Free Sales Ending Soon - 100% Valid CRISC Exam Dumps with 1196 Questions [Q345-Q366]

Rate this post

Free Sales Ending Soon – 100% Valid CRISC Exam Dumps with 1196 Questions

Verified CRISC dumps Q&As on your Isaca Certificaton Exam Questions Certain Success!

The ISACA CRISC exam itself is a four-hour test that covers four main domains: risk identification, assessment, response, and monitoring. Each domain is weighted differently, with risk identification and assessment accounting for 27% of the exam, risk response accounting for 23%, and risk monitoring accounting for 21%. The remaining 29% of the exam covers topics related to governance, risk management, and compliance.

NO.345 An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

identify key process owners.

validate control process execution.

determine if controls are effective.

conduct a baseline assessment.

NO.346 The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

ensure policy and regulatory compliance.

assess the proliferation of new threats.

verify Internet firewall control settings.

identify vulnerabilities in the system.

NO.347 Which of the following is the FOREMOST root cause of project risk?
Each correct answer represents a complete solution. Choose two.

New system is not meeting the user business needs

Delay in arrival of resources

Lack of discipline in managing the software development process

Selection of unsuitable project methodology

NO.348 Which of the following stakeholders are typically included as part of a line of defense within the three lines of defense model?

Board of directors

Vendors

Regulators

Legal team

NO.349 Which of the following is the BEST way to validate whether controls to reduce user device vulnerabilities have been implemented according to management’s action plan?

Survey device owners.

Review awareness training assessment results.

Re-scan the user environment.

Require annual end user policy acceptance.

NO.350 Which of the following considerations should be taken into account while selecting risk indicators that ensures greater buy-in and ownership?

Lag indicator

Lead indicator

Root cause

Stakeholder

NO.351 When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Risk management strategy planning

Risk monitoring and control

Risk identification

Risk response planning

NO.352 Which of the following should be the PRIMARY focus of an independent review of a risk management process?

Accuracy of risk tolerance levels

Consistency of risk process results

Participation of stakeholders

Maturity of the process

NO.353 Walter is the project manager of a large construction project. He’ll be working with several vendors on the project. Vendors will be providing materials and labor for several parts of the project. Some of the works in the project are very dangerous so Walter has implemented safety requirements for all of the vendors and his own project team. Stakeholders for the project have added new requirements, which have caused new risks in the project. A vendor has identified a new risk that could affect the project if it comes into fruition. Walter agrees with the vendor and has updated the risk register and created potential risk responses to mitigate the risk.
What should Walter also update in this scenario considering the risk event?

Project management plan

Project communications plan

Project contractual relationship with the vendor

Project scope statement

NO.354 Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Chief financial officer

Information security director

Internal audit director

Chief information officer

NO.355 A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?

Monitor the databases for abnormal activity

Approve exception to allow the software to continue operating

Require the software vendor to remediate the vulnerabilities

Accept the risk and let the vendor run the software as is

NO.356 Which of the following is the MOST effective way to incorporate stakeholder concerns when developing risk scenarios?

Evaluating risk impact

Creating quarterly risk reports

Establishing key performance indicators

Conducting internal audits

NO.357 Which of the following is the PRIMARY role of a data custodian in the risk management process?

Performing periodic data reviews according to policy

Reporting and escalating data breaches to senior management

Being accountable for control design

Ensuring data is protected according to the classification

NO.358 A risk practitioner has identified that the agreed recovery time objective (RTO) with a Software as a Service (SaaS) provider is longer than the business expectation. Which ot the following is the risk practitioner’s BEST course of action?

Collaborate with the risk owner to determine the risk response plan.

Document the gap in the risk register and report to senior management.

Include a right to audit clause in the service provider contract.

Advise the risk owner to accept the risk.

NO.359 Which among the following is the BEST reason for defining a risk response?

To eliminate risk from the enterprise

To ensure that the residual risk is within the limits of the risk appetite and tolerance

To overview current status of risk

To mitigate risk

NO.360 Which of the following BEST supports ethical IT risk management practices?

Robust organizational communication channels

Mapping of key risk indicators (KRIs) to corporate strategy

Capability maturity models integrated with risk management frameworks

Rigorously enforced operational service level agreements (SLAs)

NO.361 You are the project manager of the NNN Project. Stakeholders in the two-year project have requested to send status reports to them via. email every week. You have agreed and send reports every Thursday. After six months of the project, the stakeholders are pleased with the project progress and they would like you to reduce the status reports to every two weeks. What process will examine the change to this project process and implement it in the project?

Configuration management

Communications management

Perform integrated change control process

Project change control process

Explanation:
Although this appears to be a simple change the project manager must still follow the rules of the project’s change control system. Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project’s change control system that examines the affect of a proposed change on the entire project.

NO.362 A newly enacted information privacy law significantly increases financial penalties for breaches of personally identifiable information (Pll). Which of the following will MOST likely outcome for an organization affected by the new law?

Increase in compliance breaches

Increase in loss event impact

Increase in residual risk

Increase in customer complaints

NO.363 An organization is considering acquiring a new line of business and wants to develop new IT risk scenarios to guide its decisions. Which of the following would add the MOST value to the new risk scenarios?

Audit findings

Expected losses

Cost-benefit analysis

Organizational threats

NO.364 You work as a Project Manager for www.company.com Inc. You have to measure the probability, impact, and risk exposure. Then, you have to measure how the selected risk response can affect the probability and impact of the selected risk event. Which of the following tools will help you to accomplish the task?

Project network diagrams

Delphi technique

Decision tree analysis

Cause-and-effect diagrams

Explanation:
Decision tree analysis is a risk analysis tool that can help the project manager in determining the best risk response. The tool can be used to measure probability, impact, and risk exposure and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced image of the risks and oppourtunities connected with each possible course of action. This makes them mostly useful for choosing between different strategies, projects, or investment opportunities particularly when the resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.

NO.365 To reduce costs, an organization is combining the second and third tines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?

The risk governance approach of the second and third lines of defense may differ.

The independence of the internal third line of defense may be compromised.

Cost reductions may negatively impact the productivity of other departments.

The new structure is not aligned to the organization’s internal control framework.

NO.366 Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

More complex test restores

Inadequate service level agreement (SLA) with the provider

More complex incident response procedures

Inadequate data encryption