The GREATEST benefit of including low-probability, high-impact events in a risk assessment is the ability to:
Correct Answer: D
Section: Volume D
CRISC Exam Question 442
A risk practitioner is reviewing accountability assignments for data risk in the risk register. Which of the following would pose the GREATEST concern?
Correct Answer: C
CRISC Exam Question 443
Which of the following is a PRIMARY reason for considering existing controls during initial risk assessment?
Correct Answer: C
During an initial risk assessment, existing controls are considered primarily to determine the current risk level. Here's a detailed explanation:

* Understanding Existing Controls:
  * Existing controls are measures already in place to mitigate risks. They can include technical, administrative, and physical safeguards designed to protect organizational assets.
  * Knowing which controls are currently in place shows the organization's present defenses against potential threats.
* Assessing the Current Risk Level:
  * The current risk level is the risk that remains after the effectiveness of existing controls is taken into account, often referred to as residual risk.
  * Evaluating these controls shows how much risk is actually mitigated and what level of risk remains.
  * For instance, if an organization has implemented firewalls and intrusion detection systems, these controls reduce the risk of cyber attacks; their effectiveness determines the residual risk level.
* Differentiating Between Risk Types:
  * Inherent Risk: the level of risk that exists before any controls are applied; the raw risk associated with a particular asset or process.
  * Residual Risk: the risk that remains after existing controls have been applied; the actual risk the organization faces after its mitigation efforts.
  * Current Risk: often used interchangeably with residual risk, but focused on the risk level at the present moment, given the controls that actually exist today.
* Primary Objective in Initial Risk Assessment:
  * Considering existing controls during the initial risk assessment gives an accurate picture of the current risk landscape, which lets risk practitioners determine what additional controls or modifications are needed to reduce risk to acceptable levels.
  * Without considering existing controls, the assessment would reflect only the inherent risk, which does not give a realistic view of the organization's risk exposure.
* References:
  * The CRISC Review Manual emphasizes the importance of understanding the current risk level by assessing existing controls (CRISC Review Manual, Chapter 2: IT Risk Assessment, Section 2.9.3 Current Risk).
CRISC Exam Question 444
Which of the following vulnerability assessment software can check for weak passwords on the network?
Correct Answer: A
Explanation: A password cracker is an application program used to recover an unknown or forgotten password for a computer or network resource, typically by testing candidate passwords (dictionary words, common patterns, or brute-force combinations) against captured password hashes or against a login interface. The same capability can be used by an attacker to gain unauthorized access. When run by the organization as part of a vulnerability assessment, a password cracker identifies accounts on the network whose passwords are weak, so that the affected users can be notified and required to choose a stronger one.
Incorrect Answers:
B: Antivirus or anti-virus software is used to prevent, detect, and remove malware; it scans the computer for viruses.
C: Anti-spyware software is designed to prevent and detect unwanted spyware installations and to remove those programs if installed.
D: Wireshark is a free and open-source protocol analyzer used for network troubleshooting, analysis, software and communications protocol development, and education; it captures and decodes traffic but does not test password strength.
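The following is an added example, not part of the exam material or any vendor's tool, showing the core of what a password cracker does when it is used to audit for weak passwords: it hashes each candidate from a wordlist (plus a few common mangling rules) exactly the way the target system does and compares the result with the stored hash. The credential store, the salted-SHA-256 scheme, the wordlist and the four sample accounts are all constructed for the example; production systems use slow, purpose-built hashes such as bcrypt, scrypt or Argon2, but the audit logic is identical.

```python
"""Dictionary-style weak-password audit against a set of salted password hashes.

Added example for illustration only. The hashing scheme (SHA-256 over salt||password)
and the sample accounts are constructed assumptions, not a real system's format.
"""
import hashlib
import itertools
from typing import Dict, Iterable, List, Tuple


def hash_password(salt: bytes, password: str) -> str:
    """Constructed scheme for the example: hex(SHA-256(salt || password))."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def candidates(base: str) -> Iterable[str]:
    """Yield the base word plus simple mangling rules users commonly apply.

    Real crackers ship hundreds of such rules; these four suffixes and one
    capitalisation rule are enough to show why 'Password123' is still weak.
    """
    yield base
    yield base.capitalize()
    for suffix in ("1", "123", "!", "2024"):
        yield base + suffix
        yield base.capitalize() + suffix


def audit_weak_passwords(
    records: Iterable[Tuple[str, bytes, str]], wordlist: Iterable[str]
) -> Dict[str, str]:
    """Return {username: recovered_password} for every record the wordlist matches.

    records:  (username, salt, hex_digest) tuples as stored by the (hypothetical) system
    wordlist: base words; mangled variants are generated from each one
    """
    # Expand the wordlist once; the per-user salt forces re-hashing per account,
    # which is exactly what makes salted hashes expensive to attack at scale.
    expanded: List[str] = list(
        itertools.chain.from_iterable(candidates(w) for w in wordlist)
    )
    cracked: Dict[str, str] = {}
    for user, salt, digest in records:
        for guess in expanded:
            if hash_password(salt, guess) == digest:
                cracked[user] = guess
                break  # first hit is enough; move to the next account
    return cracked


# Constructed sample data: four accounts, three of which have weak passwords.
WORDLIST = ["password", "welcome", "summer", "admin"]
_SAMPLE_PLAINTEXT = {
    "alice": "Password123",      # weak: dictionary word + common suffix
    "bob": "welcome!",           # weak: dictionary word + '!'
    "carol": "Tq8#vLm2$wQr9zP",  # strong: not derivable from the wordlist
    "dave": "admin",             # weak: bare dictionary word
}
SAMPLE_RECORDS: List[Tuple[str, bytes, str]] = [
    (user, f"salt-{user}".encode(), hash_password(f"salt-{user}".encode(), pw))
    for user, pw in _SAMPLE_PLAINTEXT.items()
]

if __name__ == "__main__":
    for user, pw in sorted(audit_weak_passwords(SAMPLE_RECORDS, WORDLIST).items()):
        print(f"WEAK  {user}: {pw!r}")
```

The audit only ever reports accounts it could actually recover, so a clean result means "not found with this wordlist and these rules", not "strong"; in practice the wordlist and rule set, and the cost of the real hash function, decide how much assurance the check gives.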
CRISC Exam Question 445
An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?