CRISC Certified in Risk and Information Systems Control

Page 1   
Question 1

You are the project manager of GHT project. Your hardware vendor left you a voicemail
saying that the delivery of the equipment you have ordered would not arrive on time. She
wanted to give you a heads-up and asked that you return the call. Which of the following
statements is TRUE?

  • A. This is a residual risk.
  • B. This is a trigger.
  • C. This is a contingency plan.
  • D. This is a secondary risk.


Answer : B

Explanation: Triggers are warning signs of an upcoming risk event. Here the delay in delivery signals that a risk event, such as a delay in project completion, may occur. Hence it is referred to as a trigger. Answer: C is incorrect. A contingency plan is a plan devised for a specific situation when things go wrong. Contingency plans are often devised by governments or businesses that want to be prepared for anything that could happen. Here there are no such plans. Answer: A is incorrect. Residual risk is the risk that remains after applying controls, but in this scenario the risk event has not occurred yet. Answer: D is incorrect. Secondary risks are risks that come about as a result of implementing a risk response, but in this scenario the risk event has not occurred yet.

Question 2

Which of the following matrices is used to specify risk thresholds?

  • A. Risk indicator matrix
  • B. Impact matrix
  • C. Risk scenario matrix
  • D. Probability matrix


Answer : A

Explanation: Risk indicators are metrics used to indicate risk thresholds, i.e., they give an indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about potential risks. Answer: D and B are incorrect. Estimation of a risk's consequence and priority for awareness is conducted using a probability and impact matrix. These matrices specify the combinations of probability and impact that lead to rating risks as low, moderate, or high priority. Answer: C is incorrect. A risk scenario is a description of an event that can have an impact on the business, when and if it occurs. Some examples of risk scenarios are:

  • Having a major hardware failure
  • Failed disaster recovery planning (DRP)
  • Major software failure

Question 3

What are the functions of audit and accountability control?
Each correct answer represents a complete solution. Choose all that apply.

  • A. Provides details on how to protect the audit logs
  • B. Implement effective access control
  • C. Implement an effective audit program
  • D. Provides details on how to determine what to audit


Answer : A,C,D

Explanation: The audit and accountability family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation. Answer: B is incorrect. Access Control is the family of controls that helps an organization implement effective access control. They ensure that users have the rights and permissions they need to perform their jobs, and no more. It includes principles such as least privilege and separation of duties. The audit and accountability family of controls does not help in implementing effective access control.

Question 4

Your project team has completed the quantitative risk analysis for your project work. Based
on their findings, they need to update the risk register with several pieces of information.
Which one of the following components is likely to be updated in the risk register based on
their analysis?

  • A. Listing of risk responses
  • B. Risk ranking matrix
  • C. Listing of prioritized risks
  • D. Qualitative analysis outcomes


Answer : C

Explanation: The outcome of quantitative analysis can create a listing of prioritized risks that should be updated in the risk register. The project team will create and update the risk register with four key components: probabilistic analysis of the project, probability of achieving time and cost objectives, list of quantified risks, and trends in quantitative risk analysis. Answer: D, B, and A are incorrect. These subjects are not updated in the risk register as a result of quantitative risk analysis.

Question 5

Which of the following role carriers will decide the Key Risk Indicator of the enterprise?
Each correct answer represents a part of the solution. Choose two.

  • A. Business leaders
  • B. Senior management
  • C. Human resource
  • D. Chief financial officer


Answer : A,B

Explanation: An enterprise may have hundreds of risk indicators such as logs, alarms and reports. The CRISC will usually need to work with senior management and business leaders to determine which risk indicators will be monitored on a regular basis and be recognized as KRIs. Answer: D and C are incorrect. The chief financial officer and human resources only have an overview of the common risk view, but are not involved in risk-based decisions.

Question 6

What is the PRIMARY need for effectively assessing controls?

  • A. Control's alignment with operating environment
  • B. Control's design effectiveness
  • C. Control's objective achievement
  • D. Control's operating effectiveness


Answer : C

Explanation: Controls can be effectively assessed only by determining how accurately the control objective is achieved within the environment in which they are operating. No conclusion can be reached as to the strength of the control until the control has been adequately tested. Answer: B is incorrect. The control's design effectiveness is also considered, but only after objective achievement. Answer: D is incorrect. The control's operating effectiveness is considered, but after its accuracy in objective achievement. Answer: A is incorrect. Alignment of the control with the operating environment is essential, but it comes after the control's accuracy in achieving its objective. In other words, achieving the objective is the topmost priority in assessing controls.

Question 7

You are the project manager of GHT project. You have identified a risk event on your
project that could save $100,000 in project costs if it occurs. Which of the following
statements BEST describes this risk event?

  • A. This risk event should be mitigated to take advantage of the savings.
  • B. This is a risk event that should be accepted because the rewards outweigh the threat to the project.
  • C. This risk event should be avoided to take full advantage of the potential savings.
  • D. This risk event is an opportunity to the project and should be exploited.


Answer : D

Explanation: This risk event has the potential to save money on project costs, so it is an opportunity, and the appropriate strategy to use in this case is the exploit strategy. The exploit response is one of the strategies for handling risks that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response. Answer: B is incorrect. To accept a risk means that no action is taken relative to a particular risk; loss is accepted if it occurs. But as this risk event brings an opportunity, it should be exploited and not accepted. Answer: A and C are incorrect. The mitigation and avoidance risk responses are used for negative risk events, not positive risk events. In this scenario, since it is stated that the event could save $100,000, it is a positive risk event and therefore should not be mitigated or avoided.

Question 8

Wendy has identified a risk event in her project that has an impact of $75,000 and a 60
percent chance of happening. Through research, her project team learns that the risk
impact can actually be reduced to just $15,000 with only a ten percent chance of occurring.
The proposed solution will cost $25,000. Wendy agrees to the $25,000 solution. What type
of risk response is this?

  • A. Mitigation
  • B. Avoidance
  • C. Transference
  • D. Enhancing


Answer : A

Explanation: Risk mitigation implies a reduction in the probability and/or impact of an adverse risk event to be within acceptable threshold limits. Taking early actions to reduce the probability and/or impact of a risk occurring on the project is often more effective than trying to repair the damage after the risk has occurred. Answer: B is incorrect. Avoidance changes the project plan to avoid the risk altogether. Answer: C is incorrect. Transference requires shifting some or all of the negative impacts of a threat, along with the ownership of the response, to a third party. Transferring the risk simply gives another party the responsibility for its management; it does not eliminate it. Transferring the liability for a risk is most effective in dealing with financial risk exposure. Risk transference nearly always involves payment of a risk premium to the party taking on the risk. Answer: D is incorrect. Enhancing is actually a positive risk response. This strategy is used to increase the probability and/or the positive impact of an opportunity. Identifying and maximizing the key drivers of these positive-impact risks may increase the probability of their occurrence.

Question 9

Harry is the project manager of HDW project. He has identified a risk that could injure
project team members. He does not want to accept any risk where someone could become
injured on this project so he hires a professional vendor to complete this portion of the
project work. What type of risk response is Harry implementing?

  • A. Transference
  • B. Mitigation
  • C. Acceptance
  • D. Avoidance


Answer : A

Explanation: Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer. Hence when Harry hires a professional vendor to manage that risk, the risk event does not go away but the responsibility for the event is transferred to the vendor. Answer: D is incorrect. Avoidance removes the risk event entirely, either by adding additional steps to avoid the event or by reducing the project scope. Answer: B is incorrect. Mitigation consists of actions that Harry's project team could take to reduce the probability and/or impact of a risk event. Answer: C is incorrect. Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. Here Harry is not accepting this risk event; he does not want anyone on his team to become injured, so he is transferring the event to a professional vendor.

Question 10

Which of the following is the MOST important objective of the information system control?

  • A. Business objectives are achieved and undesired risk events are detected and corrected
  • B. Ensuring effective and efficient operations
  • C. Developing business continuity and disaster recovery plans
  • D. Safeguarding assets


Answer : A

Explanation: The basic purpose of information system control in an organization is to ensure that the business objectives are achieved and undesired risk events are detected and corrected. Some of the IS control objectives are given below:

  • Safeguarding assets
  • Assuring integrity of sensitive and critical application system environments
  • Assuring integrity of the general operating system
  • Ensuring effective and efficient operations
  • Fulfilling user requirements, organizational policies and procedures, and applicable laws and regulations
  • Change management
  • Developing business continuity and disaster recovery plans
  • Developing incident response and handling plans

Hence the most important objective is to ensure that business objectives are achieved and undesired risk events are detected and corrected. Answer: B, D, and C are incorrect. These are also objectives of information system control but are not the best answer.

Question 11

You are an experienced Project Manager that has been entrusted with a project to develop
a machine which produces auto components. You have scheduled meetings with the
project team and the key stakeholders to identify the risks for your project. Which of the
following is a key output of this process?

  • A. Risk Register
  • B. Risk Management Plan
  • C. Risk Breakdown Structure
  • D. Risk Categories


Answer : A

Explanation: The primary outputs from Identify Risks are the initial entries into the risk register. The risk register ultimately contains the outcomes of other risk management processes as they are conducted, resulting in an increase in the level and type of information contained in the risk register over time. Answer: B, D, and C are incorrect. All of these are outputs from the "Plan Risk Management" process, which happens prior to the start of risk identification.

Question 12

What type of policy would an organization use to forbid its employees from using
organizational e-mail for personal use?

  • A. Anti-harassment policy
  • B. Acceptable use policy
  • C. Intellectual property policy
  • D. Privacy policy


Answer : B

Explanation: An acceptable use policy is a set of rules applied by the owner/manager of a network, website or large computer system that restricts the ways in which the network, site or system may be used. Acceptable use policies are an integral part of the framework of information security policies. Answer: D is incorrect. A privacy policy is a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's or client's data. Answer: C and A are incorrect. These two policies are not related to information system security.

Question 13

You work as the project manager for Bluewell Inc. There has been a delay in your project
work that is adversely affecting the project schedule. You decide, with your stakeholders'
approval, to fast track the project work to get the project done faster. When you fast track
the project, what is likely to increase?

  • A. Human resource needs
  • B. Quality control concerns
  • C. Costs
  • D. Risks


Answer : D

Explanation: Fast tracking allows entire phases of the project to overlap and generally increases risks within the project. Fast tracking is a technique for compressing the project schedule. In fast tracking, phases that would normally be done in sequence are overlapped. It shortens the project schedule without reducing the project scope. Answer: B is incorrect. Quality control concerns usually are not affected by fast tracking decisions. Answer: C is incorrect. Costs do not generally increase based on fast tracking decisions. Answer: A is incorrect. Human resources are not affected by fast tracking in most scenarios.

Question 14

For which of the following risk management capability maturity levels is the statement
given below true? "Real-time monitoring of risk events and control exceptions exists, as
does automation of policy management"

  • A. Level 3
  • B. Level 0
  • C. Level 5
  • D. Level 2


Answer : C

Explanation: An enterprise's risk management capability maturity level is 5 when real-time monitoring of risk events and control exceptions exists, as does automation of policy management. Answer: B is incorrect. At level 0 of the risk management capability maturity model, the enterprise does not recognize the importance of considering risk management or the business impact of IT risk. Answer: A and D are incorrect. At these levels, real-time monitoring of risk events is not done.

Question 15

Stephen is the project manager of the GBB project. He has worked with two subject matter
experts and his project team to complete the risk assessment technique. There are
approximately 47 risks that have a low probability and a low impact on the project. Which of
the following answers best describes what Stephen should do with these risk events?

  • A. Because they are low probability and low impact, Stephen should accept the risks.
  • B. The low probability and low impact risks should be added to a watchlist for future monitoring.
  • C. Because they are low probability and low impact, the risks can be dismissed.
  • D. The low probability and low impact risks should be added to the risk register.


Answer : B

Explanation: The low probability and low impact risks should be added to a watchlist for future monitoring. Answer: A is incorrect. The risk response for these events may be to accept them, but the best answer is to first add them to a watchlist. Answer: C is incorrect. Risks are not dismissed; they are at least added to a watchlist for monitoring. Answer: D is incorrect. While the risks may eventually be added to the register, the best answer is to first add them to the watchlist for monitoring.
