Created to learn and understand, not merely to pass the exam

✅ Questions ✅ Answers ✅ Explanations ✅ References and citations ✅ Downloads

Average score: 50%

Mobile Friendly
CRISC Exam Simulator by Miroslaw Dabrowski

Detailed answer explanations

Source references and citations

Categories in the results table

Focus mode (fullscreen)

Marking questions for review

Reporting comments on questions

Created by Miroslaw Dabrowski

ISACA CRISC® Exam Simulator

multiple choice exam (ABCD)
one or multiple correct answers per question
# of questions: 150 | ~56% to pass
duration: 240 minutes
closed book exam

Copyright © Mirosław Dąbrowski

1 / 150

1. Which of the following is MOST essential for an effective change control environment?

2 / 150

2. Which of the following BEST improves decision making related to risk?

3 / 150

3. Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

4 / 150

4. Which of the following is the BEST course of action to help reduce the probability of an incident recurring?

5 / 150

5. The board of directors of a one-year-old start-up company has asked their Chief Information Officer (CIO) to create all of the enterprise's IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all of the IT decisions for the enterprise, including those related to the technology budget. Which type of IT organizational structure does the enterprise have?

6 / 150

6. Which section of the Sarbanes-Oxley Act specifies "Periodic financial reports must be certified by CEO and CFO"?

7 / 150

7. Which of the following is MOST important for senior management to review during an acquisition?

8 / 150

8. Which of the following is the PRIMARY factor when deciding between conducting a quantitative or qualitative risk assessment?

9 / 150

9. Which of the following is MOST critical when designing controls?

10 / 150

10. An organization recently implemented an automated interface for uploading payment files to its banking system to replace manual processing. Which of the following elements of the risk register is MOST appropriate for the risk practitioner to update to reflect the improved control?

11 / 150

11. You are preparing to complete the quantitative risk analysis process with your project team and several subject matter experts. You gather the necessary inputs including the project's cost management plan. Why is it necessary to include the project's cost management plan in the preparation for the quantitative risk analysis process?

12 / 150

12. Which of the following risk assessment outputs is MOST suitable to help justify an organizational information security program?

13 / 150

13. You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements BEST defines what quantitative risk analysis is?

14 / 150

14. Jane, the Director of Sales, contacts you and demands that you add a new feature to the software your project team is creating for the organization. In the meeting, she tells you how important the scope change would be. You explain to her that the software is almost finished and adding a change now could cause the deliverable to be late, cost additional funds, and would probably introduce new risks to the project. Jane stands up and says to you, "I am the Director of Sales and this change will happen in the project." And then she leaves the room. What should you do with this verbal demand for a change in the project?

15 / 150

15. You are the project manager for your company and a new change request has been approved for your project. This change request, however, has introduced several new risks to the project. You have communicated these risk events and the project stakeholders understand the possible effects these risks could have on your project. You elect to create a mitigation response for the identified risk events. Where will you record the mitigation response?

16 / 150

16. Risk management strategies are PRIMARILY adopted to:

17 / 150

17. Who is BEST suited to provide objective input when updating residual risk to reflect the results of control effectiveness?

18 / 150

18. Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

19 / 150

19. Which of the following should be the PRIMARY input to determine risk tolerance?

20 / 150

20. Which of the following would BEST prevent an unscheduled application of a patch?

21 / 150

21. You are the project manager of the ABC project. Important confidential files of your project are stored on a computer. To guard against unauthorized access to this computer, you have placed a hidden CCTV camera in the room, even though the computer is already password protected. Which kind of control is CCTV?

22 / 150

22. What are the recommended guidelines/principles to adhere to for efficient risk management? Choose THREE OPTIONS THAT APPLY, each representing a complete solution.

23 / 150

23. Which of the following individuals is responsible for identifying process requirements, approving process design and managing process performance?

24 / 150

24. Information that is no longer required to support the main purpose of the business from an information security perspective should be:

25 / 150

25. What is the MAIN benefit of using a top-down approach to develop risk scenarios?

26 / 150

26. Which of the following should be a risk practitioner's GREATEST concern upon learning of failures in a data migration activity?

27 / 150

27. Which of the following helps ensure that the cost is justifiable when selecting an IT control?

28 / 150

28. An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?

29 / 150

29. Which of the following is the MOST relevant input to an organization's risk profile?

30 / 150

30. Which of the following BEST indicates that additional or improved controls are needed in the environment?

31 / 150

31. At which risk management capability maturity level does the enterprise base significant business decisions on the likelihood/probability of both loss and gain/reward? Choose TWO OPTIONS THAT APPLY, each representing a complete solution.

32 / 150

32. Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

33 / 150

33. The PRIMARY purpose of using a framework for risk analysis is to:

34 / 150

34. Which of the following is the MOST important information to include in a risk management strategic plan?

35 / 150

35. Which of the following is NOT true for risk management capability maturity level 1?

36 / 150

36. Which of the following is the BEST control for securing data on mobile universal serial bus (USB) drives?

37 / 150

37. You are the project manager of an ABC project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you identified during the project's monitoring and controlling process?

38 / 150

38. What are the PRIMARY risk components that must be communicated among all the stakeholders? Choose THREE OPTIONS THAT APPLY, each representing a complete solution.

39 / 150

39. Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

40 / 150

40. Improvements in the design and implementation of a control will MOST likely result in an update to:

41 / 150

41. An organization has decided to postpone the assessment and treatment of several risk scenarios because stakeholders are unavailable. As a result of this decision, the risk associated with these new entries has been:

42 / 150

42. Which of the following is MOST important for determining what security measures to put in place for a critical information system?

43 / 150

43. Deriving the likelihood and impact of risk scenarios through statistical methods is BEST described as:

44 / 150

44. What is the MAIN purpose of designing risk management programs?

45 / 150

45. An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?

46 / 150

46. Which of the following processes is described in the statement? "It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."

47 / 150

47. Which of the following is the BEST risk identification technique for an enterprise that allows employees to identify risk anonymously?

48 / 150

48. Which of the following provides the BEST assurance of the effectiveness of vendor security controls?

49 / 150

49. Which of the following describes the relationship between risk appetite and risk tolerance?

50 / 150

50. You are the project manager in your enterprise. You have identified the occurrence of a risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that had occurred. What is the immediate step after this monitoring process that has to be followed in response to risk events?

51 / 150

51. The board of directors wants to know the financial impact of specific, individual risk scenarios. What type of approach is BEST suited to fulfil this requirement?

52 / 150

52. What are the PRIMARY requirements for creating risk scenarios? Choose TWO OPTIONS THAT APPLY, each representing a part of the solution.

53 / 150

53. Security administration efforts are BEST reduced through the deployment of:

54 / 150

54. Which of the following practices is MOST closely associated with risk monitoring?

55 / 150

55. As part of an enterprise risk management (ERM) program, a risk practitioner BEST leverages the work performed by an internal audit function by having it:

56 / 150

56. You are the project manager of the ABC project. You are accessing data for further analysis. You have chosen a data extraction method in which management monitors its controls. Which of the following data extraction methods are you using here?

57 / 150

57. When developing IT risk scenarios, it is CRITICAL to involve:

58 / 150

58. When reviewing a business continuity plan (BCP), which of the following would be the MOST significant deficiency?

59 / 150

59. Joan is the project manager of the ABC project for her company. She has worked with her project team to create risk responses for both positive and negative risk events within the project. As a result of this process, Joan needs to update the project documents. She has updated the assumptions log as a result of the findings and risk responses, but what other documentation will need to be updated as an output of risk response planning?

60 / 150

60. Who is accountable for business risk related to IT?

61 / 150

61. Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?

62 / 150

62. Calculation of the recovery time objective (RTO) is necessary to determine the:

63 / 150

63. What duties does the CRO hold? Choose THREE OPTIONS THAT APPLY, each representing a complete solution.

64 / 150

64. A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?

65 / 150

65. Which of the following is the BEST defense against successful phishing attacks?

66 / 150

66. You are the project manager of an ABC project. You have been actively communicating and working with the project stakeholders. One of the outputs of the "manage stakeholder expectations" process can actually create new risk events for your project. Which output of the manage stakeholder expectations process can create risks?

67 / 150

67. Which of the following would MOST likely cause management to unknowingly accept excessive risk?

68 / 150

68. The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

69 / 150

69. After the announcement of a new IT regulatory requirement, it is MOST important for a risk practitioner to:

70 / 150

70. Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

71 / 150

71. Malware has been detected that redirects users' computers to websites crafted specifically for fraud. The malware changes domain name system (DNS) server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a:

72 / 150

72. Risk assessment techniques should be used by a risk practitioner to:

73 / 150

73. Which of the following risks is the risk that happens with an important business partner and affects a large group of enterprises within an area or industry?

74 / 150

74. Which of the following presents the GREATEST privacy risk related to personal data processing for a global organization?

75 / 150

75. Which of the following is the PRIMARY requirement before choosing the key performance indicators (KPIs) of an enterprise?

76 / 150

76. Which of the following is responsible for evaluating the effectiveness of existing internal information security (IS) controls within an enterprise?

77 / 150

77. Which of the following is MOST likely to cause a key risk indicator (KRI) to exceed thresholds?

78 / 150

78. Which of the following is true for single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE)?

79 / 150

79. The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?

80 / 150

80. Which of the following BEST facilitates the identification of appropriate key performance indicators (KPIs) for a risk management program?

81 / 150

81. As the Project Manager overseeing the ABC project, you're currently in the Identify Risks process, tasked with compiling the risk register. What elements are typically incorporated into the risk register? Choose TWO OPTIONS THAT APPLY, each representing a complete solution.

82 / 150

82. An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

83 / 150

83. Prior to releasing an operating system security patch into production, a leading practice is to have the patch:

84 / 150

84. In the risk management process, a cost-benefit analysis is MAINLY performed:

85 / 150

85. An enterprise has learned of a security breach at another entity that utilizes similar technology. The MOST important action a risk practitioner should take is to:

86 / 150

86. What are the requirements for monitoring risk? Choose THREE OPTIONS THAT APPLY, each representing a part of the solution.

87 / 150

87. Which of the following would be an IT business owner's BEST course of action following an unexpected increase in emergency changes?

88 / 150

88. You work as a project manager for ACMECompany Inc. Management has asked you to work with the key project stakeholders to analyze the risk events you have identified in the project. They would like you to analyze the project risks to improve the project's performance as a whole. What approach can you use to achieve this goal of improving the project's performance through risk analysis with your project stakeholders?

89 / 150

89. Which of the following is the MOST important factor affecting risk management in an organization?

90 / 150

90. Sam is the project manager of a construction project in south Florida. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan Sam and the project team acknowledge the possibility of hurricanes and the damage the hurricane could have on the project's deliverables, the schedule of the project, and the overall cost of the project. Once Sam and the project stakeholders acknowledge the risk of the hurricane they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using?

91 / 150

91. You work as a project manager for ACMECompany Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?

92 / 150

92. Out of several risk responses, which of the following risk responses is used for negative risk events?

93 / 150

93. An organization uses a web application hosted by a cloud service that is populated by data sent to the vendor via email on a monthly basis. Which of the following should be the FIRST consideration when analyzing the risk associated with the application?

94 / 150

94. The MOST effective starting point to determine whether an IT system continues to meet the enterprise's business objectives is to conduct interviews with:

95 / 150

95. FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?

96 / 150

96. Which of the following BEST enables detection of ethical violations committed by employees?

97 / 150

97. Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?

98 / 150

98. When defining thresholds for control key performance indicators (KPIs), it is MOST helpful to align:

99 / 150

99. You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise from time to time. What should be done to prevent these changes from reducing the efficiency and effectiveness of controls?

100 / 150

100. Marsha is the project manager of the ABC Project. There's a risk that her project team has identified, which could cause the project to be late by more than a month. Marsha does not want this risk event to happen so she devises extra project activities to ensure that the risk event will not happen. The extra steps, however, will cost the project an additional $10000.00. What type of risk response is this approach?

101 / 150

101. A recent risk workshop has identified risk owners and responses for newly identified risk scenarios. Which of the following should be the risk practitioner's NEXT step?

102 / 150

102. Which of the following areas is MOST susceptible to the introduction of an information-security-related vulnerability?

103 / 150

103. Testing the compliance of a response and recovery plan should begin with conducting a:

104 / 150

104. You are the project manager of the ABC Project for your company. You have completed qualitative and quantitative analysis of your identified project risks and you would now like to find an approach to increase project opportunities and to reduce threats within the project. What project management process would best help you?

105 / 150

105. Which of the following business requirements MOST relates to the need for resilient business and information systems processes?

106 / 150

106. An organization uses one centralized single sign-on (SSO) control to cover many applications. Which of the following is the BEST course of action when a new application is added to the environment after testing of the SSO control has been completed?

107 / 150

107. Which of the following is MOST important for measuring the effectiveness of a security awareness program?

108 / 150

108. An organization has built up its cash reserves and has now become financially able to support additional risk while meeting its objectives. What is this change MOST likely to impact?

109 / 150

109. When using a formal approach to respond to a security-related incident, which of the following provides the GREATEST benefit from a legal perspective?

110 / 150

110. What is the FIRST phase of the IS monitoring and maintenance process?

111 / 150

111. The board of directors of a one-year-old start-up company has asked their Chief Information Officer (CIO) to create all of the enterprise's IT policies and procedures. Which of the following should the CIO create FIRST?

112 / 150

112. Which of the following BEST helps to respond to risk in a cost-effective manner?

113 / 150

113. Which of the following has the GREATEST influence on an organization's risk appetite?

114 / 150

114. When creating a separate IT risk register for a large organization, which of the following is MOST important to consider with regard to the existing corporate risk register?

115 / 150

115. Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

116 / 150

116. You are the project manager of ABC project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk Indicators. What is the MOST important reason to maintain Key Risk Indicators?

117 / 150

117. During qualitative risk analysis, you want to define the risk urgency assessment. All of the following are indicators of risk priority except for which one?

118 / 150

118. Which of the following BEST addresses the risk of data leakage?

119 / 150

119. What criteria/requirements need to be fulfilled to develop risk scenarios? Choose THREE OPTIONS THAT APPLY, each representing a part of the solution.

120 / 150

120. Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

121 / 150

121. Which of the following is the PRIMARY objective of risk management?

122 / 150

122. You are the risk official at ACMECompany Inc. You are asked to perform a risk assessment on the impact of losing network connectivity for 1 day. Which of the following factors would you include?

123 / 150

123. An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

124 / 150

124. Which of the following is the BEST metric to manage the information security program?

125 / 150

125. Which of the following comes under the phases of risk management? Choose ALL OPTIONS THAT APPLY.

126 / 150

126. Which of the following choices will BEST protect the enterprise from financial risk?

127 / 150

127. Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

128 / 150

128. Risk response should focus on which of the following?

129 / 150

129. Which of the following is a key component of a strong internal control environment?

130 / 150

130. Which of the following statements is true for risk analysis?

131 / 150

131. After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?

132 / 150

132. The BEST control to mitigate the risk associated with project scope creep is to:

133 / 150

133. What are the functions of the auditor while analyzing risk? Choose THREE OPTIONS THAT APPLY, each representing a complete solution.

134 / 150

134. Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

135 / 150

135. After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to: