Certified in Risk and Information Systems Control v1.0

Page:    1 / 120   
Exam contains 1800 questions

Which of the following is true for Cost Performance Index (CPI)?

  • A. If the CPI > 1, it indicates better than expected performance of project
  • B. CPI = Earned Value (EV) * Actual Cost (AC)
  • C. It is used to measure performance of schedule
  • D. If the CPI = 1, it indicates poor performance of project


Answer : A

Cost performance index (CPI) is used to calculate performance efficiencies of project. It is used in trend analysis to predict future performance. CPI is the ratio of earned value to actual cost.
If the CPI value is greater than 1, it indicates better than expected performance, whereas if the value is less than 1, it shows poor performance.
Incorrect Answers:
B: CPI is the ratio of earned value to actual cost, i.e., CPI = Earned Value (EV) / Actual Cost (AC).
C: Cost performance index (CPI) is used to calculate performance efficiencies of project and not its schedule.
D: The CPI value of 1 indicates that the project is right on target.

Which of the following do NOT indirect information?

  • A. Information about the propriety of cutoff
  • B. Reports that show orders that were rejected for credit limitations.
  • C. Reports that provide information about any unusual deviations and individual product margins.
  • D. The lack of any significant differences between perpetual levels and actual levels of goods.


Answer : A

Information about the propriety of cutoff is a kind of direct information.
Incorrect Answers:
B: Reports that show orders that were rejected for credit limitations provide indirect information that credit checking aspects of the system are working as intended.
C: Reports that provide information about any unusual deviations and individual product margins (whereby, the price of an item sold is compared to its standard cost) provide indirect information that controls over billing and pricing are operating.
D: The lack of any significant differences between perpetual levels and actual levels provides indirect information that its billing controls are operating.

Ben works as a project manager for the MJH Project. In this project, Ben is preparing to identify stakeholders so he can communicate project requirements, status, and risks. Ben has elected to use a salience model as part of his stakeholder identification process. Which of the following activities best describes a salience model?

  • A. Describing classes of stakeholders based on their power (ability to impose their will), urgency (need for immediate attention), and legitimacy (their involvement is appropriate).
  • B. Grouping the stakeholders based on their level of authority ("power") and their level or concern ("interest") regarding the project outcomes.
  • C. Influence/impact grid, grouping the stakeholders based on their active involvement ("influence") in the project and their ability to affect changes to the project's planning or execution ("impact").
  • D. Grouping the stakeholders based on their level of authority ("power") and their active involvement ("influence") in the project.


Answer : A

A salience model defines and charts stakeholders' power, urgency, and legitimacy in the project.
The salience model is a technique for categorizing stakeholders according to their importance. The various difficulties faced by the project managers are as follows:
✑ How to choose the right stakeholders?
✑ How to prioritize competing claims of the stakeholders communication needs?
Stakeholder salience is determined by the evaluation of their power, legitimacy and urgency in the organization.
✑ Power is defined as the ability of the stakeholder to impose their will.
✑ Urgency is the need for immediate action.
✑ Legitimacy shows the stakeholders participation is appropriate or not.
The model allows the project manager to decide the relative salience of a particular stakeholder.
Incorrect Answers:
B: This defines the power/interest grid.
C: This defines an influence/impact grid.
D: This defines a power/influence grid.

Which of the following is the first MOST step in the risk assessment process?

  • A. Identification of assets
  • B. Identification of threats
  • C. Identification of threat sources
  • D. Identification of vulnerabilities


Answer : A

Asset identification is the most crucial and first step in the risk assessment process. Risk identification, assessment and evaluation (analysis) should always be clearly aligned to assets. Assets can be people, processes, infrastructure, information or applications.

Which of the following matrices is used to specify risk thresholds?

  • A. Risk indicator matrix
  • B. Impact matrix
  • C. Risk scenario matrix
  • D. Probability matrix


Answer : A

Risk indicators are metrics used to indicate risk thresholds, i.e., it gives indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about the potential risks.
Incorrect Answers:
B, D: Estimation of risk's consequence and priority for awareness is conducted by using probability and impact matrix. These matrices specify the mixture of probability and impact that directs to rating the risks as low, moderate, or high priority.
C: A risk scenario is a description of an event that can lay an impact on business, when and if it would occur.
Some examples of risk scenario are of:
✑ Having a major hardware failure
✑ Failed disaster recovery planning (DRP)
✑ Major software failure

What are the two MAJOR factors to be considered while deciding risk appetite level? Each correct answer represents a part of the solution. (Choose two.)

  • A. The amount of loss the enterprise wants to accept
  • B. Alignment with risk-culture
  • C. Risk-aware decisions
  • D. The capacity of the enterprise's objective to absorb loss.


Answer : AD

Risk appetite is the amount of risk a company or other entity is willing to accept in pursuit of its mission. This is the responsibility of the board to decide risk appetite of an enterprise. When considering the risk appetite levels for the enterprise, the following two major factors should be taken into account:
The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage, etc.
The culture towards risk taking-cautious or aggressive. In other words, the amount of loss the enterprise wants to accept in pursue of its objective fulfillment.
Incorrect Answers:
B: Alignment with risk-culture is also one of the factors but is not as important as these two.
C: Risk aware decision is not the factor, but is the result which uses risk appetite information as its input.

You are the project manager of the GHY Project for your company. You need to complete a project management process that will be on the lookout for new risks, changing risks, and risks that are now outdated. Which project management process is responsible for these actions?

  • A. Risk planning
  • B. Risk monitoring and controlling
  • C. Risk identification
  • D. Risk analysis


Answer : B

The risk monitoring and controlling is responsible for identifying new risks, determining the status of risks that may have changed, and determining which risks may be outdated in the project.
Incorrect Answers:
A: Risk planning creates the risk management plan and determines how risks will be identified, analyzed, monitored and controlled, and responded to.
C: Risk identification is a process that identifies risk events in the project.
D: Risk analysis helps determine the severity of the risk events, the risks' priority, and the probability and impact of risks.

You are the project manager of the HGT project in Bluewell Inc. The project has an asset valued at $125,000 and is subjected to an exposure factor of 25 percent.
What will be the Single Loss Expectancy of this project?

  • A. $ 125,025
  • B. $ 31,250
  • C. $ 5,000
  • D. $ 3,125,000


Answer : B

The Single Loss Expectancy (SLE) of this project will be $31,250.
Single Loss Expectancy is a term related to Quantitative Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset. It is mathematically expressed as follows:
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF) where the Exposure Factor represents the impact of the risk over the asset, or percentage of asset lost. As an example, if the Asset Value is reduced two third, the exposure factor value is .66. If the asset is completely lost, the Exposure Factor is 1.0. The result is a monetary value in the same unit as the Single Loss
Expectancy is expressed.
Therefore,
SLE = Asset Value * Exposure Factor
= 125,000 * 0.25
= $31,250
Incorrect Answers:
A, C, D: These are not SLEs of this project.

Which of the following are the principles of access controls?
Each correct answer represents a complete solution. (Choose three.)

  • A. Confidentiality
  • B. Availability
  • C. Reliability
  • D. Integrity


Answer : ABD

The principles of access controls focus on availability, integrity, and confidentiality, as loss or danger is directly related to these three:
✑ Loss of confidentiality- Someone sees a password or a company's secret formula, this is referred to as loss of confidentiality.
✑ Loss of integrity- An e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site is referred to as loss of integrity.
✑ Loss of availability- An e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available comes under loss of availability.

You are the project manager of GHT project. You have selected appropriate Key Risk Indicators for your project. Now, you need to maintain those Key Risk
Indicators. What is the MOST important reason to maintain Key Risk Indicators?

  • A. Risk reports need to be timely
  • B. Complex metrics require fine-tuning
  • C. Threats and vulnerabilities change over time
  • D. They help to avoid risk


Answer : C

Since the enterprise's internal and external environments are constantly changing, the risk environment is also highly dynamic, i.e., threats and vulnerabilities change over time. Hence KRIs need to be maintained to ensure that KRIs continue to effectively capture these changes.
Incorrect Answers:
A: Timely risk reporting is one of the business requirements, but is not the reason behind KRI maintenance.
B: While most key risk indicator metrics need to be optimized in respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time.
D: Avoiding risk is a type of risk response. Risk responses are based on KRI reporting.

Which of the following controls do NOT come under technical class of control?

  • A. Program management control
  • B. System and Communications Protection control
  • C. Identification and Authentication control
  • D. Access Control


Answer : A

Program Management control comes under management class of controls, not technical.
Program Management control is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA.
These controls complement other controls. They don't replace them.
Incorrect Answers:
B, C, D: These controls comes under technical class of control.
The Technical class of controls includes four families. These families include over 75 individual controls. Following is a list of each of the families in the Technical class:
✑ Access Control (AC): This family of controls helps an organization implement effective access control. They ensure that users have the rights and permissions they need to perform their jobs, and no more. It includes principles such as least privilege and separation of duties.
✑ Audit and Accountability (AU): This family of controls helps an organization implement an effective audit program. It provides details on how to determine what to audit. It provides details on how to protect the audit logs. It also includes information on using audit logs for non-repudiation.
Identification and Authentication (IA): These controls cover different practices to identify and authenticate users. Each user should be uniquely identified. In

other words, each user has one account. This account is only used by one user. Similarly, device identifiers uniquely identify devices on the network.
✑ System and Communications Protection (SC): The SC family is a large group of controls that cover many aspects of protecting systems and communication channels. Denial of service protection and boundary protection controls are included. Transmission integrity and confidentiality controls are also included.

Mary is a project manager in her organization. On her current project she is working with her project team and other key stakeholders to identify the risks within the project. She is currently aiming to create a comprehensive list of project risks so she is using a facilitator to help generate ideas about project risks. What risk identification method is Mary likely using?

  • A. Delphi Techniques
  • B. Expert judgment
  • C. Brainstorming
  • D. Checklist analysis


Answer : C

Mary is using brainstorming in this example. Brainstorming attempts to create a comprehensive list of risks and often is led by a moderator or facilitator to move the process along.
Brainstorming is a technique to gather general data. It can be used to identify risks, ideas, or solutions to issues by using a group of team members or subject- matter expert. Brainstorming is a group creativity technique that also provides other benefits, such as boosting morale, enhancing work enjoyment, and improving team work.
Incorrect Answers:
A: The Delphi technique uses rounds of anonymous surveys to generate a consensus on the identified risks.
B: Expert judgment is not the best answer for this; projects experts generally do the risk identification, in addition to the project team.
D: Checklist analysis uses historical information and information from similar projects within the organization's experience.

Which of the following is an administrative control?

  • A. Water detection
  • B. Reasonableness check
  • C. Data loss prevention program
  • D. Session timeout


Answer : C

You are the project manager of the NHH Project. You are working with the project team to create a plan to document the procedures to manage risks throughout the project. This document will define how risks will be identified and quantified. It will also define how contingency plans will be implemented by the project team.
What document do you and your team is creating in this scenario?

  • A. Project plan
  • B. Resource management plan
  • C. Project management plan
  • D. Risk management plan


Answer : D

The risk management plan, part of the comprehensive management plan, defines how risks will be identified, analyzed, monitored and controlled, and even responded to.
A Risk management plan is a document arranged by a project manager to estimate the effectiveness, predict risks, and build response plans to mitigate them. It also consists of the risk assessment matrix.
Risks are built in with any project, and project managers evaluate risks repeatedly and build plans to address them. The risk management plan consists of analysis of possible risks with both high and low impacts, and the mitigation strategies to facilitate the project and avoid being derailed through which the common problems arise. Risk management plans should be timely reviewed by the project team in order to avoid having the analysis become stale and not reflective of actual potential project risks. Most critically, risk management plans include a risk strategy for project execution.
Incorrect Answers:
A: The project plan is not an official PMBOK project management plan.
B: The resource management plan defines the management of project resources, such as project team members, facilities, equipment, and contractors.
C: The project management plan is a comprehensive plan that communicates the intent of the project for all project management knowledge areas.

Where are all risks and risk responses documented as the project progresses?

  • A. Risk management plan
  • B. Project management plan
  • C. Risk response plan
  • D. Risk register


Answer : D

All risks, their responses, and other characteristics are documented in the risk register. As the project progresses and the conditions of the risk events change, the risk register should be updated to reflect the risk conditions.
Incorrect Answers:
A: The risk management plan addresses the project management's approach to risk management, risk identification, analysis, response, and control.
B: The project management plan is the overarching plan for the project, not the specifics of the risk responses and risk identification.
C: The risk response plan only addresses the planned risk responses for the identified risk events in the risk register.

Page:    1 / 120   
Exam contains 1800 questions

Talk to us!


Have any questions or issues ? Please dont hesitate to contact us

Certlibrary.com is owned by MBS Tech Limited: Room 1905 Nam Wo Hong Building, 148 Wing Lok Street, Sheung Wan, Hong Kong. Company registration number: 2310926
Certlibrary doesn't offer Real Microsoft Exam Questions. Certlibrary Materials do not contain actual questions and answers from Cisco's Certification Exams.
CFA Institute does not endorse, promote or warrant the accuracy or quality of Certlibrary. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Terms & Conditions | Privacy Policy