ISACA CRISC Exam (page: 46)
ISACA Certified in Risk and Information Systems Control
Updated on: 25-Dec-2025

Viewing Page 46 of 361

Della works as a project manager for Tech Perfect Inc. She is studying the documentation of planning of a project. The documentation states that there are twenty-eight stakeholders with the project. What will be the number of communication channels for the project?

  1. 250
  2. 28
  3. 378
  4. 300

Answer(s): C

Explanation:

For twenty-eight stakeholders, the number of communication channels is 378. Communication channels are paths of communication with stakeholders in a project. The number of communication channels shows the complexity of a project's communication and can be derived through the formula shown below:
Total Number of Communication Channels = n (n-1)/2 where n is the number of stakeholders.

Hence, a project having five stakeholders will have ten communication channels. Putting the number of stakeholders into the formula gives the number of communication channels:
Number of communication channels
= (n (n-1)) / 2
= (28 (28-1)) / 2
= (28 x 27) / 2
= 756 / 2
= 378



Shawn is the project manager of the HWT project. In this project Shawn's team reports that they have found a way to complete the project work more cheaply than was originally estimated. The project team presents new software that will help to automate the project work. While the software and the associated training cost $25,000, it will save the project nearly $65,000 in total costs. Shawn agrees to the software and changes the project management plan accordingly. What type of risk response has he used?

  1. Avoiding
  2. Accepting
  3. Exploiting
  4. Enhancing

Answer(s): C

Explanation:

Exploiting a risk event means taking advantage of it to realize opportunities for positive impact. Exploit response is one of the strategies for dealing with risks that appear in a project. This strategy may be selected for risks with positive impacts where the organization wishes to ensure that the opportunity is realized. Exploiting a risk event provides opportunities for positive impact on a project. Assigning more talented resources to the project to reduce the time to completion is an example of an exploit response.

Incorrect Answers:
A: To avoid a risk means to evade it altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.

B: Accepting is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Often acceptance is used for low probability and low impact risk events.

D: Enhancing is a positive risk response that aims to increase the probability and/or impact of the risk event.



Which among the following is the BEST reason for defining a risk response?

  1. To eliminate risk from the enterprise
  2. To ensure that the residual risk is within the limits of the risk appetite and tolerance
  3. To overview current status of risk
  4. To mitigate risk

Answer(s): B

Explanation:

The purpose of defining a risk response is to ensure that the residual risk is within the limits of the risk appetite and tolerance of the enterprise. Risk response is based on selecting the correct, prioritized response to risk, based on the level of risk, the enterprise's risk tolerance and the cost or benefit of the particular risk response option.

Incorrect Answers:
A: Risk cannot be completely eliminated from the enterprise.

C: This is not a valid answer.

D: Mitigation of risk is itself the risk response process, not the reason behind this.



Which of the following is the BEST defense against successful phishing attacks?

  1. Intrusion detection system
  2. Application hardening
  3. End-user awareness
  4. Spam filters

Answer(s): C

Explanation:

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing attacks are a type of social engineering attack and are best defended against by end-user awareness training.

Incorrect Answers:
A: An intrusion detection system does not protect against phishing attacks since phishing attacks usually do not have a particular pattern or unique signature.

B: Application hardening does not protect against phishing attacks since phishing attacks generally use e-mail as the attack vector, with the end-user as the vulnerable point, not the application.

D: Certain highly specialized spam filters can reduce the number of phishing e-mails that reach users' inboxes, but they are not as effective in addressing phishing attacks as end-user awareness.



Which of the following laws applies to organizations handling health care information?

  1. GLBA
  2. HIPAA
  3. SOX
  4. FISMA

Answer(s): B

Explanation:

HIPAA governs how an organization handles health care information.

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996. It ensures that health information data is protected. Before HIPAA, personal medical information was often available to anyone. Security to protect the data was lax, and the data was often misused.

If your organization handles health information, HIPAA applies. HIPAA defines health information as any data that is created or received by health care providers, health plans, public health authorities, employers, life insurers, schools or universities, and health care clearinghouses.

HIPAA covers any data that is related to the health of an individual, including past/present/future health, physical/mental health, and past/present/future payments for health care.

Creating a HIPAA compliance plan involves the following phases:
Assessment: An assessment helps in identifying whether the organization is covered by HIPAA. If it is, the next step is to identify what data needs to be protected.
Risk analysis: A risk analysis helps to identify the risks. In this phase, the organization's methods of handling data are analyzed.
Plan creation: After identifying the risks, a plan is created. This plan includes methods to reduce the risk.
Plan implementation: In this phase, the plan is implemented.
Continuous monitoring: Security in depth requires continuous monitoring. Monitor regulations for changes. Monitor risks for changes. Monitor the plan to ensure it is still used.
Assessment: Regular reviews are conducted to ensure that the organization remains in compliance.

Incorrect Answers:
A: GLBA is not used for handling health care information.

C: SOX is designed to hold executives and board members personally responsible for financial data.

D: FISMA ensures protection of the data of federal agencies.


