Certified in Risk and Information Systems Control CRISC (CRISC) — Questions 676–750

982 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676 · Multi-Select · easy

A risk register is being created for a new ERP implementation project. Which TWO of the following risks should be included in the project's risk register? (Choose two.)

Select 2 answers
A.Risk of data breach due to misconfigured cloud storage
B.Risk of regulatory non-compliance with new data protection laws
C.Risk of project delays due to resource shortages
D.Risk of budget overrun due to scope creep
E.Risk of hardware failure in the data center
Answers: C, D

Correct. Resource shortage is a common project risk.

Why this answer

Project risks include delays, budget overruns, and scope changes. Data breach and regulatory non-compliance are operational/compliance risks that may apply post-implementation but are not specific to the project's execution.

677 · MCQ · medium

A risk practitioner is prioritizing IT risks for treatment. Which factor should be the PRIMARY basis for prioritization?

A.Ease of implementing controls
B.Risk level (inherent or residual)
C.Cost of controls
D.Business unit manager's preference
Answer: B

Higher risk levels warrant higher priority.

Why this answer

Risk prioritization is primarily based on the level of risk (inherent or residual) to allocate resources to the most critical risks. Ease of mitigation, cost, and business unit preference are secondary.

678 · MCQ · hard

A company calculates the annualized loss expectancy (ALE) for a server outage as $75,000. The cost to implement a high-availability solution is $200,000 with a lifespan of 5 years and annual maintenance of $10,000. What is the residual risk if the solution reduces outage likelihood by 90%?

A.$50,000
B.$7,500
C.$42,500
D.$57,500
Answer: B

Residual risk is the ALE after control implementation: $75,000 * 0.1 = $7,500.

Why this answer

The correct answer is B: $7,500. The annualized loss expectancy (ALE) before mitigation is $75,000. The high-availability solution reduces outage likelihood by 90%, so the residual ALE is 10% of $75,000 = $7,500.

The cost of the solution ($200,000 capital with $10,000 annual maintenance over 5 years, or $50,000 per year on a straight-line basis) feeds the cost-benefit calculation: the control removes $67,500 of expected annual loss for $50,000 of annual cost, a net benefit of $17,500 per year. It does not affect the residual risk figure, which is purely the remaining expected loss after the control is applied.

Exam trap

The trap here is that candidates often mistakenly include the cost of the control (annualized or total) in the residual risk calculation, confusing residual risk (the remaining expected loss) with the net financial benefit or cost of the solution.

How to eliminate wrong answers

Option A ($50,000) is the annualized cost of the control ($200,000 / 5 years + $10,000 maintenance), not the remaining expected loss; it answers "what does the control cost per year", not "what risk is left". Option D ($57,500) is that annualized control cost plus the residual ALE ($50,000 + $7,500), i.e., the total annual cost of carrying the risk with the control in place, which is a useful budgeting figure but not residual risk. Option C ($42,500) is the annualized control cost less the residual ALE ($50,000 − $7,500), a number with no meaning in this analysis. None of the three is residual risk, which depends only on the ALE and the likelihood reduction, never on what the control costs.
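As an added worked example (not part of the original question bank), the calculation above generalized to any control: residual ALE from the likelihood reduction, the control's straight-line annualized cost, and the net benefit, ranked across candidate controls. The figures for the high-availability solution are the question's own; the warm-standby option is hypothetical and exists only to show the ranking.

```python
"""Residual ALE and control cost-benefit, generalized to several candidate controls.
Added example; the second control option is hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlOption:
    name: str
    capex: float                  # one-time implementation cost
    lifespan_years: int           # years over which capex is amortized (straight line)
    annual_opex: float            # recurring maintenance cost per year
    likelihood_reduction: float   # fraction of the ALE the control removes, 0.0 to 1.0


def residual_ale(ale: float, likelihood_reduction: float) -> float:
    """Expected annual loss that remains once the control is in place."""
    if not 0.0 <= likelihood_reduction <= 1.0:
        raise ValueError("likelihood_reduction must be between 0 and 1")
    return ale * (1.0 - likelihood_reduction)


def annualized_cost(option: ControlOption) -> float:
    """Straight-line amortized capex plus recurring opex, per year."""
    if option.lifespan_years <= 0:
        raise ValueError("lifespan_years must be positive")
    return option.capex / option.lifespan_years + option.annual_opex


def evaluate(ale: float, option: ControlOption) -> dict:
    """Keep the residual risk (what is still expected to be lost) separate from the control's economics."""
    residual = residual_ale(ale, option.likelihood_reduction)
    cost = annualized_cost(option)
    reduction = ale - residual
    return {
        "control": option.name,
        "residual_ale": residual,
        "annualized_cost": cost,
        "risk_reduction": reduction,
        "net_annual_benefit": reduction - cost,        # > 0 means the control pays for itself
        "total_annual_cost_of_risk": residual + cost,  # what the business still spends on this risk
    }


def rank_controls(ale: float, options: list) -> list:
    """Best net benefit first; the 'do nothing' baseline is the ALE itself."""
    return sorted((evaluate(ale, o) for o in options),
                  key=lambda row: row["net_annual_benefit"], reverse=True)


# Figures from the question: ALE $75,000; HA solution $200,000 over 5 years + $10,000/yr, 90% reduction.
HA_CLUSTER = ControlOption("high-availability cluster", 200_000, 5, 10_000, 0.90)
# Hypothetical cheaper option for comparison (not from the question).
WARM_STANDBY = ControlOption("warm standby at second site", 60_000, 5, 20_000, 0.60)

if __name__ == "__main__":
    for row in rank_controls(75_000, [HA_CLUSTER, WARM_STANDBY]):
        print(f"{row['control']:<30} residual ${row['residual_ale']:>9,.0f}  "
              f"cost/yr ${row['annualized_cost']:>9,.0f}  net ${row['net_annual_benefit']:>9,.0f}")
```

For the question's numbers the HA cluster yields residual $7,500, annualized cost $50,000 and net benefit $17,500; the separate `total_annual_cost_of_risk` field ($57,500) is the distractor value from option D, shown here so the two concepts stay visibly apart.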

679 · Multi-Select · easy

Which THREE of the following are examples of risk mitigation controls? (Select THREE.)

Select 3 answers
A.Firewall
B.Outsourcing IT helpdesk
C.Encryption
D.Security awareness training
E.Cyber insurance
Answers: A, C, D

Firewalls reduce the likelihood of network attacks.

Why this answer

A firewall is a risk mitigation control because it enforces network security policies by filtering traffic based on rules, thereby reducing the likelihood of unauthorized access or attacks. It directly reduces the probability of a threat exploiting a vulnerability, which is the essence of mitigation.

Exam trap

The trap here is confusing risk mitigation (which reduces likelihood or impact) with risk transfer (which shifts the financial burden to another party), leading candidates to incorrectly select outsourcing or insurance as mitigation controls.

680 · MCQ · hard

An organization uses the PASTA threat modeling methodology for a new e-commerce platform. Which of the following is a key characteristic of PASTA?

A.It is a requirements-based model that uses a risk management perspective
B.It uses visual diagrams to represent threats in an agile manner
C.It emphasizes business impact analysis and attack simulation
D.It focuses on agile development and integrates with DevSecOps
Answer: C

Why this answer

PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric threat modeling methodology that includes business impact analysis and attack simulation, aligning security with business objectives.

681 · Multi-Select · medium

Which THREE of the following are components of an effective IT risk reporting structure for a large enterprise? (Select THREE)

Select 3 answers
A.Strategic risk reporting to the board on a semi-annual basis
B.Tactical risk reporting to the CISO on a quarterly basis
C.Annual risk reporting to IT operational staff
D.Daily risk reporting to the board
E.Operational risk reporting to IT management on a weekly basis
Answers: A, B, E

Strategic reporting provides high-level risk information for governance.

Why this answer

Strategic risk reporting to the board on a semi-annual basis is correct because the board requires high-level, aggregated risk information that aligns with enterprise strategy and risk appetite. Semi-annual reporting provides sufficient frequency for oversight without overwhelming the board with operational details, consistent with governance frameworks such as COBIT and ISO 31000, which call for risk reporting to be tailored to its audience rather than pushing operational detail upward.

Exam trap

The trap here is that candidates confuse the frequency and audience for risk reporting, assuming that more frequent reporting to higher levels is always better, when in fact the board needs less frequent, strategic summaries and operational staff need more frequent, detailed updates.

682 · MCQ · easy

You are the risk manager for a healthcare provider. A risk assessment identified that patient data is transmitted over unencrypted connections between clinics and the data center. The existing controls include strong network perimeter defenses. The risk is rated as high. Management is concerned about the cost of implementing encryption. You have proposed a control that encrypts data in transit. However, the network team argues that the perimeter controls are sufficient. What is the MOST appropriate response?

A.Transfer the risk to a third party by outsourcing data transmission.
B.Accept the risk because perimeter controls are in place.
C.Reduce the risk rating to medium since perimeter controls provide compensating security.
D.Implement encryption as recommended because it addresses the vulnerability directly.
Answer: D

Provides necessary protection for data in transit.

Why this answer

Option D is correct because encrypting data in transit directly addresses the vulnerability of unencrypted connections, which is the root cause of the high risk. Perimeter controls such as firewalls and IDS/IPS inspect traffic at the boundary of a network; they do nothing for the confidentiality of data on the links between the clinics and the data center, where anyone with access to the path can read it. Implementing encryption (for example TLS 1.2/1.3 at the application layer, or IPsec between the sites) protects the data on the wire regardless of perimeter strength, provided certificates or keys are validated so that an interposed party cannot simply terminate the tunnel itself.

Exam trap

The trap here is that candidates may treat perimeter controls (e.g., firewalls) as a compensating control for data-in-transit encryption, failing to recognize that a perimeter device filters what enters and leaves a network but cannot stop interception of cleartext traffic on the path between two sites.

How to eliminate wrong answers

Option A is wrong because transferring risk to a third party does not eliminate the vulnerability; the third party would still need to encrypt data in transit, and outsourcing introduces additional risks such as vendor management and data sovereignty. Option B is wrong because accepting the risk ignores the high-risk rating and the fact that perimeter controls do not protect data in transit from eavesdropping attacks such as packet sniffing or man-in-the-middle (MITM) interception. Option C is wrong because lowering the rating on the strength of a control that does not address the vulnerability is an unsupported adjustment, not a compensating control; perimeter filtering and transport encryption defend against different threats (unauthorized inbound access versus eavesdropping on the path), so one does not substitute for the other.
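An added example, not from the page: a hardened Python TLS client context beside the weak configuration that "encrypts" without authenticating the peer, and an audit function that flags the weak settings. It uses only the standard `ssl` module, no connection is opened, and the trust store is whatever the system provides, so it runs offline.

```python
"""Hardened vs weak TLS client settings, with an audit that flags the weak ones.
Added example using only the standard library; no network connection is made."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """What the proposed control needs: verified certificate, hostname check, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED, check_hostname=True, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: traffic is encrypted but the peer is never authenticated,
    so a party interposed on the inter-site link can terminate the session itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise; an empty list means the context meets the bar."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the hostname (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

The point for the question: "we use TLS" is not the control. Encryption without certificate validation and hostname matching still leaves the clinic-to-data-center path open to an interposed party, so the audit checks those settings rather than merely whether a TLS wrapper is present.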

683 · MCQ · easy

Which of the following is a limitation of qualitative risk analysis?

A.It cannot be used for regulatory compliance.
B.It provides subjective results that are not comparable across organizations.
C.It requires specialized software to perform.
D.It is too data-intensive and time-consuming.
Answer: B

Subjectivity and lack of comparability are key limitations.

Why this answer

Qualitative analysis is subjective and results may not be comparable across different organizations due to varying risk appetites and interpretations.

684 · MCQ · medium

An organization is designing an IT risk management program. Which of the following should be the PRIMARY consideration when developing a risk register?

A.Aligning risk categories with the COSO internal control framework
B.Ensuring that the register is integrated with the enterprise risk management system
C.Automating the risk register with real-time risk monitoring tools
D.Capturing risk details, including impact, likelihood, and mitigation status
Answer: D

The risk register must contain key risk attributes for tracking and reporting.

Why this answer

A risk register should capture and track identified risks, their assessed impact and likelihood, and planned mitigation actions to enable effective risk management.

685 · MCQ · medium

A financial institution is evaluating cyber insurance to cover potential losses from a ransomware attack. Which factor is most likely to increase the insurance premium?

A.Weak access controls and lack of multi-factor authentication
B.Regular third-party security audits
C.Comprehensive security awareness training for all employees
D.Implementation of multi-factor authentication across all systems
Answer: A

Higher risk leads to higher premium.

Why this answer

Weak access controls (e.g., lack of multi-factor authentication) increase the likelihood and potential impact of a ransomware attack, leading insurers to charge higher premiums.

686 · MCQ · medium

A company relies on a third-party cloud provider for critical data processing. As part of its vendor risk management program, the company wants to implement continuous monitoring of the provider's controls. Which of the following is the BEST approach?

A.Monitor the provider's service level agreements (SLAs) for uptime
B.Conduct monthly manual attestation surveys with the provider
C.Require the provider to perform quarterly penetration tests
D.Obtain and review the provider's SOC 2 Type II report on an ongoing basis
Answer: D

SOC 2 reports provide continuous assurance over relevant controls.

Why this answer

A SOC 2 Type II report provides independent assurance over a service provider's controls related to security, availability, processing integrity, confidentiality, and privacy. Obtaining and reviewing this report on an ongoing basis (e.g., annually or upon issuance) is the most effective continuous monitoring approach because it offers a comprehensive, third-party assessment of control effectiveness over a period of time, directly addressing the need for ongoing vendor risk monitoring. When relying on the report, the practitioner should read the auditor's exceptions and the complementary user-entity controls (CUECs) the provider expects the customer to operate, confirm that the examination period and scope cover the services actually consumed, and obtain a bridge letter for the months between the end of the report period and the present.

Exam trap

The trap here is that candidates often confuse operational monitoring (e.g., SLA uptime) with control monitoring, or they assume periodic testing (e.g., quarterly pen tests) is sufficient for continuous assurance, but the CRISC exam emphasizes independent, ongoing evidence of control effectiveness, which a SOC 2 Type II report uniquely provides.

How to eliminate wrong answers

Option A is wrong because monitoring SLAs for uptime only tracks availability metrics, not the effectiveness of security or privacy controls, and SLAs are contractual commitments, not evidence of control operation. Option B is wrong because monthly manual attestation surveys are subjective, rely on self-reporting, and are not continuous; they introduce latency and potential bias, failing to provide independent, verifiable evidence of control performance. Option C is wrong because quarterly penetration tests are point-in-time assessments that test specific technical vulnerabilities, not the ongoing operation of the provider's overall control environment, and they do not cover all control domains (e.g., access management, change management).

687 · MCQ · easy

Which of the following BEST describes inherent risk?

A.The risk level before any controls are applied
B.The level of risk after implementing controls
C.The amount of risk the organization is willing to accept
D.The risk level that remains after considering existing controls
Answer: A

Inherent risk is the gross risk without mitigation.

Why this answer

Inherent risk is defined as the level of risk that exists in the absence of any controls or mitigations. It represents the raw, untreated risk exposure that an organization faces from a specific threat-vulnerability pair, such as the risk of data exfiltration from an unpatched web server before any firewall rules, intrusion detection systems, or encryption are applied.

Exam trap

The trap here is confusing inherent risk with residual risk, as many candidates mistakenly think that 'risk after controls' is the starting point, but CRISC defines inherent risk as the risk level before any controls are applied.

How to eliminate wrong answers

Option B is wrong because it describes residual risk, which is the risk level after controls are implemented. Option C is wrong because it defines risk appetite, the amount of risk an organization is willing to accept, not inherent risk. Option D is wrong because it also describes residual risk, which is the risk remaining after considering existing controls, not the baseline before controls.

688 · MCQ · hard

Based on the exhibit, which control is most critical to address first to reduce the risk of unauthorized access?

A.Segregation of duties conflict resolution timeliness.
B.Privileged access review frequency.
C.User access recertification completion rate.
D.Terminated employee account disabling timeliness.
Answer: A

At 85% vs target 90%, unresolved SoD conflicts pose a significant risk of unauthorized transactions.

Why this answer

Option A is correct because segregation of duties (SoD) conflict resolution timeliness directly addresses the risk that unresolved conflicts could allow a single user to execute unauthorized actions across multiple systems. If SoD conflicts are not resolved promptly, a user might retain incompatible roles (e.g., both creating and approving purchase orders), enabling fraud or unauthorized access without detection. This control is foundational because it prevents the accumulation of excessive privileges that bypass other access controls.

Exam trap

ISACA often tests the misconception that reactive controls like access reviews or account disabling are more critical than proactive controls like SoD conflict resolution, but the question targets the root cause of unauthorized access, the accumulation of incompatible privileges, which timely SoD resolution addresses before the conflicting access can be exercised.

How to eliminate wrong answers

Option B is wrong because privileged access review frequency, while important, is a detective control that identifies excessive privileges after they have been granted; it does not prevent the initial accumulation of incompatible roles that enable unauthorized access. Option C is wrong because user access recertification completion rate focuses on periodic validation of existing access, but it does not address the real-time risk of unresolved SoD conflicts that can be exploited immediately. Option D is wrong because terminated employee account disabling timeliness is a critical control for removing access of ex-employees, but it does not mitigate the risk of current employees with conflicting roles that allow unauthorized actions within their legitimate sessions.

689 · MCQ · medium

A large retail company is implementing a new cloud-based inventory management system. The system will store sensitive customer data and integrate with existing on-premises ERP. The risk manager is asked to identify the most critical risk to address in the shared responsibility model. Which risk is MOST likely to be overlooked?

A.Vendor lock-in
B.Multi-tenancy isolation
C.Misconfiguration of access controls
D.Data sovereignty compliance
Answer: C

Access control misconfiguration is a leading cause of cloud data breaches and is often underestimated in the shared responsibility model.

Why this answer

In the shared responsibility model, the customer is responsible for data classification and access controls. Misconfiguration of access controls is a common overlooked risk that can lead to data breaches.

690 · MCQ · medium

An organization is evaluating the risk of a ransomware attack. Using the FAIR framework, which of the following components directly multiplies to calculate Loss Event Frequency (LEF)?

A.Control Effectiveness and Residual Risk
B.Annual Loss Expectancy and Single Loss Expectancy
C.Primary Loss and Secondary Loss
D.Threat Event Frequency and Vulnerability
Answer: D

Correct. LEF = TEF × Vulnerability.

Why this answer

In FAIR, Loss Event Frequency (LEF) is calculated as Threat Event Frequency (TEF) multiplied by Vulnerability (V).

691 · MCQ · hard

After implementing controls for a high-risk IT process, the residual risk is calculated as medium. The risk owner argues that the controls are not adequate because the inherent risk was critical. Which of the following should be the primary basis for determining control adequacy?

A.The number of controls implemented
B.The reduction from inherent risk to residual risk based on control effectiveness
C.The cost of controls relative to the asset value
D.The industry standards for similar processes
Answer: B

Correct. Adequacy is measured by how effectively controls reduce risk.

Why this answer

Control adequacy is determined by assessing both design adequacy and operating effectiveness, which together reduce inherent risk to the desired residual risk level.

692 · Multi-Select · medium

A risk manager is integrating the NIST Cybersecurity Framework with the organization's risk management processes. Which TWO functions of the NIST CSF directly support risk assessment?

Select 2 answers
A.Detect
B.Identify
C.Recover
D.Protect
E.Respond
Answers: B, D

Identify includes risk assessment, asset management, and governance.

Why this answer

The Identify function covers risk assessment and management, and the Protect function involves safeguards that are assessed for effectiveness.

693 · Multi-Select · hard

A company's IT risk manager is evaluating Key Risk Indicators (KRIs) for the cybersecurity function. Which TWO of the following are valid examples of leading KRIs?

Select 2 answers
A.System downtime due to security incidents
B.Patch lag metric for critical systems
C.Failed authentication spike detection
D.Number of audit findings related to access controls
E.Number of successful cyber attacks in the past quarter
Answers: B, C

Patch lag is a leading indicator of vulnerability risk.

Why this answer

Option B is correct because a patch lag metric measures the time taken to apply security patches to critical systems, which is a proactive indicator of potential vulnerability exposure before an exploit occurs. As a leading KRI, it predicts future security incidents by highlighting delayed remediation efforts, aligning with the CRISC focus on forward-looking risk indicators.

Exam trap

The trap here is confusing lagging indicators (which measure past events like downtime or audit findings) with leading indicators (which predict future risk), leading candidates to select outcome-based metrics like successful attacks instead of proactive measures like patch lag.
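Added example, not from the original: the two leading KRIs the answer selects, computed from constructed data. Patch lag is measured against an assumed 14-day SLA for critical systems, and the failed-authentication spike detector compares each hour's count with the mean and standard deviation of the preceding hours. The hostnames, dates, IP addresses and log format are made up for the illustration.

```python
"""Two leading KRIs from constructed data: patch lag against an SLA, and failed-authentication
spikes against a rolling baseline. Added example; hosts, dates, IPs and log lines are made up."""
import re
from collections import Counter
from datetime import date
from statistics import mean, pstdev

# Constructed: newest critical patch per system, vendor release date and date applied (None = missing).
PATCH_RECORDS = [
    {"host": "erp-db-01",  "released": date(2024, 3, 1), "applied": date(2024, 3, 9)},
    {"host": "erp-app-01", "released": date(2024, 3, 1), "applied": date(2024, 3, 30)},
    {"host": "payroll-01", "released": date(2024, 3, 1), "applied": None},
]
AS_OF = date(2024, 4, 2)   # reporting date for the KRI


def patch_lag(records, as_of=AS_OF, sla_days=14):
    """Per-system lag in days (an unapplied patch keeps accruing) and the share of systems past the SLA."""
    rows = []
    for r in records:
        lag = ((r["applied"] or as_of) - r["released"]).days
        rows.append({"host": r["host"], "lag_days": lag,
                     "applied": r["applied"] is not None, "past_sla": lag > sla_days})
    past = sum(1 for row in rows if row["past_sla"])
    return rows, past / len(rows)


def build_auth_log():
    """Constructed sshd-style lines: seven quiet hours, then a burst from one source."""
    spec = [("09", 2, "198.51.100.2"), ("10", 1, "198.51.100.9"), ("11", 2, "198.51.100.2"),
            ("12", 1, "198.51.100.4"), ("13", 2, "198.51.100.2"), ("14", 1, "198.51.100.9"),
            ("15", 2, "198.51.100.4"), ("16", 14, "203.0.113.7")]
    lines = []
    for hour, count, ip in spec:
        for i in range(count):
            lines.append(f"2024-04-02T{hour}:{i:02d}:30Z sshd[1101]: "
                         f"Failed password for admin from {ip} port {5000 + i}")
    return lines


LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z .*Failed password for (\S+) from (\S+)")


def failed_auth_spikes(lines, z=3.0, min_count=5, warmup=3):
    """Flag an hour whose failure count exceeds mean + z*stdev of the preceding hours.
    stdev is floored at 1 so a flat baseline does not turn a single extra failure into a 'spike'.
    Hours with zero failures are absent from the counter, which biases the baseline slightly upward."""
    per_hour = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            per_hour[m.group(1)] += 1
    hours = sorted(per_hour)
    spikes = []
    for i, hour in enumerate(hours):
        if i < warmup:
            continue
        history = [per_hour[h] for h in hours[:i]]
        threshold = mean(history) + z * max(pstdev(history), 1.0)
        if per_hour[hour] >= min_count and per_hour[hour] > threshold:
            spikes.append({"hour": hour, "count": per_hour[hour], "threshold": round(threshold, 2)})
    return spikes


if __name__ == "__main__":
    rows, share = patch_lag(PATCH_RECORDS)
    print(f"{share:.0%} of critical systems past patch SLA", rows)
    print(failed_auth_spikes(build_auth_log()))
```

Both metrics move before any loss occurs, which is what makes them leading: two of three systems past the patch SLA is exposure that has not yet been exploited, and the 14 failures in the final hour are an attack in progress rather than a breach already counted.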

694 · MCQ · hard

In the FAIR model, which component represents the probable frequency, within a given timeframe, that a threat agent will act against an asset?

A.Vulnerability
B.Loss Event Frequency (LEF)
C.Annualized Rate of Occurrence (ARO)
D.Threat Event Frequency (TEF)
Answer: D

TEF measures how often a threat agent acts.

Why this answer

In the FAIR model, Threat Event Frequency (TEF) is the component that estimates how often, within a given timeframe, a threat agent (such as a hacker or malware) will initiate an action against an asset. This directly matches the question's definition of 'probable frequency that a threat agent will act against an asset.' TEF is a primary input for calculating Loss Event Frequency (LEF) and ultimately risk.

Exam trap

The trap here is that candidates confuse Loss Event Frequency (LEF) with Threat Event Frequency (TEF), because LEF is the more commonly cited output in risk reports, but the question specifically asks for the frequency of the threat agent acting, not the resulting loss event.

How to eliminate wrong answers

Option A is wrong because Vulnerability represents the probability that an asset cannot resist a threat event, not the frequency of threat agent actions. Option B is wrong because Loss Event Frequency (LEF) is the probable frequency of loss events occurring, which is derived from Threat Event Frequency (TEF) and Vulnerability, not the raw frequency of threat agent actions. Option C is wrong because Annualized Rate of Occurrence (ARO) belongs to the classic quantitative method in which ALE = SLE × ARO; it estimates how many times per year a loss is expected and is not a FAIR component for threat agent action frequency.

695 · MCQ · medium

An organization's risk report shows a risk heat map with several risks in the high-likelihood, high-impact quadrant. What is the most appropriate action for the risk owner?

A.Report to the board without any analysis
B.Ignore the risks as they are inherent
C.Accept the risk without further action
D.Evaluate current controls and consider additional treatment
Answer: D

This is the appropriate risk response.

Why this answer

Controls should be evaluated for effectiveness, and if inadequate, additional risk treatment options should be considered to reduce risk to an acceptable level.

696 · Multi-Select · medium

Which TWO of the following are primary objectives of control monitoring?

Select 2 answers
A.To calculate the financial impact of control failures.
B.To provide assurance to stakeholders that controls are functioning.
C.To determine the design adequacy of controls.
D.To verify that controls are operating effectively.
E.To identify new risks that were not previously assessed.
Answers: B, D

Monitoring provides ongoing assurance.

Why this answer

Control monitoring's primary objectives are to provide assurance to stakeholders that controls are functioning as intended and to verify that controls are operating effectively on an ongoing basis. This aligns with the CRISC framework's emphasis on continuous assurance over control performance, not just periodic assessment.

Exam trap

The trap here is confusing the objectives of control monitoring with those of risk assessment or control design, leading candidates to select options about identifying new risks or calculating financial impact, which belong to separate CRISC domains.

697 · MCQ · easy

Which COBIT 2019 domain objective focuses on ensuring that risk is optimized through evaluation, direction, and monitoring?

A.EDM01 — Ensure Governance Framework Setting and Maintenance
B.EDM02 — Ensure Benefits Delivery
C.EDM04 — Ensure Resource Optimization
D.EDM03 — Ensure Risk Optimization
Answer: D

This is the correct objective for risk optimization.

Why this answer

EDM03 — Ensure Risk Optimization is the governance objective that addresses risk management evaluation, direction, and monitoring.

698 · MCQ · hard

You are a risk practitioner at a financial institution that is migrating its core banking system to a cloud provider. The migration plan includes a phased approach, with the first phase moving non-critical applications. However, during the second phase (moving customer-facing applications), the cloud provider experiences a major outage that lasts 6 hours. The outage was caused by a misconfiguration in the provider's network. The institution had conducted a risk assessment and identified cloud provider downtime as a risk, but the treatment plan only included a service level agreement (SLA) with financial penalties. The SLA does not cover the reputational damage and loss of customer trust. The risk register shows that the residual risk level was marked as 'low' before the incident. After the incident, senior management is demanding a review. Which of the following is the MOST appropriate action for the risk practitioner to take?

A.Negotiate a higher penalty in the SLA
B.Initiate a legal claim against the provider
C.Update the risk register to reflect the incident and accept the residual risk
D.Reassess the risk and recommend implementing a multi-cloud architecture for critical applications
Answer: D

Multi-cloud reduces dependency on a single provider and addresses the impact.

Why this answer

Option D is correct because the incident revealed that the existing risk treatment (SLA financial penalties) was insufficient to address the actual impact (reputational damage and loss of customer trust). The risk practitioner must reassess the risk with the new information and recommend a more robust mitigation strategy, such as multi-cloud architecture, to reduce the likelihood or impact of a single provider's outage affecting critical customer-facing applications.

Exam trap

The trap here is that candidates may think updating the risk register (Option C) is sufficient, but CRISC emphasizes that after a risk materializes with greater impact than assessed, the risk must be reassessed and the treatment plan revised, not just documented.

How to eliminate wrong answers

Option A is wrong because negotiating a higher penalty in the SLA still does not address the unmitigated reputational damage and loss of customer trust; financial penalties compensate for direct costs but not intangible impacts. Option B is wrong because initiating a legal claim is a reactive, punitive measure that does not improve future resilience and may be precluded by the SLA's limitation of liability clauses. Option C is wrong because simply updating the risk register to reflect the incident and accepting the residual risk ignores the need to reassess and improve controls after a realized risk that exceeded the accepted level.

699 · MCQ · hard

A quantitative risk analysis for a phishing campaign estimates that threat event frequency is 50 per year, vulnerability is 0.1 (10% of users will click), and loss magnitude per successful attack is $10,000. However, the analyst notes a 90% confidence interval of $5,000 to $20,000 for loss magnitude. Which of the following best describes a limitation of this quantitative analysis?

A.The analysis requires extensive data and is time-consuming
B.The analysis is subjective and not comparable across organizations
C.The results are always accurate and reliable
D.The results are easy to communicate to non-technical stakeholders
Answer: A

Quantitative analysis is data-intensive and time-consuming, especially when dealing with uncertainty ranges.

Why this answer

Quantitative analysis often produces uncertainty ranges, making results less precise than they appear and requiring careful interpretation. Here the point estimate is 50 × 0.1 × $10,000 = $50,000 per year, but carrying the analyst's own 90% interval through the same formula gives $25,000 to $100,000, and producing a defensible interval at all requires loss data the organization may not have.
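Added example covering questions 690, 694 and 699, not from the original: LEF = TEF × Vulnerability computed as FAIR defines it, the $50,000 point estimate, and a Monte Carlo that keeps the analyst's 90% interval for loss magnitude instead of collapsing it to one number. The lognormal fit to the interval and the fixed random seed are assumptions for the illustration.

```python
"""FAIR loss estimate: LEF = TEF x Vulnerability, the point estimate, and a Monte Carlo that keeps
the loss-magnitude uncertainty. Added example; the lognormal fit and fixed seed are assumptions."""
import math
import random
from statistics import mean

Z_90 = 1.6448536   # standard-normal quantile bounding a two-sided 90% interval


def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """FAIR: probable loss events per year = threat events per year x P(threat event becomes a loss)."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability is a probability")
    return tef * vulnerability


def point_estimate(tef: float, vulnerability: float, loss_magnitude: float) -> float:
    """Single-number annual loss: LEF x loss magnitude (the $50,000 in the question)."""
    return loss_event_frequency(tef, vulnerability) * loss_magnitude


def lognormal_from_90ci(low: float, high: float):
    """Fit a lognormal whose 5th and 95th percentiles are the analyst's 90% interval."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def simulate_annual_loss(tef: int, vulnerability: float, ci_low: float, ci_high: float,
                         trials: int = 10_000, seed: int = 7) -> dict:
    """Each threat event becomes a loss event with P = vulnerability; each loss is drawn from the
    fitted lognormal. Returns the distribution summary a risk report should carry, not just the mean."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_90ci(ci_low, ci_high)
    losses = []
    for _ in range(trials):
        events = sum(1 for _ in range(tef) if rng.random() < vulnerability)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    losses.sort()
    return {
        "mean": mean(losses),
        "p5": losses[int(0.05 * trials)],
        "p95": losses[int(0.95 * trials)],
        "p_no_loss": losses.count(0.0) / trials,   # years with no successful phish at all
    }


if __name__ == "__main__":
    print("LEF:", loss_event_frequency(50, 0.1), "point estimate:", point_estimate(50, 0.1, 10_000))
    print(simulate_annual_loss(50, 0.1, 5_000, 20_000))
```

Two things the simulation shows that the $50,000 figure hides: the simulated mean sits above the point estimate, because a lognormal fitted to a $5,000 to $20,000 interval has a mean above its $10,000 median, and the 5th to 95th percentile band of annual loss is several times wider than the single number suggests. That spread is the "careful interpretation" the answer refers to.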

700 · MCQ · medium

A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?

A.Number of security incidents reported.
B.Number of transactions processed per hour.
C.Value at Risk (VaR) for operational risk.
D.Percentage of controls passing automated tests.
Answer: D

Directly indicates control effectiveness.

Why this answer

Option D is correct because the percentage of controls passing automated tests directly measures the effectiveness of controls over time. A trend of increasing or stable high percentages indicates that controls are functioning as intended, while a decline signals degradation. This KPI is specifically designed for control monitoring, unlike metrics that measure activity or outcomes.

Exam trap

The trap here is that candidates confuse outcome-based metrics (like incident counts) with control effectiveness metrics, failing to recognize that a KPI for control effectiveness must directly measure control performance, not the consequences of control failure.

How to eliminate wrong answers

Option A is wrong because the number of security incidents reported is a lagging indicator of control failure, not a direct measure of control effectiveness; a low incident count could result from poor detection rather than strong controls. Option B is wrong because transactions processed per hour is a throughput metric for operational efficiency, not a measure of control effectiveness; it does not indicate whether controls on those transactions are working. Option C is wrong because Value at Risk (VaR) for operational risk is a statistical estimate of potential loss, not a real-time or trendable indicator of individual control performance; it aggregates risk rather than measuring control pass/fail rates.

701 · MCQ · hard

Refer to the exhibit. Based on the control test results, which of the following is the most immediate risk?

A.Material misstatement in financial statements
B.Non-compliance with credit policy
C.Inefficient order processing
D.Fraud due to lack of segregation of duties
Answer: D

The failed control directly indicates that a single user can both create purchase orders and approve the related invoices, increasing the risk of fraudulent transactions.

Why this answer

The control test results show that the same individual can both create purchase orders and approve invoices, which violates segregation of duties. This lack of segregation creates an immediate risk of fraud because the employee could create fictitious orders and approve payments to themselves or accomplices without detection.

Exam trap

The trap here is that candidates often focus on the financial reporting impact (Option A) as the most immediate risk, but CRISC emphasizes that the control deficiency itself—the lack of segregation of duties—creates an immediate fraud exposure before any financial misstatement can occur.

How to eliminate wrong answers

Option A is wrong because material misstatement in financial statements is a downstream consequence that would occur only if fraudulent transactions are actually processed and recorded, not an immediate risk from the control weakness itself. Option B is wrong because non-compliance with credit policy relates to extending credit to customers, which is not directly impacted by the purchase-to-pay segregation issue described. Option C is wrong because inefficient order processing refers to operational delays or bottlenecks, whereas the control failure here is a deliberate fraud opportunity, not a process speed issue.
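Added example for questions 688 and 701, not from the original page: a segregation-of-duties conflict check over an entitlement snapshot, and the conflict-resolution timeliness KRI compared with a 90% target. The entitlement names, the conflict rules, the ticket data and the 30-day resolution SLA are constructed for the illustration.

```python
"""Segregation-of-duties conflict detection and the conflict-resolution timeliness KRI.
Added example; entitlement names, rules, tickets and the 30-day SLA are constructed."""
from datetime import date

# Constructed rule set: pairs of entitlements one person must not hold together.
SOD_RULES = {
    ("po.create", "invoice.approve"): "create a purchase order and approve payment of its invoice",
    ("po.create", "po.approve"): "create and approve the same purchase order",
    ("vendor.create", "payment.release"): "create a vendor record and release payment to it",
}

# Constructed entitlement snapshot (in practice exported from the ERP authorization tables).
ENTITLEMENTS = {
    "jdoe":   {"po.create", "invoice.approve", "report.view"},
    "asmith": {"po.create", "report.view"},
    "bjones": {"invoice.approve", "payment.release"},
    "cwong":  {"vendor.create", "payment.release"},
}

REPORT_DATE = date(2024, 3, 31)   # as-of date for the timeliness KRI


def find_sod_conflicts(entitlements=ENTITLEMENTS, rules=SOD_RULES):
    """Every (user, rule) pair where the user holds both sides of a toxic combination."""
    conflicts = []
    for user, perms in sorted(entitlements.items()):
        for (left, right), description in rules.items():
            if left in perms and right in perms:
                conflicts.append({"user": user, "pair": (left, right), "risk": description})
    return conflicts


def build_tickets():
    """Constructed resolution tickets: 17 closed within SLA, 2 closed late, 1 still open."""
    opened = date(2024, 1, 1)
    tickets = [{"id": f"SOD-{100 + i}", "opened": opened, "closed": date(2024, 1, 15)}
               for i in range(17)]
    tickets += [{"id": "SOD-117", "opened": opened, "closed": date(2024, 2, 20)},
                {"id": "SOD-118", "opened": opened, "closed": date(2024, 2, 25)},
                {"id": "SOD-119", "opened": opened, "closed": None}]
    return tickets


def resolution_timeliness(tickets, as_of=REPORT_DATE, sla_days=30, target=0.90):
    """Share of conflicts resolved within the SLA versus the target. Open tickets count as late
    once they age past the SLA, so the metric cannot be gamed by leaving tickets open; tickets
    still open and inside the SLA window are not yet decided and are left out of the ratio."""
    age = lambda t: ((t["closed"] or as_of) - t["opened"]).days
    decided = [t for t in tickets if t["closed"] is not None or age(t) > sla_days]
    on_time = sum(1 for t in decided if t["closed"] is not None and age(t) <= sla_days)
    open_past_sla = sum(1 for t in decided if t["closed"] is None)
    rate = on_time / len(decided) if decided else 1.0
    return {"on_time_rate": rate, "target": target, "below_target": rate < target,
            "open_past_sla": open_past_sla}


if __name__ == "__main__":
    for c in find_sod_conflicts():
        print(f"{c['user']}: {c['pair'][0]} + {c['pair'][1]} -> can {c['risk']}")
    print(resolution_timeliness(build_tickets()))
```

The first function is the control test from question 701 (the `jdoe` hit is exactly the create-and-approve combination the exhibit describes); the second is the metric question 688 reads off its exhibit, and the constructed data lands at 85% against the 90% target, the same gap the answer cites.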

702 · Multi-Select · hard

Which THREE of the following control monitoring techniques are considered continuous monitoring?

Select 3 answers
A.Quarterly internal control self-assessments
B.Automated logging and alerting from SIEM tools
C.Real-time validation of input data in applications
D.Annual penetration testing
E.Automated reconciliation of transactions at day end
Answers: B, C, E

Continuous real-time monitoring.

Why this answer

Automated logging and alerting from SIEM tools is considered continuous monitoring because SIEM systems ingest and analyze log data in near real time, generating alerts for suspicious activity as it occurs. This provides ongoing, automated oversight of security events rather than periodic review. Real-time input validation likewise checks every transaction as it is entered, and automated day-end reconciliation runs on every processing cycle without waiting for a scheduled manual review; both execute continuously as part of normal operations.

Exam trap

The trap here is that candidates often confuse periodic activities (like quarterly self-assessments or annual penetration tests) with continuous monitoring, failing to recognize that continuous monitoring requires automated, ongoing, or frequent execution rather than scheduled, manual reviews.

703
MCQmedium

A retail company is identifying risks in its supply chain. Which approach is most effective for identifying previously unknown risks?

A.Scenario analysis with supply chain partners
B.Employee surveys
C.Financial audit reports
D.Review of standard risk checklists
AnswerA

Scenario analysis explores potential future events, uncovering previously unidentified risks.

Why this answer

Scenario analysis with supply chain partners is most effective for identifying previously unknown risks because it leverages collaborative brainstorming and 'what-if' thinking to uncover emergent threats that are not captured by historical data or static checklists. This approach is particularly valuable in supply chain contexts where interdependencies, third-party vulnerabilities, and novel disruptions (e.g., a new cyberattack vector targeting a logistics provider) can surface only through joint exploration of hypothetical events. It aligns with the CRISC emphasis on proactive risk identification beyond known patterns.

Exam trap

The trap here is that candidates often choose 'Review of standard risk checklists' because it seems efficient and structured, but CRISC tests the understanding that checklists are inherently limited to known risks and cannot identify novel or previously unencountered threats.

How to eliminate wrong answers

Option B is wrong because employee surveys are typically backward-looking and capture only known or perceived risks based on individual experience, making them ineffective for surfacing novel, systemic, or previously unencountered supply chain threats. Option C is wrong because financial audit reports focus on historical financial controls and compliance gaps, not on forward-looking identification of operational or strategic risks like supplier cyber incidents or geopolitical disruptions. Option D is wrong because standard risk checklists are static and based on known risk categories (e.g., vendor lock-in, natural disasters), so they inherently miss emerging or context-specific risks that have not been codified into the checklist.

704
MCQhard

A risk manager is evaluating the risk of quantum computing for the organization's encryption. The organization uses RSA-2048 for data encryption. What is the PRIMARY consideration in planning for post-quantum cryptography migration?

A.The timeline for quantum computers to break RSA-2048
B.The cost of new encryption algorithms
C.The availability of quantum-resistant hardware
D.The performance impact of post-quantum algorithms
AnswerA

Knowing roughly when a quantum computer could break RSA-2048 sets the deadline that every other migration decision has to fit inside.

Why this answer

A cryptographically relevant quantum computer is not expected within the next few years, but migration cannot simply wait for it: ciphertext captured today can be stored and decrypted once such a machine exists ("harvest now, decrypt later"). The planning question is therefore whether the data's required confidentiality lifetime plus the time needed to complete the migration exceeds the estimated time until RSA-2048 can be broken (Mosca's inequality). That timeline, not cost, hardware availability, or performance, drives prioritization; the other three are inputs to the migration plan once the deadline is set. Standardized replacements already exist (NIST FIPS 203 ML-KEM, FIPS 204 ML-DSA, and FIPS 205 SLH-DSA, published in August 2024). One practical caveat: RSA-2048 is normally used for key exchange and digital signatures rather than bulk data encryption, so the cryptographic inventory should concentrate on where the organization performs key establishment and signing.

705
MCQmedium

A security analyst is reviewing CVE entries and NVD data to identify vulnerabilities in software assets. This activity is part of which vulnerability identification approach?

A.Configuration vulnerability assessment
B.Application vulnerability identification
C.Operational vulnerability identification
D.Asset-based vulnerability identification
AnswerD

Asset-based identification uses CVE/NVD to find known vulnerabilities in assets.

Why this answer

CVE and NVD are catalogs of publicly known vulnerabilities in specific products and versions. Matching them against the organization's asset inventory (vendor, product, version, ideally expressed as CPE identifiers) is asset-based identification: it starts from what the organization owns and looks up known weaknesses, as distinct from testing one application's own code (Option B), reviewing a system's configuration settings (Option A), or examining processes and people (Option C).

706
MCQmedium

A regional bank uses a centralized GRC platform to monitor key risk indicators (KRIs) for operational risk. The chief risk officer (CRO) reviews the monthly risk report and notices that the KRI 'number of system outages exceeding 4 hours' has been consistently reported as 0 for the past six months. However, the IT incident log shows three such outages in the same period. The CRO suspects the KRI is not being accurately reported. What should the risk manager do next?

A.Add additional controls to reduce the likelihood of system outages
B.Update the risk register to reflect the recent outage incidents
C.Investigate the KRI calculation and data feed to identify why outages are not being captured
D.Increase the KRI threshold to 2 outages to align with historical data
AnswerC

Understanding the data integrity issue is the first step to ensure accurate monitoring and reporting.

Why this answer

The correct answer is C because the risk manager must first investigate the KRI calculation and data feed to determine why the IT incident log shows three outages but the KRI reports zero. Without understanding the root cause of the reporting discrepancy—whether it is a data integration error, a threshold misconfiguration, or a failure in the GRC platform's automated data collection—any subsequent action would be premature and could mask the underlying control monitoring failure.

Exam trap

The trap here is that candidates may confuse the need to remediate the reporting failure with the need to remediate the risk itself, leading them to choose an option that addresses the outages directly (like adding controls or updating the register) rather than first diagnosing the KRI data pipeline.

How to eliminate wrong answers

Option A is wrong because adding additional controls does not address the immediate issue of inaccurate KRI reporting; it assumes the problem is a lack of controls rather than a data integrity or calculation error. Option B is wrong because updating the risk register with the outage incidents is a record-keeping step that does not resolve the root cause of why the KRI failed to capture them; the risk register should reflect accurate data, but the priority is to fix the reporting mechanism. Option D is wrong because increasing the KRI threshold to 2 outages would simply hide the discrepancy by aligning the threshold with the observed data, thereby undermining the KRI's purpose as an early warning indicator and failing to correct the underlying reporting failure.
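The investigation in Option C is concrete work: recompute the KRI independently from the source-of-truth incident log and compare it with what the GRC platform reports. The following is an added example, not part of the original question bank and not any vendor's GRC code; the incident records, the field names (ttr_min, duration_hours), and the specific cause of the discrepancy (a KRI rule reading a field the feed never populates) are all constructed for illustration.

```python
# Constructed IT incident export (not real data). The ticketing feed records
# time-to-restore in MINUTES under the field "ttr_min"; there is no
# "duration_hours" field anywhere in the feed.
INCIDENT_LOG = [
    {"id": "INC-1001", "category": "outage", "start": "2024-01-09T02:10", "ttr_min": 315},
    {"id": "INC-1002", "category": "outage", "start": "2024-02-14T11:00", "ttr_min": 90},
    {"id": "INC-1003", "category": "outage", "start": "2024-03-22T20:45", "ttr_min": 480},
    {"id": "INC-1004", "category": "degradation", "start": "2024-04-03T09:30", "ttr_min": 600},
    {"id": "INC-1005", "category": "outage", "start": "2024-05-18T01:05", "ttr_min": 241},
    {"id": "INC-1006", "category": "outage", "start": "2024-06-02T13:15", "ttr_min": 30},
]

KRI_THRESHOLD_HOURS = 4  # KRI: number of outages exceeding 4 hours


def kri_outages_as_deployed(records):
    """Hypothetical KRI rule as configured in the GRC platform: it reads a field
    named 'duration_hours' that the feed never supplies, so every record silently
    defaults to 0 and the KRI reports zero no matter what happened."""
    return sum(
        1 for r in records
        if r["category"] == "outage"
        and r.get("duration_hours", 0) > KRI_THRESHOLD_HOURS
    )


def kri_outages_corrected(records):
    """Same KRI computed from the field the feed actually provides, converted to
    hours. A record missing the field is a data-quality failure and must not be
    counted as zero; refusing to report is safer than reporting a false zero."""
    count = 0
    for r in records:
        if r["category"] != "outage":
            continue
        if "ttr_min" not in r:
            raise ValueError(f"{r['id']}: missing ttr_min; refusing to compute KRI on incomplete data")
        if r["ttr_min"] / 60 > KRI_THRESHOLD_HOURS:
            count += 1
    return count


def reconcile(records):
    """Independent recount from the source log versus the deployed KRI. A nonzero
    gap is exactly the signal that sends the risk manager to the data feed."""
    reported = kri_outages_as_deployed(records)
    independent = kri_outages_corrected(records)
    return {"reported": reported, "independent": independent, "gap": independent - reported}


if __name__ == "__main__":
    # With the constructed log: KRI says 0, the incident log shows 3 (INC-1001, 1003, 1005)
    print(reconcile(INCIDENT_LOG))
```

The reconciliation deliberately rebuilds the metric from the raw log rather than trusting the platform's number, which is the only way to tell a genuine zero from a broken pipeline; the corrected rule also raises on a missing field instead of defaulting it, so a future feed change fails loudly rather than producing another silent zero.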

707
MCQmedium

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

A.Threat Event Frequency × Vulnerability
B.Annualized Rate of Occurrence × Single Loss Expectancy
C.Threat Event Frequency × Loss Magnitude
D.Vulnerability × Loss Magnitude
AnswerA

LEF = TEF × Vulnerability.

Why this answer

FAIR defines LEF = Threat Event Frequency (TEF) × Vulnerability (Vuln), where TEF is how often a threat agent acts against the asset in a given timeframe (usually a year) and Vuln is the probability that such an act becomes a loss event; in FAIR, Vuln is itself derived from threat capability relative to resistance (control) strength. Risk is then LEF × Loss Magnitude (LM). Option B, ARO × SLE, is the classic annualized loss expectancy formula, not FAIR terminology. Options C and D combine a frequency or a probability with loss magnitude, which yields a loss estimate, not a frequency.
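FAIR is normally computed over calibrated ranges rather than single point values, which the formula alone does not show. The example below is added here and is not from the question bank or from the FAIR standard's own tooling: it gives the point-value LEF = TEF × Vuln, derives Vuln as the fraction of sampled threat-capability scores that exceed sampled resistance-strength scores, and then produces an LEF distribution by Monte Carlo. The (low, most likely, high) estimates and the use of a triangular distribution as a stand-in for the PERT distribution FAIR tools typically use are assumptions for illustration.

```python
import random
from dataclasses import dataclass


def loss_event_frequency(tef: float, vuln: float) -> float:
    """FAIR point estimate: LEF = TEF x Vuln.
    tef is threat events per year; vuln is the probability (0..1) that a
    threat event becomes a loss event."""
    if tef < 0 or not 0.0 <= vuln <= 1.0:
        raise ValueError("tef must be >= 0 and vuln must be within [0, 1]")
    return tef * vuln


def vulnerability_from_capability(tcap_samples, rs_samples) -> float:
    """FAIR derives Vuln as P(threat capability > resistance strength).
    Inputs are equal-length lists of sampled percentile-style scores (0..100)."""
    wins = sum(1 for tc, rs in zip(tcap_samples, rs_samples) if tc > rs)
    return wins / len(tcap_samples)


@dataclass
class Estimate:
    """Calibrated (low, most likely, high) range; sampled with a triangular
    distribution here as a simple stand-in for PERT (an assumption)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


def simulate_lef(tef: Estimate, tcap: Estimate, rs: Estimate,
                 trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo LEF: derive Vuln from capability vs. resistance, then
    multiply by sampled TEF. Returns summary statistics of the LEF distribution."""
    rng = random.Random(seed)
    tcap_s = [tcap.sample(rng) for _ in range(trials)]
    rs_s = [rs.sample(rng) for _ in range(trials)]
    vuln = vulnerability_from_capability(tcap_s, rs_s)
    lef_s = sorted(loss_event_frequency(tef.sample(rng), vuln) for _ in range(trials))
    return {
        "vuln": vuln,
        "lef_mean": sum(lef_s) / trials,
        "lef_p10": lef_s[int(0.10 * trials)],
        "lef_p90": lef_s[int(0.90 * trials)],
    }


# Constructed scenario: phishing attempts against a finance mailbox.
# TEF 4..30 per year (most likely 12); attacker capability vs. control strength
# are percentile scores with overlapping ranges, so Vuln lands well below 1.
SCENARIO = {
    "tef": Estimate(4, 12, 30),
    "tcap": Estimate(30, 60, 90),
    "rs": Estimate(40, 55, 70),
}

if __name__ == "__main__":
    print("point estimate LEF:", loss_event_frequency(12, 0.25))
    print("simulated:", simulate_lef(**SCENARIO))
```

The point estimate answers the exam question; the simulation is what a practitioner actually reports, because a p10/p90 band on LEF (and, multiplied by a loss-magnitude distribution, on annualized loss) is what lets management compare a control's cost against the range of exposure it removes rather than against a single number that hides the uncertainty.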

708
MCQeasy

Which of the following best describes the purpose of an IT risk universe?

A.A catalog of all IT assets and their vulnerabilities
B.A list of all past security incidents
C.A set of risk scenarios used for quantitative analysis
D.A comprehensive inventory of all potential IT risks facing the organization
AnswerD

Correct definition of IT risk universe.

Why this answer

The IT risk universe is a comprehensive inventory of all potential IT risks that could affect the organization, serving as a foundational input for risk identification and assessment.

709
MCQmedium

During a risk identification workshop, the business process owner states that a key system has no documented dependencies. What is the BEST next step for the risk practitioner?

A.Ask the system administrator to provide a list after the workshop
B.Postpone the workshop until dependencies are mapped
C.Assume the system has no dependencies
D.Document the missing dependency information as a risk in the risk register
AnswerD

The absence of dependency data itself is a risk to accurate risk identification.

Why this answer

Option D is correct because undocumented dependencies represent an unknown risk that must be captured in the risk register to ensure visibility and subsequent analysis. By documenting the missing dependency information as a risk, the risk practitioner formally acknowledges the gap, enabling further investigation into potential single points of failure, cascading failures, or unmonitored interconnections that could impact system availability or integrity.

Exam trap

The trap here is that candidates may think the immediate priority is to gather the missing data (Option A) or halt the workshop (Option B), rather than recognizing that the risk practitioner's first duty is to formally record the identified gap as a risk to ensure it is tracked and managed.

How to eliminate wrong answers

Option A is wrong because asking the system administrator to provide a list after the workshop delays the identification process and does not immediately address the risk of unknown dependencies; the risk practitioner should capture the gap in the risk register first to ensure it is not forgotten. Option B is wrong because postponing the workshop halts the entire risk identification effort unnecessarily; the workshop can continue with other items while the dependency gap is noted and addressed later. Option C is wrong because assuming the system has no dependencies is a dangerous assumption that ignores the possibility of hidden integration points, shared infrastructure, or upstream/downstream services that could cause significant disruption if unaccounted for.

710
MCQeasy

Which risk treatment option involves eliminating the activity that creates the risk?

A.Accept
B.Transfer
C.Avoid
D.Mitigate
AnswerC

Avoidance eliminates the risk by stopping the activity.

Why this answer

Option C (Avoid) is correct because risk avoidance involves discontinuing the activity or process that gives rise to the risk. In IT risk management, this means removing the vulnerable system, decommissioning a service, or ceasing a business function entirely to eliminate the risk exposure. For example, if an organization decides to shut down a legacy FTP server to avoid the risk of data interception, it is applying the avoid treatment.

Exam trap

The trap here is that candidates often confuse 'avoid' with 'mitigate' because both involve reducing risk, but avoid eliminates the activity entirely while mitigate keeps the activity running with controls in place.

How to eliminate wrong answers

Option A is wrong because risk acceptance means acknowledging the risk and choosing to tolerate it without taking action to reduce or eliminate it, which does not remove the activity. Option B is wrong because risk transfer shifts the financial impact of a risk to a third party (e.g., through cyber insurance or outsourcing) but does not eliminate the underlying activity or threat. Option D is wrong because risk mitigation (or reduction) implements controls to lower the likelihood or impact of a risk, such as applying patches or encrypting data, but the activity that creates the risk continues to operate.

711
MCQeasy

An organization is implementing a new access control system to prevent unauthorized access to sensitive data. Which type of control is being implemented?

A.Detective control
B.Compensating control
C.Preventive control
D.Corrective control
AnswerC

Correct. Preventive controls aim to stop incidents before they happen.

Why this answer

An access control system that prevents unauthorized access to sensitive data is a preventive control because it enforces security policies before access is granted. Technologies like mandatory access control (MAC) or role-based access control (RBAC) with Access Control Lists (ACLs) block unauthorized users at the point of entry, reducing the risk of data exposure.

Exam trap

The trap here is that candidates confuse preventive controls with detective controls because both sit in the same access path, but preventive controls block the action before it completes (e.g., a firewall deny rule or an RBAC check refusing the request) while detective controls only log or alert after the fact.

How to eliminate wrong answers

Option A is wrong because detective controls, such as audit logs or intrusion detection systems, identify unauthorized access after it has occurred, not prevent it. Option B is wrong because compensating controls are alternative measures used when primary controls are not feasible, such as additional monitoring for legacy systems, not the primary access control system itself. Option D is wrong because corrective controls, like data restoration from backups or revoking compromised credentials, address damage after an incident, not prevent initial unauthorized access.

712
MCQeasy

Which control type is designed to stop a risk event from occurring?

A.Detective
B.Compensating
C.Preventive
D.Corrective
AnswerC

Preventive controls are designed to stop risk events.

Why this answer

Preventive controls aim to prevent risk events from happening, e.g., access controls, encryption.

713
Multi-Selecthard

A manufacturing company is evaluating the risks of connecting its OT network to the IT network. Which THREE risks are MOST significant due to IT/OT convergence?

Select 3 answers
A.Expansion of attack paths from IT to OT systems
B.Legacy OT devices lacking modern security controls
C.Compliance with GDPR
D.Potential for physical damage and safety incidents
E.Increased data storage costs
AnswersA, B, D

The connection creates new vectors for attackers to reach OT.

Why this answer

Convergence increases attack paths, legacy OT devices lack security, and attacks can have physical safety consequences.

714
MCQhard

A risk assessment reveals that the likelihood of a phishing attack is high, and the impact is moderate. The organization decides to implement security awareness training and email filtering. This is an example of which risk treatment?

A.Risk acceptance
B.Risk avoidance
C.Risk mitigation
D.Risk transfer
AnswerC

Controls are implemented to reduce risk.

Why this answer

Mitigation involves implementing controls to reduce likelihood (training reduces susceptibility) or impact (filtering reduces successful attacks).

715
Multi-Selectmedium

A risk practitioner is evaluating the effectiveness of a security awareness program. Which TWO indicators would BEST measure whether the program is positively influencing risk culture? (Select TWO)

Select 2 answers
A.Time spent on training per employee
B.Number of security policies updated
C.Increase in reported phishing attempts by employees
D.Number of employees who completed training
E.Decrease in incidents caused by human error
AnswersC, E

Increased reporting indicates employees are more vigilant and willing to report.

Why this answer

An increase in reported phishing attempts indicates that employees are more vigilant and willing to report suspicious activity, which is a direct behavioral measure of a positive risk culture. A decrease in incidents caused by human error shows that the training has effectively changed behavior and reduced risk exposure. Both indicators reflect actual risk-aware actions rather than mere completion metrics.

Exam trap

The trap here is confusing activity-based metrics (time spent, completion rates) with outcome-based metrics (behavior change, incident reduction), which is a common CRISC pitfall when evaluating program effectiveness.

716
MCQmedium

A risk is assessed with inherent risk score of 25 on a 5x5 matrix. After implementing controls, the residual risk score is 10. The control effectiveness is considered:

A.Not measurable
B.Highly effective
C.Ineffective
D.Moderately effective
AnswerD

Correct; 60% reduction shows moderate effectiveness.

Why this answer

Control effectiveness can be measured as reduction in risk score. Inherent 25 to residual 10 is a 60% reduction (15/25). This indicates controls are moderately effective, but not extremely.

717
MCQeasy

Which of the following is the PRIMARY purpose of a risk register in the risk identification phase?

A.Assign risk owners
B.Document identified risks and their characteristics
C.Calculate risk scores
D.Track remediation progress
AnswerB

The primary purpose is to record risks for further analysis.

Why this answer

The primary purpose of a risk register during the risk identification phase is to systematically document each identified risk along with its key characteristics, such as the risk description, cause, impact, and potential triggers. This foundational record ensures that all risks are captured before any subsequent analysis or response planning occurs, aligning with the CRISC domain of IT Risk Identification.

Exam trap

The trap here is that candidates confuse the risk register's role in identification with later-phase activities like ownership assignment or scoring, leading them to select options that describe downstream processes rather than the immediate documentation purpose.

How to eliminate wrong answers

Option A is wrong because assigning risk owners is a governance activity that typically occurs after risks have been documented and analyzed, not during the initial identification phase. Option C is wrong because calculating risk scores is part of the risk analysis phase, which follows identification and relies on the documented characteristics in the register. Option D is wrong because tracking remediation progress belongs to the risk response and monitoring phases, long after the register has been populated with identified risks.

718
Multi-Selecteasy

A company is considering using a qualitative risk assessment approach to evaluate IT risks. Which TWO of the following are advantages of qualitative risk analysis over quantitative risk analysis?

Select 2 answers
A.Easily comparable across organizations
B.Provides financially meaningful results
C.Quick to perform
D.Easy to communicate to stakeholders
E.Objective and repeatable
AnswersC, D

Qualitative analysis can be performed rapidly using expert judgment.

Why this answer

Qualitative analysis is quicker and easier to communicate because it uses ordinal scales (e.g., high/medium/low) rather than numerical data.

719
Multi-Selecthard

A multinational corporation is developing its IT risk reporting structure. The risk manager must align reports with different audiences. Which THREE of the following reporting frequencies and audiences are correctly matched?

Select 3 answers
A.Strategic risk reporting: semi-annual to the board
B.Operational risk reporting: weekly to IT management
C.Operational risk reporting: monthly to IT management
D.Tactical risk reporting: monthly to the board
E.Strategic risk reporting: weekly to the board
AnswersA, B, C

Strategic reports are semi-annual or annual to the board.

Why this answer

Option A is correct because strategic risk reporting, which addresses high-level enterprise risks and long-term objectives, is appropriately directed to the board of directors on a semi-annual basis. This frequency aligns with the board's oversight role and the need for periodic, aggregated risk insights without overwhelming them with operational details. Options B and C are both correct because operational risk reporting is detailed and frequent, delivered to IT management weekly or monthly depending on the volatility of the environment. Option D is wrong because tactical reports belong to senior IT management (CISO/CIO), not the board, and Option E is wrong because the board does not need weekly strategic updates.

Exam trap

The trap here is that candidates confuse the appropriate audience and frequency for tactical versus strategic reporting, often assuming the board needs frequent updates, when in fact the board requires high-level, less frequent strategic reports, while operational and tactical reports are more frequent and directed to management.

720
MCQmedium

An organization is designing a risk dashboard for senior management. Which of the following is the MOST important characteristic of the key risk indicators (KRIs) displayed?

A.They are updated in real-time.
B.They are directly linked to the risk appetite thresholds.
C.They are based on accurate historical data.
D.They are cost-effective to collect and maintain.
AnswerB

KRIs must reflect risk appetite so management can quickly assess risk status.

Why this answer

For a risk dashboard designed for senior management, the most important characteristic of KRIs is that they are directly linked to risk appetite thresholds. This linkage ensures that the dashboard provides actionable insights by immediately signaling when risk levels exceed or approach the organization's defined tolerance limits, enabling timely decision-making. Without this direct connection, even real-time or accurate data would fail to convey whether the organization is operating within acceptable risk boundaries.

Exam trap

The trap here is that candidates often choose 'real-time updates' (Option A) because they assume senior management needs the most current data, but the CRISC exam emphasizes that KRIs must be actionable and aligned with risk appetite thresholds to be meaningful for decision-making, not just timely.

How to eliminate wrong answers

Option A is wrong because real-time updates are not the most important characteristic; while timeliness is valuable, a KRI that updates in real-time but is not tied to risk appetite thresholds provides no context for whether the current risk level is acceptable or requires action. Option C is wrong because accurate historical data, though useful for trend analysis, does not by itself indicate whether current risk levels are within the organization's risk appetite; the dashboard's primary purpose is to monitor current status against thresholds, not to display historical accuracy. Option D is wrong because cost-effectiveness is an operational consideration, not a defining characteristic of KRI effectiveness; a KRI that is cheap to collect but not linked to risk appetite thresholds fails to serve the dashboard's core monitoring and alerting function.

721
MCQhard

During a risk identification workshop, the team identifies a potential data leakage from a legacy system. What is the FIRST step the risk owner should take?

A.Implement encryption immediately
B.Document the risk and its source
C.Assign a risk score
D.Report to senior management
AnswerB

Documentation ensures the risk is properly captured for subsequent analysis.

Why this answer

The first step for the risk owner is to formally document the risk and its source. This ensures that the identified data leakage from the legacy system is captured in the risk register, establishing a baseline for analysis and treatment. Without documentation, subsequent steps like risk scoring, control implementation, or escalation cannot be properly justified or tracked.

Exam trap

The trap here is that candidates often jump to immediate remediation (like encryption) or escalation, forgetting that formal documentation is the mandatory first step to ensure traceability and compliance with risk management processes.

How to eliminate wrong answers

Option A is wrong because implementing encryption immediately is a premature control decision; the risk must first be documented and analyzed to determine if encryption is appropriate, feasible, and cost-effective for the legacy system. Option C is wrong because assigning a risk score occurs after the risk has been documented and its impact and likelihood have been assessed, not as the first step. Option D is wrong because reporting to senior management is an escalation step that typically follows risk analysis and prioritization, not the initial action upon identification.

722
MCQmedium

During a post-mortem of a security incident, the risk manager notes that the response team failed to execute the incident response plan correctly because the plan was outdated. Which of the following is the BEST corrective action?

A.Conduct a tabletop exercise with the updated plan
B.Add more detective controls
C.Update the risk register
D.Increase insurance coverage
AnswerA

Tabletop exercises test and improve the team's ability to execute the plan.

Why this answer

A tabletop exercise validates the updated incident response plan by simulating a realistic scenario, allowing the response team to practice their roles and identify gaps in the new procedures. This directly addresses the root cause—the plan was outdated and the team failed to execute it correctly—by ensuring the plan is current and the team is familiar with its execution. Without this validation, the updated plan remains untested and the same failure mode could recur.

Exam trap

The trap here is that candidates confuse corrective action with compensating controls, choosing to add detective controls or insurance instead of recognizing that the root cause is a procedural failure requiring validation of the updated plan through a practical exercise.

How to eliminate wrong answers

Option B is wrong because adding more detective controls (e.g., additional IDS/IPS signatures or log monitoring) does not correct the failure to execute an outdated incident response plan; it addresses detection, not response execution. Option C is wrong because updating the risk register is a documentation activity that records the incident and its impact but does not fix the procedural failure or ensure the team can execute the plan correctly. Option D is wrong because increasing insurance coverage transfers financial risk but does not improve the team's ability to follow the incident response plan, leaving the operational failure unaddressed.

723
Multi-Selectmedium

A risk practitioner is developing a tactical risk report for the CISO. Which TWO of the following elements should be included in the report? (Select TWO)

Select 2 answers
A.Long-term risk trend analysis
B.Risk heat map
C.Detailed log analysis from SIEM
D.Control performance metrics
E.Top risks and their status
AnswersD, E

Control performance is relevant for tactical management.

Why this answer

Tactical risk reporting typically includes control performance metrics and top risks with status. Risk heat maps and trend analyses are more strategic, and detailed logs are operational.

724
Multi-Selectmedium

A third-party vendor has been assessed as high risk due to its access to sensitive data. Which TWO ongoing monitoring activities are most appropriate for this vendor? (Select two.)

Select 2 answers
A.Daily manual review of vendor logs
B.Monthly conference calls with vendor management
C.Annual reassessment of security controls
D.Continuous monitoring via threat intelligence sharing platforms
E.Single initial onboarding assessment
AnswersC, D

Annual reassessment is typical for high-risk vendors.

Why this answer

Ongoing monitoring for high-risk vendors should include periodic reassessments and continuous monitoring via shared intelligence platforms. Annual reassessment is common, and continuous monitoring provides timely risk information.

725
MCQmedium

During a threat modeling exercise for a new web application, the team uses STRIDE. Which threat type under STRIDE corresponds to an attacker modifying data in transit?

A.Repudiation
B.Information Disclosure
C.Tampering
D.Spoofing
AnswerC

Tampering is the unauthorized modification of data.

Why this answer

Tampering is the STRIDE category for unauthorized modification of data, whether at rest or in transit (for example, an on-path attacker altering the body of a request between client and server). Its counter-property is integrity, and the usual controls are TLS for the channel plus a message authentication code or digital signature for the message itself. Spoofing concerns identity, repudiation concerns deniability of an action, and information disclosure concerns confidentiality.
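To make the tampering threat and its integrity control concrete, here is an added example that is not part of the original question: a sender appends an HMAC-SHA256 tag to a serialized message, a simulated on-path attacker changes one field without knowing the key, and the receiver's verification rejects the altered message. The key, the payload fields, and the wire format (body, a dot, then the hex tag) are assumptions chosen for illustration, not any real protocol.

```python
import hashlib
import hmac
import json


def protect(key: bytes, payload: dict) -> bytes:
    """Sender: serialize canonically (sorted keys, no whitespace) so both ends
    authenticate identical bytes, then append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + tag.hex().encode()


def verify(key: bytes, wire: bytes):
    """Receiver: recompute the tag and compare in constant time. Returns the
    payload, or None if the message was altered or the tag is missing/malformed.
    rpartition on '.' is safe because the hex tag itself never contains a dot."""
    body, sep, tag_hex = wire.rpartition(b".")
    if not sep:
        return None
    try:
        given = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(body)


def tamper_in_transit(wire: bytes) -> bytes:
    """Simulated on-path attacker (STRIDE: Tampering) rewriting one field.
    Without the key the attacker cannot recompute a matching tag."""
    return wire.replace(b'"amount":100', b'"amount":9100', 1)


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed demo key; use a random key from a KMS in practice
    wire = protect(key, {"to": "acct-77", "amount": 100})
    print("clean   :", verify(key, wire))
    print("tampered:", verify(key, tamper_in_transit(wire)))  # None
```

An HMAC detects modification but does not hide the data; if the threat model also includes information disclosure, the message needs encryption (or an authenticated-encryption mode) on top of, not instead of, the integrity tag.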

726
Multi-Selectmedium

An organization is implementing a risk-aware culture. Which TWO of the following are effective practices?

Select 2 answers
A.Conduct annual security awareness training only.
B.Encourage incident reporting without fear of blame.
C.Provide incentives for risk identification.
D.Tone from top: leadership demonstrates commitment to risk management.
E.Blame individuals for incidents to deter future occurrences.
AnswersB, D

Psychological safety promotes reporting, strengthening culture.

Why this answer

Tone from top and incident reporting without blame are key to promoting a risk-aware culture. Security awareness training is also important, but the question asks for TWO practices, and these are most directly related to culture.

727
MCQmedium

An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?

A.Accept the risk because the score is moderate.
B.Implement controls to reduce the residual risk to an acceptable level.
C.Transfer the risk via cyber insurance.
D.Avoid the risk by discontinuing the business process.
AnswerB

Controls are necessary to lower the residual risk to within appetite.

Why this answer

The inherent risk score of 15 (out of 25) is moderate, but the organization's risk appetite allows only low residual risk. Since there are currently no controls, the residual risk equals the inherent risk of 15, which exceeds the acceptable threshold. Therefore, implementing controls is the best recommendation to reduce the residual risk to a level that aligns with the risk appetite.

Exam trap

The trap here is that candidates see a moderate score (15 out of 25) and assume acceptance is appropriate, but they overlook the specific risk appetite constraint that requires low residual risk, making acceptance invalid without controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk when the residual risk (currently 15) exceeds the low-risk appetite threshold violates the organization's risk tolerance policy; acceptance is only appropriate when residual risk is within appetite. Option C is wrong because transferring risk via cyber insurance does not reduce the inherent or residual risk score—it only provides financial compensation after a loss, and the organization's risk appetite requires low residual risk, not just financial coverage. Option D is wrong because avoiding the risk by discontinuing the business process is an extreme measure typically reserved for risks that cannot be mitigated to an acceptable level or where the cost of mitigation exceeds the benefit; here, controls can likely reduce the residual risk to an acceptable level without eliminating the business process.

728
MCQeasy

A risk practitioner is reviewing system logs and notices multiple failed login attempts from a foreign IP address. This observation is an example of which type of risk identification activity?

A.Control self-assessment
B.Threat intelligence gathering
C.Incident and event monitoring
D.Vulnerability scanning
AnswerC

Log review is a monitoring activity that identifies potential risks.

Why this answer

The observation of multiple failed login attempts from a foreign IP address is a direct result of reviewing system logs, which is a core component of incident and event monitoring. This activity involves the continuous surveillance of security events to detect anomalies, such as brute-force attacks, and is a reactive risk identification technique that identifies risks based on actual occurrences.

Exam trap

The trap here is that candidates confuse 'threat intelligence gathering' (which uses external feeds) with the internal log analysis of actual events, but the question specifically describes reviewing system logs, which is a direct example of incident and event monitoring.

How to eliminate wrong answers

Option A is wrong because control self-assessment is a proactive, internal review process where control owners evaluate the design and effectiveness of controls, not a log review of real-time events. Option B is wrong because threat intelligence gathering involves collecting and analyzing external data about emerging threats (e.g., from ISACs or threat feeds), not reviewing internal system logs for specific failed login attempts. Option D is wrong because vulnerability scanning is a scheduled, automated process that identifies known weaknesses in systems (e.g., missing patches or misconfigurations), not the detection of ongoing attack patterns like repeated failed logins.
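The observation in the question is what a log-monitoring rule produces when run continuously: count authentication failures per source address inside a sliding window and flag sources that cross a threshold, noting whether the address is outside the organization's own ranges. The code below is an added example, not part of the question bank; the sshd-style log lines are constructed, the 203.0.113.0/24 address is a documentation range standing in for an unknown external source, and the internal address ranges, threshold, and window are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log excerpt (not from any real system).
AUTH_LOG = """\
2024-05-20T09:58:01 sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 52100 ssh2
2024-05-20T09:58:03 sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 52101 ssh2
2024-05-20T09:58:04 sshd[4101]: Failed password for root from 203.0.113.45 port 52102 ssh2
2024-05-20T09:58:06 sshd[4101]: Failed password for root from 203.0.113.45 port 52103 ssh2
2024-05-20T09:58:09 sshd[4101]: Failed password for oracle from 203.0.113.45 port 52104 ssh2
2024-05-20T09:59:30 sshd[4107]: Failed password for jsmith from 10.20.4.17 port 61002 ssh2
2024-05-20T09:59:41 sshd[4107]: Accepted password for jsmith from 10.20.4.17 port 61003 ssh2
2024-05-20T10:40:12 sshd[4210]: Failed password for root from 203.0.113.45 port 52200 ssh2
"""

# Assumed internal ranges; anything else is treated as external/foreign.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP when at least `threshold` failures fall inside any
    sliding window of length `window`. Returns
    {ip: {"failures": n, "users": [...], "external": bool}}."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                findings[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({u for _, u in events[i:j + 1]}),
                    "external": is_external(ip),
                }
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(AUTH_LOG).items():
        print(f"{ip}: {f['failures']} failures against {f['users']} (external={f['external']})")
```

The single failure from 10.20.4.17 followed by a success is ordinary user behaviour and is not flagged; the external source that cycles through admin, root and oracle within seconds is. Whether this becomes a risk-register entry or an incident is the next decision, but the identification itself comes from the event data, not from an external feed or a scheduled scan.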

729
MCQmedium

According to the NIST Cybersecurity Framework, which function involves developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services?

A.Identify
B.Protect
C.Respond
D.Detect
AnswerB

Correct. Protect focuses on safeguards.

Why this answer

The Protect function (PR) is defined as developing and implementing appropriate safeguards to ensure delivery of critical services (CSF 1.0 said "critical infrastructure services"). Identify covers understanding assets and risk, Detect covers timely discovery of events, and Respond covers action once an event is detected. CSF 2.0 (2024) keeps Protect unchanged and adds a sixth function, Govern.

730
MCQ · easy

In the context of IT governance, which COBIT 2019 process is specifically focused on ensuring risk optimization?

A. EDM01 — Ensure Governance Framework Setting and Maintenance
B. EDM04 — Ensure Resource Optimization
C. EDM02 — Ensure Benefits Delivery
D. EDM03 — Ensure Risk Optimization
Answer: D

EDM03 is the correct process for risk optimization.

Why this answer

EDM03 (Ensure Risk Optimization) is the COBIT 2019 process that evaluates, directs, and monitors risk management to optimize risk exposure.

731
Multi-Select · medium

A risk analyst is identifying operational vulnerabilities. Which TWO of the following are examples of operational vulnerability identification?

Select 2 answers
A. Reviewing CIS Benchmarks for server configuration
B. Analyzing SQL injection flaws in code
C. Scanning for missing patches using a vulnerability scanner
D. Discovering lack of security awareness training
E. Identifying inadequate access controls
Answers: D, E

Training gaps are operational.

Why this answer

Operational vulnerabilities include process gaps and training gaps, not technical configuration or code flaws.

732
MCQ · easy

Which risk reporting frequency is most appropriate for tactical risk reporting to the CISO/CIO?

A. Weekly
B. Monthly
C. Annually
D. Quarterly
Answer: D

Quarterly is standard for tactical reporting to senior IT management.

Why this answer

Tactical risk reporting typically occurs quarterly to provide a balance between timeliness and stability for management decision-making.

733
MCQ · medium

Which of the following is an example of a detective control?

A. Backup restoration after data loss
B. Firewall rules blocking unauthorized traffic
C. Requiring two-factor authentication
D. Intrusion detection system (IDS) alerts
Answer: D

IDS alerts detect potential incidents after they occur.

Why this answer

An intrusion detection system (IDS) monitors network traffic for suspicious activity and generates alerts when it detects potential threats. This is a detective control because it identifies and reports security incidents after they occur, rather than preventing them. IDS alerts provide visibility into ongoing or past attacks, enabling incident response.

Exam trap

The trap here is confusing preventive controls (like firewalls and authentication) with detective controls (like IDS), as candidates often misclassify controls based on their general security function rather than their specific timing relative to the incident.

How to eliminate wrong answers

Option A is wrong because backup restoration after data loss is a corrective control, not a detective control; it recovers data after an incident has occurred. Option B is wrong because firewall rules blocking unauthorized traffic is a preventive control, as it stops threats before they reach the network. Option C is wrong because requiring two-factor authentication is a preventive control that verifies identity before granting access, not a mechanism to detect incidents after they happen.

734
MCQ · medium

Refer to the exhibit. What is the MOST immediate risk identification action?

A. Document the vulnerability in the risk register
B. Update asset inventory
C. Check if the patch has been deployed
D. Validate the vulnerability manually
Answer: C

Determining patch status is critical to understand the actual risk.

Why this answer

The exhibit (not shown) likely presents a vulnerability scan result or a security advisory. The most immediate risk identification action is to verify whether the identified vulnerability has already been mitigated by deploying the vendor-supplied patch. This confirms the current exposure status before any further risk assessment or documentation steps are taken.

Exam trap

The trap here is that candidates often jump to documenting or validating the vulnerability without first checking the most obvious and efficient control—patch status—which is the immediate action to determine actual exposure.

How to eliminate wrong answers

Option A is wrong because documenting the vulnerability in the risk register is a subsequent step, performed after confirming the vulnerability is unpatched and poses actual risk. Option B is wrong because updating the asset inventory is a broader asset management task, not an immediate action to identify risk from a specific vulnerability. Option D is wrong because manual validation of the vulnerability is a secondary verification step that should occur only after checking patch deployment, as the patch status directly indicates whether the vulnerability is still present.

735
Multi-Select · hard

A global company is moving its critical applications to a public cloud. Which THREE of the following are key risk considerations in the shared responsibility model?

Select 3 answers
A. Physical security of data centers
B. Identity and access management
C. Compliance with regulatory requirements for data handling
D. Data encryption and key management
E. Network firewall configuration
Answers: B, C, D

Customers manage user identities and access controls.

Why this answer

Data security, identity management, and compliance are typically customer responsibilities, while physical security is the provider's. Misunderstanding these can lead to gaps.

736
MCQ · medium

A risk practitioner is performing a cost-benefit analysis for a proposed control. The annualized loss expectancy (ALE) for a risk is currently $500,000. The proposed control will reduce the ALE by 80%, and the annual cost of the control is $150,000. What is the net benefit of implementing the control?

A. $100,000
B. $250,000
C. $400,000
D. $350,000
Answer: B

Correct calculation.

Why this answer

The reduction in ALE is $500,000 × 0.80 = $400,000. The annual control cost is $150,000, so net benefit = $400,000 - $150,000 = $250,000.

737
MCQ · hard

An organization uses a SIEM to automatically test access control rules on a continuous basis. This is an example of which type of monitoring?

A. Continuous monitoring
B. Key Risk Indicator monitoring
C. Vulnerability scanning
D. Periodic control testing
Answer: A

SIEM-based automated testing runs continuously, providing real-time assurance.

Why this answer

A SIEM that automatically tests access control rules on a continuous basis performs ongoing validation of rule effectiveness and compliance. This is a classic example of continuous monitoring, where security controls are assessed in real-time or near-real-time without manual intervention, ensuring that access policies remain effective against evolving threats.

Exam trap

The trap here is confusing continuous monitoring with periodic control testing, as many candidates assume that any automated test must be a scheduled vulnerability scan, but the key differentiator is the 'continuous' nature versus scheduled intervals.

How to eliminate wrong answers

Option B is wrong because Key Risk Indicator (KRI) monitoring focuses on tracking specific risk metrics (e.g., number of failed logins) rather than directly testing the functionality of access control rules. Option C is wrong because vulnerability scanning identifies known software vulnerabilities (e.g., missing patches) in systems, not the correctness or enforcement of access control rules. Option D is wrong because periodic control testing occurs at scheduled intervals (e.g., quarterly audits), whereas the scenario explicitly states 'continuous basis', which implies ongoing, automated validation rather than discrete, scheduled tests.

738
MCQ · easy

Which control implementation activity involves updating system configurations and user access rights when a new security tool is deployed?

A. User training
B. Project management
C. Documentation update
D. Change management
Answer: D

Change management governs updates to systems and configurations.

Why this answer

Deploying a new security tool requires updating system configurations and user access rights, which directly impacts the operational environment. Change management (Option D) is the formal process that governs these modifications to ensure they are authorized, tested, and documented, minimizing risk of disruption or security gaps. This aligns with the CRISC domain of Risk Response and Reporting, where controlled changes are a key risk mitigation activity.

Exam trap

The trap here is that candidates may confuse 'change management' with 'project management' because both involve planning and coordination, but change management specifically governs the technical alterations to configurations and access rights, whereas project management handles the broader initiative's logistics.

How to eliminate wrong answers

Option A is wrong because user training focuses on educating personnel on how to use the new tool, not on updating system configurations or access rights. Option B is wrong because project management oversees the overall deployment timeline, budget, and resources, but does not directly handle the technical updates to configurations and access controls. Option C is wrong because documentation update records the changes after they are made, but it is not the activity that performs the actual configuration and access right updates.

739
Multi-Select · medium

A risk manager is evaluating the application of IEC 62443 for industrial control systems. Which THREE of the following are key security requirements addressed by this standard?

Select 3 answers
A. Environmental monitoring (temperature, humidity)
B. Identification and authentication control
C. System integrity
D. Physical security of data centers
E. Use control (authorization)
Answers: B, C, E

Ensures only authorized users and devices access the system.

Why this answer

IEC 62443 is a series of standards specifically designed for the security of Industrial Automation and Control Systems (IACS). It addresses cybersecurity requirements to protect these systems from cyber threats. Identification and authentication control (B) is a foundational requirement, ensuring that only authorized users and devices can access the system, which is critical for preventing unauthorized access to industrial processes.

Exam trap

The trap here is that candidates may confuse general operational or physical security measures (like environmental monitoring or data center security) with the specific cybersecurity controls mandated by IEC 62443 for industrial control systems.

740
MCQ · medium

A company has implemented an automated control monitoring system that generates alerts when transactions exceed predefined thresholds. The system has been in production for six months. The risk team notices that the number of alerts has been decreasing, while actual control failures have remained constant. Which of the following is the MOST likely cause?

A. Employees have learned to bypass the monitoring system
B. The control effectiveness has improved significantly
C. The data feed from transaction systems has degraded, causing missing data
D. The thresholds were automatically adjusted to be more restrictive
Answer: C

Degraded data reduces input, resulting in fewer alerts despite constant failures.

Why this answer

Option C is correct because degradation of data feeds could cause the system to miss transactions, leading to fewer alerts. Option D is wrong because increased automation typically increases detection. Option B is wrong because if controls were improved, actual failures would decrease. Option A is wrong because employees gaming the system would likely increase failures, not keep them constant.

741
MCQ · medium

An organization uses a qualitative risk assessment methodology. The risk matrix has impact and likelihood scales of 1-5. A risk is assessed with impact=4 and likelihood=3. What is the risk level?

A. Critical
B. High
C. Low
D. Medium
Answer: B

Product of 12 falls in high range.

Why this answer

In a qualitative risk assessment with a 5x5 risk matrix (impact and likelihood scales of 1-5), the risk level is determined by multiplying the impact and likelihood scores. Here, 4 (impact) × 3 (likelihood) = 12. Typically, a product of 12 falls into the 'High' risk category (e.g., 10-15 range), as defined by common CRISC and ISACA frameworks.

This aligns with the organization's methodology where scores above a threshold (e.g., 10) are classified as High, not Critical.

Exam trap

The trap here is that candidates often misapply the matrix by adding impact and likelihood (4+3=7) and selecting 'Medium', instead of multiplying (4×3=12) to correctly identify 'High'.

How to eliminate wrong answers

Option A is wrong because 'Critical' usually requires a product of 16-25 (e.g., impact=5 and likelihood=4 or 5), not 12. Option C is wrong because 'Low' corresponds to a product of 1-5 (e.g., impact=1 and likelihood=2), far below 12. Option D is wrong because 'Medium' typically covers a product of 6-9 (e.g., impact=3 and likelihood=3), whereas 12 exceeds that range.

742
MCQ · medium

An organization is developing a new cloud-based application that will process personal data of EU citizens. The risk manager is assessing the shared responsibility model with the cloud service provider (CSP). Which of the following is the MOST critical risk to address in the risk assessment?

A. Lack of encryption at rest
B. Vendor lock-in due to proprietary APIs
C. Data sovereignty and cross-border data transfer restrictions
D. Multi-tenancy isolation failures
Answer: C

Data sovereignty is critical for compliance with GDPR and other privacy regulations, as data may be stored in jurisdictions with inadequate protection.

Why this answer

In the shared responsibility model, the customer is responsible for data classification and access controls. Data sovereignty is a key concern when processing EU personal data, as the CSP may store data in jurisdictions that do not provide equivalent protection. The risk manager must ensure contractual and technical measures align with GDPR requirements.

743
MCQ · medium

A company uses the FAIR model to perform a quantitative risk analysis. The threat event frequency (TEF) is estimated at 10 per year, vulnerability (V) is 0.5, and loss magnitude (LM) per event is $50,000. What is the annualized loss expectancy (ALE)?

A. $25,000
B. $50,000
C. $500,000
D. $250,000
Answer: D

Correct; LEF=5, ALE=5*$50k=$250k.

Why this answer

FAIR: LEF = TEF × V = 10 × 0.5 = 5 events/year. ALE = LEF × LM = 5 × $50,000 = $250,000.

744
MCQ · medium

A university's IT department is implementing a single sign-on (SSO) solution for students and faculty. The solution will integrate with existing Active Directory and a cloud-based learning management system (LMS). During risk identification, the team learns that the SSO vendor had a minor security incident last year. The university's security policy requires multi-factor authentication (MFA) for all administrative access, but the SSO solution does not support MFA for student accounts. The project manager insists that MFA for students is not necessary because they only access academic records. The risk team must identify the most significant risk that could affect the university's reputation. Which risk should be documented?

A. SSO vendor's historical security incident could impact service availability.
B. Students may share passwords, leading to account compromise.
C. Lack of MFA for administrative accounts could allow unauthorized changes.
D. Without MFA, student accounts could be compromised to access sensitive academic data.
Answer: D

Compromised student accounts can lead to data breach and reputational damage.

Why this answer

The most significant reputational risk is that without MFA, student accounts are vulnerable to credential theft or brute-force attacks. If an attacker compromises a student account, they could access sensitive academic records (e.g., grades, personal data) protected under FERPA, leading to data breaches, legal penalties, and loss of public trust. The SSO vendor's past incident is less relevant because it was minor and does not directly expose the university's data.

Exam trap

The trap here is that candidates focus on the vendor's past incident (Option A) as a red flag, but the real risk is the missing MFA control for student accounts, which directly enables unauthorized access to sensitive data and reputational damage.

How to eliminate wrong answers

Option A is wrong because a minor historical security incident at the vendor does not directly threaten the university's reputation; service availability is an operational risk, not a reputational one tied to data exposure. Option B is wrong because password sharing is a user behavior issue, not a technical control gap; while it increases risk, the lack of MFA is the primary vulnerability that enables account compromise at scale. Option C is wrong because the scenario states MFA is required for all administrative access, and the SSO solution's lack of MFA applies only to student accounts, not administrative accounts.

745
MCQ · easy

An organization has implemented a new firewall rule to block malicious IP addresses. This is an example of which type of control?

A. Directive control
B. Preventive control
C. Corrective control
D. Detective control
Answer: B

Preventive controls aim to stop undesirable events from occurring.

Why this answer

A firewall rule that blocks malicious IP addresses is a preventive control because it proactively stops unauthorized traffic before it can reach the internal network. By filtering packets based on source IP addresses, the firewall enforces access control policies at the network layer, preventing potential attacks from ever being initiated. This aligns with the CRISC definition of preventive controls, which are designed to avoid or deter undesirable events.

Exam trap

The trap here is confusing preventive controls with detective controls, as candidates often think of firewalls as 'detecting' threats, but the key distinction is that a firewall rule actively blocks (prevents) traffic, not merely logs or alerts on it.

How to eliminate wrong answers

Option A is wrong because directive controls are policies, procedures, or guidelines that define acceptable behavior (e.g., an acceptable use policy), not technical mechanisms that block traffic. Option C is wrong because corrective controls are applied after an incident to restore operations (e.g., restoring from backup after a ransomware attack), not to block threats in real time. Option D is wrong because detective controls identify and log malicious activity after it has occurred (e.g., intrusion detection system alerts), whereas a firewall rule actively prevents the traffic from entering.

746
MCQ · medium

An organization’s continuous monitoring program includes automated vulnerability scanning and log review. Which of the following is a Key Risk Indicator (KRI) that would BEST signal an increasing risk of a successful network breach?

A. Average time to patch critical vulnerabilities
B. Spike in failed authentication attempts from external IPs
C. Number of firewall rule changes per month
D. Percentage of systems with up-to-date antivirus signatures
Answer: B

A spike in failed authentication attempts is a leading indicator of a potential credential stuffing or brute force attack.

Why this answer

A KRI should be leading, indicating a change in risk level. A spike in failed authentication attempts often precedes a brute force attack or credential compromise, signaling increased risk of breach.

747
Multi-Select · easy

An organization is implementing continuous monitoring for its network security controls. Which TWO of the following are examples of continuous monitoring techniques?

Select 2 answers
A. Annual access reviews
B. Annual vulnerability scanning
C. Quarterly control testing by internal audit
D. Automated control testing via SIEM rules
E. Weekly vulnerability scanning
Answers: D, E

SIEM rules provide real-time, continuous monitoring.

Why this answer

Option D is correct because automated control testing via SIEM rules enables real-time or near-real-time validation of security controls by correlating log data and triggering alerts on deviations. This is a core continuous monitoring technique because it operates on an ongoing basis without manual intervention, unlike periodic reviews or scans.

Exam trap

The trap here is that candidates confuse periodic activities (annual, quarterly, weekly) with continuous monitoring, failing to recognize that 'continuous' implies automated, real-time or near-real-time validation, not just frequent scheduled checks.

748
MCQ · hard

A financial institution is implementing a new online banking platform. The risk assessment identified that the platform will handle sensitive customer data and must comply with GDPR and local banking regulations. The project team proposes encrypting all data at rest and in transit, implementing multi-factor authentication (MFA), and conducting quarterly penetration tests. However, the risk owner is concerned about the residual risk of a sophisticated phishing attack that could bypass MFA. The board has a low risk appetite. What is the BEST way to address this residual risk?

A. Purchase cyber insurance to transfer the financial impact of a potential phishing attack.
B. Implement advanced phishing-resistant MFA (e.g., FIDO2) and conduct regular employee phishing simulation training.
C. Reduce the project scope to exclude online banking and revert to a less risky channel.
D. Accept the residual risk because the existing controls (encryption, MFA, pen tests) already provide reasonable assurance.
Answer: B

These controls directly reduce the residual risk of phishing bypassing standard MFA.

Why this answer

Option B is correct because it addresses the specific residual risk with a targeted control (phishing simulations and training) without overcomplicating the project. Option A is wrong because purchasing insurance does not reduce the likelihood of an attack. Option D is wrong because accepting the risk conflicts with the board's low appetite. Option C is wrong because stopping the project is a disproportionate response to a manageable risk.

749
MCQ · medium

You are the risk manager for a healthcare organization that uses an electronic health records (EHR) system. The system has a built-in audit log that records all access to patient data. Recently, the Chief Information Security Officer (CISO) raised a concern that there have been multiple reports of unauthorized access to patient records, but the audit log analysis has not identified any suspicious activity. You have been asked to investigate. Your review of the audit log configuration reveals that the system only logs successful access events, not failed access attempts. Additionally, the log retention period is set to 30 days, and the logs are stored in a flat file on the same server as the EHR application. The monitoring team manually reviews the logs at the end of each month. Which of the following is the MOST significant risk associated with the current monitoring approach?

A. Storing logs on the same server as the EHR application exposes them to alteration or deletion if the server is compromised.
B. The 30-day log retention period is too short to detect long-term patterns of unauthorized access.
C. Manual review of logs is ineffective and may miss critical events; automated monitoring should be implemented.
D. The audit log does not capture failed access attempts, which could indicate brute-force attacks or unauthorized access attempts.
Answer: A

Log integrity is compromised, which is a critical risk for monitoring and forensics.

Why this answer

Storing audit logs on the same server as the EHR application violates the principle of log segregation. If the server is compromised, an attacker can alter or delete the logs to cover their tracks, making detection impossible. This is the most significant risk because it directly undermines the integrity and availability of the evidence needed to investigate unauthorized access.

Exam trap

The trap here is that candidates focus on the operational deficiencies (short retention, manual review, missing failed attempts) rather than the foundational security control failure of log segregation, which is the most critical risk because it compromises the entire audit trail.

How to eliminate wrong answers

Option B is wrong because while a 30-day retention period may be suboptimal for long-term pattern analysis, it is not the most significant risk given that the logs are already vulnerable to tampering and the current manual review process would likely miss patterns regardless. Option C is wrong because although manual review is inefficient, the core issue is that even with automated monitoring, the logs stored on the same server could be destroyed or altered before any alert is triggered. Option D is wrong because while missing failed access attempts is a gap, the lack of logging for failed attempts is less critical than the complete loss of log integrity if the server is compromised.

750
Multi-Select · medium

A risk manager is evaluating the risks associated with using a public cloud provider. Which TWO of the following are key considerations for multi-tenancy isolation? (Select TWO.)

Select 2 answers
A. Risk of unclear shared responsibility
B. Risk of vendor lock-in
C. Risk of misconfigured cloud storage exposing another tenant's data
D. Risk of data sovereignty violations
E. Risk of hypervisor escape attacks
Answers: C, E

Misconfiguration can lead to cross-tenant exposure.

Why this answer

Multi-tenancy isolation concerns include the risk of hypervisor vulnerabilities allowing tenants to access each other's data (E) and the risk of misconfiguration leading to data exposure (C). Vendor lock-in (B) is not about isolation; data sovereignty (D) is about geographic location; shared responsibility (A) is about roles.
