[Q175-Q198] Best Quality ISACA CRISC Exam Questions Pass4suresVCE Realistic Practice Exams [2021]

Share

Best Quality ISACA CRISC Exam Questions Pass4suresVCE Realistic Practice Exams [2021]

Critical Information To Certified in Risk and Information Systems Control Pass the First Time

NEW QUESTION 175
Suppose you are working in Techmart Inc. which sells various products through its website. Due to some recent losses, you are trying to identify the most important risks to the Website. Based on feedback from several experts, you have come up with a list. You now want to prioritize these risks. Now in which category you would put the risk concerning the modification of the Website by unauthorized parties.

  • A. Explanation:
    Website defacing is an attack on a website by unauthorized party that changes the visual appearance of the site or a webpage. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.
  • B. Web defacing
  • C. Denial of service attack
  • D. Ping Flooding Attack
  • E. FTP Bounce Attack

Answer: B

Explanation:
is incorrect. The FTP bounce attack is attack which slips past application-based firewalls. In this hacker uploads a file to the FTP server and then requests this file be sent to an internal server. This file may contain malicious software or a simple script that occupies the internal server and uses up all the memory and CPU resources. Answer: A is incorrect. Ping Flooding is the extreme of sending thousands or millions of pings per second. Ping Flooding attack can make system slow or even shut down an entire site. Answer: C is incorrect. A denial-of-service attack (DoS attack) is an attempt to make a computer or network resource unavailable to its intended users. One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.

 

NEW QUESTION 176
When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

  • A. process maps.
  • B. risk appetite.
  • C. risk tolerance level
  • D. security policies

Answer: D

 

NEW QUESTION 177
Which of the following should be PRIMARILY considered while designing information systems controls?

  • A. The existing IT environment
  • B. The present IT budget
  • C. The IT strategic plan
  • D. The organizational strategic plan
  • E. Explanation:
    Review of the enterprise's strategic plan is the first step in designing effective IS controls that
    would fit the enterprise's long-term plans.
  • F. is incorrect. Review of the existing IT environment is also useful and necessary but is
    not the first step that needs to be undertaken.

Answer: D

Explanation:
is incorrect. The present IT budget is just one of the components of the strategic plan. Answer: A is incorrect. The IT strategic plan exists to support the enterprise's strategic plan but is not solely considered while designing information system control.

 

NEW QUESTION 178
You are the risk official of your enterprise. You have just completed risk analysis process. You noticed that the risk level associated with your project is less than risk tolerance level of your enterprise. Which of following is the MOST likely action you should take?

  • A. Prioritize risk response options
  • B. Apply risk response
  • C. Update risk register
  • D. No action

Answer: D

Explanation:
Section: Volume B
Explanation:
When the risk level is less than risk tolerance level of the enterprise than no action is taken against that, because the cost of mitigation will increase over its benefits.
Incorrect Answers:
A: This is not a valid answer, as no response is being applied to such low risk level.
B: Risk register is updates after applying response, and as no response is applied to such low risk level; hence no updating is done.
D: This is not a valid answer, as no response is being applied to such low risk level.

 

NEW QUESTION 179
In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities.
The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

  • A. two-factor authentication.
  • B. encryption for data at rest.
  • C. encryption for data in motion.
  • D. continuous data backup controls.

Answer: D

 

NEW QUESTION 180
The MOST effective approach to prioritize risk scenarios is by:

  • A. soliciting input from risk management experts
  • B. assessing impact to the strategic plan
  • C. aligning with industry best practices
  • D. evaluating the cost of risk response

Answer: B

Explanation:
Section: Volume D

 

NEW QUESTION 181
An effective control environment is BEST indicated by controls that:

  • A. minimize senior management's risk tolerance
  • B. manage risk within the organization's risk appetite
  • C. reduce the thresholds of key risk indicators (KRIs)
  • D. are cost-effective to implement

Answer: C

Explanation:
Section: Volume D

 

NEW QUESTION 182
You are working in an enterprise. Your enterprise owned various risks. Which among the following is MOST likely to own the risk to an information system that supports a critical business process?

  • A. IT director
  • B. Senior management
  • C. Risk management department
  • D. System users

Answer: B

Explanation:
Explanation/Reference:
Explanation:
Senior management is responsible for the acceptance and mitigation of all risk. Hence they will also own the risk to an information system that supports a critical business process.
Incorrect Answers:
A: The system users are responsible for utilizing the system properly and following procedures, but they do not own the risk.
C: The IT director manages the IT systems on behalf of the business owners.
D: The risk management department determines and reports on level of risk, but does not own the risk.
Risk is owned by senior management.

 

NEW QUESTION 183
After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

  • A. The risk owner
  • B. The risk practitioner
  • C. The business process owner
  • D. The control owner

Answer: A

 

NEW QUESTION 184
The PRIMARY benefit associated with key risk indicators (KRls) is that they:

  • A. identify trends in the organization's vulnerabilities.
  • B. benchmark the organization's risk profile.
  • C. enable ongoing monitoring of emerging risk.
  • D. help an organization identify emerging threats.

Answer: C

 

NEW QUESTION 185
You are the project manager of RFT project. You have identified a risk that the enterprise's IT system and application landscape is so complex that, within a few years, extending capacity will become difficult and maintaining software will become very expensive. To overcome this risk the response adopted is re-architecture of the existing system and purchase of new integrated system. In which of the following risk prioritization options would this case be categorized?

  • A. Business case to be made
  • B. Contagious risk
  • C. Explanation:
    This is categorized as a Business case to be made because the project cost is very large. The response to be implemented requires quite large investment. Therefore it comes under business case to be made.
  • D. Quick win
  • E. Deferrals

Answer: A

Explanation:
is incorrect. Quick win is very effective and efficient response that addresses medium to high risk. But in this the response does not require large investments. Answer: A is incorrect. It addresses costly risk response to a low risk. But here the response is less costly than that of business case to be made. Answer: D is incorrect. This is not risk response prioritization option, instead it is a type of risk that happen with the several of the enterprise's business partners within a very short time frame.

 

NEW QUESTION 186
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

  • A. Recommend management accept the low risk scenarios.
  • B. Assess management's risk tolerance.
  • C. Re-evaluate the risk scenarios associated with the control
  • D. Propose mitigating controls

Answer: C

 

NEW QUESTION 187
In an organization dependent on data analytics to drive decision-making, which of the following would BEST help to minimize the risk associated with inaccurate data?

  • A. Evaluating each of the data sources for vulnerabilities
  • B. Benchmarking to industry best practice
  • C. Periodically reviewing big data strategies
  • D. Establishing an intellectual property agreement

Answer: A

 

NEW QUESTION 188
Which of the following parameters would affect the prioritization of the risk responses and development of the risk response plan? Each correct answer represents a complete solution. Choose three.

  • A. Cost of the response to reduce risk within tolerance levels
  • B. Importance of the risk
  • C. Effectiveness of the response
  • D. Time required to mitigate risk.

Answer: A,B,C

Explanation:
Explanation/Reference:
Explanation:
The prioritization of the risk responses and development of the risk response plan is influenced by several parameters:
Cost of the response to reduce risk within tolerance levels

Importance of the risk

Capability to implement the response

Effectiveness of the response

Efficiency of the response

Incorrect Answers:
B: Time required to mitigate risk does not influence the prioritization of the risk and development of the risk response plan. It affects the scheduled time of the project.

 

NEW QUESTION 189
An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

  • A. A recommendation for internal audit validation
  • B. Plans for mitigating the associated risk
  • C. Suggestions for improving risk awareness training
  • D. The impact to the organization's risk profile

Answer: B

 

NEW QUESTION 190
The PRIMARY objective for selecting risk response options is to:

  • A. reduce risk factors.
  • B. identify compensating controls.
  • C. minimize residual risk.
  • D. reduce risk to an acceptable level.

Answer: D

Explanation:
Section: Volume D

 

NEW QUESTION 191
Your project is an agricultural-based project that deals with plant irrigation systems. You have
discovered a byproduct in your project that your organization could use to make a profit. If your organization seizes this opportunity it would be an example of what risk response?

  • A. Exploiting
  • B. Explanation:
    This is an example of exploiting a positive risk - a by-product of a project is an excellent example of exploiting a risk. Exploit response is one of the strategies to negate risks or threats that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of exploit response.
  • C. Positive
  • D. Opportunistic
  • E. Enhancing

Answer: A,B

Explanation:
is incorrect. Opportunistic is not a valid risk response. Answer: B is incorrect. This is an example of a positive risk, but positive is not a risk response. Answer: A is incorrect. Enhancing is a positive risk response that describes actions taken to increase the odds of a risk event to happen.

 

NEW QUESTION 192
Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

  • A. Avoiding risks that could materialize into substantial losses
  • B. Communicating external audit results
  • C. Increasing organizational resources to mitigate risks
  • D. Defining expectations in the enterprise risk policy

Answer: A

 

NEW QUESTION 193
An organization is considering adopting artificial intelligence (Al). Which of the following is the risk practitioner's MOST important course of action?

  • A. Identify applicable risk scenarios.
  • B. Identify the organization's critical data.
  • C. Ensure sufficient pre-implementation testing.
  • D. Develop key risk indicators (KRIs).

Answer: B

 

NEW QUESTION 194
Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

  • A. Control chart
  • B. Decision tree
  • C. Trend analysis
  • D. Sensitivity analysis

Answer: D

 

NEW QUESTION 195
When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

  • A. Results of external attacks and related compensating controls
  • B. Gaps between current and desired states of the control environment
  • C. Review of leading IT risk management practices within the industry
  • D. List of recent incidents affecting industry peers

Answer: B

 

NEW QUESTION 196
The FIRST step for a startup company when developing a disaster recovery plan should be to identify:

  • A. critical business processes
  • B. current vulnerabilities
  • C. a suitable alternate site
  • D. recovery time objectives

Answer: A

Explanation:
Section: Volume D

 

NEW QUESTION 197
You are the project manager of your enterprise. You have identified new threats, and then evaluated the ability of existing controls to mitigate risk associated with new threats. You noticed that the existing control is not efficient in mitigating these new risks. What are the various steps you could take in this case?
Each correct answer represents a complete solution. (Choose three.)

  • A. Apply more controls
  • B. Modify of the technical architecture
  • C. Education of staff or business partners
  • D. Deployment of a threat-specific countermeasure

Answer: B,C,D

Explanation:
Section: Volume C
Explanation:
As new threats are identified and prioritized in terms of impact, the first step is to evaluate the ability of existing controls to mitigate risk associated with new threats and if it does not work then in that case facilitate the:
* Modification of the technical architecture
* Deployment of a threat-specific countermeasure
* Implementation of a compensating mechanism or process until mitigating controls are developed
* Education of staff or business partners
Incorrect Answers:
D: Applying more controls is not the good solution. They usually complicate the condition.

 

NEW QUESTION 198
......

CRISC EXAM DUMPS WITH GUARANTEED SUCCESS: https://www.pass4suresvce.com/CRISC-pass4sure-vce-dumps.html

Best Quality ISACA CRISC Exam Questions: https://drive.google.com/open?id=1Gws-CxDkq4gdu3sN8UrA_2tZpJW1v2Up