May 02, 2023 Detailed New CRISC Exam Questions for Concept Clearance [Q319-Q337]

CRISC Exam Preparation Material with New CRISC Dumps Questions.


What is the duration of the CRISC exam?

  • Format: Multiple choices, multiple answers
  • Length of Examination: 4 hours

Exam Syllabus

The ISACA CRISC exam is aimed at those professionals who want to build a career in the field of IT and, in particular, in the risk management domain. The test validates that the candidates possess the basic knowledge and skills in the area of risk and information systems control. The topics covered in the exam are highlighted below:

Information Technology Risk Identification: 27%

  • Identify possible vulnerabilities and threats to the people, processes, and technology of an organization.
  • Recognize the risk appetite and tolerance defined by the key stakeholders and senior leadership, to align with the business objectives.
  • Create an IT risk register for documenting identified IT risk scenarios and incorporate them in the risk profile of the enterprise.
  • Gather and analyze information, such as existing documentation, to identify possible IT risk and its impact on the business operations and objectives of the organization.
  • Partner in developing a risk awareness program and carry out the required training to educate stakeholders on the risk potential and promote an organizational risk-aware culture.

 

NEW QUESTION 319
The PRIMARY goal of a risk management program is to:

  • A. safeguard corporate assets.
  • B. help prevent operational losses.
  • C. help ensure objectives are met.
  • D. facilitate resource availability.

Answer: C

 

NEW QUESTION 320
Which of the following is a drawback in the use of quantitative risk analysis?

  • A. It produces the results in numeric form.
  • B. It requires more resources than other methods
  • C. It assigns numeric values to exposures of assets.
  • D. It is based on impact analysis of information assets.

Answer: A

 

NEW QUESTION 321
After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

  • A. Notify the business at the next risk briefing.
  • B. Provide justification for the lower risk rating.
  • C. Obtain industry benchmarks related to the specific risk.
  • D. Reopen the risk issue and complete a full assessment.

Answer: B

 

NEW QUESTION 322
What is the MAIN purpose of designing risk management programs?

  • A. To reduce the risk to a level that the enterprise is willing to accept
  • B. To reduce the risk to a rate of return that equals the current cost of capital
  • C. To reduce the risk to the point at which the benefit exceeds the expense
  • D. To reduce the risk to a level that is too small to be measurable

Answer: A

Explanation:
Risk cannot be removed completely from the enterprise; it can only be reduced to a level that the organization is willing to accept. Risk management programs are therefore designed to reduce risk to that level.
Incorrect Answers:
B: Reducing risk to a specific rate of return ignores the qualitative aspects of the risk, which should also be considered.
C: Depending on its risk preference, an enterprise may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Hence this is not the primary objective of designing a risk management program.
D: Reducing risk to a level too small to measure is not practical and is often cost-prohibitive.

 

NEW QUESTION 323
A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

  • A. no action is required as there was no impact
  • B. a root cause analysis is required
  • C. hardware needs to be upgraded
  • D. controls are effective for ensuring continuity

Answer: B

 

NEW QUESTION 324
An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

  • A. Project sponsor
  • B. Process owner
  • C. Internal auditor
  • D. Risk manager

Answer: D

 

NEW QUESTION 325
There are five inputs to the quantitative risk analysis process. Which one of the following is NOT an input to the quantitative risk analysis process?

  • A. Cost management plan
  • B. Risk register
  • C. Risk management plan
  • D. Enterprise environmental factors

Answer: D

Explanation:
Enterprise environmental factors are not an input to the quantitative risk analysis process. The five inputs to the perform quantitative risk analysis process are: risk register, risk management plan, cost management plan, schedule management plan, and organizational process assets.
Incorrect Answers:
A, B, and C: These are all valid inputs to the perform quantitative risk analysis process.

 

NEW QUESTION 326
A payroll manager discovers that fields in certain payroll reports have been modified without authorization. Which of the following control weaknesses could have contributed MOST to this problem?

  • A. The programmer did not involve the user in testing.
  • B. The programmer had access to the production programs.
  • C. The user requirements were not documented.
  • D. Payroll files were not under the control of a librarian.

Answer: D

 

NEW QUESTION 327
Which of the following business requirements MOST relates to the need for resilient business and information systems processes?

  • A. Integrity
  • B. Confidentiality
  • C. Effectiveness
  • D. Availability

Answer: D

Explanation:
Availability relates to information being available when required by the business process, now as well as in the future. Resilience is the ability to provide and maintain an acceptable level of service during disasters or when facing operational challenges. Hence the two are most closely related.
Incorrect Answers:
A: Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. While a lack of system resilience can in some cases affect data integrity, resilience is more closely linked to the business information requirement of availability.
B: Confidentiality deals with the protection of sensitive information from unauthorized disclosure. While a lack of system resilience can in some cases affect data confidentiality, resilience is more closely linked to the business information requirement of availability.
C: Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. While a lack of system resilience can in some cases affect effectiveness, resilience is more closely linked to the business information requirement of availability.

 

NEW QUESTION 328
You are the project manager of the GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks would you perform in reaction to the risk event occurrence? Each correct answer represents a part of the solution. Choose three.

  • A. Maintain and initiate incident response plans
  • B. Update risk register
  • C. Monitor risk
  • D. Communicate lessons learned from risk events

Answer: A,C,D

Explanation:
When a risk event occurs, the following tasks have to be done to react to it:

  • Maintain incident response plans
  • Monitor risk
  • Initiate incident response
  • Communicate lessons learned from risk events

Incorrect Answers:
B: The risk register is updated after applying the appropriate risk response and at the time of risk event occurrence.

 

NEW QUESTION 329
You are the project manager of the HJT project. You want to measure the operational effectiveness of risk management capabilities. Which of the following is the BEST option for measuring operational effectiveness?

  • A. Capability maturity models
  • B. Metric thresholds
  • C. Key risk indicators
  • D. Key performance indicators

Answer: D

Explanation:
Key performance indicators (KPIs) are a set of quantifiable measures that a company or industry uses to gauge or compare performance in terms of meeting its strategic and operational goals. KPIs provide insight into the operational effectiveness of the concept or capability that they monitor.
Incorrect Answers:
A: Capability maturity models (CMMs) assess the maturity of a concept or capability and do not provide insight into operational effectiveness.
B: Metric thresholds are decision or action points that are enacted when a KPI or KRI reports a specific value or set of values.
C: Key risk indicators (KRIs) only provide insight into potential risks that may exist or be realized within the concept or capability that they monitor.

 

NEW QUESTION 330
Which among the following is the BEST reason for defining a risk response?

  • A. To overview the current status of risk
  • B. To ensure that the residual risk is within the limits of the risk appetite and tolerance
  • C. To mitigate risk
  • D. To eliminate risk from the enterprise

Answer: B

Explanation:
The purpose of defining a risk response is to ensure that the residual risk is within the limits of the risk appetite and tolerance of the enterprise. Risk response is based on selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance and the cost or benefit of the particular risk response option.
Incorrect Answers:
A: This is not a valid answer.
C: Mitigation of risk is itself the risk response process, not the reason behind it.
D: Risk cannot be completely eliminated from the enterprise.

 

NEW QUESTION 331
Which of the following control audits is performed to assess the efficiency of productivity in the operations environment?

  • A. Administrative
  • B. Specialized
  • C. Operational
  • D. Financial

Answer: A

Explanation:
The administrative audit is used to assess the efficiency of productivity in the operations environment.
Incorrect Answers:
B: Specialized audits are IS audits with the specific intent of examining areas such as processes, services, or technologies, usually performed by third-party auditors.
C: The operational audit evaluates the internal control structure of a process or functional area.
D: An audit that assesses the correctness of financial statements is called a financial audit.

 

NEW QUESTION 332
Which of the following is an acceptable method for handling positive project risk?

  • A. Exploit
  • B. Mitigate
  • C. Transfer
  • D. Avoid

Answer: A

Explanation:
Exploit is a method for handling positive project risk.
Incorrect Answers:
B, C, D: These are all responses used for negative risks, not for positive risks.

 

NEW QUESTION 333
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?

  • A. Disaster Invocation Guideline
  • B. Business Continuity Strategy
  • C. Index of Disaster-Relevant Information
  • D. Availability/ ITSCM/ Security Testing Schedule

Answer: B

Explanation:
The Business Continuity Strategy is an outline of the approach to ensure the continuity of Vital Business Functions in the case of disaster events. It is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy.
Incorrect Answers:
A: The Disaster Invocation Guideline is a document produced by IT Service Continuity Management with detailed instructions on when and how to invoke the procedure for fighting a disaster. Most importantly, the guideline defines the first step to be taken by the Service Desk after learning that a disaster has occurred.
C: The Index of Disaster-Relevant Information is a catalogue of all information that is relevant in the event of a disaster. This document is maintained and circulated by IT Service Continuity Management to all members of IT staff with responsibilities for fighting disasters.
D: The Availability/ ITSCM/ Security Testing Schedule is a schedule for the regular testing of all availability, continuity, and security mechanisms, jointly maintained by Availability, IT Service Continuity, and IT Security Management.

 

NEW QUESTION 334
Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

  • A. Enforce the use of digital signatures.
  • B. Implement segregation of duties.
  • C. Apply single sign-on for access control.
  • D. Enforce an internal data access policy.

Answer: D

 

NEW QUESTION 335
A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

  • A. Chief risk officer (CRO)
  • B. Human resources manager (HRM)
  • C. Chief information officer (CIO)
  • D. Business continuity manager (BCM)

Answer: C

 

NEW QUESTION 336
Which of the following BEST illustrates the relationship of actual risk exposure to appetite?

  • A. Residual risk that exceeds appetite.
  • B. Percentage of high risk scenarios.
  • C. Controls that exceed risk appetite.
  • D. Risk events in the risk profile.

Answer: C

 

NEW QUESTION 337
......

CRISC 2023 Training With 1014 QA's: https://testinsides.actualpdf.com/CRISC-real-questions.html