Share Isaca CRISC exam questions and answers from the latest updated Lead4Pass CRISC dumps free of charge.
Get the latest uploaded CRISC dumps PDF from Google Drive online. To get the full Isaca CRISC dumps PDF or dumps
VCE visit: (Q&As: 933). All Isaca CRISC exam questions have been updated and the answers have been corrected! Make sure your exam questions are real and effective to help you pass your first exam!

[Isaca CRISC Dumps pdf] Latest Isaca CRISC Dumps PDF collected by Lead4pass Google Drive:

Latest update Isaca CRISC exam questions and answers online practice test

Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity?
A. Building correlations between logs collected from different sources
B. Ensuring the control is proportional to the risk
C. Implementing log analysis tools to automate controls
D. Ensuring availability of resources for log analysis
Correct Answer: D


FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an
external organization?
A. Annually
B. Quarterly
C. Every three years
D. Never
Correct Answer: A
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their
program. The objective is to determine the effectiveness of the program. These evaluations include:
Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not test every policy,
procedure, and practice. Instead, a representative sample is tested.
An assessment or report: This report identifies the agency's compliance as well as lists compliance with FISMA. It also lists compliance with other standards and
Incorrect Answers:
B, C, D: Auditing of compliance by the external organization is done annually, not quarterly or every three


Which of the following is a detective control?
A. Limit check
B. Access control software
C. Periodic access review
D. Rerun procedures
Correct Answer: D


The BEST criterion when selecting a risk response is the:
A. effectiveness of risk response options
B. alignment of response to industry standards
C. importance of IT risk within the enterprise
D. capability to implement the response
Correct Answer: A


Which of the following components of risk scenarios has the potential to generate internal or external threat on an
A. Timing dimension
B. Events
C. Assets
D. Actors
Correct Answer: D
The components of a risk scenario that are needed for its analysis are:
Actor: Actors are the components of a risk scenario that have the potential to generate a threat, which can be
internal or external, human or non-human. Internal actors are within the enterprise, such as staff and contractors.
External actors include outsiders, competitors, regulators, and the market.
Threat type: The threat type defines the nature of the threat, that is, whether the threat is malicious, accidental, natural, or intentional.
Event: An event is an essential part of a scenario; a scenario always has to contain an event. The event describes what
happens, such as disclosure of confidential information, interruption of a system or project, modification, theft,
destruction, etc.
Asset: Assets are the economic resources owned by a business or company. Anything tangible or intangible that one
possesses, usually considered as applicable to the payment of one's debts, is considered an asset. An asset can also be
defined as a resource, process, product, computing infrastructure, and so forth that an organization has determined must
be protected.
Tangible asset: A tangible asset has physical attributes and can be detected with the senses, e.g., people,
infrastructure, and finances.
Intangible asset: Intangible assets have no physical attributes and cannot be detected with the senses, e.g., information,
reputation, and customer trust.
Timing dimension: The timing dimension is the application of the scenario to determine the time to respond to or recover
from an event. It identifies whether the event occurs at a critical moment and how long it lasts. It also specifies the time
lag between the event and the consequence, that is, whether there is an immediate consequence (e.g., network failure,
immediate downtime) or a delayed consequence (e.g., wrong IT architecture with accumulated high costs over a long
period of time).


Shawn is the project manager of the HWT project. In this project, Shawn's team reports that they have found a way to
complete the project work cheaper than originally estimated. The project team presents new software
that will help to automate the project work. While the software and the associated training cost $25,000, it will save the
project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan
accordingly. What type of risk response did he use?
A. Avoiding
B. Accepting
C. Exploiting
D. Enhancing
Correct Answer: C
A risk event is being exploited so as to realize the opportunity for a positive impact. Exploit is one of the
strategies for dealing with risks or threats that appear in a project. This strategy may be selected for risks with positive
impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides
opportunities for a positive impact on a project. Assigning more talented resources to the project to reduce the time to
completion is an example of an exploit response.
Incorrect Answers:
A: To avoid a risk means to evade it altogether, eliminate the cause of the risk event, or change the project plan to
protect the project objectives from the risk event.
B: Accepting is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but
documents the event and allows the risk to happen. Often acceptance is used for low probability and low impact risk.
D: Enhancing is a positive risk response that aims to increase the probability and/or impact of the risk event.


Which section of the Sarbanes-Oxley Act specifies “Periodic financial reports must be certified by CEO and CFO”?
A. Section 302
B. Section 404
C. Section 203
D. Section 409
Correct Answer: A
Section 302 of the Sarbanes-Oxley Act requires corporate responsibility for financial reports to be certified by the CEO,
CFO, or designated representative.
Incorrect Answers:
B: Section 404 of the Sarbanes-Oxley Act states that annual assessments of internal controls are the responsibility of
C: Section 203 of the Sarbanes-Oxley Act requires audit partners and review partners to rotate off an assignment every
five years.
D: Section 409 of the Sarbanes-Oxley Act states that the financial reports must be distributed quickly and currently.


Which of the following is the BEST way to validate whether controls have been implemented according to the risk
mitigation action plan?
A. Implement key risk indicators (KRIs)
B. Test the control design
C. Test the control environment
D. Implement key performance indicators (KPIs)
Correct Answer: A


Which of the following laws applies to organizations handling health care information?
Correct Answer: B
HIPAA governs the handling of health care information by an organization.
The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996. It ensures that health
information data is protected. Before HIPAA, personal medical information was often available to anyone. Security to
protect the data was lax, and the data was often misused.
If your organization handles health information, HIPAA applies. HIPAA defines health information as any data that is
created or received by health care providers, health plans, public health authorities, employers, life insurers, schools or
universities, and health care clearinghouses.
HIPAA covers any data related to the health of an individual, including past/present/future health,
physical/mental health, and past/present/future payments for health care.
Creating a HIPAA compliance plan involves the following phases:
Assessment: An assessment helps in identifying whether an organization is covered by HIPAA. If it is, then
a further requirement is to identify what data needs to be protected.
Risk analysis: A risk analysis helps to identify the risks. In this phase, the organization's methods of handling data
are analyzed.
Plan creation: After identifying the risks, a plan is created. This plan includes methods to reduce the risk.
Plan implementation: In this phase the plan is implemented.
Continuous monitoring: Security in depth requires continuous monitoring. Monitor regulations for changes.
Monitor risks for changes. Monitor the plan to ensure it is still used.
Assessment: Regular reviews are conducted to ensure that the organization remains in compliance.
Incorrect Answers:
A: GLBA is not used for handling health care information.
C: SOX is designed to hold executives and board members personally responsible for financial data.
D: FISMA ensures the protection of data of federal agencies.


Which of the following is NOT true for risk governance?
A. Risk governance is based on the principles of cooperation, participation, mitigation, and sustainability, and is adopted
to achieve more effective risk management.
B. Risk governance requires reporting once a year.
C. Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy.
D. Risk governance is a systemic approach to decision-making processes associated with natural and technological risks.
Correct Answer: B
Risk governance is a continuous life cycle that requires regular reporting and ongoing review, not once a
Incorrect Answers:
A, C, D: These are true for risk governance.


Which of the following criteria associated with key risk indicators (KRIs) BEST enables effective risk monitoring?
A. Use of industry risk data sources
B. Sensitivity to changes in risk levels
C. Low cost of development and maintenance
D. Approval by senior management
Correct Answer: A


Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and risk-aware decisions?
A. Business management
B. Business process owner
C. Chief information officer (CIO)
D. Chief risk officer (CRO)
Correct Answer: D
Business management refers to the business individuals with roles relating to managing a program. They are typically
accountable for analyzing risks, maintaining risk profiles, and risk-aware decisions. Other than this, they are also
responsible for managing risks, reacting to events, etc.
Incorrect Answers:
B: A business process owner is an individual responsible for identifying process requirements, approving process design,
and managing process performance. He/she is responsible for analyzing risks, maintaining the risk profile, and risk-aware
decisions but is not accountable for them.
C: The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business
strategies; and planning, resourcing, and managing the delivery of IT services and information, and the deployment of
associated human resources. The CIO has some responsibility for analyzing risks, maintaining the risk profile, and risk-aware
decisions but is not accountable for them.


What should a risk practitioner do NEXT if an ineffective key control is identified on a critical system?
A. Revalidate the risk assessment.
B. Escalate to senior management.
C. Propose acceptance of the risk.
D. Conduct a gap analysis.
Correct Answer: D
