The CRISC certification is second only to the CISSP in terms of reported earnings. It validates your ability to work in IT risk management. If your career goals are focused solely on audit-related roles, then the CISA might be the right credential for you instead.

01. Which of the following is MOST important to determine when defining risk management strategies?

A. Risk assessment criteria

B. IT architecture complexity

C. Enterprise disaster recovery plan

D. Business objectives and operations


CORRECT ANSWER: D. Business objectives and operations

EXPLANATION: Information on the internal and external environments must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.


02. The GREATEST risk posed by an absence of strategic planning is:

A. increase in the number of licensing violations.

B. increase in the number of obsolete systems.

C. improper oversight of IT investment.

D. unresolved current and past problems.


CORRECT ANSWER: C. improper oversight of IT investment.

EXPLANATION: Licensing violations can lead to fines and penalties from software companies; however, absence of strategic planning does not necessarily entail an increase in licensing violations.


03. Which of the following risk management roles is part of first line of defense?

A. Chief risk officer

B. Risk steering committee

C. Risk owner

D. Board of directors


CORRECT ANSWER: C. Risk owner

EXPLANATION: The chief risk officer holds a supervisory position and, therefore, is part of the second line of defense.


04. According to the three lines of defense model, where would the data ethics function MOST likely reside in an enterprise?

A. The first line of defense

B. The second line of defense

C. The third line of defense

D. The board of directors


CORRECT ANSWER: B. The second line of defense

EXPLANATION: The second line of defense includes compliance, ethics and risk management and is intended to provide guidance.


05. Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

A. The approved budget of the project

B. The frequency of incidents

C. The annual loss expectancy of security incidents

D. The total cost of ownership

CORRECT ANSWER: D. The total cost of ownership

EXPLANATION: The frequency of security incidents can help measure the benefit, but the relationship is indirect because not all security incidents can be mitigated by implementing a two-factor authentication system.


06. Which of the following BEST ensures that appropriate mitigation occurs on identified information systems vulnerabilities?

A. Presenting root cause analysis to the management of the enterprise

B. Implementing software to input the action points

C. Incorporating the findings into the annual report to shareholders

D. Assigning action plans with deadlines to responsible personnel


CORRECT ANSWER: D. Assigning action plans with deadlines to responsible personnel

EXPLANATION: Software can help in monitoring the progress of mitigations, but it will not ensure that the mitigation will be completed.


07. What is the MOST important control that should be in place to safeguard against the misuse of the corporate social media account?

A. Social media account monitoring

B. Two-factor authentication

C. Awareness training

D. Strong passwords


CORRECT ANSWER: B. Two-factor authentication

EXPLANATION: Awareness training may be effective with legitimate users; however, two-factor authentication is a preventive control as opposed to a deterrent control.


08. A business case developed to support risk mitigation efforts for a complex application development project should be retained until:

A. the project is approved.

B. user acceptance of the application.

C. the application is deployed.

D. the application’s end of life.


CORRECT ANSWER: D. the application’s end of life.

EXPLANATION: The business case should be retained even after user acceptance to validate the return on investment.


09. Which of the following factors should be assessed after the likelihood of a loss event has been determined?

A. Risk tolerance

B. Magnitude of impact

C. Residual risk

D. Compensating controls


CORRECT ANSWER: B. Magnitude of impact

EXPLANATION: Residual risk is the risk that remains after management implements a risk response. It cannot be calculated until controls are selected.


10. If risk has been identified, but not yet mitigated, the enterprise would:

A. record and mitigate serious risk and disregard low-level risk.

B. obtain management commitment to mitigate all identified risk within a reasonable time frame.

C. document identified risk in the risk register and maintain the remediation status.

D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.


CORRECT ANSWER: C. document identified risk in the risk register and maintain the remediation status.

EXPLANATION: Not all identified risk will necessarily be mitigated. The enterprise will conduct a cost-benefit analysis before determining the appropriate risk response.

Conclusion:

SPOTO dumps will be the most beneficial option for people who need help with their preparation. When you take the exam after studying our verified exam questions, you will notice that every question on the test matches the SPOTO dumps.


Last modified: 2021-10-28
