Get ISACA CRISC Dumps Questions [2021] To Gain Brilliant Result [Q545-Q565]


Career Path

The professionals with the ISACA CRISC certification can take up different job roles in the field of information technology and information security. Some popular positions that these specialists can hold include an IT Security Analyst, a Security Risk Strategist, a Technology Risk Analyst, an Information Security Analyst, and an IT Audit Risk Supervisor. As with remuneration in the industry, the specific salary that a certified individual earns will depend on a couple of factors, including job title, level of experience, and type of organization. However, the average annual salary of the certificate holders is $107,399.

 

NEW QUESTION 545
An organization automatically approves exceptions to security policies on a recurring basis. This practice is MOST likely the result of:

  • A. a lack of mitigating actions for identified risk
  • B. ineffective IT governance
  • C. decreased threat levels
  • D. ineffective service delivery

Answer: B

 

NEW QUESTION 546
You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise from time to time. What should be done to preserve the efficiency and effectiveness of controls in the face of these changes?

  • A. Add more controls
  • B. Perform Business Impact Analysis (BIA)
  • C. Nothing, efficiency and effectiveness of controls are not affected by these changes
  • D. Receive timely feedback from risk assessments and through key risk indicators, and update controls

Answer: D

Explanation:
As new technologies, products and services are introduced, compliance requirements become more complex and strict; business processes and related information flows change over time. These changes can often affect the efficiency and effectiveness of controls. Formerly effective controls become inefficient, redundant or obsolete and have to be removed or replaced. Therefore, the monitoring process has to receive timely feedback from risk assessments and through key risk indicators (KRIs) to ensure an effective control life cycle.
Incorrect Answers:
A: Most of the time, the addition of controls results in degradation of the efficiency and profitability of a process without adding an equitable level of corresponding risk mitigation; hence better controls are adopted in place of adding more controls.
B: A BIA is a discovery process meant to uncover the inner workings of any process. It helps to identify actual procedures, shortcuts, workarounds and the types of failure that may occur. It involves determining the purpose of the process, who performs the process and its output. It also involves determining the value of the process output to the enterprise.
C: Efficiency and effectiveness of controls are affected by changes in technology or products, so some measure should be taken.

 

NEW QUESTION 547
A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

  • A. Evaluate outsourcing the process.
  • B. Recommend avoiding the risk.
  • C. Update the risk register.
  • D. Validate the risk response with internal audit.

Answer: D

 

NEW QUESTION 548
You are the project manager of the GHT project. A risk event has occurred in your project and you have identified it. Which of the following tasks would you do in reaction to the risk event occurrence? Each correct answer represents a part of the solution. Choose three.

  • A. Monitor risk
  • B. Communicate lessons learned from risk events
  • C. Update risk register
  • D. Maintain and initiate incident response plans

Answer: A,B,D

Explanation:
When a risk event occurs, the following tasks have to be done to react to it:
* Maintain incident response plans
* Monitor risk
* Initiate incident response
* Communicate lessons learned from risk events
Incorrect Answers:
C: The risk register is updated after applying the appropriate risk response, rather than at the time of risk event occurrence.

 

NEW QUESTION 549
Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?

  • A. Scope change control
  • B. Integrated change control
  • C. Configuration management
  • D. Risk monitoring and control

Answer: B

Explanation:
Integrated change control is the component that is responsible for reviewing all aspects of a change's impact on a project, including risks that may be introduced by the new change. Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the effect of a proposed change on the entire project.
Incorrect Answers:
A: Scope change control focuses on the processes to allow changes to enter the project scope.
C: Configuration management controls and documents changes to the features and functions of the product scope.
D: Risk monitoring and control is not part of the change control system, so this choice is not valid.

 

NEW QUESTION 550
NIST SP 800-53 identifies controls in three primary classes. What are they?

  • A. Technical, Administrative, and Environmental
  • B. Administrative, Technical, and Operational
  • C. Preventative, Detective, and Corrective
  • D. Technical, Operational, and Management

Answer: D

Explanation:
NIST SP 800-53 is used to review security in any organization, for example in reviewing physical security. The Physical and Environmental Protection family includes 19 different controls. Organizations use these controls for better physical security. These controls are reviewed to determine whether they are relevant to a particular organization. Many of the controls described include additional references that provide more details on how to implement them. NIST SP 800-53 rev 3 identifies 18 families of controls and groups them into three classes:
* Technical
* Operational
* Management

 

NEW QUESTION 551
An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is most important for the risk practitioner to:

  • A. implement compensating controls to address the deficiency
  • B. recommend replacement of the deficient system
  • C. verify that applicable risk owners understand the risk
  • D. perform a follow-up risk assessment to quantify the risk impact

Answer: A


 

NEW QUESTION 552
The PRIMARY benefit associated with key risk indicators (KRIs) is that they:

  • A. help an organization identify emerging threats
  • B. benchmark the organization's risk profile
  • C. provide ongoing monitoring of emerging risk
  • D. identify trends in the organization's vulnerabilities

Answer: A

Reference: https://www.isaca.org/COBIT/Documents/Risk-IT-Framework_fmk_Eng_0610.pdf

 

NEW QUESTION 553
What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

  • A. Validate that the control has an established testing method.
  • B. Update the action plan in the risk register.
  • C. Seek approval from the control owner.
  • D. Reassess the risk level associated with the new control.

Answer: D

 

NEW QUESTION 554
You are the project manager of the GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. You identified a risk response strategy for this risk and have arranged for a local company to lease you the needed equipment until yours arrives. This is an example of which risk response strategy?

  • A. Acceptance
  • B. Transfer
  • C. Avoid
  • D. Mitigate

Answer: D

Explanation:
Mitigation attempts to reduce the impact of a risk event in case it occurs. Making plans to arrange for the leased equipment reduces the consequences of the risk, hence this response is mitigation.
Incorrect Answers:
A: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management, in relationship with the board. There are two alternatives to the acceptance strategy, passive and active. Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
B: Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer. Here no such action is taken, hence it is not a risk transfer.
C: Risk avoidance means to evade the risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event. Risk avoidance is applied when the level of risk, even after applying controls, would be greater than the risk tolerance level of the enterprise. Hence this risk response is adopted when:
* There is no other cost-effective response that can successfully reduce the likelihood and magnitude below the defined thresholds for risk appetite.
* The risk cannot be shared or transferred.
* The risk is deemed unacceptable by management.

 

NEW QUESTION 555
Which among the following acts as a trigger for the risk response process?

  • A. Risk level equates risk appetite
  • B. Risk level increases above risk tolerance
  • C. Risk level increases above risk appetite
  • D. Risk level equates risk tolerance

Answer: B

Explanation:
The risk response process is triggered when a risk exceeds the enterprise's risk tolerance level. The acceptable variation relative to the achievement of an objective is termed risk tolerance. In other words, risk tolerance is the acceptable deviation from the level set by the risk appetite and business objectives. Risk tolerance is defined at the enterprise level by the board and clearly communicated to all stakeholders. A process should be in place to review and approve any exceptions to such standards.
Incorrect Answers:
A and C: The risk appetite level is not relevant in triggering the risk response process. Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. It is the responsibility of the board to decide the risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
* The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
* The culture towards risk taking (cautious or aggressive). In other words, the amount of loss the enterprise wants to accept in pursuit of its objective fulfillment.
D: The risk response process is triggered when the risk level increases above the risk tolerance level of the enterprise, not when it merely equates the risk tolerance level.

 

NEW QUESTION 556
Which of the following would MOST likely result in updates to an IT risk appetite statement?

  • A. Self-assessment reports
  • B. External audit findings
  • C. Changes in senior management
  • D. Feedback from focus groups

Answer: B


 

NEW QUESTION 557
Which of the following is the BEST key control indicator (KCI) to monitor the effectiveness of patch management?

  • A. Number of unremediated vulnerabilities
  • B. Percentage of servers receiving automated patches
  • C. Percentage of legacy servers out of support
  • D. Number of intrusion attempts

Answer: D

 

NEW QUESTION 558
The BEST reason to classify IT assets during a risk assessment is to determine the:

  • A. appropriate level of protection
  • B. priority in the risk register
  • C. enterprise risk profile
  • D. business process owner

Answer: A


 

NEW QUESTION 559
Who is accountable for risk treatment?

  • A. Business process owner
  • B. Risk owner
  • C. Enterprise risk management team
  • D. Risk mitigation manager

Answer: B

 

NEW QUESTION 560
Which of the following is the MAIN reason for analyzing risk scenarios?

  • A. Identifying additional risk scenarios
  • B. Assessing loss expectancy
  • C. Establishing a risk appetite
  • D. Updating the heat map

Answer: A


 

NEW QUESTION 561
Which of the following risks is associated with not receiving the right information to the right people at the right time to allow the right action to be taken?

  • A. Availability risk
  • B. Relevance risk
  • C. Access risk
  • D. Integrity risk

Answer: B

Explanation:
Relevance risk is the risk associated with not receiving the right information to the right people (or process or systems) at the right time to allow the right action to be taken.
Incorrect Answers:
A: The risk of loss of service, or that data is not available when needed, is referred to as availability risk.
C: The risk that confidential or private information may be disclosed or made available to those without appropriate authority is termed access or security risk. An aspect of this risk is non-compliance with local, national and international laws related to privacy and protection of personal information.
D: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed integrity risk.

 

NEW QUESTION 562
The PRIMARY purpose of a maturity model is to compare the:

  • A. current state of key processes to their desired state.
  • B. organization to industry best practices.
  • C. organization to peers.
  • D. actual KPIs with target KPIs.

Answer: A

 

NEW QUESTION 563
An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?

  • A. Conduct security awareness training.
  • B. Install security cameras.
  • C. Employ security guards.
  • D. Require security access badges.

Answer: A

 

NEW QUESTION 564
Which of the following methods involves the use of predictive or diagnostic analytical tools for exposing risk factors?

  • A. Cause and effect analysis
  • B. Sensitivity analysis
  • C. Scenario analysis
  • D. Fault tree analysis

Answer: A

Explanation:
Cause-and-effect analysis involves the use of predictive or diagnostic analytical tools for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk.
Incorrect Answers:
B: Sensitivity analysis is the quantitative risk analysis technique that:
* Assists in determining the risk factors that have the most potential impact
* Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline values
C: Scenario analysis is not a method for exposing risk factors. It is used for analyzing scenarios.
D: Fault tree analysis (FTA) is a technique that provides a systematic description of the combination of possible occurrences in a system which can result in an undesirable outcome. It combines hardware failures and human failures.

 

NEW QUESTION 565
......
