CRISC Certified in Risk and Information Systems Control – Question274

You are the Risk Official in Bluewell Inc. You have detected many vulnerabilities during the risk assessment process. What should you do next?

A. Prioritize vulnerabilities for remediation solely based on impact.
B. Handle vulnerabilities as a risk, even though there is no threat.
C. Analyze the effectiveness of control on the vulnerabilities' basis.
D. Evaluate vulnerabilities for threat, impact, and cost of mitigation.

Correct Answer: D

Explanation:

Vulnerabilities detected during assessment should first be evaluated for threat, impact, and cost of mitigation. They should be evaluated and prioritized on the basis of whether or not they pose a credible threat.
Incorrect Answers: A, C: These are further steps taken after the vulnerabilities have been evaluated, so they are not the immediate action after detecting vulnerabilities.
B: If detected vulnerabilities pose no or negligible threat to the enterprise, it is not cost effective to address them as risk.

CRISC Certified in Risk and Information Systems Control – Question273

Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are in a foreign country?

A. A security breach notification may get delayed due to the time difference
B. The enterprise may not be able to monitor compliance with its internal security and privacy guidelines
C. Laws and regulations of the country of origin may not be enforceable in the foreign country
D. Additional network intrusion detection sensors would have to be installed, resulting in additional cost

Correct Answer: C

Explanation:

Laws and regulations of the country of origin may not be enforceable in the foreign country; conversely, the laws and regulations of the foreign outsourcer's country may also affect the enterprise. Hence a violation of applicable laws may go unrecognized or unrectified due to lack of knowledge of the local laws.
Incorrect Answers:
A: Security breach notification is not a problem, and time difference plays no role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are available to communicate notifications.
B: Outsourcing does not remove the enterprise's responsibility for its internal requirements. Hence monitoring compliance with its internal security and privacy guidelines is not a problem.
D: The need for additional network intrusion detection sensors is not a major problem, as it can be managed easily. It only requires additional funding, so it can be addressed.

CRISC Certified in Risk and Information Systems Control – Question272

Of the several risk responses, which of the following is used for negative risk events?

A. Share
B. Enhance
C. Exploit
D. Accept

Correct Answer: D

Explanation:

Among the given choices, only the acceptance response is used for negative risk events. Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management, in coordination with the board. There are two alternatives within the acceptance strategy, passive and active.

  • Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept its consequences.
  • Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.

Incorrect Answers: A, B, C: These are all used to deal with opportunities (positive risks), not with negative risks.

CRISC Certified in Risk and Information Systems Control – Question271

Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?

A. Monitor and Control Risks
B. Plan risk response
C. Identify Risks
D. Qualitative Risk Analysis

Correct Answer: B

Explanation:

The Plan Risk Responses project management process aims to reduce the threats to project objectives and to increase opportunities. It follows the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes. The process assigns a risk response owner to take charge of each agreed-to and funded risk response. It addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget. The inputs to the Plan Risk Responses process are:

  • Risk register
  • Risk management plan

Incorrect Answers:
A: Monitor and Control Risks is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating the effectiveness of the risk process throughout the project. It can involve choosing alternative strategies, executing a contingency or fallback plan, taking corrective action, and modifying the project management plan.
C: Identify Risks is the process of determining which risks may affect the project and documenting their characteristics. The Identify Risks process is part of the Project Risk Management knowledge area. Because new risks may evolve or become known as the project progresses through its life cycle, Identify Risks is an iterative process. The process should involve the project team so that they develop and maintain a sense of ownership and responsibility for the risks and the associated risk response actions. The risk register is the only output of this process.
D: Qualitative analysis is the definition of risk factors in terms of high/medium/low or a numeric scale (1 to 10); it determines the nature of risk on a relative scale. Some of the qualitative methods of risk analysis are:

  • Scenario analysis: a forward-looking process that can reflect risk for a given point in time.
  • Risk Control Self-Assessment (RCSA): used by enterprises (such as banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process that compels business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.

CRISC Certified in Risk and Information Systems Control – Question270

Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type of risk response is this?

A. Mitigation
B. Avoidance
C. Transference
D. Enhancing

Correct Answer: A

Explanation:

Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to within acceptable threshold limits. Taking early action to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred.
Incorrect Answers:
B: Avoidance changes the project plan to avoid the risk altogether.
C: Transference shifts some or all of the negative impact of a threat, along with ownership of the response, to a third party. Transferring the risk simply gives another party responsibility for its management; it does not eliminate it. Transferring the liability for a risk is most effective in dealing with financial risk exposure. Risk transference nearly always involves payment of a risk premium to the party taking on the risk.
D: Enhancing is a positive risk response. This strategy is used to increase the probability and/or the positive impact of an opportunity. Identifying and maximizing the key drivers of these positive-impact risks may increase the probability of their occurrence.

CRISC Certified in Risk and Information Systems Control – Question269

What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?

A. Anti-harassment policy
B. Acceptable use policy
C. Intellectual property policy
D. Privacy policy

Correct Answer: B

Explanation:

An acceptable use policy is a set of rules, applied by the owner or manager of a network, website, or large computer system, that restricts the ways in which the network, site, or system may be used. Acceptable use policies are an integral part of the framework of information security policies.
Incorrect Answers: A, C: These two policies are not related to information system security.
D: A privacy policy is a statement or legal document (under privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer's or client's data.

CRISC Certified in Risk and Information Systems Control – Question268

Which of the following terms is described in the statement below? "They are the prime monitoring indicators of the enterprise, and are highly relevant and possess a high probability of predicting or indicating important risk."

A. Key risk indicators
B. Lag indicators
C. Lead indicators
D. Risk indicators

Correct Answer: A

Explanation:

Key risk indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help avoid the excessively large number of risk indicators that a large enterprise might otherwise have to manage and report.
Incorrect Answers:
B: Lag indicators are risk indicators used to indicate risk after events have occurred.
C: Lead indicators are risk indicators used to indicate which capabilities are in place to prevent events from occurring.
D: Risk indicators are metrics used to indicate risk thresholds, i.e., they give an indication when a risk level is approaching a high or unacceptable level. The main objective of a risk indicator is to provide tracking and reporting mechanisms that alert staff to potential risks.

CRISC Certified in Risk and Information Systems Control – Question267

What is the MAIN purpose of designing risk management programs?

A. To reduce the risk to a level that the enterprise is willing to accept
B. To reduce the risk to the point at which the benefit exceeds the expense
C. To reduce the risk to a level that is too small to be measurable
D. To reduce the risk to a rate of return that equals the current cost of capital

Correct Answer: A

Explanation:

Risk cannot be removed completely from the enterprise; it can only be reduced to a level that the organization is willing to accept. Risk management programs are therefore designed to accomplish the task of reducing risk.
Incorrect Answers:
B: Depending on its risk preference, an enterprise may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. Hence this is not the primary objective of designing the risk management program.
C: Reducing risk to a level too small to measure is not practical and is often cost-prohibitive.
D: Reducing risk to a specific rate of return ignores the qualitative aspects of the risk, which should also be considered.

CRISC Certified in Risk and Information Systems Control – Question266

You are the project manager of a project in Bluewell Inc. You and your project team have identified several project risks, completed risk analysis, and are planning to apply the most appropriate risk responses. Which of the following tools would you use to choose the appropriate risk response?

A. Project network diagrams
B. Cause-and-effect analysis
C. Decision tree analysis
D. Delphi Technique

Correct Answer: C

Explanation:

Decision tree analysis is a risk analysis tool that can help the project manager determine the best risk response. The tool can be used to measure probability, impact, and risk exposure, and to show how the selected risk response can affect the probability and/or impact of the selected risk event. It helps form a balanced picture of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as part of risk response planning.
B: Cause-and-effect analysis is used for exposing risk factors and is not effective for risk response planning. This analysis uses predictive or diagnostic analytical tools to explore the root causes or factors that contribute to positive or negative effects or outcomes.
D: The Delphi technique is used for risk analysis, i.e., for identifying the most probable risks. It relies on a group of experts who independently rate the business risk of an organization. Each expert analyzes and prioritizes the risk independently, and the results are combined into a consensus.

CRISC Certified in Risk and Information Systems Control – Question265

Which of the following statements is NOT true regarding the risk management plan?

A. The risk management plan is an output of the Plan Risk Management process.
B. The risk management plan is an input to all the remaining risk-planning processes.
C. The risk management plan includes a description of the risk responses and triggers.
D. The risk management plan includes thresholds, scoring and interpretation methods, responsible parties, and budgets.

Correct Answer: C

Explanation:

The risk management plan details how risk management processes will be implemented, monitored, and controlled throughout the life of the project. The risk management plan does not include responses to risks or triggers; responses to risks are documented in the risk register as part of the Plan Risk Responses process.
Incorrect Answers: A, B, D: All of these statements are true of the risk management plan. It details how risk management processes will be implemented, monitored, and controlled throughout the life of the project; it includes thresholds, scoring and interpretation methods, responsible parties, and budgets; and it acts as an input to all the remaining risk-planning processes.