Free Access to ISACA.CRISC.v2024-01-06.q281 with Valid Practice Test (Page 21)

Question 96

The MAIN goal of the risk analysis process is to determine the:

A.potential severity of impact.
B.control deficiencies.
C.frequency and magnitude of loss.
D.threats and vulnerabilities.

Question 97

Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

A.Organizational reporting process.
B.Incident reporting procedures.
C.Regularly scheduled audits.
D.Incident management policy.

Question 98

Which of the following risk responses include feedback and guidance from well-qualified risk officials and those internal to the project?

A.Contingent response strategy
B.Risk Acceptance
C.Expert judgment
D.Risk transfer

Correct Answer: C

Section: Volume D
Explanation:
Expert judgment is utilized in developing risk responses, including feedback and guidance from risk management experts and those internal to the project qualified to provide assistance in this process. Expert judgment is a technique based on a set of criteria that has been acquired in a specific knowledge area or product area. It is obtained when the project manager or project team requires specialized knowledge that they do not possess. Expert judgment involves people most familiar with the work of creating estimates. Preferably, the project team member who will be doing the task should complete the estimates. Expert judgment is applied when performing administrative closure activities, and experts should ensure the project or phase closure is performed to the appropriate standards.
Incorrect Answers:
A: Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike the mitigation planning in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn't necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
B: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.
* Passive acceptance means that enterprise has made no plan to avoid or mitigate the risk but willing to accept the consequences of the risk.
* Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
D: Risk transfer means that impact of risk is reduced by transferring or otherwise sharing a portion of the risk with an external organization or another internal entity. Transfer of risk can occur in many forms but is most effective when dealing with financial risks. Insurance is one form of risk transfer.

Question 99

The BEST reason to classify IT assets during a risk assessment is to determine the:

A.appropriate level of protection
B.enterprise risk profile
C.priority in the risk register
D.business process owner

Question 100

The PRIMARY purpose of IT control status reporting is to:

A.ensure compliance with IT governance strategy.
B.facilitate the comparison of the current and desired states.
C.benchmark IT controls with Industry standards.
D.assist internal audit in evaluating and initiating remediation efforts.

Question 96

Question 97

Question 98

Question 99

Question 100

Download PDF File