Certified in Risk and Information Systems Control CRISC (CRISC) — Questions 175

500 questions total · 7 pages · All types, answers revealed

1. MCQ (hard)

A board member asks for a summary of the top five risks. The risk practitioner has 10 risks with current residual risk levels. Which approach BEST supports board-level reporting?

A. Present the top five by residual risk level, including a trend indicator
B. Only highlight risks that have increased since last quarter
C. List risks alphabetically with current control status
D. Provide a detailed risk register with all 10 risks and full risk analysis
Answer: A

Trend shows direction and urgency.

Why this answer

The correct answer is A. Reporting should include both current status and trend to inform decision-making. Option B is too granular. Option C omits risk level. Option D is incomplete without trend.

2. Drag & Drop (medium)

Arrange the steps for performing a risk assessment in the correct order.


Why this order

Risk assessment begins with asset identification, then threats/vulnerabilities, followed by likelihood and impact analysis, risk calculation, and documentation.

3. MCQ (medium)

A manufacturing company uses Internet of Things (IoT) sensors to monitor equipment temperature and vibration on the production floor. The sensor data is automatically sent to a central system, but there is a manual log maintained by operators that records their visual inspections. Recently, there have been instances where the sensor data indicated abnormal readings, but the operator logs showed normal conditions, leading to delayed maintenance actions and two equipment breakdowns. The risk manager investigates and finds that operators sometimes forget to update logs or misinterpret sensor alerts. The company wants to improve the reliability of the monitoring process. What should be the primary action?

A. Reduce reliance on IoT sensors and increase manual inspections.
B. Replace all IoT sensors with newer models that have better accuracy.
C. Provide additional training to operators on how to accurately fill in logs and respond to sensor alerts.
D. Implement automated reconciliation between sensor data and operator logs, flagging discrepancies in real time.
Answer: D

Directly addresses the inconsistency and enables timely corrective action.

Why this answer

Automated reconciliation between sensor data and operator logs would highlight discrepancies immediately, allowing quick investigation. Replacing all sensors (B) is costly and not focused; training (C) alone may not overcome human error; reducing sensor reliance (A) ignores the value of automated alerts.

4. MCQ (easy)

A small online retailer with 15 employees sells handmade crafts through its e-commerce website. The company processes payments via a third-party gateway. The owner manually reviews transaction logs once a week for fraud indicators, but recently discovered three chargebacks due to unauthorized transactions. The retailer has limited IT budget and no dedicated security staff. The owner wants to improve detection of fraudulent transactions without significant investment. The current manual process takes about two hours per week and often results in delayed detection. The payment gateway offers basic fraud detection features such as IP geolocation and velocity checks, but these are not enabled. What is the most practical first step?

A. Enable the built-in fraud detection features offered by the payment gateway.
B. Hire a part-time fraud analyst to review logs daily.
C. Purchase an automated fraud detection system from a third-party vendor.
D. Accept the current risk and set aside a reserve fund for chargebacks.
Answer: A

Leverages existing capability at no additional cost; immediate improvement.

Why this answer

Enabling the existing fraud detection features in the payment gateway is quick, low-cost, and can immediately improve detection. Buying a new system (C) is expensive; hiring staff (B) is not feasible; accepting the risk (D) is not acceptable given the recent chargebacks.

5. MCQ (medium)

A risk assessment reveals that the cost of implementing a control ($500k) exceeds the annualized loss expectancy (ALE) of $300k. The risk is currently within the organization's risk appetite. What is the appropriate risk response?

A. Accept the risk
B. Implement the control
C. Avoid the risk
D. Transfer the risk
Answer: A

Acceptance is justified when mitigation is not cost-effective.

Why this answer

Option A is correct because accepting the risk is cost-effective when the control cost exceeds the ALE and the risk is within appetite. Options B, C, and D are incorrect.

6. MCQ (medium)

Based on the exhibit, which of the following risks is MOST indicated by the policy configuration?

A. Exposure of web server to untrusted networks without encryption
B. Data exfiltration via MySQL from the internet
C. Unauthorized SSH access to the internal network
D. Policy misconfiguration causing low hits on rule 3
Answer: A

HTTP traffic is unencrypted and allowed from any source.

Why this answer

The policy configuration shows a rule allowing inbound HTTP/HTTPS traffic from the internet to a web server without any associated encryption requirement (e.g., no TLS enforcement or VPN). This directly exposes the web server to untrusted networks, making it vulnerable to man-in-the-middle attacks and data interception, which is the most significant risk indicated.

Exam trap

The trap here is that candidates focus on the specific service (HTTP/HTTPS) and overlook the lack of encryption as the primary risk, treating data exfiltration or unauthorized access as the more obvious threats, even though the policy explicitly permits unencrypted traffic from untrusted networks.

How to eliminate wrong answers

Option B is wrong because data exfiltration via MySQL from the internet would require a specific rule allowing MySQL traffic (port 3306) from the internet, which is not shown in the exhibit; the policy only permits HTTP/HTTPS. Option C is wrong because unauthorized SSH access to the internal network would require a rule allowing SSH traffic (port 22) from the internet, which is absent; SSH is typically blocked or restricted. Option D is wrong because policy misconfiguration causing low hits on rule 3 is a performance or tuning issue, not a risk; the question asks for the most indicated risk, and low hits do not represent a security exposure.

7. Multi-Select (medium)

Which THREE of the following are effective techniques for identifying IT risks?

Select 3 answers
A. Root cause analysis
B. Cost-benefit analysis
C. Brainstorming
D. Vulnerability scanning
E. SWOT analysis
Answers: C, D, E

Brainstorming is a common technique for risk identification.

Why this answer

Brainstorming is a structured group technique that leverages the collective expertise of stakeholders to identify a wide range of IT risks, including emerging threats and vulnerabilities that may not be captured by automated tools. It is effective because it encourages creative thinking and surfaces risks related to business processes, third-party dependencies, and human factors that are often missed by purely technical assessments.

Exam trap

The trap here is confusing risk identification techniques with risk analysis or risk treatment techniques, leading candidates to select root cause analysis (a post-incident technique) or cost-benefit analysis (a decision-making tool) instead of recognizing that brainstorming, vulnerability scanning, and SWOT analysis are all valid methods for initially identifying risks.

8. MCQ (hard)

An organization is implementing a data classification scheme. Which of the following classification categories would be MOST effective for identifying risks related to intellectual property theft?

A. Restricted
B. Internal
C. Confidential
D. Public
Answer: C

Confidential is the standard category for sensitive business information.

Why this answer

Confidential data is the classification category specifically designed to protect sensitive information that, if disclosed, could cause significant harm to the organization, including intellectual property theft. In a data classification scheme, 'Confidential' typically applies to trade secrets, source code, and proprietary designs, making it the most effective category for identifying and mitigating risks related to IP theft.

Exam trap

The trap here is that candidates often confuse 'Restricted' with 'Confidential' due to military/government classification hierarchies, but in a corporate context, 'Confidential' is the standard category for intellectual property, while 'Restricted' is typically reserved for highly sensitive data like PII or PHI under GDPR or HIPAA.

How to eliminate wrong answers

Option A is wrong because 'Restricted' is often a higher classification than Confidential (e.g., in government or military contexts) and may be too narrow or not aligned with standard corporate IP protection tiers, potentially causing overclassification and operational friction. Option B is wrong because 'Internal' data is intended for internal use but does not imply the high level of sensitivity required for intellectual property; it typically covers general business communications and policies, not trade secrets. Option D is wrong because 'Public' data is explicitly intended for unrestricted disclosure and poses no risk of IP theft, as it is already in the public domain.

9. Multi-Select (hard)

Which THREE of the following are common challenges when implementing a risk monitoring dashboard? (Select exactly three.)

Select 3 answers
A. Data quality and consistency issues
B. Lack of clear ownership for monitoring
C. Reduced need for manual controls
D. Overwhelming amount of information displayed
E. Improved decision-making
Answers: A, B, D

Common due to multiple sources.

Why this answer

Data quality and consistency issues (A) are a common challenge because risk monitoring dashboards aggregate data from multiple sources, each with its own format, timeliness, and accuracy. Inconsistent data leads to unreliable metrics and false alarms, undermining the dashboard's purpose of providing a single source of truth for risk posture.

Exam trap

The trap here is confusing the challenges of implementation with the benefits or outcomes of the dashboard, leading candidates to select 'reduced need for manual controls' or 'improved decision-making' as challenges instead of recognizing them as positive results.

10. MCQ (medium)

A financial institution has implemented a continuous monitoring solution for its core banking application. The monitoring team receives an alert indicating that the average response time for a critical transaction has exceeded the threshold for the past 15 minutes. The transaction volume during this period is within normal range. What should be the FIRST step in the incident response process?

A. Contact the application vendor to report a potential performance issue.
B. Verify the alert by reviewing real-time logs and metrics, then assess the potential impact on business operations.
C. Compare current response time with historical baselines to determine if this is an anomaly.
D. Escalate the alert to the IT operations manager and the application owner immediately.
Answer: B

Verification and impact assessment are the correct first steps.

Why this answer

The first step in incident response is to validate the alert by reviewing real-time logs and metrics to confirm it is not a false positive, and then assess the potential impact on business operations. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis precede containment or escalation. Without verification, subsequent actions like vendor contact or escalation may be premature and waste resources.

Exam trap

The trap here is that candidates may confuse 'analysis' (comparing to baselines) or 'escalation' as the first step, but CRISC emphasizes that verification and impact assessment must precede any further action to avoid wasted effort on false alarms.

How to eliminate wrong answers

Option A is wrong because contacting the application vendor should occur only after the alert is verified and the issue is confirmed to be a software defect, not as a first step. Option C is wrong because comparing with historical baselines is part of analysis but should follow verification of the current alert data; it is not the immediate first action. Option D is wrong because immediate escalation without verification risks unnecessary alarm and misdirected effort; escalation is appropriate only after confirming a genuine incident and assessing its severity.

11. MCQ (easy)

Which of the following is the PRIMARY benefit of using a risk register for monitoring?

A. Provides real-time alerts.
B. Centralized repository of all risks.
C. Eliminates the need for KRIs.
D. Automates control testing.
Answer: B

A risk register provides a single source of truth for risk information.

Why this answer

A risk register serves as a centralized repository for all identified risks, enabling consistent monitoring and reporting. Option B is correct. Option D is incorrect because risk registers do not automate control testing. Option C is wrong because KRIs complement the register rather than being replaced by it. Option A is not a primary benefit; real-time alerts typically come from other tools.

12. MCQ (medium)

A healthcare organization operates a legacy electronic health record (EHR) system that is manually monitored for access anomalies by a small IT team. The organization is planning to migrate to a new cloud-based EHR with integrated logging and monitoring. However, due to budget constraints, the migration will take two years. In the interim, the risk manager wants to improve monitoring for unauthorized access to patient data. The current manual process involves weekly log reviews, but recent audits have identified instances of delayed detection (up to two weeks) and missed incidents. The IT team can dedicate only 10 additional hours per week for monitoring. What is the best approach to enhance monitoring during the transition period?

A. Outsource the monitoring to a third-party managed security service provider.
B. Implement a full automation suite for access monitoring immediately.
C. Use a phased risk-based approach, prioritizing monitoring of high-risk areas such as privileged accounts and sensitive patient data.
D. Accept the current monitoring state as adequate given the upcoming migration.
Answer: C

Targets the highest risks with limited resources; feasible and effective.

Why this answer

A phased approach focusing on high-risk areas (e.g., privileged accounts, sensitive data) optimizes limited resources. Full automation (B) is too costly; outsourcing (A) may raise data privacy issues; accepting the current state (D) is irresponsible given the audit findings.

13. Multi-Select (medium)

Which TWO of the following are valid risk scenarios that should be documented during IT risk identification?

Select 2 answers
A. An employee may inadvertently share confidential data via email due to lack of data classification training.
B. The organization must comply with GDPR requirements for data protection.
C. An external attacker may exploit weak password policies to gain access to the email system and exfiltrate sensitive data.
D. The database server has not been patched for critical vulnerabilities.
E. The IT department will implement multi-factor authentication to reduce the risk of unauthorized access.
Answers: A, C

This is a risk scenario with threat, vulnerability, and impact.

Why this answer

Option A is correct because it describes a specific risk scenario: an employee inadvertently sharing confidential data via email due to lack of data classification training. This is a valid risk scenario as it identifies a threat (human error), a vulnerability (insufficient training), and a potential impact (data leakage). In IT risk identification, scenarios must be concrete and actionable, not just statements of compliance or controls.

Exam trap

The trap here is that candidates often mistake compliance requirements (option B) or control implementations (option E) for risk scenarios, but CRISC requires scenarios to describe specific threat events with a clear cause-effect chain, not static states or planned actions.

14. MCQ (medium)

A financial services company uses a legacy mainframe system for core banking transactions. The risk assessment identifies that the system does not support modern encryption standards, and data is transmitted in clear text over internal networks. The IT department has proposed implementing network segmentation and encryption at the application layer using a middleware solution. However, the cost is high and the project would take 18 months. Meanwhile, the company is planning to migrate to a new core system in two years. The risk appetite for data confidentiality is low. As the risk practitioner, what is the MOST appropriate risk response?

A. Implement compensating controls such as strict network access controls and monitoring.
B. Transfer the risk by purchasing cyber insurance covering data breach incidents.
C. Accept the risk because the system will be replaced in two years.
D. Avoid the risk by accelerating the migration to the new system within 18 months.
Answer: A

Compensating controls reduce risk immediately.

Why this answer

The correct response is to implement compensating controls such as strict network access controls and monitoring. Given the low risk appetite for data confidentiality, the 18-month delay for the middleware solution is unacceptable, and the two-year migration timeline leaves a significant exposure window. Compensating controls like VLAN segmentation, ACLs, and continuous traffic monitoring can reduce the likelihood of exploitation of the clear-text transmission without requiring changes to the legacy mainframe itself.

Exam trap

The trap here is that candidates may confuse 'accepting the risk' with a valid response when a migration is planned, but the low risk appetite for data confidentiality makes acceptance inappropriate, and they may overlook that compensating controls can be implemented quickly and cost-effectively to reduce exposure.

How to eliminate wrong answers

Option B is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of a data breach; the low risk appetite for confidentiality requires a control that protects the data, not just compensates for losses. Option C is wrong because accepting the risk for two years violates the stated low risk appetite for data confidentiality, as clear-text transmission over internal networks is a direct exposure that could lead to a breach. Option D is wrong because accelerating the migration to 18 months is not feasible without a detailed project plan and budget, and it still leaves a gap; moreover, 'avoiding' risk by accelerating does not address the immediate exposure during the migration period.

15. MCQ (medium)

An organization is planning to deploy an IoT solution in a manufacturing plant. The risk manager is asked to identify risks associated with the integration of IoT devices into the plant network. Which of the following techniques would be MOST effective for identifying both technical and operational risks?

A. Conduct a SWOT analysis of the IoT project
B. Facilitate a brainstorming session with IT, operational technology (OT), and safety teams
C. Interview the plant manager about operational challenges
D. Send a risk questionnaire to employees
Answer: B

Brainstorming with diverse teams identifies both technical and operational risks.

Why this answer

A brainstorming session that includes IT, operational technology (OT), and safety teams is the most effective technique because IoT integration creates a convergence of traditional IT risks (e.g., network segmentation, patch management) with OT-specific risks (e.g., real-time control system integrity, safety interlocks) and physical safety hazards. This cross-functional approach surfaces technical risks like unpatched firmware vulnerabilities in programmable logic controllers (PLCs) and operational risks such as unplanned downtime due to misconfigured device-to-controller communication protocols (e.g., Modbus/TCP without authentication).

Exam trap

ISACA often tests the misconception that a single-stakeholder interview or a generic analysis tool is sufficient for risk identification in converged IT/OT environments, when in reality the most effective technique requires collaborative input from all relevant technical and operational domains to capture the full spectrum of risks.

How to eliminate wrong answers

Option A is wrong because a SWOT analysis is a high-level strategic tool that identifies strengths, weaknesses, opportunities, and threats but lacks the granularity to uncover specific technical risks like insecure MQTT broker configurations or operational risks like loss of safety-critical sensor data. Option C is wrong because interviewing only the plant manager provides a narrow, managerial perspective that misses deep technical risks from OT engineers (e.g., legacy fieldbus vulnerabilities) and safety risks from safety engineers (e.g., failure modes of IoT-triggered emergency stops). Option D is wrong because a risk questionnaire sent to employees is a passive, one-way data collection method that cannot dynamically probe or clarify complex IoT-specific risks such as latency-induced control loop instability or interference between Wi-Fi and industrial wireless protocols like WirelessHART.

16. MCQ (easy)

A company has identified a critical vulnerability in a legacy application that cannot be patched immediately. The application is used by a small number of users and supports a non-critical business process. Which of the following is the MOST appropriate risk response strategy?

A. Avoidance
B. Transfer
C. Acceptance
D. Mitigation
Answer: C

Acceptance is appropriate when risk is low impact and cannot be mitigated or transferred easily.

Why this answer

Option C is correct because acceptance is the appropriate response when the risk is low impact and cannot be mitigated or transferred easily. Option A is wrong because avoidance would mean decommissioning the application, which is not necessary. Option B is wrong because transfer would require insurance or outsourcing, which is not cost-effective. Option D is wrong because mitigation would involve patching, which is not possible.

17. Multi-Select (medium)

Which TWO of the following are primary purposes of risk and control monitoring? (Choose two.)

Select 2 answers
A. To identify opportunities for implementing new controls.
B. To ensure compliance with all regulatory requirements.
C. To verify that controls are operating as intended.
D. To provide assurance to stakeholders on risk management.
E. To eliminate all residual risk.
Answers: C, D

Verification of control effectiveness is a core monitoring objective.

Why this answer

Options C and D are correct. Monitoring ensures controls are operating effectively and provides evidence for assurance. Option E is wrong because eliminating all residual risk is not possible; monitoring helps manage risk, not eliminate it. Option A is wrong because implementing new controls is a response, not a purpose of monitoring. Option B is wrong because compliance is a result, but the primary purpose is to assess effectiveness.

18. Matching (medium)

Match each risk assessment method to its characteristic.


Uses numerical values like ALE and SLE

Uses ordinal scales like high/medium/low

Combines numeric values with qualitative scales

Evaluates risks based on hypothetical events

Why these pairings

Risk assessment methods vary in how they measure and communicate risk.

19. MCQ (hard)

During a quarterly risk review, it is discovered that a previously accepted risk has materialized due to a change in the external environment. What is the MOST appropriate response?

A. Report to regulators.
B. Increase insurance coverage.
C. Accept the impact.
D. Re-evaluate the risk treatment plan.
Answer: D

A materialized risk indicates the original plan is no longer adequate, requiring reassessment.

Why this answer

When a risk materializes, the treatment plan must be re-evaluated to address the new circumstances. Option D is correct. Option C accepts the impact without action. Option B is a specific treatment that may not be appropriate. Option A is premature without assessment.

20. MCQ (easy)

A company is migrating its customer database to a public cloud provider. During the planning phase, which of the following is the MOST effective approach to identify risks specific to this migration?

A. Review industry risk reports for similar migrations
B. Rely on the cloud provider's published risk documentation
C. Perform a compliance checklist review
D. Conduct a threat modeling exercise focusing on the cloud architecture
Answer: D

Threat modeling identifies environment-specific threats like data exposure and misconfigurations.

Why this answer

Conducting a threat modeling exercise (D) is the most effective approach because it systematically identifies threats, vulnerabilities, and attack vectors specific to the cloud architecture, data flow, and trust boundaries of the migration. Unlike generic reviews, threat modeling (e.g., using STRIDE or PASTA) directly addresses the unique risks of moving a customer database to a public cloud, such as misconfigured access controls, insecure APIs, or data exposure during transit.

Exam trap

The trap here is that candidates often choose a compliance checklist (C) or industry reports (A) because they seem thorough and authoritative, but the CRISC exam emphasizes that risk identification must be proactive and architecture-specific, not reactive or generic.

How to eliminate wrong answers

Option A is wrong because industry risk reports provide aggregated, historical data that may not reflect the specific architecture, provider, or configuration of this migration, leading to missed context-sensitive risks. Option B is wrong because relying solely on the cloud provider's published risk documentation shifts responsibility and fails to account for the customer's own configuration errors, shared responsibility model gaps, or application-layer vulnerabilities. Option C is wrong because a compliance checklist review only verifies adherence to regulatory standards (e.g., GDPR, PCI DSS) but does not identify technical threats like privilege escalation, data leakage, or denial-of-service risks unique to the cloud deployment.

21. Multi-Select (hard)

An organization assesses a risk of intellectual property theft through email exfiltration. They decide to enforce DLP controls, purchase a cyber liability policy, and officially accept the residual risk after controls. Which THREE risk response options are demonstrated?

Select 3 answers
A. Avoid
B. Reduce
C. Mitigate
D. Accept
E. Transfer
Answers: C, D, E

DLP controls mitigate the risk.

Why this answer

Options C, D, and E are correct: Mitigate via DLP controls, Accept the residual risk, and Transfer via the cyber liability policy. Options A and B are not used.

22. MCQ (medium)

After implementing a set of controls, the risk owner calculates the residual risk and finds it is still above the risk tolerance. However, the cost to further reduce the risk exceeds the potential loss. What is the MOST appropriate next step?

A. Formally accept the residual risk
B. Re-assess the inherent risk
C. Reduce current controls to lower costs
D. Implement additional controls despite the cost
Answer: A

Acceptance with sign-off is appropriate when mitigation is too costly.

Why this answer

Option A is correct because when additional mitigation is cost-prohibitive, acceptance with formal sign-off is appropriate. Option D is wrong because implementing further controls is not cost-effective. Option C is wrong because reducing controls would increase risk. Option B is wrong because re-assessing the inherent risk does not change the situation.

23. Multi-Select (easy)

Which TWO of the following are examples of inherent risk?

Select 2 answers
A. Risk of unauthorized access due to weak password policy
B. Risk of data breach due to unencrypted sensitive data
C. Residual risk after implementing firewalls
D. Risk appetite defined by the board
E. Risk reduction achieved by multifactor authentication
Answers: A, B

This is a risk that exists without controls.

Why this answer

Inherent risk is the risk that exists in the absence of any controls or mitigations. Option A describes the risk of unauthorized access due to a weak password policy, which is a vulnerability present before any compensating controls (like multifactor authentication) are applied. Option B describes the risk of a data breach due to unencrypted sensitive data, which is a direct exposure that exists before encryption controls are implemented.

Both represent the raw, uncontrolled risk level.

Exam trap

The trap here is confusing inherent risk with residual risk or control effectiveness; candidates often pick options that describe the result of controls (like risk reduction) or the state after controls (residual risk) instead of the raw, uncontrolled exposure.

24. Multi-Select (medium)

Which TWO of the following are key risk identification techniques used to identify threats and vulnerabilities in IT systems? (Select exactly 2.)

Select 2 answers
A. Risk mitigation
B. Vulnerability scanning
C. Risk transfer
D. Threat modeling
E. Access control implementation
Answers: B, D

Vulnerability scanning identifies known vulnerabilities.

Why this answer

Vulnerability scanning is a key risk identification technique that systematically probes IT systems for known vulnerabilities, such as unpatched software or misconfigurations, using tools like Nessus or OpenVAS. It directly identifies weaknesses that could be exploited by threats, making it essential for the risk identification phase.

Exam trap

The trap here is confusing risk identification techniques (like scanning and modeling) with risk response strategies (like mitigation, transfer, or control implementation), leading candidates to select options that are actually post-identification actions.

25. MCQ (hard)

A risk assessment for a healthcare organization reveals a high likelihood of data breaches due to weak encryption on portable devices. The organization decides to deploy full-disk encryption and enforce multi-factor authentication. Which risk response strategy is being applied?

A. Transfer
B. Acceptance
C. Avoidance
D. Mitigation
Answer: D

Controls reduce risk.

Why this answer

Deploying full-disk encryption and multi-factor authentication directly reduces the likelihood and/or impact of data breaches from weak encryption on portable devices. This is the definition of risk mitigation — applying controls to lower risk to an acceptable level. The organization is actively reducing the vulnerability, not transferring, accepting, or avoiding the risk.

Exam trap

The trap here is that candidates often confuse 'avoidance' with 'mitigation' — avoidance eliminates the risk by discontinuing the activity (e.g., banning portable devices), while mitigation reduces the risk through controls like encryption and MFA.

How to eliminate wrong answers

Option A is wrong because risk transfer involves shifting the financial burden of a loss to a third party (e.g., cyber insurance), not implementing technical controls like encryption or MFA. Option B is wrong because risk acceptance means acknowledging the risk and taking no proactive action to reduce it, which contradicts the decision to deploy new security measures. Option C is wrong because risk avoidance would mean ceasing the use of portable devices entirely or eliminating the process that creates the risk, not strengthening the protection on those devices.

26. MCQ (easy)

Which of the following is the BEST practice for determining the frequency of control monitoring activities?

A.Standardize all controls to quarterly monitoring
B.Monitor only after a control failure is detected
C.Set frequency based solely on regulatory minimum requirements
D.Align monitoring frequency with risk level and control effectiveness assessment
AnswerD

Risk-based monitoring ensures resources are focused on higher risks.

Why this answer

Option D is correct because monitoring frequency should be based on risk level and control effectiveness. Option A is wrong because fixed intervals ignore risk changes. Option B is wrong because monitoring only after incidents is reactive.

Option C is wrong because regulatory requirements are a minimum, not necessarily optimal.

27
MCQeasy

A risk manager notices that a key risk indicator (KRI) for failed login attempts has exceeded the threshold for three consecutive weeks. Which of the following should be the FIRST action?

A.Investigate the root cause of the increase.
B.Adjust the threshold to reduce false positives.
C.Report the breach to the senior management immediately.
D.Ignore the trend as a statistical anomaly.
AnswerA

First step is to investigate root cause.

Why this answer

Option A is correct because the first step is to investigate the root cause to determine if there is a control failure or a false positive. Option D is wrong because ignoring the trend may lead to undetected risk. Option B is wrong because adjusting the threshold without analysis is inappropriate.

Option C is wrong because reporting without investigation may cause unnecessary alarm.

28
MCQmedium

An organization deployed a new intrusion detection system (IDS) that generates many alerts. The security team is overwhelmed and has started ignoring some alerts. What is the BEST way to address this issue?

A.Implement a SIEM to filter and prioritize alerts.
B.Deactivate the IDS until it can be properly configured.
C.Tune the IDS to reduce false positive alerts.
D.Hire additional security analysts to handle the alert volume.
AnswerC

Reducing false positives improves efficiency.

Why this answer

Option C is correct because tuning the IDS to reduce false positives will make alerts more actionable. Option D is wrong because hiring more staff may not be efficient. Option B is wrong because deactivating the IDS is risky.

Option A is wrong because filtering without tuning may still miss real threats.

29
MCQmedium

A retail company uses a manual control to verify that all credit card transactions are processed by authorized payment terminals. The control requires a store manager to compare a daily transaction log against a list of approved terminal IDs. The company processes an average of 10,000 transactions per day across 200 stores. During a recent internal audit, it was found that 15% of stores had not completed the reconciliation for the past month. The audit also revealed that several unauthorized terminals had been used to process transactions, resulting in a data breach of customer payment information. The company's risk appetite for payment card data security is very low. The current monitoring approach includes a quarterly review of control performance by the internal audit team. The risk manager needs to recommend improvements to the monitoring of this control. Which of the following is the BEST recommendation?

A.Increase internal audit reviews of the control to monthly.
B.Implement disciplinary actions for store managers who skip reconciliations.
C.Automate the reconciliation by integrating the transaction log with the approved terminal list.
D.Provide refresher training to all store managers on the procedure.
AnswerC

Automation enforces the control, reduces manual effort, and provides real-time monitoring.

Why this answer

Option C is correct because automating the reconciliation process ensures it is performed consistently and promptly, eliminating the manual gaps. Option A is wrong because increasing audit frequency does not prevent the control from being skipped. Option B is wrong because disciplinary actions may motivate compliance but do not address the process inefficiency.

Option D is wrong because additional training may help but does not guarantee consistent performance.

30
MCQmedium

An organization uses a qualitative risk assessment methodology. During a recent assessment, several risks were rated as 'high' due to vague definitions. What is the BEST way to improve the accuracy of the assessment?

A.Switch to a quantitative methodology
B.Assign a single expert to rate all risks
C.Use historical loss data as the primary input
D.Define clear and objective rating criteria for likelihood and impact
AnswerD

Clear criteria reduce subjectivity and improve consistency across assessors.

Why this answer

Vague rating criteria lead to inconsistent and subjective risk scores. By defining clear and objective rating criteria for likelihood and impact, the organization ensures that all assessors apply the same standards, reducing ambiguity and improving the accuracy of the qualitative assessment.

Exam trap

The trap here is that candidates often assume quantitative methods are always more accurate, but the question specifically highlights vague definitions as the root cause, which is best addressed by refining the qualitative criteria rather than changing the methodology.

How to eliminate wrong answers

Option A is wrong because switching to a quantitative methodology does not address the root cause of vague definitions; it introduces new requirements for numerical data that may not be available or reliable, and does not inherently improve the consistency of risk ratings. Option B is wrong because assigning a single expert to rate all risks introduces personal bias and does not eliminate the underlying problem of vague criteria; it merely centralizes the subjectivity. Option C is wrong because historical loss data is often incomplete, not directly applicable to emerging threats, and may not reflect current control effectiveness; using it as the primary input does not resolve the ambiguity in rating definitions.

31
MCQmedium

An organization's security team recommends implementing a web application firewall (WAF) to protect against SQL injection attacks. The risk manager evaluates the cost of the WAF and the likelihood of a successful attack. This evaluation is BEST described as:

A.Residual risk calculation
B.Inherent risk assessment
C.Cost-benefit analysis
D.Risk acceptance
AnswerC

Comparing cost of control to expected loss is cost-benefit analysis.

Why this answer

Option C is correct because cost-benefit analysis compares the cost of controls against the expected loss. Option D is wrong because risk acceptance is a decision, not an evaluation. Option A is wrong because residual risk is what remains after controls.

Option B is wrong because inherent risk is the level before controls.

32
MCQhard

A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?

A.Perform a new risk assessment
B.Interview control owners
C.Review risk register updates
D.Conduct a control testing and audit review
AnswerD

Testing provides direct evidence of control operation.

Why this answer

Conducting a control testing and audit review directly assesses whether controls are operating as intended. Option B is indirect. Option C does not verify effectiveness.

Option A is too broad.

33
MCQhard

A company's internal audit function reports that a detective control (manual review of transactions) is operating effectively based on a sample of 50 transactions showing no issues. However, the continuous monitoring system shows that 100 suspicious transactions were not reviewed during the same period. The control owner argues the control is effective. What is the BEST conclusion?

A.The control is effective because the monitoring system is too sensitive.
B.The control is ineffective because the monitoring system is unreliable.
C.The control is ineffective because the audit sample size is too small to detect the actual failure rate.
D.The control is effective because the sample showed no issues.
AnswerC

The large number of unreviewed suspicious transactions indicates a control weakness that the sample missed.

Why this answer

Option C is correct because the audit sample of 50 did not include the suspicious transactions that the continuous monitoring flagged, indicating the sample size was insufficient to detect the actual failure rate. Option D is wrong because the sample alone does not prove effectiveness across all transactions. Option B is wrong because the monitoring system is likely reliable.

Option A is wrong because the monitoring system is not necessarily too sensitive; it revealed actual failures.

34
Multi-Selecthard

A multinational corporation is implementing continuous monitoring of its compliance with data privacy regulations across multiple jurisdictions. Which TWO of the following are significant challenges to this approach?

Select 2 answers
A.Inconsistent regulatory requirements across jurisdictions.
B.The need for manual data collection.
C.High cost of automation tools.
D.Difficulty in establishing a single data repository.
E.Lack of skilled personnel.
AnswersA, D

Different laws require tailored monitoring criteria, complicating a unified system.

Why this answer

Options A and D are correct. A: Inconsistent regulatory requirements make it hard to define a single monitoring standard. D: Data residency and sovereignty issues complicate establishing a unified data repository.

E is a generic challenge but not specific to multi-jurisdiction. C is generic. B: Continuous monitoring by definition automates data collection, so it's not a challenge.

35
MCQeasy

A risk assessment that assigns monetary values to assets and calculates expected loss is called:

A.Qualitative
B.Semi-quantitative
C.Comprehensive
D.Quantitative
AnswerD

Quantitative assigns monetary values.

Why this answer

A quantitative risk assessment assigns specific monetary values to assets and calculates expected loss using formulas such as Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF), and Annualized Loss Expectancy (ALE) = SLE × Annualized Rate of Occurrence (ARO). This approach provides objective, numeric risk metrics that support cost-benefit analysis for risk mitigation decisions.

Exam trap

The trap here is that candidates often confuse 'semi-quantitative' with 'quantitative' because both use numbers, but semi-quantitative methods use ordinal scales or weighted scores (e.g., 1-5) rather than actual monetary values and expected loss calculations.

How to eliminate wrong answers

Option A is wrong because qualitative risk assessment uses subjective ratings (e.g., high, medium, low) rather than monetary values and does not calculate expected loss numerically. Option B is wrong because semi-quantitative risk assessment uses ordinal scales or weighted scores to approximate risk levels, but it does not assign precise monetary values or compute expected loss with formulas like SLE and ALE. Option C is wrong because 'comprehensive' is not a recognized category of risk assessment methodology in the CRISC framework; it describes scope, not the quantitative vs. qualitative distinction.

36
MCQmedium

A risk practitioner notices that a key control is tested only once a year, but the associated risk has a high velocity of change. What is the BEST recommendation?

A.Remove the control if it cannot be tested more often
B.Wait for a control failure before increasing frequency
C.Continue annual testing because it meets regulatory requirements
D.Increase testing frequency to quarterly or monthly
AnswerD

Aligns monitoring with risk velocity.

Why this answer

The correct answer is D. For high-velocity risks, more frequent monitoring is needed. Option C does not address velocity.

Option B is reactive. Option A negates the control.

37
MCQeasy

An organization uses a third-party SaaS provider for payroll processing. Which of the following is the BEST technique to identify risks associated with this vendor?

A.Request a penetration test report from the vendor
B.Check online user reviews and ratings
C.Read the vendor's marketing materials and case studies
D.Review the vendor's SOC 2 Type II report and conduct an on-site assessment
AnswerD

SOC 2 provides independent assurance; site visit validates controls.

Why this answer

The SOC 2 Type II report provides an independent auditor's assessment of the vendor's controls over security, availability, processing integrity, confidentiality, and privacy over a period of time, which is critical for identifying risks in a payroll SaaS processing sensitive employee data. An on-site assessment allows the organization to verify physical and logical controls, observe operations, and discuss specific risk scenarios directly with vendor personnel, offering a deeper risk identification than any single document or review.

Exam trap

The trap here is that candidates often overvalue a penetration test report (Option A) as the definitive risk identification tool, forgetting that for a SaaS payroll provider, operational and compliance risks (e.g., data privacy, availability, change management) are equally or more critical than pure technical vulnerabilities.

How to eliminate wrong answers

Option A is wrong because a penetration test report, while useful for identifying technical vulnerabilities, is a point-in-time assessment that does not cover the full breadth of operational, privacy, and compliance controls needed for a payroll processor handling sensitive personal data. Option B is wrong because online user reviews and ratings are anecdotal, lack technical depth, and are not a reliable or auditable source for identifying specific control weaknesses or compliance gaps. Option C is wrong because marketing materials and case studies are promotional content designed to highlight successes, not to disclose risks, control failures, or security incidents.

38
MCQmedium

Based on the exhibit, which aspect of risk monitoring is MOST concerning?

A.The vulnerability has been open for three months with no evidence of monitoring or remediation despite a patch being available.
B.The vulnerability severity is critical.
C.The last scan was three months after the initial detection.
D.The risk was accepted by the system owner.
AnswerA

Indicates lack of ongoing monitoring of accepted risks.

Why this answer

Option A is correct because a critical vulnerability with a patch available has been open for nearly three months with no remediation; risk acceptance alone does not substitute for active monitoring of the accepted risk. Option B is wrong because severity is already labeled critical. Option D is wrong because the risk was accepted, but the monitoring of that acceptance is the issue.

Option C is wrong because the scan date by itself is not the issue; the concern is lack of follow-up.

39
MCQhard

A company uses a risk control self-assessment (RCSA) process that is conducted annually. During a quarterly review, management discovers that several high-risk controls are no longer effective due to changes in the business environment. Which of the following is the BEST way to enhance the monitoring of these controls?

A.Increase the frequency of the RCSA to quarterly.
B.Assign a risk owner to perform manual checks monthly.
C.Implement compensating controls to reduce the risk.
D.Deploy automated control monitoring tools for continuous assessment.
AnswerD

Continuous monitoring provides timely and objective evidence of control effectiveness.

Why this answer

Option D is correct because implementing continuous control monitoring provides real-time insights into control effectiveness. Annual RCSA is too infrequent for rapidly changing risks. Option C is wrong because, while compensating controls may help, they do not directly improve monitoring of the existing controls.

Option A is wrong because increasing the frequency of RCSA to quarterly still relies on periodic self-assessments, which may not be timely.

40
MCQeasy

Refer to the exhibit. During a risk identification review, the risk manager sees this IDS alert. What risk does this alert MOST directly indicate?

A.Sensitive data is being exfiltrated from the SQL server.
B.A malware infection is spreading across the network.
C.The organization is under a distributed denial-of-service (DDoS) attack.
D.An internal SQL server is exposed to the internet and may be probed for vulnerabilities.
AnswerD

Alert shows external IP probing internal MSSQL server, indicating internet exposure.

Why this answer

The IDS alert indicates an inbound connection attempt to TCP port 1433 (Microsoft SQL Server) from an external IP address. This directly suggests that an internal SQL server is exposed to the internet, which is a security misconfiguration that allows external entities to probe for vulnerabilities, such as weak credentials or unpatched flaws. While data exfiltration or malware could be subsequent outcomes, the alert itself most immediately signals the exposure and probing risk.

Exam trap

The trap here is that candidates may conflate a single IDS alert indicating exposure with a full-blown attack outcome (exfiltration, malware, DDoS), rather than recognizing that the alert most directly signals the underlying misconfiguration risk of internet-facing internal services.

How to eliminate wrong answers

Option A is wrong because the alert only shows a connection attempt to port 1433, not any evidence of data transfer or exfiltration; exfiltration would require additional indicators like large outbound data flows or SQL query patterns. Option B is wrong because the alert does not show lateral movement, propagation behavior, or malware signatures; a single inbound connection to a database port is not indicative of a spreading infection. Option C is wrong because a DDoS attack would involve a high volume of traffic from multiple sources overwhelming bandwidth or services, not a single SYN packet to a specific database port.

41
MCQmedium

A medium-sized e-commerce company has a risk monitoring program that tracks key risk indicators (KRIs) monthly. One KRI is the percentage of orders with failed payment transactions. The threshold is 2%, but for the past three months, the KRI has been 2.5%, 3.1%, and 2.8%. The risk owner says this is due to a seasonal increase in fraudulent transactions and expects it to return to normal next month. The company has a compensating control that manually reviews flagged transactions. The internal audit team recently tested the compensating control and found it to be 100% effective. The risk committee wants to know if the KRI breach requires action. What should the risk practitioner recommend?

A.Immediately implement additional automated controls to reduce the KRI.
B.Escalate the issue to the board and recommend a risk acceptance.
C.Acknowledge the breach but note that the compensating control is effective, so no immediate action is required; continue to monitor.
D.Lower the KRI threshold to 3% to accommodate seasonal variations.
AnswerC

Appropriate response given the circumstances.

Why this answer

Option C is correct because the compensating control (manual review of flagged transactions) has been tested as 100% effective, meaning the residual risk is within acceptable tolerance despite the KRI breach. The risk owner attributes the breach to a seasonal spike, and the risk monitoring program should continue to track the KRI monthly to confirm a return to normal. Immediate action is not warranted when the compensating control fully mitigates the risk, and the risk committee should be informed that the control is effective.

Exam trap

The trap here is that candidates assume any KRI breach automatically requires immediate remediation or escalation, ignoring the critical role of compensating controls in reducing residual risk to an acceptable level.

How to eliminate wrong answers

Option A is wrong because implementing additional automated controls without evidence of control failure is an overreaction that wastes resources; the existing compensating control is 100% effective, so the residual risk is already managed. Option B is wrong because escalation to the board and risk acceptance are premature—the breach is temporary and the compensating control mitigates the risk, so the issue does not meet the threshold for board-level acceptance. Option D is wrong because lowering the KRI threshold to 3% would mask the underlying risk trend and violate the principle of maintaining consistent, objective risk indicators; thresholds should be adjusted only after a formal risk assessment, not to accommodate seasonal variations without analysis.

42
MCQhard

A multinational financial services company has implemented a continuous monitoring program for its trading systems. The program uses automated scripts to check system configurations against a baseline every hour. Recently, the company experienced a significant security incident where a malicious actor exploited a misconfigured firewall rule to exfiltrate sensitive customer data. Post-incident analysis revealed that the misconfiguration had been present for 72 hours before detection. The monitoring scripts did not detect the change because the baseline had been updated two weeks prior to include the misconfiguration as part of a planned change that was later reversed without updating the baseline. The company's change management process requires that all configuration changes be approved and documented, but the reversal of the change was not documented. The incident response team was only alerted when a customer reported suspicious activity. The risk practitioner is tasked with recommending improvements to prevent recurrence. Which of the following is the BEST course of action?

A.Enhance incident response procedures to include notification of customers within 24 hours.
B.Implement a change detection system that compares current configurations to an approved, immutable baseline and alerts on any deviation, with strict change control for baseline updates.
C.Increase the frequency of monitoring scripts to every 30 minutes.
D.Require manual review of all configuration changes by a second analyst.
AnswerB

Addresses root cause of baseline manipulation.

Why this answer

Option B is correct because the root cause is that the baseline was updated to include the misconfiguration, and the subsequent reversal was not documented or reflected in the baseline. A change detection system that compares current configurations to an approved, immutable baseline and alerts on any deviation, with strict change control for baseline updates, directly addresses this by ensuring that only approved changes are in the baseline and any unapproved deviation (including reversals) triggers an alert. This prevents the monitoring system from accepting unauthorized changes as normal.

Exam trap

The trap here is that candidates focus on the monitoring frequency or manual review, but the real failure is the baseline integrity—the monitoring system was working correctly but against a corrupted baseline, so the solution must enforce that the baseline itself is immutable and only updated through strict change control.

How to eliminate wrong answers

Option A is wrong because enhancing incident response procedures to notify customers within 24 hours addresses notification timing after detection, not the root cause of the detection failure—the baseline was corrupted and the monitoring scripts did not detect the misconfiguration. Option C is wrong because increasing the frequency of monitoring scripts to every 30 minutes does not solve the problem; the scripts were already running hourly but failed to detect the change because the baseline had been incorrectly updated, so more frequent checks against a corrupted baseline would still miss the misconfiguration. Option D is wrong because requiring manual review of all configuration changes by a second analyst adds a human check but does not address the automated baseline update process that allowed the misconfiguration to be included without detection; the reversal was not documented, so manual review would not catch the baseline corruption unless the reviewer specifically compares against an immutable approved state.

43
MCQeasy

When assessing IT risks, which of the following is the PRIMARY purpose of developing risk scenarios?

A.To calculate the exact financial loss
B.To identify specific threats and vulnerabilities that could impact objectives
C.To satisfy regulatory compliance
D.To create a business continuity plan
AnswerB

Core purpose of scenario development.

Why this answer

The primary purpose of developing risk scenarios in IT risk assessment is to identify specific threats and vulnerabilities that could impact business objectives. Risk scenarios provide a structured narrative that links threat sources, vulnerabilities, and potential impacts, enabling a focused analysis of how adverse events might occur. This is foundational for prioritizing risks and determining appropriate controls, rather than for calculating exact losses, compliance, or continuity planning.

Exam trap

The trap here is that candidates often confuse the purpose of risk scenarios with downstream activities like financial quantification or compliance, when the core goal is to systematically identify and articulate how threats and vulnerabilities can materialize into risk events.

How to eliminate wrong answers

Option A is wrong because risk scenarios are not designed to calculate exact financial loss; they are qualitative or semi-quantitative constructs that estimate potential impact ranges, not precise monetary values. Option C is wrong because while risk scenarios may support compliance efforts, satisfying regulatory requirements is a secondary benefit, not the primary purpose of scenario development. Option D is wrong because creating a business continuity plan is a separate process that may use risk scenarios as input, but the primary purpose of scenarios is to identify and analyze risks, not to produce continuity plans.

44
MCQmedium

A company is migrating its legacy on-premises applications to a public cloud environment. Which risk identification technique is most appropriate for this scenario?

A.Control self-assessment
B.Threat modeling
C.SWOT analysis
D.Business impact analysis (BIA)
AnswerB

Threat modeling systematically identifies threats and vulnerabilities in system architecture, making it ideal for migration projects.

Why this answer

Threat modeling is the most appropriate risk identification technique for migrating legacy on-premises applications to a public cloud environment because it systematically identifies potential security threats, vulnerabilities, and attack vectors specific to the new cloud architecture. This technique evaluates how the application's design, data flows, and trust boundaries change when moved to a cloud provider like AWS, Azure, or GCP, enabling proactive mitigation of risks such as misconfigured storage, insecure APIs, or compromised identity management.

Exam trap

The trap here is that candidates often confuse SWOT analysis (a business strategy tool) with a technical risk identification technique, or mistakenly think control self-assessment is sufficient for identifying new risks in a fundamentally different architecture like cloud.

How to eliminate wrong answers

Option A is wrong because control self-assessment is a subjective evaluation of existing controls by internal staff, which is not designed to identify new risks arising from a technology migration like cloud adoption. Option C is wrong because SWOT analysis is a high-level strategic planning tool that assesses strengths, weaknesses, opportunities, and threats at an organizational level, not a technical risk identification method for specific application migration scenarios. Option D is wrong because business impact analysis (BIA) focuses on quantifying the impact of disruptions to critical business functions, not on identifying technical threats or vulnerabilities in a new cloud environment.

45
MCQhard

A financial institution is migrating its core banking system from an on-premises data center to a public cloud infrastructure. The migration is planned in phases over 18 months. The IT risk manager is tasked with identifying risks during the transition. During the first phase, the team moves non-critical applications to the cloud. A vulnerability assessment of the cloud environment reveals that several virtual machines have default administrative credentials enabled. Additionally, the cloud security group configuration for the application tier allows inbound SSH from the entire internet (0.0.0.0/0). The risk manager also learns that the cloud provider's shared responsibility model is not fully understood by the operations team, who believe the provider is responsible for all security controls. The institution's risk appetite statement allows for moderate risk tolerance but prohibits any exposure that could lead to unauthorized access to customer financial data. Which of the following risk scenarios should the risk manager identify as the MOST critical to address immediately?

A.The operations team's misunderstanding of the shared responsibility model
B.The cloud provider may not have adequate security controls for the institution's data
C.The phased migration introduces complexity that may cause configuration drift
D.Default credentials on virtual machines combined with unrestricted inbound SSH from the internet
AnswerD

Direct and immediate risk of unauthorized access to systems handling sensitive data.

Why this answer

Correct: D. The combination of default credentials and open SSH access creates an immediate and exploitable vulnerability that could lead to unauthorized access to the application tier, potentially compromising customer data. This directly violates the risk appetite.

A is a general issue but less immediate. B is important but not as critical as D. C is valid but not the most immediate.

46
MCQeasy

An IT manager is identifying risks for a new cloud application. Which of the following is the BEST source for identifying specific threats relevant to cloud services?

A.Employee suggestions
B.Internal audit findings
C.Vendor marketing materials
D.Industry threat reports
AnswerD

Industry reports provide relevant and current threat data.

Why this answer

Industry threat reports (Option D) are the BEST source because they aggregate real-world threat intelligence specific to cloud environments, such as data from the Cloud Security Alliance (CSA) or Verizon DBIR, detailing attack vectors like misconfigured APIs, insecure interfaces, and shared technology vulnerabilities. Unlike internal or vendor sources, these reports provide empirical, up-to-date data on threats actively targeting cloud services, enabling a risk assessment grounded in actual incident patterns rather than assumptions or marketing claims.

Exam trap

The trap here is that candidates may choose internal audit findings (Option B) thinking they are authoritative, but they fail to recognize that internal audits are retrospective and limited to existing controls, whereas industry threat reports provide forward-looking, external threat intelligence essential for identifying emerging cloud-specific risks.

How to eliminate wrong answers

Option A is wrong because employee suggestions are subjective, anecdotal, and lack the systematic, evidence-based threat data needed for a formal risk assessment; they may reflect personal biases or limited visibility into cloud-specific attack patterns. Option B is wrong because internal audit findings focus on compliance gaps and control deficiencies within the organization's existing environment, not on emerging or external threats specific to cloud service models (IaaS, PaaS, SaaS) like side-channel attacks or provider-side vulnerabilities. Option C is wrong because vendor marketing materials are promotional and designed to highlight product strengths, not to disclose realistic threat scenarios; they often downplay risks such as multi-tenancy isolation failures or shared responsibility model ambiguities.

47
MCQeasy

A financial institution monitors the number of unauthorized access attempts to its core banking system. The risk owner recommends increasing the monitoring frequency from daily to hourly because a recent attack exploited a delayed detection. Which of the following is the PRIMARY benefit of this change?

A.Faster detection of anomalies
B.Lower cost of monitoring
C.Increased system performance
D.Reduced false positive rate
AnswerA

Hourly monitoring detects anomalies sooner than daily, reducing the attack window.

Why this answer

Option A is correct because faster detection reduces the window of exposure. Option B is wrong because increasing monitoring frequency typically increases cost. Option C is wrong because more frequent monitoring may degrade system performance.

Option D is wrong because a frequency increase may increase false positives rather than reduce them.

48
MCQmedium

A security analyst notices that the number of failed login attempts has significantly increased over the past week. The SIEM alerts are not being triggered because the threshold was set too high. What is the MOST effective immediate action to improve monitoring?

A.Implement a new authentication system with biometrics.
B.Lower the threshold for failed login alerts in the SIEM.
C.Enable all SIEM rules to capture every event.
D.Review logs manually each day to identify anomalies.
AnswerB

Directly fixes the issue of missed alerts.

Why this answer

B is correct because the immediate issue is that the SIEM alert threshold is set too high, causing failed login attempts to go undetected. Lowering the threshold directly addresses the monitoring gap by ensuring that the SIEM generates alerts for anomalous failed login activity, enabling timely incident response without requiring a system overhaul.

Exam trap

The trap here is that candidates may choose a more 'secure' but non-immediate option like biometrics (A) or a broad-brush approach like enabling all rules (C), failing to recognize that the question specifically asks for the 'most effective immediate action' to fix the monitoring gap caused by a misconfigured threshold.

How to eliminate wrong answers

Option A is wrong because implementing a new authentication system with biometrics is a long-term control improvement that does not address the immediate monitoring failure; it also introduces new costs and complexity without fixing the SIEM threshold issue. Option C is wrong because enabling all SIEM rules to capture every event would generate excessive noise, overwhelming analysts with false positives and potentially causing alert fatigue, which degrades monitoring effectiveness. Option D is wrong because reviewing logs manually each day is reactive, inefficient, and does not scale; it fails to provide real-time alerting and relies on human attention, which is error-prone and unsustainable for detecting a surge in failed logins.

49
Multi-Selectmedium

Which THREE are best practices for control monitoring?

Select 3 answers
A.Use a risk-based approach to prioritize.
B.Test controls at least annually.
C.Rely solely on control owners.
D.Combine automated and manual monitoring.
E.Document results and actions.
AnswersA, D, E

Focuses monitoring efforts on highest risk areas.

Why this answer

Best practices include using a risk-based approach, combining automated and manual monitoring, and documenting results. Options A, D, and E are correct. Testing controls at least annually (B) is too prescriptive and not always necessary.

Relying solely on control owners (C) lacks independence.

50
MCQeasy

A multinational corporation is assessing the risk of a new cloud-based customer relationship management (CRM) system. The risk manager conducts a qualitative risk assessment using a risk matrix that plots likelihood vs. impact. Which of the following is the PRIMARY benefit of using a qualitative approach over a quantitative approach in this context?

A.It provides precise monetary values for risk exposure.
B.It reduces the time required for data collection and analysis.
C.It allows for easy comparison of risks across different business units.
D.It eliminates the need for expert judgment.
AnswerB

Qualitative assessment is faster due to less data requirement.

Why this answer

In a qualitative risk assessment, the risk manager uses subjective ratings (e.g., high, medium, low) for likelihood and impact rather than gathering hard financial data. This approach significantly reduces the time and effort needed for data collection and analysis because it avoids the complex calculations, historical loss data gathering, and monetary valuation required by quantitative methods. For a new cloud-based CRM system, where historical incident data may be scarce, qualitative assessment enables a faster initial risk evaluation.

Exam trap

The trap here is that candidates often confuse 'qualitative' with 'easier to compare' (Option C) or think it provides monetary precision (Option A), when in reality the primary benefit is speed and reduced data collection effort, especially for new or cloud-based systems where quantitative data is scarce.

How to eliminate wrong answers

Option A is wrong because qualitative assessments do not provide precise monetary values; they use ordinal scales (e.g., high/medium/low) rather than dollar amounts, which is the defining characteristic of quantitative analysis. Option C is wrong because while qualitative matrices can facilitate comparison, the primary benefit over quantitative is not ease of comparison—quantitative methods actually allow more objective cross-unit comparisons via normalized financial metrics. Option D is wrong because qualitative approaches still heavily rely on expert judgment; they do not eliminate it, and in fact, they depend on subjective input from stakeholders and SMEs.

51
MCQeasy

A risk owner wants to implement continuous monitoring for a set of critical controls. Which of the following is the PRIMARY benefit of continuous monitoring over periodic testing?

A.Timely detection of control failures.
B.Elimination of manual testing.
C.Compliance with regulatory requirements.
D.Reduced cost of control testing.
AnswerA

Continuous monitoring enables immediate awareness of failures.

Why this answer

Option A is correct because continuous monitoring provides real-time or near-real-time detection of control failures, allowing faster response. Option B is wrong because manual testing may still be needed for some controls. Option C is wrong because, while compliance is a benefit, timely detection is the primary advantage.

Option D is wrong because continuous monitoring can be more expensive.

52
Matchingmedium

Match each key risk indicator (KRI) to its description.


Measures availability risk

Measures access control risk

Measures vulnerability management risk

Measures security awareness risk

Why these pairings

KRIs are metrics that provide early warning of increasing risk exposure.

53
MCQhard

A bank's risk committee reviews a monthly risk report that includes KRIs. One KRI shows that the number of failed transactions due to system errors is trending upward. The control owner states that the trend is within the risk appetite. However, the report also shows that the number of customer complaints is stable. What should the risk manager do FIRST?

A.Escalate to the board of directors.
B.Accept the control owner's assessment and continue monitoring.
C.Investigate the root cause of the increasing failed transactions.
D.Recommend increasing the monitoring frequency.
AnswerC

Understanding the cause is essential before any decision.

Why this answer

Option C is correct because an upward trend in a KRI, even if within appetite, warrants investigation to understand the root cause and prevent escalation. Option A is wrong because escalation is not needed before investigation. Option B is wrong because accepting the control owner's assessment without investigation misses potential emerging issues.

Option D is wrong because increasing monitoring frequency is premature without understanding why the trend is occurring.

54
MCQeasy

During a control monitoring review, a risk analyst discovers that the control owner has not been performing the required monthly reconciliations. What should the analyst do FIRST?

A.Contact the control owner to understand the reason for non-performance.
B.Escalate to the risk committee for immediate action.
C.Update the risk register to reflect control deficiency.
D.Recommend removal of the control as it is not being followed.
AnswerA

Understanding the cause helps determine the appropriate response.

Why this answer

Option A is correct because the analyst should first confirm with the control owner why the control was not performed, as it may be a temporary issue or a training gap. Option B is wrong because escalating immediately without understanding the context is premature. Option C is wrong because updating the risk register should follow the investigation.

Option D is wrong because assuming the control is ineffective without investigation is not appropriate.

55
MCQeasy

A security team identifies a critical vulnerability in a web application that cannot be patched immediately. They deploy a web application firewall (WAF) to block exploitation attempts. This is an example of:

A.Risk Transfer
B.Risk Mitigation
C.Risk Avoidance
D.Risk Acceptance
AnswerB

Deploying a WAF reduces risk, so it is mitigation.

Why this answer

Option B is correct because deploying a WAF reduces the likelihood of exploitation, which is a risk mitigation strategy.

56
MCQmedium

A risk practitioner is designing a risk dashboard for the executive team. The organization has a high risk appetite for revenue-generating activities but a low risk appetite for regulatory compliance. Which combination of metrics should be prominently displayed?

A.Key risk indicators (KRIs) for revenue-related risks and regulatory compliance status.
B.Percentage of controls tested and employee training completion rates.
C.Vendor risk ratings and number of security incidents.
D.Number of open remediation items and budget variance for risk projects.
AnswerA

Directly aligns to the stated risk appetites.

Why this answer

Option A is correct because KRIs that measure current risk levels against appetite thresholds, along with regulatory compliance status, directly address the dual risk appetites. Option B is wrong because control test results and training completion are input/metrics, not direct risk measures. Option C is wrong because vendor risk ratings and incident counts are important but not specific to the stated appetites.

Option D is wrong because remediation timelines and budget variance are operational metrics.

57
MCQmedium

A university is implementing a new online learning management system (LMS) that will store student records, grades, and personal information. During the risk assessment, the IT team identifies that the LMS vendor's default configuration allows students to see each other's email addresses in the class roster. This could lead to privacy violations under FERPA regulations. The vendor states that this feature can be disabled in the settings but doing so will require manual configuration for each course. The university has a moderate risk appetite and wants to launch the system within two weeks. Which of the following is the MOST appropriate risk response?

A.Transfer the risk by requiring students to sign a consent form allowing email disclosure.
B.Avoid the risk by selecting a different LMS vendor that does not have this issue.
C.Reduce the risk by disabling the feature globally through a script or administrative override before launch.
D.Accept the risk because the exposure is limited to email addresses and not grades.
AnswerC

Quick mitigation without launch delay.

Why this answer

Option C is the most appropriate risk response because it reduces the privacy risk by disabling the email visibility feature globally via a script or administrative override, aligning with the university's moderate risk appetite and two-week launch deadline. This approach directly addresses the FERPA violation without requiring manual per-course configuration, enabling a timely deployment while maintaining control over student data exposure.

Exam trap

The trap here is that candidates may choose 'Accept the risk' (Option D) by underestimating the regulatory weight of FERPA, assuming email addresses are low-risk, while failing to recognize that any PII exposure, even seemingly minor, can trigger compliance violations and reputational damage.

How to eliminate wrong answers

Option A is wrong because transferring risk via student consent forms does not eliminate the FERPA violation; FERPA prohibits disclosure of personally identifiable information (PII) like email addresses without prior written consent, and requiring consent for a default exposure shifts liability but still violates regulatory compliance if consent is not obtained for all students. Option B is wrong because avoiding the risk by selecting a different LMS vendor would likely delay the launch beyond two weeks, contradicting the university's timeline and moderate risk appetite, and may introduce other unassessed risks. Option D is wrong because accepting the risk ignores that email addresses are considered PII under FERPA, and the exposure could lead to privacy violations and regulatory penalties, which is inconsistent with a moderate risk appetite that seeks to mitigate rather than tolerate such compliance risks.

58
MCQmedium

A retail company has a risk monitoring program that tracks key risk indicators (KRIs) for its e-commerce platform. One KRI measures the number of failed payment transactions as a percentage of total transactions. The threshold is set at 2%. Over the past quarter, the KRI has been fluctuating between 1.8% and 2.5%, breaching the threshold several times. Each time the KRI exceeded the threshold, the risk owner performed a manual investigation and found that the failures were due to transient network issues that resolved on their own. The risk owner has now requested that the threshold be raised to 3% to avoid unnecessary investigations. The risk practitioner is evaluating this request. What should the risk practitioner do?

A.Approve the threshold increase since investigations have not found any significant issues.
B.Suggest implementing automated remediation for network issues instead of raising the threshold.
C.Recommend a root cause analysis to determine why network issues are recurring before considering a threshold change.
D.Reject the request and require investigation of every breach.
AnswerC

Addresses the underlying issue.

Why this answer

Option C is correct because the recurring network issues causing threshold breaches indicate an underlying problem that needs to be addressed, not just a threshold adjustment. Raising the threshold without understanding the root cause could mask a significant risk to transaction integrity and revenue. A root cause analysis (RCA) would identify whether the transient network issues stem from infrastructure, configuration, or external dependencies, enabling a proper control response.

Exam trap

The trap here is that candidates may assume raising the threshold is a simple risk acceptance decision, but CRISC emphasizes that risk responses must be based on understanding the root cause, not just adjusting metrics to avoid investigations.

How to eliminate wrong answers

Option A is wrong because approving the threshold increase without investigation ignores the fact that the 2% threshold was set based on risk appetite; raising it to 3% could allow an unacceptable level of failed transactions to go unmonitored, potentially leading to customer dissatisfaction and financial loss. Option B is wrong because suggesting automated remediation assumes the network issues are fully understood and can be programmatically resolved, but without root cause analysis, automation might address symptoms rather than the underlying cause, and could introduce new risks if misconfigured. Option D is wrong because requiring investigation of every breach without considering the pattern of transient, self-resolving issues is inefficient and could lead to alert fatigue, but it does not address the need to understand why the network issues recur.

59
MCQeasy

Which TWO of the following are best practices for risk reporting to senior management?

A.Provide actionable recommendations based on risk trends
B.Avoid discussing risk appetite to prevent confusion
C.Present detailed technical analysis for every risk
D.Focus on key risk areas and exceptions
E.Include all available risk data for transparency
AnswerA, D

Actionable insights drive decision-making.

Why this answer

Options A and D are correct. Reporting should provide actionable insights (A) and highlight key risk areas and exceptions (D). Option B is wrong because reporting should address management's risk appetite.

Option C is wrong because senior management needs aggregated summaries, not detailed technical analysis of every risk. Option E is wrong because an overwhelming amount of data obscures key messages.

60
MCQeasy

An organization has a risk appetite that is risk-averse. Which risk treatment option would be most aligned with this appetite?

A.Avoid the risk by discontinuing the activity
B.Mitigate the risk with controls
C.Accept the risk
D.Transfer the risk through insurance
AnswerA

Avoidance aligns with risk-averse appetite.

Why this answer

A risk-averse organization prioritizes avoiding exposure to threats. Discontinuing the activity that introduces the risk (option A) eliminates the threat source entirely, ensuring no residual risk remains. This aligns directly with a risk-averse appetite, where even low-probability, high-impact events are unacceptable.

Exam trap

The trap here is that candidates often confuse 'risk transfer' with 'risk elimination,' assuming insurance removes all risk, when in fact it only covers financial loss, leaving operational and reputational risks intact.

How to eliminate wrong answers

Option B is wrong because mitigating with controls reduces risk to an acceptable level but does not eliminate it; residual risk remains, which contradicts a fully risk-averse stance. Option C is wrong because accepting risk means the organization retains the full exposure, which is contrary to a risk-averse appetite that seeks to avoid any potential loss. Option D is wrong because transferring risk through insurance shifts financial liability but does not remove the operational threat; the organization still faces the event's consequences, such as downtime or reputational damage, which a risk-averse entity would find unacceptable.

61
Multi-Selectmedium

Which TWO of the following are essential components of an effective control monitoring program?

Select 2 answers
A.A defined baseline for normal system behavior.
B.A comprehensive list of all controls in the organization.
C.A manual checklist for each control reviewed daily.
D.Real-time alerting for all control failures.
E.Clearly defined roles and responsibilities for monitoring activities.
AnswersA, E

Baselines help identify deviations.

Why this answer

A defined baseline for normal system behavior is essential because it provides the reference point against which monitoring tools can detect anomalies, deviations, or potential control failures. Without a baseline, it is impossible to distinguish routine activity from suspicious or unauthorized changes, rendering monitoring alerts meaningless. This baseline is typically established through statistical modeling, threshold tuning, or historical analysis of logs and metrics.

Exam trap

The trap here is that candidates confuse 'control inventory' (Option B) with 'monitoring program components,' or assume that all control failures must trigger real-time alerts (Option D), when in fact effective monitoring prioritizes based on risk and uses baselines to reduce noise.

62
MCQhard

A large financial institution has implemented a risk monitoring framework that includes KRIs for operational risk. Recently, a critical KRI related to trade settlement errors has been showing an upward trend, but it remains within the approved threshold. The risk manager is concerned because the trend indicates potential control degradation. The control owner argues that since the KRI is still within threshold, no action is needed. The risk manager wants to determine the best course of action to address the trend before it breaches the threshold. The organization's risk policy requires proactive monitoring. What should the risk manager do?

A.Conduct a detailed analysis to understand the root cause and consider adjusting the threshold or implementing control enhancements.
B.Implement additional controls immediately.
C.Report the trend to the audit committee.
D.Update the threshold to reflect the new normal.
AnswerA

Root cause analysis enables informed decision-making aligned with proactive monitoring.

Why this answer

Proactive monitoring requires understanding the root cause of the trend and considering whether the threshold remains appropriate, so Option A is correct. Option B implements controls without understanding the cause.

Option C reports to the audit committee prematurely. Option D adjusts the threshold without analysis, masking the issue.

63
MCQmedium

Refer to the exhibit. A risk manager reviews the vulnerability scan output. According to the policy, what is the required risk response?

A.Accept the risk
B.Transfer the risk
C.Avoid by disabling the service
D.Mitigate by patching or compensating controls
AnswerD

Remediation is required.

Why this answer

Option D is correct because the policy mandates remediation (mitigation) for CVSS >= 9.0. Options A, B, and C are inconsistent with the policy.

64
MCQhard

During a risk assessment, a risk manager is evaluating the effectiveness of a firewall rule set. The manager notes that the firewall logs show a high number of dropped packets from a specific IP range, but no policy changes have been made. The manager suspects the firewall rule set may be misconfigured. Which of the following should the manager do FIRST?

A.Conduct a penetration test on the firewall.
B.Immediately block the IP range.
C.Review the change management records for the firewall.
D.Update the risk register with a new risk.
AnswerC

Change records can reveal if unauthorized or incorrect changes were made.

Why this answer

Option C is correct because the first step when a misconfiguration is suspected without any known policy changes is to verify the change management records. This ensures that any recent modifications to the firewall rule set are accounted for, ruling out unauthorized or undocumented changes before proceeding with more invasive actions like penetration testing or blocking IP ranges.

Exam trap

The trap here is that candidates often jump to immediate remediation (blocking the IP range) or escalation (updating the risk register) without first investigating the root cause through change management records, which is the foundational step in IT risk assessment.

How to eliminate wrong answers

Option A is wrong because conducting a penetration test on the firewall is an intrusive and resource-intensive step that should only be performed after verifying that no recent changes have been made; it could also disrupt operations if the misconfiguration is severe. Option B is wrong because immediately blocking the IP range is a reactive measure that may disrupt legitimate traffic and does not address the root cause of the suspected misconfiguration; it should only be considered after confirming the issue through change records. Option D is wrong because updating the risk register with a new risk is premature without first understanding the cause of the dropped packets; the risk register should be updated only after the misconfiguration is confirmed and its impact assessed.

65
MCQeasy

Based on the exhibit, what risk does this database error MOST directly indicate?

A.Risk of data inconsistency due to concurrency issues
B.SQL injection vulnerability
C.Unauthorized access to employee records
D.Insufficient disk space for transactions
AnswerA

Deadlocks can cause partial updates and data inconsistency.

Why this answer

The database error indicates a concurrency control failure, such as a deadlock or serialization anomaly, which directly leads to data inconsistency when multiple transactions execute simultaneously without proper isolation. This is a classic risk in multi-user database environments where ACID properties are violated, resulting in lost updates or dirty reads.

Exam trap

The trap here is that candidates confuse a database concurrency error with security vulnerabilities like SQL injection, but the error message and context point to transaction management failures rather than input validation or access control issues.

How to eliminate wrong answers

Option B is wrong because SQL injection is an application-layer attack exploiting unsanitized input, not a database concurrency error. Option C is wrong because unauthorized access involves authentication or authorization failures, not transaction-level conflicts. Option D is wrong because insufficient disk space would cause transaction failures or write errors, not the concurrency-specific error shown in the exhibit.

66
MCQhard

Based on the risk register exhibit, which of the following is the MOST appropriate risk response for R-0042?

A.Mitigate the risk by implementing additional encryption controls
B.Transfer the risk to a third-party insurer
C.Avoid the risk by discontinuing storage of PII
D.Accept the risk and continue monitoring
AnswerD

Since residual risk is below the risk appetite threshold, acceptance is appropriate.

Why this answer

R-0042 is a low-likelihood, low-impact risk involving PII stored with AES-256 encryption and strict access controls. The residual risk is within the organization's risk appetite, making acceptance with continued monitoring the most appropriate response. Mitigation, transfer, or avoidance would introduce unnecessary cost or operational disruption for a risk already well-controlled.

Exam trap

The trap here is that candidates often assume any risk involving PII must be mitigated or avoided, ignoring the risk register's explicit low-likelihood and low-impact ratings and the existing strong controls, which make acceptance the most cost-effective and appropriate response.

How to eliminate wrong answers

Option A is wrong because the risk register shows encryption (AES-256) is already implemented, so adding further encryption controls would provide negligible risk reduction and is not cost-effective. Option B is wrong because transferring the risk to a third-party insurer is typically reserved for high-impact, low-frequency risks (e.g., data breach liability), not for a low-impact, low-likelihood risk already within appetite. Option C is wrong because discontinuing storage of PII would avoid the risk entirely but is a drastic measure that would disrupt business operations and is disproportionate to the low severity of R-0042.

67
MCQeasy

A risk manager is identifying risks for a new mobile payment application. The application will use end-to-end encryption. Which of the following is the BEST source of risk information for identifying potential threats?

A.Industry benchmark risk assessments from similar organizations
B.Threat intelligence feeds specific to the financial services sector
C.Previous internal audit reports on legacy applications
D.Vendor-provided security white papers for the encryption product
AnswerB

Threat intelligence provides current, relevant threat information for risk identification.

Why this answer

Threat intelligence feeds specific to the financial services sector provide real-time, contextualized information about emerging threats, attack patterns, and vulnerabilities targeting mobile payment systems. Since the application uses end-to-end encryption, the risk manager needs to identify threats that could bypass or undermine encryption (e.g., side-channel attacks, key interception, or man-in-the-middle attacks on the handshake), which generic or historical sources would not capture. This source is the best because it is current, sector-specific, and directly relevant to the technology stack.

Exam trap

The trap here is that candidates confuse 'historical internal data' (Option C) or 'generic benchmarks' (Option A) as reliable for risk identification, when in fact only current, external, and sector-specific threat intelligence can identify emerging threats that bypass encryption or target the application's unique implementation.

How to eliminate wrong answers

Option A is wrong because industry benchmark risk assessments from similar organizations are historical and aggregated, lacking the specificity to identify novel threats targeting a new mobile payment application with end-to-end encryption; they may also be outdated by the time of use. Option C is wrong because previous internal audit reports on legacy applications focus on past vulnerabilities and controls for older systems, which do not reflect the unique attack surface of a new mobile payment app using modern encryption protocols like TLS 1.3 or E2EE. Option D is wrong because vendor-provided security white papers for the encryption product are promotional and biased, often omitting real-world threat scenarios or zero-day vulnerabilities that could affect the application's specific implementation.

68
MCQmedium

Based on the exhibit, what is the MOST appropriate immediate risk response?

A.Transfer the risk
B.Accept the risk
C.Implement compensating controls
D.Ignore the risk
AnswerC

Compensating controls reduce risk until a patch is available.

Why this answer

The exhibit indicates a critical vulnerability in a core network device (e.g., a Cisco router with a known CVE in its IOS) that is actively being exploited. Implementing compensating controls, such as deploying an access control list (ACL) to block the exploit's specific traffic pattern or enabling Control Plane Policing (CoPP), immediately reduces the attack surface while a permanent patch is scheduled. This is the most appropriate response because it directly mitigates the risk without waiting for a vendor fix or accepting potential compromise.

Exam trap

The trap here is that candidates often confuse 'accept the risk' as a valid immediate response when the question emphasizes 'immediate,' failing to recognize that compensating controls are the correct first step to reduce exposure before acceptance or transfer can be considered.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via cyber insurance) does not reduce the immediate technical exposure; the vulnerability remains exploitable on the device. Option B is wrong because accepting the risk would leave the critical network infrastructure open to active exploitation, which is unacceptable given the severity and known exploit. Option D is wrong because ignoring the risk is not a valid risk response in CRISC; it represents negligence and violates the principle of due care, especially when a technical control can be rapidly applied.

69
MCQeasy

Refer to the exhibit. A SIEM correlation rule 'Brute_Force_SSH' has fired excessively due to traffic from internal monitoring servers. What is the BEST course of action?

A.Disable the correlation rule to stop false alerts.
B.Increase the threshold to reduce false positives.
C.Investigate the monitoring servers for compromise.
D.Add an exception in the rule to exclude internal monitoring server IPs.
AnswerD

Targeted tuning reduces false positives.

Why this answer

Option D is correct because the rule is generating false positives from legitimate monitoring servers; tuning the rule to exclude known monitoring sources will reduce noise. Option A is wrong because disabling the rule removes detection for real brute-force attempts. Option B is wrong because raising the threshold leaves the false positives unaddressed and may lead to alert fatigue.

Option C is wrong because the traffic is from known servers, not suspicious.

70
MCQ (medium)

Based on the exhibit, which vulnerability poses the HIGHEST risk to the organization?

A. CVE-2022-9876 on the file server
B. CVE-2023-5678 on the web server
C. CVE-2023-1234 on the critical server
D. All vulnerabilities pose equal risk
Answer: C

Unpatched critical vulnerability with high CVSS score.

Why this answer

Option A is correct because the critical server has an unpatched remote code execution vulnerability with a CVSS score of 9.8, indicating high exploitability and impact. Option B is wrong because the web server vulnerability is patched, so risk is mitigated. Option C is wrong because the file server vulnerability is medium severity and has compensating controls, reducing risk.

Option D is wrong because this is an exhibit question; the answer is among the listed vulnerabilities.

71
MCQ (hard)

Refer to the exhibit. The control test failed because unauthorized access attempts were detected. The remediation plan suggests additional logging. Is this remediation appropriate?

A. No, the control test methodology is flawed.
B. Yes, because the control is detective in nature.
C. Yes, additional logging will help detect future attempts.
D. No, the remediation should focus on strengthening access controls.
Answer: D

Root cause is unauthorized access; need stronger preventive controls.

Why this answer

Option D is correct because the control test failure was due to unauthorized access attempts, which indicates a weakness in preventive controls. Adding logging (a detective control) does not address the root cause; the remediation should focus on strengthening access controls (e.g., tightening authentication, authorization, or firewall rules) to prevent unauthorized access in the first place. Logging alone would only record future incidents without reducing their likelihood.

Exam trap

The trap here is that candidates confuse 'detecting' with 'preventing' and assume that adding logging is always a valid remediation, but CRISC emphasizes that remediation must address the root cause of the control failure, not just add monitoring.

How to eliminate wrong answers

Option A is wrong because the control test methodology is not inherently flawed; the test correctly identified unauthorized access attempts, so the issue lies with the control's effectiveness, not the testing approach. Option B is wrong because while the control may be detective in nature, the remediation of adding logging is still inappropriate—it fails to address the preventive weakness that allowed unauthorized access, and detective controls should complement, not replace, preventive measures. Option C is wrong because although additional logging will help detect future attempts, detection without prevention does not remediate the underlying vulnerability; the goal should be to stop unauthorized access, not just log it.

72
MCQ (medium)

An organization has received a critical vulnerability alert for a web application firewall. The risk owner is on leave. What should the risk manager do?

A. Escalate to the designated alternate risk owner for decision.
B. Apply the patch immediately without consultation.
C. Accept the risk since the impact is unknown.
D. Wait for the risk owner to return to avoid overstepping authority.
Answer: A

Proper escalation ensures accountability and timely response.

Why this answer

When the risk owner is unavailable, the risk manager must ensure that risk decisions are still made in a timely manner, especially for critical vulnerabilities. Escalating to the designated alternate risk owner is the correct action because it maintains the chain of accountability and enables an informed decision on whether to apply mitigations, such as patching the WAF, without unnecessary delay.

Exam trap

The trap here is that candidates may assume immediate patching (Option B) is always the correct response for a critical vulnerability, but CRISC emphasizes that risk decisions must be made by the designated risk owner or their alternate, not unilaterally by the risk manager.

How to eliminate wrong answers

Option B is wrong because applying the patch immediately without consultation bypasses the risk owner's authority and could introduce unintended side effects, such as breaking WAF rules or causing service disruption, without a proper risk assessment. Option C is wrong because accepting the risk when the impact is unknown violates the principle of informed risk acceptance; the risk manager must first gather information or escalate to someone with the authority to accept or reject the risk. Option D is wrong because waiting for the risk owner to return could leave a critical vulnerability unaddressed for an extended period, increasing the likelihood of exploitation and violating incident response timelines.

73
MCQ (medium)

Refer to the exhibit. A security analyst reviews firewall logs and sees repeated authentication failures for VPN tunnel attempts between two IP addresses. What is the MOST appropriate action?

A. Block the source IP (203.0.113.5) at the firewall.
B. Contact the destination IP owner to verify credentials.
C. Update the VPN policy to allow all authentication methods.
D. Ignore the logs as routine failed attempts.
Answer: A

Blocking the attacking IP mitigates threat.

Why this answer

Option B is correct because repeated authentication failures indicate a potential brute-force attack or misconfiguration. Blocking the source IP can prevent further attempts. Option A is wrong because ignoring may allow continued attack.

Option C is wrong because updating policy for all sources is too broad. Option D is wrong because contacting the destination without investigation is premature.

74
Multi-Select (medium)

A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?

Select 2 answers
A. Potential for service downtime affecting patient care.
B. Data residency and jurisdiction issues.
C. Loss of control over the cloud provider's internal access controls.
D. Insufficient encryption of data at rest and in transit.
E. Vendor lock-in due to proprietary APIs.
Answers: B, D

Data may be stored in countries with inadequate privacy laws.

Why this answer

Data residency and jurisdiction issues (B) are a top risk because healthcare data is subject to strict regulations like HIPAA and GDPR, which may require data to remain within specific geographic boundaries. Migrating EHRs to a public cloud can inadvertently place data in regions with different legal protections, exposing the organization to non-compliance and legal penalties.

Exam trap

The trap here is that candidates often confuse operational risks (like downtime) or general security risks (like access control) with the specific regulatory and privacy risks that are most significant for healthcare data in the cloud, while overlooking the foundational compliance requirements of data residency and encryption.

75
MCQ (easy)

A global manufacturing company is implementing a new ERP system across multiple regions. The project manager has identified a risk that data migration from legacy systems may cause data corruption, leading to production delays. The risk owner proposes conducting a full data reconciliation after migration. However, the IT director argues that this would be too time-consuming and suggests only sampling data for verification. The risk manager must decide on the risk response. The project timeline is tight, and the company has a low tolerance for data integrity issues. Which of the following is the BEST course of action?

A. Accept the risk and proceed with data sampling to save time
B. Avoid the risk by postponing the ERP implementation
C. Implement the full data reconciliation as proposed by the risk owner
D. Transfer the risk by purchasing insurance for data corruption
Answer: C

Full reconciliation directly addresses the risk and aligns with low tolerance for data integrity issues.

Why this answer

Full data reconciliation is the correct risk response because the company has a low tolerance for data integrity issues and the risk of data corruption could cause production delays. While time-consuming, this approach directly mitigates the identified risk by ensuring all migrated data is verified, aligning with the risk appetite. Sampling would leave a margin of error unacceptable for a low-tolerance environment, and the other options either fail to address the risk or are impractical.

Exam trap

The trap here is that candidates may choose data sampling (Option A) as a compromise to save time, overlooking that the company's low tolerance for data integrity issues demands full verification, not a statistical shortcut.

How to eliminate wrong answers

Option A is wrong because accepting the risk with data sampling ignores the company's low tolerance for data integrity issues and could leave undetected corruption that causes production delays. Option B is wrong because avoiding the risk by postponing the ERP implementation is an extreme overreaction that does not address the immediate need for migration and would cause significant business disruption. Option D is wrong because transferring the risk via insurance does not prevent data corruption or production delays; it only provides financial compensation after the fact, which does not meet the requirement for data integrity.
