Get Special Discount Offer of CRISC Certification Exam Sample Questions and Answers [Q444-Q462]

Section: Volume D

Section: Volume D

Section: Volume C
Explanation:
Risk cannot be removed completely from the enterprise; it can only be reduced to a level that an organization is willing to accept. Risk management programs are hence designed to accomplish the task of reducing risks.
Incorrect Answers:
B: Depending on the risk preference of an enterprise, it may or may not choose to pursue risk mitigation to the point at which benefit equals or exceeds the expense. Hence this is not the primary objective of designing the risk management program.
C: Reducing risk to a level too small to measure is not practical and is often cost-prohibitive.
D: Reducing risks to a specific return ignores the qualitative aspects of the risk which should also be considered.

D, and C are incorrect. These are not the values of exposure factor for zero assets.

Section: Volume D

Section: Volume B
Explanation:
A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:
* Single loss expectancy (SLE)-It refers to the total loss expected from a single incident. This incident can occur when vulnerability is being exploited by threat. The loss is expressed as a dollar value such as
$1,000. It includes the value of data, software, and hardware.
SLE = Asset value * Exposure factor
* Annual rate of occurrence (ARO)-It refers to the number of times expected for an incident to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year.
* Annual loss expectancy (ALE)-It is the expected loss for a year. ALE is calculated by multiplying SLE with ARO. Because SLE is a given in a dollar value, ALE is also given in a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO
* Safeguard value-This is the cost of a control. Controls are used to mitigate risk. For example, antivirus software of an average cost of $50 for each computer. If there are 50 computers, the safeguard value is
$2,500.
Incorrect Answers:
A: The first thing we must do in risk management is to identify the areas of the project where the risks can occur. This is termed as risk identification. Listing all the possible risks is proved to be very productive for the enterprise as we can cure them before it can occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them.
C: Unlike the quantitative risk assessment, qualitative risk assessment does not assign dollar values. Rather, it determines risk’s level based on the probability and impact of a risk. These values are determined by gathering the opinions of experts.
* Probability- establishing the likelihood of occurrence and reoccurrence of specific risks, independently, and combined. The risk occurs when a threat exploits vulnerability. Scaling is done to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentage can also be assigned to these words, like 10% to low and 90% to high.
* Impact- Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss.
However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, low could be 10, medium could be 50, and high could be 100.
Risk level = Probability*Impact
D: This is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness through the project.

Section: Volume C
Explanation:
While defining requirements, there is need to define three requirements of the project- Business requirement, Functional requirement, and Technical requirement Functional requirements and use case models describe how users will interact with a system. Therefore here in this stem you are defining the functional requirement of the project.
Incorrect Answers:
A: Technical requirements and design specifications and coding specifications describe how the system will interact, conditions under which the system will operate and the information criteria the system should meet.
B: Business requirement, Functional requirement, and Technical requirement come under project requirement.
In this stem it is particular defining the functional requirement, hence this is not the best answer.
D: Business requirements contain descriptions of what a system should do.

Section: Volume A
Explanation/Reference:
Explanation:
Review of the enterprise’s strategic plan is the first step in designing effective IS controls that would fit the enterprise’s long-term plans.
Incorrect Answers:
A: The IT strategic plan exists to support the enterprise’s strategic plan but is not solely considered while designing information system control.
B: Review of the existing IT environment is also useful and necessary but is not the first step that needs to be undertaken.
D: The present IT budget is just one of the components of the strategic plan.

Explanation/Reference:
Explanation:
Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files. Hence lack of adequate controls represents vulnerability and would ultimately cause threat to the enterprise.
Incorrect Answers:
B: Threat is the potential cause of unwanted incident.
C: Assets are economic resources that are tangible or intangible, and is capable of being owned or controlled to produce value.
D: Impact is the measure of the financial loss that the threat event may have.

Section: Volume D
Explanation:
In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit’s involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet the expectations that the unit never clearly communicated.
Incorrect Answers:
A, B, C: These are not relevant to the pointing of finger at IT when projects are not delivered on time.

Section: Volume D
Explanation

is incorrect. The scenario does not describe risk acceptance, Acceptance is a strategy
that provides for formal acknowledgement of the existence of a risk and the monitoring of that risk.