ISACA CRISC Exam Practice Questions (P. 3)
Question #21
An enterprise has identified risk events in a project. While responding to these identified risk events, which of the following stakeholders is MOST important for reviewing risk response options to an IT risk?
- A. Information security managers
- B. Internal auditors
- C. Incident response team members
- D. Business managers
Correct Answer:
D
Business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others.
Incorrect Answers:
A: Information security managers may best understand the technical and tactical situation, but business managers are accountable for managing the associated risk and will determine what actions to take based on the information provided by others, which includes collaboration with, and support from, IT security managers.
C: The incident response team must ensure open communication to management and stakeholders so that business managers understand the associated risk and have enough information to make informed risk-based decisions. They are not responsible for reviewing risk response options.
Question #22
Which of the following is a technique that provides a systematic description of the combination of unwanted occurrences in a system?
- A. Sensitivity analysis
- B. Scenario analysis
- C. Fault tree analysis
- D. Cause and effect analysis
Correct Answer:
C
Fault tree analysis (FTA) is a technique that provides a systematic description of the combinations of possible occurrences in a system that can result in an undesirable outcome. It combines hardware failures and human failures.
Incorrect Answers:
A: Sensitivity analysis is a quantitative risk analysis technique that assists in determining which risk factors have the most potential impact. It examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values.
B: Scenario analysis provides the ability to see a range of values across several scenarios to identify risk in a specific situation. It helps identify the inputs that contribute the greatest level of uncertainty.
D: Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk.
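The fault tree and sensitivity analysis described in the answer above, as an added worked example that is not part of the exam material. The tree below combines a hardware/logistics failure (a backup tape is lost) with a process failure (the tape was not encrypted), and a human failure (a user is phished) with a control gap (MFA not enforced). The event names and probabilities are constructed for illustration and the basic events are assumed independent. It enumerates the minimal cut sets (the "combinations of unwanted occurrences" that FTA is about), computes the top-event probability, and then ranks the basic events by a one-at-a-time sensitivity measure (Birnbaum importance), which is the sensitivity-analysis idea from option A applied to the same tree.

```python
"""Fault tree analysis (FTA) worked example: minimal cut sets, top-event
probability, and a Birnbaum (one-at-a-time) sensitivity ranking.

The tree, event names and probabilities below are CONSTRUCTED for this
illustration; they do not come from the exam material. Basic events are
assumed statistically independent, so an AND gate multiplies its inputs'
probabilities and an OR gate combines them as 1 - prod(1 - p_i).
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod
from typing import Dict, List, Union

Node = Union["Gate", str]  # a str is the name of a basic event


@dataclass
class Gate:
    kind: str          # "AND" or "OR"
    inputs: List[Node]


def probability(node: Node, basic: Dict[str, float]) -> float:
    """Probability that `node` occurs, given basic-event probabilities."""
    if isinstance(node, str):
        return basic[node]
    ps = [probability(child, basic) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Enumerate the minimal combinations of basic events that cause `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    groups = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":                     # any child's cut set suffices
        combined = [cs for group in groups for cs in group]
    elif node.kind == "AND":                  # need one cut set from every child
        combined = [frozenset()]
        for group in groups:
            combined = [a | b for a in combined for b in group]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    uniq = set(combined)
    # drop any cut set that strictly contains another one (non-minimal)
    minimal = [cs for cs in uniq if not any(other < cs for other in uniq)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def birnbaum_importance(top: Node, basic: Dict[str, float]) -> Dict[str, float]:
    """Sensitivity of the top event to each basic event, all others held at
    their baseline values: P(top | e certain) - P(top | e impossible)."""
    scores = {}
    for event in basic:
        high = probability(top, {**basic, event: 1.0})
        low = probability(top, {**basic, event: 0.0})
        scores[event] = high - low
    return scores


def most_sensitive_event(top: Node, basic: Dict[str, float]) -> str:
    scores = birnbaum_importance(top, basic)
    return max(scores, key=scores.get)


def build_example_tree():
    """Constructed tree: unauthorized disclosure of customer data occurs if
    an unencrypted backup tape is lost OR a phished credential is used
    where MFA is not enforced."""
    top = Gate("OR", [
        Gate("AND", ["backup_tape_lost", "tape_unencrypted"]),
        Gate("AND", ["phish_success", "mfa_absent"]),
    ])
    basic = {                      # assumed annual probabilities (constructed)
        "backup_tape_lost": 0.05,
        "tape_unencrypted": 0.20,
        "phish_success": 0.10,
        "mfa_absent": 0.30,
    }
    return top, basic


if __name__ == "__main__":
    top, basic = build_example_tree()
    print("minimal cut sets:", [sorted(cs) for cs in minimal_cut_sets(top)])
    print(f"P(top event) = {probability(top, basic):.4f}")
    for event, score in sorted(birnbaum_importance(top, basic).items(),
                               key=lambda kv: -kv[1]):
        print(f"  {event:<18} importance {score:.4f}")
```

With these assumed numbers the two minimal cut sets are {backup_tape_lost, tape_unencrypted} and {phish_success, mfa_absent}, the top-event probability is about 0.04, and the phishing event has the largest Birnbaum importance, so a control that reduces phishing success (or closes the MFA gap it depends on) buys the most risk reduction per unit of probability change. That ranking is what a risk practitioner takes from the tree into the risk response discussion.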
Question #23
What is the process for selecting and implementing measures to impact risk called?
- A. Risk Treatment
- B. Control
- C. Risk Assessment
- D. Risk Management
Correct Answer:
A
The process for selecting and implementing measures for impacting risk in the environment is called risk treatment.
Incorrect Answers:
C: The process of identifying, analyzing and evaluating risk is called risk assessment.
D: Risk management is the set of coordinated activities for directing and controlling the organization with regard to risk; risk treatment is one part of it.
Question #24
Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be certified by CEO and CFO"?
- A. Section 302
- B. Section 404
- C. Section 203
- D. Section 409
Correct Answer:
A
Section 302 of the Sarbanes-Oxley Act requires corporate responsibility for financial reports to be certified by CEO, CFO, or designated representative.
Incorrect Answers:
B: Section 404 of the Sarbanes-Oxley Act states that annual assessments of internal controls are the responsibility of management.
C: Section 203 of the Sarbanes-Oxley Act requires audit partners and review partners to rotate off an assignment every five years.
D: Section 409 of the Sarbanes-Oxley Act requires material changes in financial condition or operations to be disclosed on a rapid and current basis.
Question #25
What is the PRIMARY need for effectively assessing controls?
- A. Control's alignment with operating environment
- B. Control's design effectiveness
- C. Control's objective achievement
- D. Control's operating effectiveness
Correct Answer:
C
Controls can be effectively assessed only by determining how accurately the control objective is achieved within the environment in which they are operating. No conclusion can be reached as to the strength of the control until the control has been adequately tested.
Incorrect Answers:
A: Alignment of the control with the operating environment is essential, but it is considered after the control's accuracy in achieving its objective. In other words, achieving the objective is the top priority in assessing controls.
B: The control's design effectiveness is also considered, but only after objective achievement.
D: The control's operating effectiveness is considered, but after its accuracy in achieving the objective.
Question #26
You work as the project manager for Bluewell Inc. There has been a delay in your project work that is adversely affecting the project schedule. You decide, with your stakeholders' approval, to fast track the project work to get the project done faster. When you fast track the project, what is likely to increase?
- A. Human resource needs
- B. Quality control concerns
- C. Costs
- D. Risks
Correct Answer:
D
Fast tracking allows entire phases of the project to overlap and generally increases risks within the project.
Fast tracking is a technique for compressing project schedule. In fast tracking, phases are overlapped that would normally be done in sequence. It is shortening the project schedule without reducing the project scope.
Incorrect Answers:
A: Human resources are not affected by fast tracking in most scenarios.
B: Quality control concerns usually are not affected by fast tracking decisions.
C: Costs do not generally increase based on fast tracking decisions.
Question #27
David is the project manager of the HRC Project. He has identified a risk in the project that could delay the project. David does not want this risk event to happen, so he takes a few actions to ensure that the risk event will not occur. These extra steps, however, cost the project an additional $10,000. What type of risk response has David adopted?
- A. Avoidance
- B. Mitigation
- C. Acceptance
- D. Transfer
Correct Answer:
B
David is implementing operational controls to reduce the likelihood and impact of the risk, so he is adopting risk mitigation. Risk mitigation means that actions are taken to reduce the likelihood and/or impact of a risk.
Incorrect Answers:
A: Risk avoidance means that the activities or conditions that give rise to the risk are discontinued. No such action is taken here, so the risk is not avoided.
C: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. David has taken actions to defend against the risk, so he is not accepting it.
D: David has not contracted a vendor or insurer to take on the risk for his project, so he is not transferring the risk.
Question #28
Which of the following is the MOST important objective of the information system control?
- A. Business objectives are achieved and undesired risk events are detected and corrected
- B. Ensuring effective and efficient operations
- C. Developing business continuity and disaster recovery plans
- D. Safeguarding assets
Correct Answer:
A
The basic purpose of Information System control in an organization is to ensure that the business objectives are achieved and undesired risk events are detected and corrected. Some of the IS control objectives are given below:
✑ Safeguarding assets
✑ Assuring integrity of sensitive and critical application system environments
✑ Assuring integrity of general operating system
✑ Ensuring effective and efficient operations
✑ Fulfilling user requirements, organizational policies and procedures, and applicable laws and regulations
✑ Change management
✑ Developing business continuity and disaster recovery plans
✑ Developing incident response and handling plans
Hence the most important objective is to ensure that business objectives are achieved and undesired risk events are detected and corrected.
Incorrect Answers:
B, C, D: These are also the objectives of the information system control but are not the best answer.
Question #29
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?
- A. Business Continuity Strategy
- B. Index of Disaster-Relevant Information
- C. Disaster Invocation Guideline
- D. Availability/ ITSCM/ Security Testing Schedule
Correct Answer:
A
The Business Continuity Strategy is an outline of the approach to ensure the continuity of Vital Business Functions in the case of disaster events. The Business Continuity Strategy is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy.
Incorrect Answers:
B: The Index of Disaster-Relevant Information is a catalog of all information that is relevant in the event of disasters. This document is maintained and circulated by IT Service Continuity Management to all members of IT staff with responsibilities for fighting disasters.
C: The Disaster Invocation Guideline is a document produced by IT Service Continuity Management with detailed instructions on when and how to invoke the procedure for fighting a disaster. Most importantly, the guideline defines the first step to be taken by the Service Desk after learning that a disaster has occurred.
D: The Availability/ ITSCM/ Security Testing Schedule is a schedule for the regular testing of all availability, continuity, and security mechanisms, jointly maintained by Availability, IT Service Continuity, and IT Security Management.
Question #30
For which of the following risk management capability maturity levels is the following statement true? "Real-time monitoring of risk events and control exceptions exists, as does automation of policy management"
- A. Level 3
- B. Level 0
- C. Level 5
- D. Level 2
Correct Answer:
C
An enterprise's risk management capability maturity level is 5 when real-time monitoring of risk events and control exceptions exists, as does automation of policy management.
Incorrect Answers:
A, D: At these levels, real-time monitoring of risk events is not performed.
B: At level 0 of the risk management capability maturity model, the enterprise does not recognize the importance of considering risk management or the business impact of IT risk.