Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CRISC IT Risk Identification • Complete Question Bank

CRISC IT Risk Identification — All Questions With Answers

Complete CRISC IT Risk Identification question bank: 124 questions with answers and detailed explanations. Free, no signup.
Question 1 (medium, multiple choice)

A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?

Question 2 (hard, multiple choice)

During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?

Question 3 (easy, multiple choice)

An organization is considering migrating its customer database to a public cloud provider. Which of the following is the PRIMARY risk identification technique that should be used to identify potential data exposure risks?

Question 4 (medium, multiple choice)

An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?

Question 5 (hard, multiple choice)

A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?

Question 6 (easy, multiple choice)

Which of the following is the BEST example of a key risk indicator (KRI) for the risk of unauthorized access to sensitive data?

Question 7 (medium, multiple choice)

A large retailer is implementing a new point-of-sale (POS) system. The project manager wants to identify risks related to payment card data security. Which risk identification technique would be MOST effective for this purpose?

Question 8 (hard, multiple choice)

During a risk assessment, an organization identifies that its remote workforce uses personal devices for work. The risk manager is concerned about data leakage. The organization has a risk appetite that is 'moderate' and wants to treat the risk. Which of the following is the MOST effective risk treatment option?

Question 9 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a risk register?

Question 10 (medium, multi select)

Which TWO of the following are key risk identification techniques used to identify threats and vulnerabilities in IT systems? (Select exactly 2.)

Question 11 (hard, multi select)

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Question 12 (easy, multi select)

Which TWO of the following are primary sources of risk identification for IT projects? (Select exactly 2.)

Question 13 (hard, multiple choice)

You are the IT risk manager for a mid-sized e-commerce company. The company processes credit card payments and stores customer data. Recently, the company experienced a security incident where an attacker exploited a SQL injection vulnerability in the web application, exfiltrating a database of customer records. The vulnerability was introduced three months ago during a feature upgrade. The development team claims they followed secure coding guidelines, but the vulnerability was missed due to insufficient testing. The company's risk appetite is moderate, and they have a risk management policy that requires risks to be treated within 30 days of identification. The CISO wants to know the most effective way to reduce the likelihood of similar incidents. You have assessed that the current risk score for web application vulnerabilities is 16 (High). The company has a bug bounty program, but it has not been effective. Which of the following courses of action would BEST address the root cause and reduce the risk?

Question 14 (medium, multiple choice)

You are a risk analyst for a financial institution that uses a legacy mainframe system for core banking transactions. The mainframe is critical for daily operations, but it is no longer supported by the vendor. The system has known vulnerabilities that cannot be patched due to compatibility issues. The institution has a risk appetite that is very low for any disruption to core banking services. Recently, there was a minor outage caused by a hardware failure, which was resolved quickly, but it highlighted the system's fragility. The IT director proposes to migrate to a modern system, but the migration will take 2 years and cost $5 million. The board is concerned about the cost and timeline. You need to recommend an immediate risk treatment to reduce the likelihood of a major outage while the migration is underway. Which of the following is the BEST course of action?

Question 15 (medium, multiple choice)

A retail company recently deployed a point-of-sale (POS) system that processes credit card transactions. The system is connected to the corporate network and transmits transaction data to a payment processor over the internet. During a risk assessment, the IT risk manager identifies that the POS system is vulnerable to malware injection via unvalidated input from barcode scanners. Which of the following is the MOST appropriate risk mitigation strategy?

Question 16 (hard, multiple choice)

A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?

Question 17 (easy, multiple choice)

An organization is implementing a new identity and access management (IAM) system. The risk manager is tasked with identifying risks associated with the migration from legacy authentication to single sign-on (SSO). Which of the following is the GREATEST risk during this migration?

Question 18 (medium, multiple choice)

A financial institution uses a third-party cloud service for data analytics. The service has access to non-public personal information (NPI). During a risk assessment, the risk manager discovers that the cloud provider uses subprocessors without notifying the institution. The contract does not require notification of subprocessor changes. What should the risk manager do FIRST?

Question 19 (medium, multi select)

A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?

Question 20 (hard, multiple choice)

You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?

Question 21 (medium, multiple choice)

A multinational e-commerce company has experienced multiple security incidents involving unauthorized access to customer payment data. The incidents originated from different regional offices and exploited misconfigured firewall rules. The risk manager needs to identify the root cause of these risks. Which approach would BEST help in identifying the root cause of the IT risk?

Question 22 (hard, multiple choice)

A financial institution is integrating a new cloud-based analytics platform that will process sensitive customer data. The project team is conducting risk identification. Which technique would be MOST effective for identifying risks related to the integration of this platform with existing on-premises systems?

Question 23 (easy, multiple choice)

A retail company uses a legacy inventory system that is no longer supported by the vendor. The IT department is planning to migrate to a modern cloud-based system. During risk identification, which of the following should be considered a PRIMARY risk?

Question 24 (medium, multiple choice)

A hospital uses a patient portal that allows patients to access their medical records. The portal has experienced multiple brute-force login attempts. The risk manager wants to identify the most critical risk scenario. Which of the following should be prioritized?

Question 25 (hard, multiple choice)

A technology startup is developing a mobile payment application. During a risk identification workshop, the team identifies a risk that the application may not comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. What is the BEST way to categorize this risk?

Question 26 (easy, multiple choice)

A manufacturing company uses an industrial control system (ICS) that is connected to the corporate network for monitoring. The risk manager is identifying risks related to this connectivity. Which of the following is the MOST significant risk?

Question 27 (medium, drag order)

Arrange the steps for performing a risk assessment in the correct order.

Question 28 (medium, drag order)

Order the steps for incident response handling.

Question 29 (medium, drag order)

Sequence the steps for developing a disaster recovery plan (DRP).

Question 30 (medium, matching)

Match each CRISC domain to its description.

Descriptions to match:

Establish and maintain a risk management framework
Identify and analyze IT risks
Select and implement risk mitigation controls
Continuously monitor and report risk status

Question 31 (medium, matching)

Match each control type to its example.

Examples to match:

Firewall blocking unauthorized traffic
Intrusion detection system alerts
Backup restoration after data loss
Security warning banners

Question 32 (medium, matching)

Match each compliance framework to its primary focus.

Primary focus areas to match:

Information security management system
Cybersecurity risk management framework
Payment card data security
Healthcare data privacy and security

Question 33 (easy, multiple choice)

A company is migrating its customer database to a public cloud provider. During the planning phase, which of the following is the MOST effective approach to identify risks specific to this migration?

Question 34 (medium, multiple choice)

During a merger and acquisition (M&A) due diligence, the acquiring company's IT risk manager is tasked with identifying risks in the target's IT environment. Which of the following would be the MOST effective technique to uncover hidden risks?

Question 35 (hard, multiple choice)

A software development team is adopting Agile methodology and wants to integrate risk identification into their sprints. Which approach BEST aligns with Agile principles while ensuring effective risk identification?

Question 36 (easy, multiple choice)

An organization uses a third-party SaaS provider for payroll processing. Which of the following is the BEST technique to identify risks associated with this vendor?

Question 37 (medium, multiple choice)

An internal audit report identifies that the IT department did not patch a critical vulnerability in a database server for 90 days. The risk manager wants to identify the root cause risk. Which approach should be used?

Question 38 (hard, multiple choice)

A financial institution is implementing a new real-time payment system that will process high-value transactions. To identify emerging risks, which method would be MOST effective during the development phase?

Question 39 (easy, multiple choice)

An IT risk manager is facilitating a workshop to identify risks for a new mobile banking application. Which technique is MOST appropriate for generating a comprehensive list of risks?

Question 40 (medium, multiple choice)

A business continuity manager wants to identify risks that could disrupt critical business processes. Which source of information would be MOST valuable for identifying such risks?

Question 41 (hard, multiple choice)

A security operations center (SOC) analyst notices multiple failed login attempts from an internal IP address followed by a successful login from an unusual geographic location. Which risk identification technique should the risk manager use to assess this as a potential risk?

Question 42 (medium, multi select)

Which TWO of the following are recognized techniques for identifying IT risks? (Select exactly 2.)

Question 43 (hard, multi select)

Which THREE of the following are essential components of a risk register that should be documented during risk identification? (Select exactly 3.)

Question 44 (easy, multi select)

A SIEM generates alerts for the following events. Which TWO events should be considered potential emerging risks? (Select exactly 2.)

Question 45 (medium, multiple choice)

Based on the exhibit, which of the following risks is MOST indicated by the policy configuration?

Exhibit:
```
# show security policies
policy from zone: untrust to zone: trust
  rule 1: source-address any, destination-address 10.0.1.0/24, application ssh, deny
  rule 2: source-address any, destination-address 10.0.1.5, application http, permit
  rule 3: source-address 192.168.2.0/24, destination-address 10.0.1.10, application mysql, permit
counter: 1245 hits
```
Question 46 (hard, multiple choice)

Based on the exhibit, what risk is indicated by the IAM policy?

Exhibit:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::corporate-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::corporate-data/*",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/external-auditor"
      }
    }
  ]
}
```
Question 47 (easy, multiple choice)

Based on the exhibit, what risk does this database error MOST directly indicate?

Exhibit:
```
[2025-03-15 14:23:11] ERROR: Deadlock detected in database 'HR_DB'.
Transaction (ID 4567) was chosen as the victim. Rollback initiated.
Query: UPDATE employees SET salary = ? WHERE dept_id = ?;
```
Question 48 (easy, multiple choice)

A company is identifying risks associated with a new cloud-based CRM. Which of the following is the MOST effective method for identifying potential threats?

Question 49 (medium, multiple choice)

An organization wants to identify risks related to third-party vendors. Which approach best supports continuous risk identification?

Question 50 (hard, multiple choice)

During a risk identification workshop, the team identifies a potential data leakage from a legacy system. What is the FIRST step the risk owner should take?

Question 51 (easy, multiple choice)

Which risk identification technique relies on analyzing past incidents to predict future risks?

Question 52 (medium, multiple choice)

A retail company is identifying risks in its supply chain. Which approach is most effective for identifying previously unknown risks?

Question 53 (hard, multiple choice)

A company is conducting a Risk Identification for a new payment processing system. The team discovers that the system does not have encryption at rest. This is an example of:

Question 54 (easy, multiple choice)

Which of the following is the PRIMARY purpose of a risk register in the risk identification phase?

Question 55 (medium, multiple choice)

An organization is using the OCTAVE method for risk identification. Which activity is typically performed FIRST?

Question 56 (hard, multiple choice)

A multinational corporation is identifying risks associated with cross-border data transfers. Which regulation's risk identification requirements are most relevant?

Question 57 (medium, multiple choice)

Refer to the exhibit. What is the MOST immediate risk identification action?

Exhibit (vulnerability scan report):
```
Vulnerability: CVE-2023-1234 (Critical) - Remote code execution in Apache Struts 2
Affected Hosts: 10.1.1.10, 10.1.1.20, 10.1.1.30
Port: 8080
Impact: CVSS 9.8
Patch available: Yes
```
Question 58 (hard, multiple choice)

Refer to the exhibit. What is the PRIMARY risk identified from this policy?

Exhibit:
```json
{
  "PolicyName": "S3-Bucket-Policy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-data/*"
    }
  ]
}
```
Question 59 (easy, multiple choice)

Refer to the exhibit. Which risk is MOST directly identified?

Exhibit (firewall rule configuration):
```
Rule 10: Allow TCP 3389 from 192.168.1.0/24 to 10.0.0.5
```
Question 60 (easy, multi select)

Which TWO are primary objectives of IT risk identification?

Question 61 (medium, multi select)

Which THREE of the following are effective techniques for identifying IT risks?

Question 62 (hard, multi select)

Which TWO risk identification techniques are most appropriate for identifying emerging risks from new technologies?

Question 63 (medium, multiple choice)

A company is migrating its legacy on-premises applications to a public cloud environment. Which risk identification technique is most appropriate for this scenario?

Question 64 (easy, multiple choice)

A SOC analyst observes repeated failed login attempts from an external IP address targeting a user account. What is the best next step in the IT risk identification process?

Question 65 (easy, multiple choice)

A company uses a third-party SaaS application for payroll processing. What is the most important activity to identify IT risks associated with this service?

Question 66 (medium, multiple choice)

A new web application is being developed using several open-source libraries. Which risk identification method is most effective for identifying vulnerabilities in these libraries?

Question 67 (medium, multiple choice)

A company plans to deploy an AI-based customer service chatbot that processes personal data. What risk should be identified as the highest priority?

Question 68 (hard, multiple choice)

During a merger and acquisition (M&A) due diligence, the IT risk manager needs to identify risks in the target company's IT environment. Which approach is most effective for comprehensive risk identification?

Question 69 (medium, multiple choice)

A company operates a legacy system for which the vendor no longer provides security patches. What is the most critical risk to identify regarding this system?

Question 70 (easy, multiple choice)

After a data breach has been contained, what is the most important action for identifying underlying IT risks?

Question 71 (medium, multiple choice)

A company uses a DevOps approach with a continuous integration/continuous deployment (CI/CD) pipeline. Which risk identification technique is best suited for detecting code vulnerabilities early in the development lifecycle?

Question 72 (medium, multi select)

Which TWO of the following are primary sources of IT risk identification? (Select exactly TWO.)

Question 73 (hard, multi select)

Which THREE of the following are effective risk identification techniques for a cloud migration project? (Select exactly THREE.)

Question 74 (easy, multi select)

Which THREE of the following are indicators of potential IT risk in an organization? (Select exactly THREE.)

Question 75 (medium, multiple choice)

Refer to the exhibit. What risk is most directly indicated by this log entry?

Exhibit (firewall log):
```
2025-03-15 14:23:45 src=10.0.1.100 dst=192.168.2.50 port=3389 action=deny
```
Question 76 (hard, multiple choice)

Refer to the exhibit. What risk is introduced by this IAM policy?

Exhibit:
```json
{
  "Policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }
}
```
Question 77 (easy, multiple choice)

Refer to the exhibit. What is the most likely risk indicated by this error log?

Exhibit (error log):
```
Error: SQL syntax error near ' OR 1=1 --
```
Question 78 (easy, multiple choice)

A company has implemented a new cloud-based customer relationship management (CRM) system. The IT risk manager is tasked with identifying risks related to this system. Which of the following is the MOST important risk identification technique to use initially?

Question 79 (medium, multiple choice)

During a risk assessment for a new financial application, the risk manager identifies that the application processes sensitive customer data and is accessible from the internet. Which of the following is the MOST appropriate risk scenario to document?

Question 80 (hard, multiple choice)

A multinational organization uses a third-party vendor for cloud-based identity management. The vendor recently suffered a data breach that exposed user credentials. The risk manager is now re-evaluating the associated risk. Which of the following steps should the risk manager perform FIRST to identify potential new risks?

Question 81 (easy, multiple choice)

A risk manager is identifying risks for a new mobile payment application. The application will use end-to-end encryption. Which of the following is the BEST source of risk information for identifying potential threats?

Question 82 (medium, multiple choice)

An organization is planning to deploy an IoT solution in a manufacturing plant. The risk manager is asked to identify risks associated with the integration of IoT devices into the plant network. Which of the following techniques would be MOST effective for identifying both technical and operational risks?

Question 83 (hard, multiple choice)

A risk manager is reviewing the risk register and notices that several risks have been identified as 'high' but no risk owner has been assigned. Which of the following is the MOST appropriate action to ensure proper risk identification going forward?

Question 84 (easy, multiple choice)

An organization is implementing a new data loss prevention (DLP) solution. The risk manager is identifying potential risks related to the DLP solution itself. Which of the following is a risk that should be considered?

Question 85 (medium, multiple choice)

A risk manager is identifying risks for an organization that uses a hybrid cloud environment. The organization stores sensitive data on-premises and in the cloud. Which of the following is the MOST effective method for identifying risks related to data residency and compliance?

Question 86 (hard, multiple choice)

A risk manager discovers that a business unit has been using an unapproved software-as-a-service (SaaS) application for three months. The application stores customer PII. Which of the following risk identification techniques should the risk manager use to understand the full extent of the risk?

Question 87 (easy, multi select)

Which TWO of the following are primary sources of risk identification for IT projects?

Question 88 (medium, multi select)

Which TWO of the following are valid risk scenarios that should be documented during IT risk identification?

Question 89 (hard, multi select)

Which THREE of the following are commonly used techniques for identifying IT risks in a large enterprise?

Question 90 (medium, multiple choice)

Refer to the exhibit. During a risk identification exercise for the internal network, the risk manager reviews this firewall log entry. Which of the following risks is MOST directly suggested by this log entry?

Exhibit (firewall log entry):
```
Time: 2023-08-15 14:32:17
Source IP: 192.168.1.100
Destination IP: 10.0.0.50
Port: 445 (SMB)
Action: ALLOW
Rule: INTERNAL_ACCESS
```
Question 91 (hard, multiple choice)

Refer to the exhibit. A risk manager is reviewing IAM policies for an S3 bucket used for sensitive data. This policy allows which of the following?

Exhibit

```
=== AWS IAM Policy (JSON) ===
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::company-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
=== End of Policy ===
```

Question 92 (easy, multiple choice)

Refer to the exhibit. During a risk identification review, the risk manager sees this IDS alert. What risk does this alert MOST directly indicate?

Exhibit

```
=== IDS Alert ===
Timestamp: 2024-01-10 09:45:22
Signature ID: 2100498
Signature Name: ET POLICY Suspicious Inbound to MSSQL Port
Source IP: 203.0.113.5
Destination IP: 192.168.10.50
Destination Port: 1433
Protocol: TCP
Alert Severity: High
=== End of Alert ===
```

Question 93 (medium, multiple choice)

During a cloud migration project, the IT risk manager is identifying risks associated with data residency. Which of the following is the MOST effective method to identify applicable regulatory requirements?

Question 94 (easy, multiple choice)

A vulnerability scan of the internal network reveals a critical vulnerability in a legacy application that cannot be patched immediately. What is the FIRST step the risk practitioner should take?

Question 95 (hard, multiple choice)

An organization is evaluating threat intelligence feeds to improve IT risk identification. Which of the following criteria should be given the HIGHEST priority when selecting a feed?

Question 96 (medium, multiple choice)

A company is conducting a risk assessment of a critical third-party service provider. Which of the following is the BEST source of information to identify risks associated with the provider's sub-processors?

Question 97 (easy, multiple choice)

An organization is updating its asset inventory to improve IT risk identification. Which of the following asset attributes is MOST critical for assessing cybersecurity risk?

Question 98 (hard, multiple choice)

A risk practitioner is analyzing the results of a phishing simulation. The simulation had a 15% click rate on a test email targeting finance department staff. Which of the following conclusions is MOST valid regarding IT risk identification?

Question 99 (medium, multiple choice)

During a risk identification workshop, the business process owner states that a key system has no documented dependencies. What is the BEST next step for the risk practitioner?

Question 100 (hard, multiple choice)

An organization is implementing a data classification scheme. Which of the following classification categories would be MOST effective for identifying risks related to intellectual property theft?

Question 101 (easy, multiple choice)

A risk practitioner is reviewing system logs and notices multiple failed login attempts from a foreign IP address. This observation is an example of which type of risk identification activity?

Question 102 (medium, multi select)

Which TWO of the following are primary techniques for identifying IT risks in an organization? (Choose two.)

Question 103 (hard, multi select)

Which THREE of the following are key indicators that a risk identification process is effective? (Choose three.)

Question 104 (easy, multi select)

Which TWO of the following are examples of external risk identification sources? (Choose two.)

Question 105 (hard, multiple choice)

Based on the firewall log exhibit, which of the following conclusions is MOST appropriate for risk identification?

Exhibit (Firewall Log)

```
2024-02-10 08:23:45 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:46 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:47 DENY TCP 10.0.1.15 3389 203.0.113.50 443
2024-02-10 08:23:48 ALLOW TCP 10.0.1.10 443 198.51.100.20 3389
```

Question 106 (medium, multiple choice)

A mid-sized retail company operates 50 stores across three regions. Each store uses a point-of-sale (POS) system that transmits credit card transactions to a centralized payment processor. The company recently deployed a new SaaS-based inventory management application that connects to the POS system via API. The IT department has no formal process for tracking third-party connections. The risk manager suspects that unknown or unauthorized connections may exist. During a risk identification review, the risk manager discovers that the POS vendor's API documentation was shared with the inventory SaaS provider without a non-disclosure agreement (NDA). Additionally, the API keys for the POS system are stored in plain text configuration files on the inventory SaaS application server. The company's security policy requires encryption of all sensitive data in transit and at rest. Which of the following should the risk manager prioritize as the HIGHEST risk scenario to document in the risk register?

Question 107 (hard, multiple choice)

A financial institution is migrating its core banking system from an on-premises data center to a public cloud infrastructure. The migration is planned in phases over 18 months. The IT risk manager is tasked with identifying risks during the transition. During the first phase, the team moves non-critical applications to the cloud. A vulnerability assessment of the cloud environment reveals that several virtual machines have default administrative credentials enabled. Additionally, the cloud security group configuration for the application tier allows inbound SSH from the entire internet (0.0.0.0/0). The risk manager also learns that the cloud provider's shared responsibility model is not fully understood by the operations team, who believe the provider is responsible for all security controls. The institution's risk appetite statement allows for moderate risk tolerance but prohibits any exposure that could lead to unauthorized access to customer financial data. Which of the following risk scenarios should the risk manager identify as the MOST critical to address immediately?

Question 108 (medium, multiple choice)

During a risk assessment for a cloud migration project, the risk team identifies that the new SaaS application has not been tested for interoperability with existing identity management systems. The project manager argues that the integration will be straightforward and asks to remove this from the risk register. Which of the following is the BEST response from the risk practitioner?

Question 109 (hard, multiple choice)

An organization has recently suffered a ransomware attack that encrypted critical files. During the post-incident review, the risk team is identifying key risk indicators (KRIs) to improve early detection. Which of the following KRIs would be MOST effective in detecting similar attacks in the future?

Question 110 (easy, multiple choice)

A risk practitioner is facilitating a workshop to identify IT risks for a new product launch. Which technique BEST encourages participants to think about risks from different perspectives?

Question 111 (medium, multiple choice)

During a review of third-party vendor risks, the risk team identifies that a cloud service provider's data center is located in a country with unstable political conditions. What should the risk practitioner do FIRST?

Question 112 (easy, multi select)

A risk practitioner is identifying risks related to a new API gateway implementation. Which TWO of the following are MOST likely to be significant risks?

Question 113 (medium, multi select)

An organization is migrating on-premises applications to a public cloud. Which THREE of the following should be considered as key risk identification activities?

Question 114 (hard, multi select)

A company's IT risk team is conducting a risk identification exercise for a new blockchain-based supply chain solution. Which THREE risks are MOST specific to this technology?

Question 115 (easy, multiple choice)

A medium-sized e-commerce company recently experienced a denial-of-service (DoS) attack that took down its website for two hours. The incident response team quickly mitigated the attack by blocking the source IPs. In the aftermath, the risk manager is tasked with identifying risks to prevent recurrence. The company relies heavily on a single internet service provider (ISP) and has no DDoS protection service. The IT director suggests purchasing additional server capacity to absorb future attacks. The CEO is concerned about the cost. The risk team has identified that the likelihood of a similar attack is high based on recent industry trends, and the impact includes lost revenue and customer trust. What is the MOST effective risk identification action the risk team should take next?

Question 116 (medium, multiple choice)

A large healthcare organization is implementing a new electronic health record (EHR) system. During the risk identification process, the risk team discovers that the EHR vendor has a history of minor security incidents but has always resolved them quickly. The vendor’s data center is located in a region prone to earthquakes. Additionally, the EHR system will integrate with several legacy systems that have known vulnerabilities. The project sponsor is keen to proceed and believes the vendor is reputable. The risk team needs to ensure all relevant risks are identified and documented. Which of the following should be the PRIORITY for the risk team?

Question 117 (hard, multiple choice)

An international bank is expanding its operations into a new country with strict data localization laws. The IT department plans to use a cloud service provider that stores data in neighboring countries but promises compliance. The risk team has identified several potential risks: regulatory fines for non-compliance, data interception during cross-border transmission, and difficulty in auditing the cloud provider. The legal team advises that the contract includes data protection clauses, but these have not been tested. The risk manager must now prioritize risk identification efforts. What is the MOST important risk identification step the risk team should undertake?

Question 118 (medium, multiple choice)

A manufacturing company uses IoT sensors on the factory floor to monitor equipment performance. The sensors transmit data to a central server via Wi-Fi. During a risk identification workshop, the operations manager reveals that some sensors are operating on outdated firmware with known vulnerabilities. The IT director proposes replacing all sensors at a high cost. The risk team notes that a breach could cause production downtime but the sensors only collect non-sensitive operational data. The company has a low tolerance for downtime. What should the risk team identify as the most critical risk?

Question 119 (hard, multiple choice)

A software development company uses a DevOps pipeline with automated code deployment. Recently, a developer accidentally pushed a configuration file containing database credentials to a public repository. The credentials were changed within an hour, but the file remained public for a few hours. The risk team is now identifying risks in the CI/CD process. The security team has proposed adding static code analysis to detect secrets in code. The development team objects, citing false positives. The risk manager must identify the most significant risk that could lead to a data breach. Which risk should be prioritized?

Question 120 (easy, multiple choice)

A retail company is planning to launch a mobile payment app. The risk team is identifying potential risks related to payment card industry (PCI) compliance. The app will process credit card numbers. The development team has implemented tokenization to replace card numbers with tokens, but the token vault is located on-premises. The network architect proposes exposing the token vault to the internet for mobile app access. The compliance officer is concerned about PCI DSS requirements. The risk manager needs to identify the highest risk related to this setup. What is the primary risk?

Question 121 (medium, multiple choice)

A university's IT department is implementing a single sign-on (SSO) solution for students and faculty. The solution will integrate with existing Active Directory and a cloud-based learning management system (LMS). During risk identification, the team learns that the SSO vendor had a minor security incident last year. The university's security policy requires multi-factor authentication (MFA) for all administrative access, but the SSO solution does not support MFA for student accounts. The project manager insists that MFA for students is not necessary because they only access academic records. The risk team must identify the most significant risk that could affect the university's reputation. Which risk should be documented?

Question 122 (medium, multi select)

A risk manager is facilitating a risk identification workshop for a new cloud migration initiative. Which TWO techniques are most effective for identifying potential IT risks at this stage?

Question 123 (hard, multiple choice)

What is the most significant risk identified by this configuration?

Exhibit

```json
{
  "PolicyName": "S3BucketAccessPolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::critical-data/*"
    }
  ]
}
```

Question 124 (easy, multiple choice)

A smart manufacturing company has deployed hundreds of IoT sensors and actuators across its production line. These devices are connected directly to the corporate network without any segmentation and communicate using unencrypted protocols. A third-party vendor manages all IoT devices and has administrative access from their own network. Recently, the IT team detected unusual outbound traffic from the IoT segment to unknown IP addresses on the internet. The risk manager is leading a risk identification workshop. Based on this scenario, what is the most critical risk to the organization that should be identified and documented?
