CRISC REVIEW TEST BANK QUESTIONS WITH REVISED AND UPDATED SOLUTIONS GRADED A+
4 views 0 purchase
Course
CRISC
Institution
CRISC
CRISC REVIEW TEST BANK QUESTIONS WITH REVISED AND UPDATED SOLUTIONS GRADED A+
1.1
The PRIMARY reason risk assessments should be repeated at regular intervals is:
A.omissions in earlier assessments can be addressed.
B.periodic assessments allow various methodologies.
C.business threats are co...
CRISC REVIEW TEST BANK
QUESTIONS WITH REVISED AND
UPDATED SOLUTIONS GRADED A+
1.1
The PRIMARY reason risk assessments should be repeated at regular intervals is:
A.omissions in earlier assessments can be addressed.
B.periodic assessments allow various methodologies.
C.business threats are constantly changing.
D.they help raise risk awareness among staff. - Answer-C
A.Performing risk assessments on a periodic basis can find omissions in earlier
assessments, but this is not the primary reason forconducting regular reassessments.
B.Organizations strive to improve their risk management process to more quickly and
accurately assess and address risk, and this may involve changing the methodology.
However, it is not the primary reason for conducting regular assessments.
C.As business objectives and methods change, the nature and relevance of threats also
change. This is the primary reason to conduct periodic risk assessments.
D.Risk assessments are conducted on a periodic basis to address new threats and
changes in the business. Creating more risk awareness is a minor benefit of conducting
periodic risk assessments.
2-5
Which of the following choices BEST assists a risk practitioner in measuring the existing
level of development of risk management processes against their desired state?
A. A capability maturity model (CMM)
B. Risk management audit reports
C. A balanced scorecard (BSC)
D. Enterprise security architectu - Answer-A
A.The capability maturity model (CMM) grades processes on a scale of 0 to 5, based on
their maturity. It is commonly used by entities to measure their existing state and then to
determine the desired one.
B.Risk management audit reports offer a limited view of the current state of risk
management.
,C.A balanced scorecard (BSC) enables management to measure the implementation of
strategy and assists in its translation into action.
D.Enterprise security architecture explains the security architecture of an entity in terms
of business strategy, objectives, relationships, risk, constraints and enablers and
provides a business-driven and business-focused view of security architecture.
2-6
Which of the following choices BEST helps identify information systems control
deficiencies?
A.Gap analysis
B.The current IT risk profile
C.The IT controls framework
D.Countermeasure analysis - Answer-A
A.Controls are deployed to achieve the desired control objectives based on risk
assessments and business requirements. The gap between desired control objectives
and actual IS control design and operational effectiveness identifies IS control
deficiencies.
B.Without knowing the gap between desired state and current state, one cannot identify
the control deficiencies.
C.The IT controls framework is a generic document with no information such as desired
state of IS controls and current state of the enterprise; therefore, it will not help in
identifying IS control deficiencies.
D.Countermeasure analysis only helps in identifying deficiencies in countermeasures,
not in the full set of primary controls.
2-7
Deriving the likelihood and impact of risk scenarios through statistical methods is MOST
LIKELY to be associated with which type of risk analysis?
A.A risk scenario analysis might include any of several risk analysis methods, including
quantitative, semi-quantitative and qualitative; it is not reflective of a particular
approach.
, B.A qualitative risk analysis uses experiential and subjective measures to estimate the
likelihood and impact of adverse events according to ranges; these might include low,
medium and high ratings for both likelihood and impact.
C.The essence of quantitative risk assessment is to derive the likelihood and impact of
risk scenarios based on statistical methods and data.
D.Semi-quantitative analysis typically applies to a wider, numerically delineated range of
values to a qualitative rating mechanism—for example, assigning values from 0 to 100.
The assignment remains qualitative, and it is not associated with statistical analysis.
2-8
Which of the following reviews is BEST suited for the review of IT risk analysis results
before the results are sent to management for approval and use in decision making?
A.An internal audit review is not best suited for the review of IT risk analysis results.
Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an enterprise's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and governance processes.
B.It is effective, efficient and good practice to perform a peer review of IT risk analysis
results before sending them to management.
C.A compliance review is not best suited for the review of IT risk analysis results.
Compliance reviews measure the conformance with a specific, measurable standard.
D.A review of the risk policy will change the contents and methods of the risk analysis
eventually, but this is not a way of reviewing IT risk analysis results before sending them
to management.
3-1
When a risk cannot be sufficiently mitigated through manual or automatic controls,
which of the following options will BEST protect the enterprise from the potential
financial impact of the risk?
A.Insuring against the risk
B.Updating the IT risk register
C.Improving staff training in the risk area
D.Outsourcing the related business process to a third party - Answer-A
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Perfectscorer. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $13.49. You're not tied to anything after your purchase.
