ISACA CRISC Exam Questions
Page 9 of 25
161.
As it relates to risk response, which of the following is NOT a factor that is considered when determining the appropriate response?
- Employee opinion
- Complexity of recommended controls
- Response option costs
- Risk impact
Correct answer: Employee opinion
Risk response is determined by conducting a data-driven, fact-based analysis. The results of the analysis are mapped against the overall risk appetite and tolerance of the organization.
Complexity of recommended controls is a critical factor in risk response because it determines resources or time put into a response.
Response option costs are essential in determining which risk response is appropriate because organizations must balance the cost of controls with the level of risk mitigation they provide.
Risk impact is a fundamental factor because the severity of the potential risk outcomes directly influences which response is chosen.
162.
Which risk response prioritization decision is appropriate when the risk treatment effectiveness is low and the current risk level is low?
- Defer
- Quick win
- Build business case
- Avoid
Correct answer: Defer
When both risk and the effectiveness of the risk treatment are low, an organization may decide not to invest in or take action in the risk response. This decision is typically made when there are other, more highly visible risks and more effective risk treatment options.
The quick win risk response prioritization decision is appropriate when addressing risks that can be mitigated or resolved with minimal effort and resources yet have a significant positive impact on the project or organizational objectives.
The build business case risk response prioritization decision is appropriate when dealing with complex risks that require significant resources, investments, or changes to address effectively.
The avoid risk response prioritization decision is appropriate when a risk poses a threat significant enough to potentially derail a project's objectives or an organization's operations and when altering plans, processes, or strategies can effectively eliminate the risk.
163.
A KPI is written based on SMART metrics. What does the T stand for?
- Timely
- Tested
- Tertiary
- Transparent
Correct answer: Timely
KPIs should be grounded in a specific timeframe. Timeliness adds accountability and focus to the individuals or team responsible for attaining the goal.
SMART stands for specific, measurable, attainable, relevant, and timely.
164.
What is the ceiling for how high a GDPR penalty can be for noncompliance?
- 4% of an enterprise's income
- There is no ceiling
- 50% of an enterprise's income
- 100% of an enterprise's income
Correct answer: 4% of an enterprise's income
GDPR considers noncompliance to be a serious issue. Therefore, it has put in place extremely stringent penalties on an organization's operating profit.
The GDPR does indeed specify a clear ceiling.
50% of an enterprise's income would be too severe of a penalty for a business.
100% of an enterprise's income would effectively destroy most businesses, which is not the intention of the regulation.
165.
What project management risk response addresses prevention of scope creep?
- Implementing a change control board
- Hiring more developers
- Increasing project managers
- Maintaining loyalty to suppliers
Correct answer: Implementing a change control board
The change control board reviews, assesses, and approves any scope changes. They have the accountability to deny a scope increase. They also can increase resources to address additional scope if necessary. Without a change control board, the scope of a project can quickly become unmanageable.
Hiring more developers won't prevent unauthorized scope changes and could lead to confusion if tasks are not well-defined.
Increasing project managers could help with oversight, but it does not directly prevent scope creep.
Maintaining loyalty to suppliers does not affect scope creep directly, as they focus on resource or material provision rather than scope management.
166.
As it relates to risk response options, which option refers to actions that an organization takes to reduce the risk?
- Risk mitigation
- Risk reduction
- Risk avoidance
- Risk transfer
Correct answer: Risk mitigation
Risk mitigation involves activities and strategies to lessen the probability of risk occurrence or the impact of risk. The goal of risk mitigation is to reduce risk to an acceptable level, not eliminate it entirely.
Risk avoidance refers to avoiding the risk entirely, often by foregoing a project that would introduce risk.
Risk transfer transitions the risk to a third party, often via insurance.
Risk reduction is not correct terminology.
167.
Which step in the risk management workflow takes actions against the risks?
- Risk response
- Risk context
- Risk reporting and communication
- Risk analysis
Correct answer: Risk response
Risk response addresses risks, either proactively or reactively. This can involve risk acceptance, risk elimination, or risk mitigation.
Risk context involves understanding the environment in which risks exist and the factors that affect risk assessment.
Risk reporting and communication occurs after the risk response step.
Risk analysis is the process of understanding the nature, sources, and potential impacts of identified risks, often quantifying the likelihood and impact of risk events to prioritize risk management activities.
168.
Disaster recovery and business continuity are terms that are used interchangeably.
Which one refers to maintaining reduced levels of availability?
- Business continuity
- Disaster recovery
- Both terms
- Neither term
Correct answer: Business continuity
The scope of business continuity is to maintain operations if an event occurs that impacts normal service levels. The event that triggers the reduction in availability can come from internal sources or be triggered by a user.
Disaster recovery focuses on restoring IT systems and data after a disruptive event.
While related, these terms are not fully interchangeable.
Business continuity is the term that fits the scenario of maintaining reduced availability.
169.
What type of controls are typically implemented using the abrupt changeover approach?
- Limited scope
- Wide scope
- Enterprise-level
- Mission-critical
Correct answer: Limited scope
An abrupt changeover is done quickly and in a very short period of time. Additionally, the old system is completely decommissioned, so if there are errors in the new system, rolling back to the old system is no longer an option. Therefore, the abrupt approach is best suited for small or limited-scope controls.
Wide-scope controls may be important, but they are often phased in gradually to ensure smooth implementation across large systems.
Enterprise-level controls might require more gradual or phased implementation due to their complexity, reducing the risk of system failures.
Mission-critical controls usually require a more gradual or phased approach to minimize the risk of significant disruptions.
170.
Which of the following is the FIRST step in the IT risk management lifecycle?
- IT risk identification
- IT risk assessment
- Risk response and mitigation
- Risk monitoring and reporting
Correct answer: IT risk identification
Risk identification is the first step in the IT risk management lifecycle because it discovers and inventories possible risks. The scope and result of this discovery process is then fed into the assessment step.
The IT risk assessment, risk response and mitigation, and risk monitoring and reporting steps all follow the IT risk identification in the lifecycle.
171.
When implementing new controls, what type of plan should the risk practitioner have if there is a need to revert back to the old system?
- Fallback plan
- Roll forward plan
- Backup plan
- Recovery plan
Correct answer: Fallback plan
When implementing or changing controls, there is always a possibility that the change will not work as expected. The team needs to have the option and plan to return to the pre-change status and environment. A fallback or rollback plan is a contingency plan used during the implementation of new systems, software, or controls to revert back to a previous, known-good state if the new implementation causes unexpected problems.
Roll forward involves applying subsequent changes to a system or data after a specific checkpoint or backup, which could be useful in database recovery (e.g., applying transaction logs after restoring a backup).
A backup plan refers to having backup systems or data but does not specifically focus on reverting to the old system.
A recovery plan is used for restoring systems after a failure, but more focused on recovering functionality rather than reverting to an old system.
172.
Which acronym should KPIs be based on?
- SMART
- HAZOP
- SWIFT
- FAIR
Correct answer: SMART
A KPI's progress must be measured to determine if the risk control is meeting its goal. SMART stands for Specific, Measurable, Attainable, Relevant, and Timely.
HAZOP stands for Hazard and Operability Study, a risk management technique used to identify potential hazards in a process.
FAIR stands for Factor Analysis of Information Risk, which is a framework for understanding, analyzing, and quantifying information risk.
SWIFT stands for Structured What-If Technique, a risk assessment method that is unrelated to defining KPIs.
173.
What is the term for "the amount of risk that an entity is willing to accept in pursuit of its mission"?
- Risk appetite
- Risk tolerance
- Risk capacity
- Risk management
Correct answer: Risk appetite
The term risk appetite means the amount of risk an enterprise is willing to take before it puts actions in place to reduce the risk. Risk appetite can be higher or lower than risk capacity.
Risk tolerance is the acceptable level of variation that management is willing to allow for a specific risk.
Risk capacity is the maximum level of risk an organization can bear without jeopardizing its ability to achieve its objectives.
Risk management is the overall process of identifying, assessing, and controlling risks to an organization.
174.
Which of the following is a regulatory risk associated with the adoption of Big Data?
- Data governance
- Financial considerations
- Vendor lock-in
- New people skills
Correct answer: Data governance
Big Data houses significant amounts of structured, unstructured, and diverse data. The number of data-oriented regulations is trending upward and creating increased regulatory reporting requirements.
Financial considerations are more related to budgeting and investment rather than specific operational risks.
New people skills is a challenge related to human resources and training but is not strictly an operational risk.
Vendor lock-in is not directly an operational risk but, rather, a strategic and contractual concern.
175.
Which risk response prioritization decision is appropriate when the risk treatment effectiveness is high and the current risk level is high?
- Quick win
- Defer
- Build business case
- Accept the risk
Correct answer: Quick win
When both risk level and risk treatment effectiveness are high, the organization can quickly gain success by putting a risk treatment plan in place. This is because the level of risk is so high that even a moderate or conservative risk treatment plan would have a positive impact.
Deferring is typically used when the risk level is lower or when the treatment isn't urgent or ready for implementation, not when both risk and treatment effectiveness are high.
Building a business case is relevant when the risk treatment requires more resources or justification and is not ideal for situations needing immediate action.
Accepting the risk is generally done when the risk level is low or when treatment options are not cost-effective.
176.
A risk manager at an AI company is faced with a situation where they must decide whether to disclose a potential conflict of interest that could impact a project.
Which of the following BEST describes the principles that guide the risk manager’s decision-making process in this scenario?
- Professional ethics
- Compliance
- Risk appetite
- Contractual requirements
Correct answer: Professional ethics
Professional ethics guidelines require the disclosure of conflicts of interest. That helps to ensure unbiased decision-making and integrity within the company.
Compliance refers to adhering to laws, regulations, and standards, but disclosing conflicts of interest is more closely related to ethical responsibility than regulations.
Contractual requirements may contain provisions for handling conflicts, but this situation is driven more by ethical principles.
Risk appetite refers to the level of risk an organization is willing to accept, which is unrelated to the ethical decision of disclosing conflicts of interest.
177.
What is the main purpose of risk policies?
- Provide direction regarding acceptable and unacceptable behaviors as it relates to risk
- Provide direction regarding acceptable and unacceptable technologies that can be implemented
- Provide direction regarding acceptable and unacceptable training that employees should take
- Provide direction regarding acceptable and unacceptable risk investments
Correct answer: Provide direction regarding acceptable and unacceptable behaviors as it relates to risk
Risk policies are designed to outline specific expectations and behaviors for all operations of the business. Typically, these policies are part of employee training and require an annual refresh to ensure that every employee understands their accountability to the organization's risk practices.
Providing direction regarding acceptable and unacceptable technologies that can be implemented may be influenced by risk policies, but the main focus of risk policies is on behaviors and practices related to risk management.
Providing direction regarding acceptable and unacceptable training that employees should take is usually outlined in training or development policies.
Providing direction regarding acceptable and unacceptable risk investments would be guided by investment policies or strategies.
178.
Which recovery metric is driven by the acceptable level of data loss?
- RPO
- RTO
- SLA
- OLA
Correct answer: RPO
Recovery point objective (RPO) measures the point in time to which the state of data is restored. Critical systems have a very strict RPO because they cannot sustain large amounts of data loss.
The recovery time objective (RTO) measures the time within which systems and processes must be restored after a disruption, but it is not related to the amount of data loss.
A service level agreement (SLA) is a contract that defines the expected service levels between a provider and a customer, such as uptime, response times, and performance.
An operational level agreement (OLA) is an internal agreement that outlines the responsibilities of different teams within an organization to support SLA achievement.
179.
When projects fail, they bring business, financial, and technical risk to an organization. Which of the following is NOT an example of why a project may be considered a failure?
- Instituting change requests
- Surpassing the allotted budget
- Not meeting scheduling deadlines
- Not meeting customer expectations
Correct answer: Instituting change requests
A project is considered to be a failure when it does not meet its baseline objectives. This includes budget, schedule, and end-user outcomes. During the course of project delivery, a change request to any of these parameters can be approved by the accountable stakeholder. If the project team delivers against the new objectives, then it would be considered a success.
A change request is a normal process that occurs in information security, information technology, projects, etc. A change request could be a reason for success, depending on the change and the effects of that change.
180.
The typical malicious insider is a current employee or business partner who has access to the organization's system and data.
Which of the following is NOT a step in addressing potential personnel threats?
- Waiving the requirement for a nondisclosure agreement
- Conducting a thorough review of employee qualifications and attitudes
- Requiring all employees and partners to sign a nondisclosure agreement
- Conducting comprehensive background checks
Correct answer: Waiving the requirement for a nondisclosure agreement
A nondisclosure agreement prevents employees and business partners from exposing internal information about the organization. It is important to have this agreement in place for everybody who is conducting business operations on behalf of the organization.
Conducting a thorough review of employee qualifications and attitudes evaluates potential hires to ensure they are trustworthy, reducing the risk of malicious insiders.
Requiring all employees and partners to sign a nondisclosure agreement binds individuals to confidentiality, helping to prevent the unauthorized disclosure of sensitive information.
Conducting comprehensive background checks can reveal past behavior or criminal records that may indicate a higher risk of malicious activity.