CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CRISC

Free CRISC Exam Braindumps (page: 73)

Page 72 of 451
PDF with 1871 Questions

You are working in an enterprise. Your enterprise owned various risks. Which among the following is MOST likely to own the risk to an information system that supports a critical business process?

  1. System users
  2. Senior management
  3. IT director
  4. Risk management department

Answer(s): B

Explanation:

Senior management is responsible for the acceptance and mitigation of all risk. Hence they will also own the risk to an information system that supports a critical business process.

Incorrect Answers:
A: The system users are responsible for utilizing the system properly and following procedures, but they do not own the risk.
C: The IT director manages the IT systems on behalf of the business owners.
D: The risk management department determines and reports on level of risk, but does not own the risk. Risk is owned by senior management.



Which of the following components ensures that risks are examined for all new proposed change requests in the change control system?

  1. Configuration management
  2. Scope change control
  3. Risk monitoring and control
  4. Integrated change control

Answer(s): D

Explanation:

Integrated change control is the component that is responsible for reviewing all aspects of a change's impact on a project - including risks that may be introduced by the new change.

Integrated change control is a way to manage the changes incurred during a project. It is a method that manages reviewing the suggestions for changes and utilizing the tools and techniques to evaluate whether the change should be approved or rejected. Integrated change control is a primary component of the project's change control system that examines the affect of a proposed change on the entire project.

Incorrect Answers:
A: Configuration management controls and documents changes to the features and functions of the product scope.
B: Scope change control focuses on the processes to allow changes to enter the project scope. C: Risk monitoring and control is not part of the change control system, so this choice is not valid.



Which of the following are true for threats?
Each correct answer represents a complete solution. Choose three.

  1. They can become more imminent as time goes by, or it can diminish
  2. They can result in risks from external sources
  3. They are possibility
  4. They are real
  5. They will arise and stay in place until they are properly dealt.

Answer(s): A,B,D

Explanation:

Threat is an act of coercion wherein an act is proposed to elicit a negative response. Threats are real, while the vulnerabilities are a possibility. They can result in risks from external sources, and can become imminent by time or can diminish.

Incorrect Answers:
C, E: These two are true for vulnerability, but not threat. Unlike the threat, vulnerabilities are possibility and can result in risks from internal sources. They will arise and stay in place until they are properly dealt.



Which of the following statements BEST describes policy?

  1. A minimum threshold of information security controls that must be implemented
  2. A checklist of steps that must be completed to ensure information security
  3. An overall statement of information security scope and direction
  4. A technology-dependent statement of best practices

Answer(s): C

Explanation:

A policy is an executive mandate which helps in identifying a topic that contains particular risks to avoid or prevent. Policies are high-level documents signed by a person of high authority with the power to force cooperation. The policy is a simple document stating that a particular high-level control objective is important to the organization's success. Policies are usually only one page in length. The authority of the person mandating a policy will determine the scope of implementation.
Hence in other words, policy is an overall statement of information security scope and direction. Incorrect Answers:
A, B, D: These are not the valid definitions of the policy.






Post your Comments and Discuss ISACA CRISC exam with other Community members:

CRISC Discussions & Posts