A company is adopting a DevSecOps approach and wants to conduct threat modeling early in the development lifecycle. Which threat modeling methodology is BEST suited for this environment due to its focus on agile and continuous integration?
During a risk identification workshop, a risk owner proposes a scenario: 'A disgruntled employee with privileged access exfiltrates customer data to a competitor.' In the context of the ISACA risk scenario template, which element is missing if the scenario only includes the actor, threat type, event, and asset?
An organization is categorizing IT risks. Which of the following risk categories would include the risk of regulatory fines due to non-compliance with data protection laws?
A risk analyst is building a risk register. After identifying a list of risks, what is the NEXT step in the risk identification process according to ISACA best practices?
A multinational corporation uses commercial threat intelligence feeds and participates in an ISAC. However, they recently missed a critical vulnerability exploited in the wild that was not in their feeds. Which additional source should they incorporate to improve vulnerability identification?
A company is developing risk scenarios for business impact analysis. Which of the following scenario components directly links the risk event to potential financial loss?
A financial services firm uses SAST and DAST tools in its application security testing. However, they are struggling to prioritize vulnerabilities from the large number of findings. Which additional technique would BEST help identify the most critical vulnerabilities in the context of business risk?
An organization's board has set a risk appetite statement that says: 'We accept moderate levels of operational risk but will not tolerate any compliance violations.' During risk identification, which type of risk should be given the HIGHEST priority?
A security team is using the STRIDE threat modeling methodology for a new web application. Which threat type under STRIDE would be MOST relevant to a SQL injection vulnerability?
An organization is conducting a vulnerability assessment of its IT assets. Which of the following sources is MOST authoritative for identifying known software vulnerabilities?
A risk manager is developing risk scenarios to present to the board. Which TWO elements are essential for connecting a risk scenario to business impact?
A company is implementing a risk identification process for third-party risks. Which THREE factors should be considered when identifying risks from a critical software vendor?
An IT risk manager is categorizing risks identified during a recent assessment. Which TWO categories would include the risk of a system outage caused by a software bug?
During a risk assessment, the risk practitioner is identifying threats to an application. Which threat modeling technique is specifically designed to analyze application threats using categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?
An organization has a risk appetite statement that says 'We accept up to $5 million in operational losses per year.' However, a new cloud migration project is estimated to have a potential operational loss of $8 million if a critical failure occurs. The risk capacity of the organization is $20 million. What should the risk practitioner recommend?
A risk practitioner is creating a risk scenario for a ransomware attack. Which of the following is the BEST sequence to describe the scenario using the ISACA risk scenarios template?
Which of the following is a threat intelligence source that provides information about known exploited vulnerabilities, maintained by a government agency?
During a vulnerability assessment, a risk practitioner identifies that a web application is vulnerable to SQL injection, which is listed in the OWASP Top 10. Which type of vulnerability identification technique MOST likely discovered this issue?
An organization has a risk register that includes risks related to regulatory compliance, such as GDPR and SOX. The risk practitioner is now categorizing these risks. Which risk category would BEST fit these compliance-related risks?
A risk practitioner is developing a risk scenario for a data breach caused by an insider threat. Which of the following is the MOST realistic and complete risk scenario?
A risk practitioner is updating the risk register after a third-party security incident. Which of the following is the MOST important information to include in the risk register entry for this third-party risk?
A risk practitioner is developing risk scenarios for a new cloud service. Which THREE of the following elements should be included in a complete risk scenario?
A security analyst is using a threat modeling approach that focuses on identifying threats based on the system's requirements and design. Which threat modeling methodology is being used?
An organization has identified a new vulnerability in its web application that could allow SQL injection attacks. Which of the following sources would MOST likely have been used to identify this vulnerability?
During a risk assessment, the risk practitioner develops a scenario involving a disgruntled employee exfiltrating sensitive customer data through a USB drive. The organization has a strict policy against removable media but lacks technical controls to prevent USB usage. Which element of the risk scenario is the vulnerability?
An organization is implementing a new cloud-based customer relationship management (CRM) system. Which of the following risk categories would BEST describe the risk of the CRM system failing to meet performance expectations?
A risk practitioner is using the ISACA risk scenario template to document a scenario. The template includes elements such as threat actor, threat type, event, asset/resource, timing, detection, and response. Which element describes the likelihood that the threat event will occur within a specific timeframe?
An organization's board has issued a risk appetite statement indicating that the company is willing to accept a moderate level of operational risk but has zero tolerance for compliance violations. This statement primarily defines which of the following?
When using STRIDE for threat modeling, which threat category involves an attacker gaining unauthorized access to a system by pretending to be a legitimate user?
A risk practitioner is connecting a risk scenario to business impact. The scenario involves a ransomware attack that encrypts critical financial systems, resulting in a two-week outage. Which of the following is the MOST appropriate business impact category?
An organization is assessing risks related to a third-party cloud provider. Which of the following is the BEST source of threat intelligence for identifying threats targeting the cloud infrastructure?
A risk practitioner is updating the risk register and needs to categorize risks. Which TWO of the following are standard risk categories used in IT risk management?
A project manager is identifying risks for a new software development project using Agile methodology. Which THREE threat modeling techniques are BEST suited for Agile/DevSecOps environments?
An organization is assessing risks related to a new cloud-based CRM system. The risk team is developing a risk scenario. Which of the following is the BEST example of a complete risk scenario following the ISACA template?
In the context of threat modeling for a web application, which technique is specifically designed to be integrated into Agile and DevSecOps processes, emphasizing collaboration and visualization?
A company's risk appetite statement specifies that the organization is willing to accept a moderate level of operational risk to achieve strategic agility. This statement directly influences which activity during IT risk identification?
Which of the following is a primary source of threat intelligence that provides real-time information about active cyber threats and indicators of compromise?
A bank is identifying IT risks and categorizes a potential data breach as both a compliance risk (due to GDPR) and a reputational risk. This is an example of:
During a threat modeling exercise using the STRIDE methodology, a security analyst identifies a threat where an attacker can modify data in transit between a web server and database. Which STRIDE category does this threat belong to?
An organization uses the CISA Known Exploited Vulnerabilities (KEV) catalog as a primary source for vulnerability identification. This catalog is BEST described as:
In developing a risk scenario, connecting a threat event to business impact is crucial. Which of the following is the BEST example of a properly connected risk scenario?
When performing asset-based vulnerability identification, a security analyst uses the Common Vulnerabilities and Exposures (CVE) database along with the National Vulnerability Database (NVD). Which of the following BEST describes the relationship between CVE and NVD?
A financial institution is identifying IT risks associated with a new mobile banking application. Which TWO threat modeling techniques are best suited for this scenario? (Select two.)
A risk manager is developing a risk scenario for a potential data breach involving a third-party cloud provider. According to the ISACA risk scenario template, which THREE elements must be included? (Select three.)
During a risk identification workshop, the team identifies several vulnerabilities. Which TWO of the following are examples of operational vulnerability identification? (Select two.)
An organization's risk register contains a scenario: 'A nation-state actor exploits an unpatched vulnerability in a public-facing web application, leading to data exfiltration of customer PII.' According to ISACA's risk scenario template, which element is MISSING from this description?
A risk practitioner is categorizing IT risks for a manufacturing company. Which of the following risks would be classified as an 'operational' IT risk?
A company's risk appetite statement says it is willing to accept moderate levels of operational risk but has low tolerance for compliance risk. During risk identification, which of the following scenarios should be IMMEDIATELY escalated to senior management?
A risk scenario is being developed for a phishing attack leading to credential theft. Using ISACA's risk scenario template, which component would describe the 'threat event'?
When developing IT risk scenarios, connecting them to business impact is critical. Which of the following BEST describes how a risk practitioner should link a technical scenario to business impact?
An organization is conducting a threat identification exercise using the STRIDE model. Which threat type would be MOST relevant when analyzing a banking application that allows fund transfers between accounts?
A risk practitioner is identifying vulnerabilities in an organization's IT environment. Which TWO of the following are examples of 'operational vulnerability identification'? (Choose two.)
During risk identification, a risk manager is reviewing threat intelligence sources. Which THREE of the following are considered legitimate sources of threat intelligence? (Choose three.)
A risk register is being created for a new ERP implementation project. Which TWO of the following risks should be included in the project's risk register? (Choose two.)
During a threat modeling exercise for a new web application, the team uses STRIDE. Which threat type under STRIDE corresponds to an attacker modifying data in transit?
A risk practitioner is developing a risk scenario for a potential ransomware attack. Using the ISACA risk scenario template, which element describes the entity that initiates the attack?
A financial institution uses threat intelligence from an Information Sharing and Analysis Center (ISAC). This is an example of which type of threat intelligence source?
A security analyst is reviewing CVE entries and NVD data to identify vulnerabilities in software assets. This activity is part of which vulnerability identification approach?
During a VAST threat modeling session for a DevSecOps pipeline, the team focuses on threats that align with agile development. Which of the following is a key advantage of VAST?
A multinational corporation is developing a new e-commerce platform using microservices architecture. The security team is conducting a threat modeling exercise to identify potential application-level threats. Which TWO threat modeling methodologies are most appropriate for this DevSecOps environment?
An organization is updating its IT risk universe to include emerging threats. The CISO wants to ensure the risk register captures realistic risk scenarios. Which THREE components are essential for constructing a complete risk scenario according to ISACA's risk scenario template?
A financial services firm is assessing vulnerabilities in its web application. The team wants to identify application-level vulnerabilities that could be exploited. Which TWO vulnerability identification techniques should be prioritized for this purpose?
An organization is creating a risk register for its IT risk universe. The risk manager needs to categorize risks to align with the enterprise risk management framework. Which TWO risk categories are most commonly used in IT risk identification?
A critical infrastructure organization is enhancing its threat identification capabilities. The risk team wants to leverage threat intelligence sources to identify emerging threats. Which THREE sources are most relevant for obtaining actionable threat intelligence?