Real CRISC dumps - Real ISACA dumps PDF in here [Dec-2021]
NEW QUESTION 173
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
- A. Quarterly
- B. Never
- C. Every three years
- D. Annually
Answer: D
Explanation:
FISMA compliance must be evaluated annually. Each year, agencies must obtain an independent evaluation of their information security program to determine its effectiveness. These evaluations include:
* Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested.
* An assessment or report: This report identifies the agency's compliance as well as lists compliance with FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
A, B, C: Auditing of compliance by an external organization is done annually, not quarterly, never, or every three years.
NEW QUESTION 174
When assessing the maturity level of an organization's risk management framework, which of the following deficiencies should be of GREATEST concern to a risk practitioner?
- A. Reliance on qualitative analysis methods
- B. Use of highly customized control frameworks
- C. Unclear organizational risk appetite
- D. Lack of senior management participation
Answer: B
NEW QUESTION 175
How can residual risk be determined?
- A. By risk assessment
- B. By transferring all risks
- C. By determining remaining vulnerabilities after countermeasures are in place
- D. By threat analysis
Answer: A
Explanation:
All risks are determined by risk assessment, regardless of whether they are residual or not.
Incorrect Answers:
B: Transferring all the risks is not relevant to determining residual risk. It is one of the methods of risk management.
C: Determining remaining vulnerabilities after countermeasures are in place says nothing about threats; therefore risk cannot be determined from this alone.
D: Risk cannot be determined by threat analysis alone, regardless of whether it is residual or not.
NEW QUESTION 176
You are working as a project manager in Bluewell Inc.. You are nearing the final stages of project execution and looking towards the final risk monitoring and controlling activities. For your project archives, which one of the following is an output of risk monitoring and control?
- A. Risk audits
- B. Requested changes
- C. Quantitative risk analysis
- D. Qualitative risk analysis
Answer: B
Explanation:
Of all the choices given, only requested changes is an output of the monitor and control risks process. You might also have risk register updates, recommended corrective and preventive actions, organizational process assets, and updates to the project management plan.
Incorrect Answers:
C, D: Quantitative and qualitative risk analysis are risk management planning processes, not outputs of risk monitoring and control.
A: A risk audit is a risk monitoring and control technique, not an output.
NEW QUESTION 177
Which of the following are the responsibilities of Enterprise risk committee?
Each correct answer represents a complete solution. Choose three.
- A. Risk aware decision
- B. Analyze risk
- C. Articulate risk
- D. React to risk events
Answer: A,B,C
Explanation:
Risk-aware decisions, analyzing risk, and articulating risk are the responsibilities of the enterprise risk committee (ERC).
The ERC consists of the executives who are accountable for the enterprise-level collaboration and consensus required to support enterprise risk management (ERM) activities and decisions. An IT risk council may be established to consider IT risk in more detail and advise the enterprise risk committee. The ERC ensures that these activities are completed successfully.
Incorrect Answers:
D: The enterprise risk committee is not responsible for reacting to risk events; business process owners are accountable for that task.
NEW QUESTION 178
Which of the following laws applies to organizations handling health care information?
- A. FISMA
- B. HIPAA
- C. GLBA
- D. SOX
Answer: B
Explanation:
HIPAA governs the health care information that an organization handles.
The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996. It ensures that health information data is protected. Before HIPAA, personal medical information was often available to anyone; security to protect the data was lax, and the data was often misused.
If your organization handles health information, HIPAA applies. HIPAA defines health information as any data that is created or received by health care providers, health plans, public health authorities, employers, life insurers, schools or universities, and health care clearinghouses.
HIPAA covers any data related to the health of an individual, including past/present/future health, physical/mental health, and past/present/future payments for health care.
Creating a HIPAA compliance plan involves the following phases:
- Assessment: An assessment helps identify whether the organization is covered by HIPAA. If it is, the next requirement is to identify what data needs to be protected.
- Risk analysis: A risk analysis helps identify the risks. In this phase, the organization's methods of handling data are analyzed.
- Plan creation: After the risks are identified, a plan is created. This plan includes methods to reduce the risk.
- Plan implementation: In this phase the plan is put into effect.
- Continuous monitoring: Security in depth requires continuous monitoring. Monitor regulations for changes. Monitor risks for changes. Monitor the plan to ensure it is still used.
- Assessment: Regular reviews are conducted to ensure that the organization remains in compliance.
Incorrect Answers:
A: FISMA ensures protection of the data of federal agencies.
C: GLBA is not used for handling health care information.
D: SOX is designed to hold executives and board members personally responsible for financial data.
NEW QUESTION 179
From a business perspective, which of the following is the MOST important objective of a disaster recovery test?
- A. All business critical systems are successfully tested.
- B. All critical data is recovered within recovery time objectives (RTOs).
- C. Errors are discovered in the disaster recovery process.
- D. The organization gains assurance it can recover from a disaster
Answer: C
NEW QUESTION 180
Controls should be defined during the design phase of system development because:
- A. structured analysis techniques exclude identification of controls.
- B. structured programming techniques require that controls be designed before coding begins.
- C. it is more cost-effective to determine controls in the early design phase.
- D. technical specifications are defined during this phase.
Answer: D
NEW QUESTION 181
You are the administrator of your enterprise. Which of the following controls BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
- A. Providing access on a need-to-know basis
- B. Forcing periodic password changes
- C. Using a challenge response system
- D. Monitoring and recording unsuccessful logon attempts
Answer: A
Explanation:
Physical or logical system access should be assigned on a need-to-know basis, where there is a legitimate business requirement based on least privilege and segregation of duties. This is enforced through user authentication.
Incorrect Answers:
B: Forcing users to change their passwords does not ensure that access control is appropriately assigned.
C: A challenge response system is used to verify the user's identity but does not completely address the issue of access risk if access was not appropriately designed in the first place.
D: Monitoring and recording unsuccessful logon attempts does not address the risk of inappropriate access rights. In other words, it does not prevent unauthorized access.
NEW QUESTION 182
Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?
- A. Exposure of log data
- B. Lack of agreed-upon standards
- C. Lack of governance
- D. Increased number of firewall rules
Answer: C
NEW QUESTION 183
IT disaster recovery point objectives (RPOs) should be based on the:
- A. maximum tolerable loss of data.
- B. type of business.
- C. maximum tolerable downtime.
- D. need of each business unit.
Answer: A
NEW QUESTION 184
The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:
- A. rectify errors in results of KRIs.
- B. reduce costs of risk mitigation controls
- C. detect changes in the risk profile.
- D. continually improve risk assessments.
Answer: C
NEW QUESTION 185
According to Section 302 of the Sarbanes-Oxley Act of 2002, what does certification of reports imply?
Each correct answer represents a complete solution. Choose three.
- A. The financial statement does not contain any materially untrue or misleading information.
- B. The signing officer has presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.
- C. The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date at the time to report.
- D. The signing officer has reviewed the report.
Answer: A,B,D
Explanation:
Section 302 of the Sarbanes-Oxley Act has a tremendous impact on the risk management solution adopted by corporations. This section specifies that the reports must be certified by the CEO, CFO, or another senior officer performing similar functions.
Certification of reports establishes that:
- The signing officer has reviewed the report.
- The financial statement does not contain, to the knowledge of the signing officer, any materially untrue or misleading information, and fairly represents all financial conditions and results of the enterprise's operations.
- The signing officers:
  - are responsible for establishing and maintaining internal controls;
  - have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
  - have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report;
  - have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.
- The signing officers have disclosed to the external auditors, the audit committee, and other directors:
  - all significant deficiencies in the design or operation of internal controls which could adversely affect the reliability of the reported financial data;
  - any fraud, whether or not material, that involves management or other employees who have a significant role in the internal controls of the enterprise.
- The signing officers have indicated in the report any internal controls, or changes to those internal controls, which have been implemented since they were evaluated.
Incorrect Answers:
C: The signing officer has evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report, not at the time of the report.
NEW QUESTION 186
The annualized loss expectancy (ALE) method of risk analysis:
- A. helps in calculating the expected cost of controls
- B. can be used to determine the indirect business impact
- C. can be used in a cost-benefit analysis
- D. uses qualitative risk rankings such as low, medium, and high
Answer: C
NEW QUESTION 187
Several newly identified risk scenarios are being integrated into an organization's risk register. The MOST appropriate risk owner would be the individual who:
- A. is responsible for enterprise risk management (ERM)
- B. can implement remediation action plans.
- C. is in charge of information security.
- D. is accountable for loss if the risk materializes.
Answer: B
NEW QUESTION 188
Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions?
- A. Chief risk officer (CRO)
- B. Chief information officer (CIO)
- C. Business management
- D. Business process owner
Answer: C
Explanation:
Business management consists of the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions. Beyond this, they are also responsible for managing risks, reacting to events, and similar tasks.
Incorrect Answers:
A: The CRO is the individual who oversees all aspects of risk management across the enterprise. He/she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
B: The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. The CIO has some responsibility for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
D: A business process owner is an individual responsible for identifying process requirements, approving process design and managing process performance. He/she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
NEW QUESTION 189
An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:
- A. validate control process execution.
- B. determine if controls are effective.
- C. identify key process owners.
- D. conduct a baseline assessment.
Answer: C
NEW QUESTION 190
Which of the following MUST be updated to maintain an IT risk register?
- A. Enterprise-wide IT risk assessment
- B. Risk appetite
- C. Risk tolerance
- D. Expected frequency and potential impact
Answer: D
NEW QUESTION 191
It is MOST appropriate for changes to be promoted to production after they are;
- A. tested by business owners.
- B. approved by the business owner.
- C. initiated by business users.
- D. communicated to business management
Answer: B
NEW QUESTION 192
Which of the following risk responses includes feedback and guidance from well-qualified risk officials and those internal to the project?
- A. Expert judgment
- B. Risk acceptance
- C. Contingent response strategy
- D. Risk transfer
Answer: A
Explanation:
Expert judgment is utilized in developing risk responses, including feedback and guidance from risk management experts and those internal to the project who are qualified to provide assistance in this process. Expert judgment is a technique based on a set of criteria that has been acquired in a specific knowledge area or product area. It is obtained when the project manager or project team requires specialized knowledge that they do not possess. Expert judgment involves the people most familiar with the work of creating estimates; preferably, the project team member who will be doing the task should complete the estimates. Expert judgment is also applied when performing administrative closure activities, and experts should ensure the project or phase closure is performed to the appropriate standards.
Incorrect Answers:
B: Risk acceptance means that no action is taken relative to a particular risk; the loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management, in relationship with the board. There are two alternatives to the acceptance strategy, passive and active. Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
C: Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case they occur. Unlike mitigation planning, which looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
D: Risk transfer means that the impact of a risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.
NEW QUESTION 193
Which of the following is the MOST critical security consideration when an enterprise outsources a major part of its IT department to a third party whose servers are in a foreign country?
- A. Additional network intrusion detection sensors should be installed, resulting in additional cost
- B. Laws and regulations of the country of origin may not be enforceable in foreign country
- C. A security breach notification may get delayed due to time difference
- D. The enterprise could not be able to monitor the compliance with its internal security and privacy guidelines
Answer: B
Explanation:
Laws and regulations of the country of origin may not be enforceable in the foreign country and, conversely, the laws and regulations of the foreign outsourcer's country may also impact the enterprise. Hence a violation of applicable laws may not be recognized or rectified due to lack of knowledge of the local laws.
Incorrect Answers:
A: The need for additional network intrusion detection sensors is not a major problem, as it can be easily managed. It only requires additional funding, but it can be addressed.
C: Security breach notification is not a problem, and time difference does not play any role in a 24/7 environment. Pagers, cellular phones, telephones, etc. are available to communicate the notifications.
D: Outsourcing does not remove the enterprise's responsibility regarding internal requirements. Hence monitoring compliance with its internal security and privacy guidelines is not a problem.