events, depending on the scenario in the project?

      Avoidance

      Acceptance

      Sharing

      Transference


138. What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?

      Risk analysis plan

      Staffing management plan

      Human resource management plan

      Risk management plan


139. Mary is the project manager of the HGH Project for her company. She and her project team have agreed that if the vendor is late by more than ten days they will cancel the order and hire the NBG Company to fulfill the order. The NBG Company can guarantee orders within three days, but the costs of their products are significantly more expensive than the current vendor. What type of a response strategy is this?

      Internal risk management strategy

      Contingent response strategy

      External risk response

      Expert judgment


140. You are the project manager of the NHQ project for your company. You are working with your project team to complete a risk audit. A recent issue that your project team responded to, and management approved, was to increase the project schedule because there was risk surrounding the installation time of a new material. Your logic was that with the expanded schedule there would be time to complete the installation without affecting downstream project activities. What type of risk response is being audited in this scenario?

      Parkinson's Law

      Mitigation

      Avoidance

      Lag Time


141. You are the project manager of a large project that will last four years. In this project, you would like to model the risk based on its distribution, impact, and other factors. There are three modeling techniques that a project manager can use to include both event-oriented and project-oriented analysis. Which modeling technique does NOT provide event-oriented and project-oriented analysis for identified risks?

      Sensitivity analysis

      Johari Window

      Expected monetary value

      Modeling and simulation


142. Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?

      Brainstorming

      Delphi technique

      Checklist analysis

      Expert judgment


143. Which of the following aspects of a monitoring tool ensures that the tool has the ability to keep up with the growth of an enterprise?

      Scalability

      Customizability

      Sustainability

      Impact on performance


144. Mark is the project manager of the BFL project for his organization. He and the project team are creating a probability and impact matrix using RAG rating. There is some confusion and disagreement among the project team as to how important a certain risk is and how its priority for attention should be managed. Where can Mark determine the priority of a risk given its probability and impact?

      Risk management plan

      Project sponsor

      Risk response plan

      Look-up table


145. Harold is the project manager of a large project in his organization. He has been actively communicating and working with the project stakeholders. One of the outputs of the manage stakeholder expectations process can actually create new risk events for Harold's project. Which output of the manage stakeholder expectations process can create risks?

      Project document updates

      Change requests

      Organizational process assets updates

      Project management plan updates


146. An organization has outsourced its IT security management function to an external service provider. The BEST party to own the IT security controls under this arrangement is the:

      organization's risk function

      service provider's audit function

      organization's IT management

      service provider's IT security function


147. Gary is the project manager for his organization. He is working with the project stakeholders on the project requirements and how risks may affect their project. One of the stakeholders is confused about what constitutes risks in the project. Which of the following is the most accurate definition of a project risk?

      It is an uncertain event that can affect the project costs.

      It is an uncertain event or condition within the project execution.

      It is an uncertain event that can affect at least one project objective.

      It is an unknown event that can affect the project scope.


148. You are working as the project manager of the ABS project. The project is for establishing a computer network in a school premises. During the project execution, the school management asks to make the campus Wi-Fi enabled. You know that this may impact the project adversely. You have discussed the change request with other stakeholders. What will be your NEXT step?

      Update project management plan.

      Issue a change request.

      Analyze the impact.

      Update risk management plan.


149. Which of the following is NOT true for risk management capability maturity level 1?

      A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk

      B. Decisions involving risk lack credible information

      C. Risk appetite and tolerance are applied only during episodic risk assessments

      D. Risk management skills exist on an ad hoc basis, but are not actively developed


150. An enterprise has identified risk events in a project. While responding to these identified risk events, which of the following stakeholders is MOST important for reviewing risk response options to an IT risk?

      A. Information security managers

      B. Internal auditors

      C. Incident response team members

      D. Business managers


The ISACA CRISC (Certified in Risk and Information Systems Control) Exam

ISACA's CRISC exam is a certification designed for IT and business professionals who focus on managing IT risk and information systems controls. The certification emphasizes the ability to understand and implement an effective risk management program, and to identify and manage IT risks that could harm the organization.


Benefits of CRISC Certification

Professional Recognition: CRISC certification provides international recognition of expertise in IT risk management.

Career Development: It improves career opportunities, particularly in roles related to IT risk and control.

Credibility and Trust: It adds professional credibility and strengthens the trust of management and stakeholders.

Skills Development: It strengthens skills in identifying, evaluating, and managing IT risk.

CRISC Exam Domains

The CRISC exam covers four main domains:

IT Risk Identification: Identifying IT risks that can affect the organization.

IT Risk Assessment: Assessing risks to determine their business impact and likelihood of occurrence.

Risk Response and Mitigation: Determining the best response to a risk and how to reduce it.

Risk and Control Monitoring and Reporting: Monitoring and reporting on the effectiveness of risk controls.

How to Take the Exam

Online Registration: Register for the CRISC exam through the ISACA website.

Choose an Exam Date and Location: The exam is usually held at accredited testing centers or can be taken online.

Exam Fees

CRISC exam fees vary by ISACA membership status and geographic location. The latest fee information can be found on the ISACA website.


Exam Requirements

Work Experience: Work experience in the field of IT risk management is required.

Education: There is no specific education requirement, but knowledge of IT risk is strongly recommended.

Number of Questions and Exam Duration

The CRISC exam consists of 150 multiple-choice questions, with a duration of 4 hours.


Benefits of Practice Questions

Working through practice questions helps you understand the format and types of questions, and strengthens your understanding of the domains being tested. It also builds confidence when sitting the exam.


Profile of Mr. Hery Purnama as an Experienced CRISC Trainer

Regarding the profile of Mr. Hery Purnama as an experienced CRISC trainer, I do not have specific information about that individual. In general, however, a qualified CRISC trainer usually has:

CRISC Certification: Holds the CRISC certification and has an in-depth understanding of the exam domains.

Practical Experience: Real-world experience in IT risk management and control implementation.

Teaching Ability: Effective teaching skills, able to explain complex concepts clearly.

Relevant Training Materials: Provides training materials that align with ISACA standards and the needs of the exam.

Practice Questions: Provides practice questions and exam simulations to prepare participants effectively.

A trainer such as Mr. Hery Purnama, if he does hold these qualifications, would be very valuable in helping CRISC candidates prepare well for the exam.
