Which of the following is the MOST important use of KRIs?
Correct Answer: B
is incorrect. KRIs provide an indication of the enterprise's risk appetite and tolerance through metric setting, but this is not as important as giving early warning.
CRISC Exam Question 407
When it appears that a project risk is going to happen, what is this term called?
Correct Answer: C
Explanation/Reference:
Explanation: A trigger is a warning sign or a condition indicating that a risk event is likely to occur within the project.
Incorrect Answers:
A: Issues are events that come about as a result of risk events. Risks become issues only after they have actually occurred.
B: A contingency response is a pre-planned response for a risk event, such as a rollback plan.
D: A threshold is a limit that the risk passes to actually become an issue in the project.
CRISC Exam Question 408
Which of the following should a risk practitioner recommend FIRST when an increasing trend of risk events and subsequent losses has been identified?
Correct Answer: B
CRISC Exam Question 409
Which of the following are sub-categories of threat? Each correct answer represents a complete solution. Choose three.
Correct Answer: C,D,E
Section: Volume B
Explanation: A threat is any event that has the potential to cause a loss. In other words, it is any activity that represents a possible danger. The loss or danger is directly related to one of the following:
* Loss of confidentiality - Someone sees a password or a company's secret formula; this is referred to as loss of confidentiality.
* Loss of integrity - An e-mail message is modified in transit, a virus infects a file, or someone makes unauthorized changes to a Web site; this is referred to as loss of integrity.
* Loss of availability - An e-mail server is down and no one has e-mail access, or a file server is down so data files aren't available; this comes under loss of availability.
Threat identification is the process of creating a list of threats. This list attempts to identify all the possible threats to an organization. The list can be extensive. Threats are often sub-categorized as follows:
* External or internal - External threats are outside the boundary of the organization. They can also be thought of as risks that are outside the control of the organization. Internal threats are within the boundary of the organization. They could be related to employees or other personnel who have access to company resources. Internal threats can also be related to any hardware or software controlled by the business.
* Natural or man-made - Natural threats are often related to weather, such as hurricanes, tornadoes, and ice storms. Natural disasters like earthquakes and tsunamis are also natural threats. A human or man-made threat is any threat caused by a person. Any attempt to harm resources is a man-made threat. Fire could be man-made or natural depending on how the fire is started.
* Intentional or accidental - An attempt to compromise confidentiality, integrity, or availability is intentional. Employee mistakes or user errors are accidental threats. A faulty application that corrupts data could also be considered accidental.
CRISC Exam Question 410
The risk associated with an asset before controls are applied can be expressed as: