CRISC EXAM PRACTICE
The CRISC (Certified in Risk and Information Systems Control) exam from ISACA is an important certification exam for IT professionals who want to measure and develop their expertise in information risk management. The importance of practice questions and guidance from an accredited trainer cannot be overlooked.
1. Complexity of the Exam Material:
- The CRISC exam covers various aspects of information risk management, including risk identification, assessment, and management. Practice questions help candidates get used to the format and complexity of the questions, while guidance from a trainer helps them understand the key concepts.
2. Knowing the Exam Format:
- Practice questions present candidates with the actual question format, helping them develop an effective exam strategy. Guidance from a trainer provides insight into how to answer questions correctly and efficiently.
3. Evaluating the Level of Understanding:
- Practice questions provide an opportunity to evaluate the level of understanding of the exam material. The results of this practice help the candidate and the trainer determine the areas that need to be strengthened.
4. Psychological Readiness:
- The CRISC exam can create psychological pressure. Through practice questions, candidates can build confidence and manage their level of anxiety. Guidance from a trainer can provide moral support and stress management strategies.
5. Specific Preparation Guidance:
- Practice questions can provide specific preparation guidance, helping candidates focus on topics that may appear in the exam. Guidance from an accredited trainer ensures that preparation meets the standards and requirements of the exam.
6. Compliance with ISACA Standards:
- Practice questions and guidance from an ISACA-accredited trainer ensure that the candidate's preparation complies with the ethical standards and exam policies. This guarantees the integrity and validity of the CRISC certification.
Conclusion: Practice questions and guidance from an accredited trainer in preparing for the CRISC exam not only increase the chance of success in the exam, but also ensure that IT professionals have a deep understanding of information risk management in line with industry standards. This is a crucial investment for a sustainable career in information security and risk management.
CRISC EXAM PRACTICE 50 QUESTIONS AND ANSWERS
1. Which of the following would present the GREATEST challenge when assigning accountability for control ownership?
⚫ Unclear reporting relationships
⚪ Weak governance structures
⚪ Senior management scrutiny
⚪ Complex regulatory environment
2. You are working in an enterprise. Your enterprise is willing to accept a certain amount of risk. What is this risk called?
⚪ Hedging
⚪ Aversion
⚫ Appetite
⚪ Tolerance
3. Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?
⚪ Gather scenarios from senior management
⚪ Derive scenarios from IT risk policies and standards
⚪ Benchmark scenarios against industry peers
⚫ Map scenarios to a recognized risk management framework
4. You are using an information system. You have chosen a poor password and also sometimes transmit data over unprotected communication lines. What do this poor-quality password and unsafe transmission refer to?
⚪ Probabilities
⚪ Threats
⚫ Vulnerabilities
⚪ Impacts
5. Out of several risk responses, which of the following risk responses is used for negative risk events?
⚪ Share
⚪ Enhance
⚪ Exploit
⚫ Accept
6. For which of the following risk management capability maturity levels is the statement given below true? "Real-time monitoring of risk events and control exceptions exists, as does automation of policy management"
⚪ Level 3
⚪ Level
⚫ Level 5
⚪ Level 2
7. Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?
⚫ Enabling risk-based decision making
⚪ Increasing process control efficiencies
⚪ Better understanding of the risk appetite
⚪ Improving audit results
8. Which of the following documents is described in the statement below? "It is developed along with all processes of the risk management. It contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning."
⚪ Risk management plan
⚪ Project charter
⚫ Risk register
⚪ Quality management plan
9. Frank is the project manager of the NHQ project for his company. Frank is working with the project team, key stakeholders, and several subject matter experts on risks dealing with the new materials in the project. Frank wants to utilize a risk analysis method that will help the team to make decisions in the presence of the current uncertainty surrounding the new materials. Which risk analysis approach can Frank use to create an approach to make decisions in the presence of uncertainty?
⚪ Monte Carlo Technique
⚪ Qualitative risk analysis process
⚫ Quantitative risk analysis process
⚪ Delphi Technique
10. Which of the following is MOST important to update when an organization's risk appetite changes?
⚫ Key risk indicators (KRIs)
⚪ Risk taxonomy
⚪ Key performance indicators (KPIs)
⚪ Risk reporting methodology
11. One of the risk events you've identified is classified as force majeure. What risk response is likely to be used?
⚫ Acceptance
⚪ Transference
⚪ Enhance
⚪ Mitigation
12. Frank is the project manager of the NHH Project. He is working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team. What document are Frank and the NHH Project team creating in this scenario?
⚪ Resource management plan
⚪ Project plan
⚪ Project management plan
⚫ Risk management plan
13. Wendy has identified a risk event in her project that has an impact of $75, and a 6 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15, with only a ten percent chance of occurring. The proposed solution will cost $25,. Wendy agrees to the $25, solution. What type of risk response is this?
⚫ Mitigation
⚪ Avoidance
⚪ Transference
⚪ Enhancing
14. Mary is the project manager for the BLB project. She has instructed the project team to assemble, to review the risks. She has included the schedule management plan as an input for the quantitative risk analysis process. Why is the schedule management plan needed for quantitative risk analysis?
⚪ Mary will schedule when the identified risks are likely to happen and affect the project schedule.
⚫ Mary will utilize the schedule controls and the nature of the schedule for the quantitative analysis of the schedule.
⚪ Mary will use the schedule management plan to schedule the risk identification meetings throughout the remaining project.
⚪ Mary will utilize the schedule controls to determine how risks may be allowed to change the project schedule.
15. Ben is the project manager of the CMH Project for his organization. He has identified a risk that has a low probability of happening, but the impact of the risk event could save the project and the organization a significant amount of capital. Ben assigns Laura to the risk event and instructs her to research the time, cost, and method to improve the probability of the positive risk event. Ben then communicates the risk event and response to management. What risk response has been used here?
⚪ Sharing
⚪ Transference
⚫ Enhance
⚪ Exploit
16. During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
⚫ Authentication
⚪ Identification
⚪ Data validation
⚪ Data integrity
17. Which of the following is the priority of data owners when establishing risk mitigation method?
⚫ User entitlement changes
⚪ Platform security
⚪ Intrusion detection
⚪ Antivirus controls
18. Della works as a project manager for Tech Perfect Inc. She is studying the documentation of planning of a project. The documentation states that there are twenty-eight stakeholders with the project. What will be the number of communication channels for the project?
⚪ 25
⚪ 28
⚫ 378
⚪ 3
19. You have been assigned as the Project Manager for a new project that involves building a new roadway from the city airport to a designated point within the city. However, you notice that the transportation permit issuing authority is taking longer than the planned time to issue the permit to begin construction. What would you classify this as?
⚪ Project Risk
⚪ Status Update
⚪ Risk Update
⚫ Project Issue
20. You are the project manager of the GGK project for your company. The GGK project has a budget of $1,265,1 and is currently 4 percent complete. In this project, you elected to add labor to the project to increase the likelihood of completing the project early as the project was only scheduled to be 35 percent complete at this time. This positive risk response, while keeping the project ahead of schedule, has added significant costs to the project. You have already spent $575, to reach this point in the project. Management would like to know what your cost performance index and schedule performance index are for this project. What are these values?
⚪ The CPI is -$68,96 and the SPI is $63,255.
⚪ The CPI is .88 and the SPI is zero.
⚫ The CPI is .88 and the SPI is 1.14.
⚪ The CPI is 1.14 and the SPI is .88.
21. Which of the following characteristics of risk controls answers the aspect about the control given below: "Will it continue to function as expressed over time and adapt as changes or new elements are introduced to the environment"
⚪ Reliability
⚫ Sustainability
⚪ Consistency
⚪ Distinct
22. Which of the following is an administrative control?
⚪ Water detection
⚪ Reasonableness check
⚫ Data loss prevention program
⚪ Session timeout
23. The only output of qualitative risk analysis is risk register updates. When the project manager updates the risk register he will need to include several pieces of information including all of the following except for which one?
⚪ Trends in qualitative risk analysis
⚫ Risk probability-impact matrix
⚪ Risks grouped by categories
⚪ Watchlist of low-priority risks
24. Which of the following is the MOST important use of KRIs?
⚪ Providing a backward-looking view on risk events that have occurred
⚫ Providing an early warning signal
⚪ Providing an indication of the enterprise's risk appetite and tolerance
⚪ Enabling the documentation and analysis of trends
25. Which of the following should be of MOST concern to a risk practitioner reviewing findings from a recent audit of an organization's data center?
⚪ Ownership of an audit finding has not been assigned
⚪ The data center is not fully redundant
⚫ Audit findings were not communicated to senior management
⚪ Key risk indicators (KRIs) for the data center do not include critical components
26. Which of the following risks is the risk that happens with an important business partner and affects a large group of enterprises within an area or industry?
⚪ Contagious risk
⚪ Reporting risk
⚪ Operational risk
⚫ Systemic risk
27. Which of the following is NOT used for measurement of Critical Success Factors of the project?
⚪ Productivity
⚪ Quality
⚫ Quantity
⚪ Customer service
28. You are the project manager of the NHQ Project for your company. You have completed qualitative and quantitative analysis of your identified project risks and you would now like to find an approach to increase project opportunities and to reduce threats within the project. What project management process would best help you?
⚪ Monitor and control project risks
⚪ Create a risk governance approach
⚪ Create the project risk register
⚫ Plan risk responses
29. You are the project manager for your organization to install new workstations, servers, and cabling throughout a new building into which your company will be moving. The vendor for the project informs you that the cost of the cabling has increased for some reason. This new cost will cause the cost of your project to increase by nearly eight percent. What change control system should the costs be entered into for review?
⚫ Cost change control system
⚪ Contract change control system
⚪ Scope change control system
⚪ Only changes to the project scope should pass through a change control system.
30. You work as a project manager for BlueWell Inc. Your project is running late and you must respond to the risk. Which risk response can you choose that will also cause you to update the human resource management plan?
⚪ Teaming agreements
⚪ Transference
⚫ Crashing the project
⚪ Fast tracking the project
31. You are the project manager of the GGG project. You have completed the risk identification process for the initial phases of your project. As you begin to document the risk events in the risk register, what additional information can you associate with the identified risk events?
⚫ Risk potential responses
⚪ Risk schedule
⚪ Risk owner
⚪ Risk cost
32. Which of the following is described by the definition given below? "It is the expected guaranteed value of taking a risk."
⚫ Certainty equivalent value
⚪ Risk premium
⚪ Risk value guarantee
⚪ Certain value assurance
33. Which of the following would BEST help minimize the risk associated with social engineering threats?
⚪ Reviewing the organization's risk appetite
⚪ Enforcing employee sanctions
⚪ Enforcing segregation of duties
⚫ Conducting phishing exercises
34. Joan is a project management consultant and she has been hired by a firm to help them identify risk events within the project. Joan would first like to examine the project documents including the plans, assumptions lists, project files, and contracts. What key thing will help Joan to discover risks within the review of the project documents?
⚪ The project documents will help the project manager, or Joan, to identify what risk identification approach is best to pursue.
⚫ Lack of consistency between the plans and the project requirements and assumptions can be the indicators of risk in the project.
⚪ Poorly written requirements will reveal inconsistencies in the project plans and documents.
⚪ Plans that have loose definitions of terms and disconnected approaches will reveal risks.
35. You are the project manager of GHT project. You have identified a risk event on your current project that could save $67, in project costs if it occurs. Your organization is considering hiring a vendor to help establish proper project management techniques in order to assure it realizes these savings. Which of the following statements is TRUE for this risk event?
⚪ This risk event should be accepted because the rewards outweigh the threat to the project.
⚪ This risk event should be mitigated to take advantage of the savings.
⚪ This risk event is an opportunity to the project and should be exploited.
⚫ This is a risk event that should be shared to take full advantage of the potential savings.
36. You work as a project manager for BlueWell Inc. You are involved with the project team on the different risk issues in your project. You are using the applications of the IRGC model to facilitate understanding and managing the rise of the overall risks that have impacts on the economy and society. One of your team members wants to know what the need to use the IRGC is. What will be your reply?
⚫ IRGC models aim at building robust, integrative inter-disciplinary governance models for emerging and existing risks.
⚪ IRGC is both a concept and a tool.
⚪ IRGC addresses the development of resilience and the capacity of organizations and people to face unavoidable risks.
⚪ IRGC addresses understanding of the secondary impacts of a risk.
⚪ Question.C, D: Risk governance addresses understanding of the secondary impacts of a risk, the development of resilience and the capacity of organizations and people to face unavoidable risks.
37. You work as the project manager for Company Inc. The project on which you are working has several risks that will affect several stakeholder requirements. Which project management plan will define who will be available to share information on the project risks?
⚪ Resource Management Plan
⚫ Communications Management Plan
⚪ Risk Management Plan
⚪ Stakeholder management strategy
38. Ned is the project manager of the HNN project for your company. Ned has asked you to help him complete some probability distributions for his project. What portion of the project will you most likely use for probability distributions?
⚪ Bias towards risk in new resources
⚪ Risk probability and impact matrixes
⚪ Risk identification
⚫ Uncertainty in values such as duration of schedule activities
39. You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
⚪ Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.
⚪ Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
⚫ Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
⚪ Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.
40. A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?
⚫ An increase in attempted distributed denial of service (DDoS) attacks
⚪ An increase in attempted website phishing attacks
⚪ A decrease in remediated web security vulnerabilities
⚪ A decrease in achievement of service level agreements (SLAs)
41. Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?
⚫ Corporate incident escalation protocols are established
⚪ The organization-wide control budget is expanded
⚪ Exposure is integrated into the organization's risk profile
⚪ Risk appetite cascades to business unit management
42. You are the risk official in Bluewell Inc. You are supposed to prioritize several risks. A risk has a rating for occurrence, severity, and detection as 4, 5, and 6, respectively. What Risk Priority Number (RPN) would you give to it?
⚫ 12
⚪ 1
⚪ 15
⚪ 3
43. Which of the following is a performance measure that is used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments?
⚪ Return On Security Investment
⚪ Total Cost of Ownership
⚫ Return On Investment
⚪ Redundant Array of Inexpensive Disks
44. You are the project manager in your enterprise. You have identified the occurrence of a risk event in your enterprise. You have pre-planned risk responses. You have monitored the risks that had occurred. What is the immediate step after this monitoring process that has to be followed in response to risk events?
⚫ Initiate incident response
⚪ Update the risk register
⚪ Eliminate the risk completely
⚪ Communicate lessons learned from risk events
45. Tom works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the identify risks process is useful in identifying risks, and provides a quantitative assessment of the likely cost to complete the scheduled activities?
⚫ Activity cost estimates
⚪ Cost management plan
⚪ Activity duration estimates
⚪ Risk management plan
46. Which risk response is acceptable for both positive and negative risk events?
⚪ Transferring
⚫ Acceptance
⚪ Sharing
⚪ Enhancing
47. Fred is the project manager of the PKL project. He is working with his project team to complete the quantitative risk analysis process as a part of risk management planning. Fred understands that once the quantitative risk analysis process is complete, the process will need to be completed again at least two other times in the project. When will the quantitative risk analysis process need to be repeated?
⚪ Quantitative risk analysis process will be completed again after the cost management planning and as a part of monitoring and controlling.
⚪ Quantitative risk analysis process will be completed again after new risks are identified and as part of monitoring and controlling.
⚫ Quantitative risk analysis process will be completed again after the risk response planning and as a part of monitoring and controlling.
⚪ Quantitative risk analysis process will be completed again after the plan risk response planning and as part of procurement.
48. You are the project manager for your organization. You are preparing for the quantitative risk analysis. Mark, a project team member, wants to know why you need to do quantitative risk analysis when you just completed qualitative risk analysis. Which one of the following statements best defines what quantitative risk analysis is?
⚫ Quantitative risk analysis is the process of numerically analyzing the effect of identified risks on overall project objectives.
⚪ Quantitative risk analysis is the planning and quantification of risk responses based on probability and impact of each risk event.
⚪ Quantitative risk analysis is the review of the risk events with the high probability and the highest impact on the project objectives.
⚪ Quantitative risk analysis is the process of prioritizing risks for further analysis or action by assessing and combining their probability of occurrence and impact.
49. You and your project team are identifying the risks that may exist within your project. Some of the risks are small risks that won't affect your project much if they happen. What should you do with these identified risk events?
⚪ All risks must have a valid, documented risk response.
⚪ These risks can be accepted.
⚫ These risks can be added to a low priority risk watch list.
⚪ These risks can be dismissed.
50. Sam is the project manager of a construction project in south Florida. This area of the United States is prone to hurricanes during certain parts of the year. As part of the project plan Sam and the project team acknowledge the possibility of hurricanes and the damage the hurricane could have on the project's deliverables, the schedule of the project, and the overall cost of the project. Once Sam and the project stakeholders acknowledge the risk of the hurricane they go on planning the project as if the risk is not likely to happen. What type of risk response is Sam using?
⚪ Active acceptance
⚫ Passive acceptance
⚪ Avoidance
⚪ Mitigation