ISACA CRISC Exam Practice Questions (P. 4)
Question #31
Which of the following is true for Cost Performance Index (CPI)?
- A. If the CPI > 1, it indicates better than expected performance of project
- B. CPI = Earned Value (EV) * Actual Cost (AC)
- C. It is used to measure performance of schedule
- D. If the CPI = 1, it indicates poor performance of project
Correct Answer:
A
Cost performance index (CPI) is used to calculate the performance efficiency of a project. It is used in trend analysis to predict future performance. CPI is the ratio of earned value to actual cost.
If the CPI value is greater than 1, it indicates better than expected performance, whereas if the value is less than 1, it shows poor performance.
Incorrect Answers:
B: CPI is the ratio of earned value to actual cost, i.e., CPI = Earned Value (EV) / Actual Cost (AC).
C: Cost performance index (CPI) is used to calculate the performance efficiency of a project, not of its schedule.
D: The CPI value of 1 indicates that the project is right on target.
Question #32
Which of the following do NOT provide indirect information?
- A. Information about the propriety of cutoff
- B. Reports that show orders that were rejected for credit limitations.
- C. Reports that provide information about any unusual deviations and individual product margins.
- D. The lack of any significant differences between perpetual levels and actual levels of goods.
Correct Answer:
A
Information about the propriety of cutoff is a kind of direct information.
Incorrect Answers:
B: Reports that show orders that were rejected for credit limitations provide indirect information that credit checking aspects of the system are working as intended.
C: Reports that provide information about any unusual deviations and individual product margins (whereby, the price of an item sold is compared to its standard cost) provide indirect information that controls over billing and pricing are operating.
D: The lack of any significant differences between perpetual levels and actual levels provides indirect information that its billing controls are operating.
Question #33
Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?
- A. Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate).
- B. Grouping the stakeholders based on their level of authority ("power") and their level of concern ("interest") regarding the project outcomes.
- C. Influence/impact grid, grouping the stakeholders based on their active involvement ("influence") in the project and their ability to affect changes to the project's planning or execution ("impact").
- D. Grouping the stakeholders based on their level of authority ("power") and their active involvement ("influence") in the project.
Correct Answer:
A
A salience model defines and charts stakeholders' power, urgency, and legitimacy in the project.
The salience model is a technique for categorizing stakeholders according to their importance. The various difficulties faced by the project managers are as follows:
✑ How to choose the right stakeholders?
✑ How to prioritize competing claims of the stakeholders' communication needs?
Stakeholder salience is determined by the evaluation of their power, legitimacy and urgency in the organization.
✑ Power is defined as the ability of the stakeholder to impose their will.
✑ Urgency is the need for immediate action.
✑ Legitimacy shows whether the stakeholder's participation is appropriate.
The model allows the project manager to decide the relative salience of a particular stakeholder.
Incorrect Answers:
B: This defines the power/interest grid.
C: This defines an influence/impact grid.
D: This defines a power/influence grid.
Question #34
Which of the following is the first and MOST crucial step in the risk assessment process?
- A. Identification of assets
- B. Identification of threats
- C. Identification of threat sources
- D. Identification of vulnerabilities
Correct Answer:
A
Asset identification is the most crucial and first step in the risk assessment process. Risk identification, assessment and evaluation (analysis) should always be clearly aligned to assets. Assets can be people, processes, infrastructure, information or applications.
Question #35
Which of the following matrices is used to specify risk thresholds?
- A. Risk indicator matrix
- B. Impact matrix
- C. Risk scenario matrix
- D. Probability matrix
Correct Answer:
A
Risk indicators are metrics used to indicate risk thresholds, i.e., they indicate when a risk level is approaching a high or unacceptable level. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about potential risks.
Incorrect Answers:
B, D: The estimation of a risk's consequence and priority for awareness is conducted using a probability and impact matrix. These matrices specify the combinations of probability and impact that lead to rating the risks as low, moderate, or high priority.
C: A risk scenario is a description of an event that can have an impact on the business, when and if it occurs.
Some examples of risk scenarios are:
✑ Having a major hardware failure
✑ Failed disaster recovery planning (DRP)
✑ Major software failure
Question #36
What are the two MAJOR factors to be considered while deciding risk appetite level? Each correct answer represents a part of the solution. (Choose two.)
- A. The amount of loss the enterprise wants to accept
- B. Alignment with risk-culture
- C. Risk-aware decisions
- D. The capacity of the enterprise's objective to absorb loss.
Correct Answer:
AD
Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the responsibility of the board to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
✑ The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
✑ The culture towards risk taking: cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursuit of its objective fulfillment.
Incorrect Answers:
B: Alignment with risk-culture is also one of the factors but is not as important as these two.
C: A risk-aware decision is not a factor, but a result that uses risk appetite information as its input.
Question #37
You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions?
- A. Risk planning
- B. Risk monitoring and controlling
- C. Risk identification
- D. Risk analysis
Correct Answer:
B
The risk monitoring and controlling process is responsible for identifying new risks, determining the status of risks that may have changed, and determining which risks may be outdated in the project.
Incorrect Answers:
A: Risk planning creates the risk management plan and determines how risks will be identified, analyzed, monitored and controlled, and responded to.
C: Risk identification is a process that identifies risk events in the project.
D: Risk analysis helps determine the severity of the risk events, the risks' priority, and the probability and impact of risks.
Question #38
You are the project manager of the HGT project in Bluewell Inc. The project has an asset valued at $125,000 and is subjected to an exposure factor of 25 percent.
What will be the Single Loss Expectancy of this project?
- A. $125,025
- B. $31,250
- C. $5,000
- D. $3,125,000
Correct Answer:
B
The Single Loss Expectancy (SLE) of this project will be $31,250.
Single Loss Expectancy is a term related to Quantitative Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows:
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
where the Exposure Factor represents the impact of the risk over the asset, or the percentage of the asset lost. As an example, if the Asset Value is reduced by two thirds, the Exposure Factor value is .66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit in which the Single Loss Expectancy is expressed.
Therefore,
SLE = Asset Value * Exposure Factor
= 125,000 * 0.25
= $31,250
Incorrect Answers:
A, C, D: These are not SLEs of this project.
Question #39
Which of the following are the principles of access controls?
Each correct answer represents a complete solution. (Choose three.)
- A. Confidentiality
- B. Availability
- C. Reliability
- D. Integrity
Correct Answer:
ABD
The principles of access controls focus on availability, integrity, and confidentiality, as loss or danger is directly related to these three:
✑ Loss of confidentiality: someone sees a password or a company's secret formula.
✑ Loss of integrity: an e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site.
✑ Loss of availability: an e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available.
Question #40
You are the project manager of GHT project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk Indicators. What is the MOST important reason to maintain Key Risk Indicators?
- A. Risk reports need to be timely
- B. Complex metrics require fine-tuning
- C. Threats and vulnerabilities change over time
- D. They help to avoid risk
Correct Answer:
C
Since the enterprise's internal and external environments are constantly changing, the risk environment is also highly dynamic, i.e., threats and vulnerabilities change over time. Hence KRIs need to be maintained to ensure that they continue to effectively capture these changes.
Incorrect Answers:
A: Timely risk reporting is one of the business requirements, but is not the reason behind KRI maintenance.
B: While most key risk indicator metrics need to be optimized with respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time.
D: Avoiding risk is a type of risk response. Risk responses are based on KRI reporting.