Certified in Risk and Information Systems Control (CRISC) — Questions 751–825

982 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751 · MCQ · easy

Which of the following is a primary source of threat intelligence that provides real-time information about active cyber threats and indicators of compromise?

A. OSINT
B. OWASP Top 10
C. CIS Benchmarks
D. NVD
Answer: A

OSINT provides open-source threat data including IOCs.

Why this answer

Open Source Intelligence (OSINT) includes publicly available data like threat feeds and forums.

752 · Multi-Select · hard

An organization is planning for post-quantum cryptography migration. Which THREE of the following are key considerations for this migration?

Select 3 answers
A. Inventory of all cryptographic assets and dependencies
B. Replacing all existing hardware immediately
C. Crypto agility to easily replace algorithms
D. Timeline estimates for when quantum computers can break current cryptography
E. Eliminating cloud services to reduce risk
Answers: A, C, D

Knowing where cryptography is used is essential.

Why this answer

Option A is correct because a comprehensive inventory of cryptographic assets and dependencies is essential to identify all systems, applications, and data that rely on current cryptographic algorithms (e.g., RSA, ECDSA, Diffie-Hellman). Without this inventory, the organization cannot prioritize migration efforts, assess impact, or ensure that no legacy cryptographic dependency is overlooked during the transition to post-quantum algorithms.

Exam trap

The trap here is that candidates may confuse 'crypto agility' (Option C) with 'immediate hardware replacement' (Option B), or assume that cloud services must be eliminated (Option E) rather than recognizing that inventory, agility, and timeline are the three core strategic considerations for a phased, risk-based migration.

753 · MCQ · easy

The Chief Information Security Officer (CISO) receives a quarterly report that includes a risk heat map and trend analysis of top risks. This type of reporting is best described as:

A. Operational risk reporting
B. Strategic risk reporting
C. Tactical risk reporting
D. Compliance reporting
Answer: C

Tactical reporting is quarterly and aimed at CISO/CIO, covering heat maps and trends.

Why this answer

Tactical risk reporting is typically provided to senior IT management (CISO/CIO) on a quarterly basis and includes risk heat maps and trend analyses.

754 · MCQ · easy

A risk analyst is reviewing monthly control test results. One control failed testing twice in a row. What is the FIRST step the analyst should take?

A. Report the failure in the next risk report to management.
B. Perform a root cause analysis of the control failure.
C. Update the risk register with a higher inherent risk rating.
D. Escalate the failure to the risk committee immediately.
Answer: B

Root cause analysis is essential before taking further action.

Why this answer

The first step when a control fails testing twice in a row is to perform a root cause analysis (RCA) to understand why the failure occurred. Without identifying the underlying cause, any corrective action or reporting would be premature and could lead to ineffective remediation. This aligns with the CRISC focus on proactive risk monitoring and control improvement before escalating or updating risk ratings.

Exam trap

The trap here is that candidates often jump to reporting or escalation (options A or D) because they confuse operational incident response with risk management, but CRISC emphasizes that understanding the root cause is the prerequisite for any subsequent action.

How to eliminate wrong answers

Option A is wrong because reporting the failure to management without first understanding the root cause could result in incomplete or misleading information, and management expects actionable insights, not just raw failure data. Option C is wrong because updating the risk register with a higher inherent risk rating should only occur after the root cause is understood and the control's effectiveness is reassessed; inherent risk is about the risk before controls, not a reaction to control failures. Option D is wrong because immediate escalation to the risk committee is an overreaction for a single control failure pattern; escalation should follow a defined threshold or after RCA indicates a significant control deficiency.

755 · MCQ · easy

A new privacy regulation requires that all personal data be encrypted at rest. The current systems lack encryption. The cost to implement encryption is moderate, and the risk of non-compliance is high. Which risk response is most appropriate?

A. Mitigate by implementing encryption
B. Accept the risk
C. Avoid by discontinuing data processing
D. Transfer via cyber insurance
Answer: A

Encryption directly addresses the vulnerability.

Why this answer

Option A is correct because implementing encryption directly mitigates the risk of non-compliance. Options B, C, and D are less effective or inappropriate.

756 · MCQ · medium

A company decides to purchase cyber insurance to cover potential losses from a data breach. This is an example of which risk treatment option?

A. Mitigate
B. Accept
C. Avoid
D. Transfer
Answer: D

Insurance transfers the financial risk to the insurer.

Why this answer

Transferring risk to a third party through insurance is a classic risk transfer strategy.

757 · MCQ · hard

During a merger and acquisition (M&A) due diligence, the IT risk manager needs to identify risks in the target company's IT environment. Which approach is most effective for comprehensive risk identification?

A. Send a detailed questionnaire to the target's IT department
B. Review the target's public financial reports
C. Conduct a war gaming exercise
D. Conduct an on-site assessment of the target's IT infrastructure
Answer: D

On-site assessment enables direct observation, interviews, and hands-on review, yielding the most reliable risk identification.

Why this answer

An on-site assessment (Option D) allows the IT risk manager to directly observe the target's IT infrastructure, including physical security, network configurations, and operational practices. This hands-on approach uncovers risks that may be hidden or misrepresented in self-reported questionnaires, such as outdated firmware, unpatched systems, or insecure network segmentation. It provides the most comprehensive and accurate risk identification for M&A due diligence.

Exam trap

The trap here is that candidates may overestimate the reliability of self-reported data from questionnaires (Option A) because it seems systematic and efficient, but the CRISC exam emphasizes that direct verification through on-site assessment is essential for comprehensive risk identification in M&A due diligence.

How to eliminate wrong answers

Option A is wrong because a detailed questionnaire relies on self-reporting by the target's IT department, which may omit or downplay critical risks due to lack of awareness or intentional concealment, and cannot verify the actual state of systems like patch levels or firewall rules. Option B is wrong because public financial reports focus on monetary performance and regulatory filings, not on technical IT risks such as insecure configurations, unpatched vulnerabilities, or inadequate access controls. Option C is wrong because war gaming exercises are designed to test strategic responses to hypothetical scenarios, not to identify existing technical risks in a target's IT environment, and they lack the granularity needed for infrastructure-level assessment.

758 · MCQ · hard

During a control implementation project, the risk manager discovers that the resource requirements have increased significantly, making the original cost-benefit analysis invalid. What should the risk manager do first?

A. Continue the project and request additional budget later
B. Escalate to the board for approval of additional funds
C. Cancel the project immediately
D. Perform a revised cost-benefit analysis
Answer: D

Reassessing the business case is the appropriate first step.

Why this answer

Before proceeding, the risk manager should reassess the cost-benefit analysis with updated costs to determine if the control is still justified.

759 · Multi-Select · medium

A risk manager is designing an IT risk management programme. Which THREE of the following are essential components of a risk management policy?

Select 3 answers
A. Risk assessment methodology
B. Specific risk treatment plans
C. Risk appetite statement
D. Detailed risk register
E. Roles and responsibilities for risk management
Answers: A, C, E

Methodology defines how risks are assessed.

Why this answer

A risk assessment methodology is an essential component of a risk management policy because it defines the standardized approach for identifying, analyzing, and evaluating IT risks. Without a prescribed methodology, risk assessments would be inconsistent, making it impossible to compare risks across the organization or to align them with the risk appetite. The policy must mandate a repeatable process, such as NIST SP 800-30 or ISO 31010, to ensure objectivity and defensibility in risk decisions.

Exam trap

The trap here is that candidates confuse operational artifacts (risk treatment plans and risk registers) with policy-level components, failing to recognize that the policy sets the framework and mandates, not the specific details of each risk response.

760 · Multi-Select · hard

During an IT risk assessment, the risk team identifies a high inherent risk for a legacy application. The team is evaluating control options. Which THREE are considered preventive controls?

Select 3 answers
A. Log monitoring
B. Encryption of data at rest
C. Change management process
D. Access controls
E. Backup restoration procedures
Answers: B, C, D

Encryption prevents data exposure if storage is compromised.

Why this answer

Preventive controls aim to stop risk events. Access controls, encryption, and change management are preventive. Logs are detective, backup restoration is corrective.

761 · MCQ · medium

A risk owner decides to accept a risk because the cost of mitigation exceeds the potential loss, and the risk level is within the organization's risk appetite. What should the risk owner do next?

A. Implement detective controls to monitor the risk
B. Reassess the risk using quantitative analysis
C. Transfer the risk to a third party via insurance
D. Document the risk and obtain formal sign-off
Answer: D

Proper risk acceptance requires documentation and formal approval from the risk owner or management.

Why this answer

The risk owner should formally document the risk acceptance decision and obtain approval from management as per policy.

762 · MCQ · hard

An organization has a legacy system that cannot be patched due to vendor end-of-life. The system processes non-critical data. The risk manager has determined that the likelihood of exploitation is low, but the impact would be high. Which risk response strategy is MOST appropriate?

A. Mitigate the risk by applying vendor patches.
B. Avoid the risk by decommissioning the system immediately.
C. Transfer the risk by purchasing cyber insurance.
D. Accept the risk with compensating controls such as network segmentation.
Answer: D

Compensating controls reduce likelihood without patching.

Why this answer

Option D is correct because the system processes non-critical data and cannot be patched, making risk acceptance with compensating controls the most appropriate strategy. Network segmentation reduces the likelihood of exploitation by isolating the legacy system from critical assets, while the low likelihood and non-critical data make decommissioning or insurance less suitable. This aligns with CRISC best practices for legacy systems where patching is impossible and the risk is within the organization's risk appetite.

Exam trap

ISACA often tests the misconception that 'high impact' always requires mitigation or avoidance, but the trap here is that when likelihood is low and the data is non-critical, acceptance with compensating controls is the most cost-effective and appropriate response per the risk management framework.

How to eliminate wrong answers

Option A is wrong because the vendor has ended support, meaning no patches are available, so mitigation via patching is technically infeasible. Option B is wrong because decommissioning immediately is an extreme response for a system processing non-critical data with low exploitation likelihood; it would likely cause unnecessary operational disruption and cost. Option C is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of exploitation; it is a secondary response and not the most appropriate primary strategy for a low-likelihood, high-impact scenario where compensating controls can be applied.

763 · Multi-Select · hard

A company is implementing a risk identification process for third-party risks. Which THREE factors should be considered when identifying risks from a critical software vendor?

Select 3 answers
A. Number of employees at vendor
B. Vendor's compliance with relevant regulations
C. Service level agreements (SLAs)
D. Vendor's history of security incidents
E. Vendor's financial stability
Answers: B, D, E

Non-compliance can result in liability for the organization.

Why this answer

Financial health affects vendor stability, regulatory compliance affects legal risk, and security incidents affect operational risk. Service level agreements are contractual, not risk factors per se.

764 · Multi-Select · medium

Which TWO of the following are key components of an effective risk and control monitoring program? (Select exactly two.)

Select 2 answers
A. Control testing schedules
B. Risk appetite statements
C. Defined key risk indicators (KRIs)
D. Quarterly board reporting
E. Annual risk assessment updates
Answers: A, C

Ensures controls are tested regularly.

Why this answer

Control testing schedules (A) are a key component because they define the frequency and scope of evaluating whether controls are operating effectively. Without a structured schedule, control failures may go undetected for extended periods, increasing risk exposure. Defined key risk indicators (KRIs) (C) are also essential because they provide leading metrics that signal potential risk events before they materialize, enabling proactive monitoring and timely corrective actions.

Exam trap

The trap here is that candidates confuse governance artifacts (like risk appetite statements and board reporting) with operational monitoring components, leading them to select options that are important for risk management but not part of the monitoring program's core structure.

765 · MCQ · easy

Which of the following is a primary concern when using AI/ML models for decisions subject to regulatory oversight?

A. Adversarial attacks
B. Model bias
C. Explainability of model decisions
D. Data privacy in training
Answer: C

Regulations like GDPR require explanation of automated decisions.

Why this answer

Regulated decisions often require explainability to ensure compliance and auditability, which can be challenging with complex AI/ML models.

766 · MCQ · medium

During the solution architecture review, the Architecture Review Board (ARB) identifies a security risk in a proposed cloud migration project. The solution relies on a single cloud region with no disaster recovery plan. Which of the following is the BEST recommendation to mitigate this risk?

A. Deploy the application across multiple cloud regions with automated failover
B. Purchase cyber insurance to cover financial losses
C. Implement encryption at rest and in transit
D. Conduct a business impact analysis (BIA)
Answer: A

Multi-region deployment reduces the risk of a single point of failure and ensures business continuity.

Why this answer

The risk of a single region failure can be mitigated by implementing a multi-region deployment with failover. This aligns with high availability and disaster recovery best practices.

767 · MCQ · hard

A company identifies a high inherent risk in its online payment system. After implementing a Web Application Firewall (WAF) and conducting quarterly penetration tests, the residual risk is assessed as medium. Which of the following best explains the relationship between inherent risk, controls, and residual risk?

A. Residual risk is the inherent risk adjusted for the effectiveness of controls in reducing likelihood and impact.
B. Inherent risk is the risk after controls are applied, while residual risk is the risk before controls.
C. Residual risk equals inherent risk minus the total cost of controls implemented.
D. Inherent risk and residual risk are independent; residual risk is determined solely by threat intelligence.
Answer: A

Correct. Control effectiveness reduces inherent risk to residual risk.

Why this answer

Residual risk is the risk remaining after controls are applied. It is calculated by adjusting inherent risk for control effectiveness (design adequacy and operating effectiveness).

768 · MCQ · hard

A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?

A. Develop and mandate a standardized risk assessment methodology.
B. Aggregate risks at the enterprise level using a common taxonomy.
C. Require each business unit to adopt the same risk scoring scale.
D. Create a centralized reporting template with predefined fields.
Answer: A

Ensures consistent risk identification and evaluation.

Why this answer

Option A is correct because mandating a standardized risk assessment methodology ensures that all business units apply the same criteria, scales, and processes for identifying, analyzing, and evaluating risks. This eliminates methodological inconsistencies at the source, enabling the risk committee to produce truly comparable and reliable monitoring reports across the enterprise.

Exam trap

The trap here is that candidates confuse output consistency (templates, scales, or taxonomies) with input consistency (the methodology itself), leading them to choose options that only address surface-level uniformity rather than the root cause of inconsistent risk assessments.

How to eliminate wrong answers

Option B is wrong because aggregating risks using a common taxonomy only standardizes the classification of risks, not the underlying assessment methodology; different scoring and evaluation approaches would still produce incompatible results. Option C is wrong because requiring the same risk scoring scale does not address differences in how risks are identified, analyzed, or prioritized—two units using the same scale but different methodologies can still generate inconsistent risk levels for similar exposures. Option D is wrong because a centralized reporting template with predefined fields only standardizes the output format, not the input data or assessment process; if business units use different methodologies, the data entered into the template will remain inconsistent and non-comparable.

769 · MCQ · medium

A company is assessing the risk of a ransomware attack. The security team estimates the threat event frequency as 2 attacks per year, vulnerability as 0.3 (30% chance of success), primary loss as $500,000, and secondary loss as $200,000. What is the annualized loss expectancy (ALE) using the FAIR framework?

A. $420,000
B. $700,000
C. $210,000
D. $1,400,000
Answer: A

ALE = (2 * 0.3) * ($500,000 + $200,000) = 0.6 * $700,000 = $420,000.

Why this answer

The FAIR framework calculates ALE as Threat Event Frequency × Vulnerability × (Primary Loss + Secondary Loss). Here, 2 × 0.3 × ($500,000 + $200,000) = 2 × 0.3 × $700,000 = $420,000. This correctly accounts for the probability of a successful attack and the total loss per incident.

Exam trap

The trap here is that candidates often forget to multiply by the vulnerability factor (0.3) or omit secondary loss, leading to answers like $700,000 or $1,400,000, which ignore the probabilistic nature of successful attacks.

How to eliminate wrong answers

Option B is wrong because it multiplies the total loss ($700,000) by the threat event frequency (2) without considering the vulnerability factor (0.3), yielding $1,400,000, then incorrectly halves it to $700,000. Option C is wrong because it multiplies only the primary loss ($500,000) by vulnerability (0.3) and threat frequency (2), ignoring secondary loss, giving $300,000, then incorrectly divides by 2 to get $210,000. Option D is wrong because it multiplies the total loss ($700,000) by the threat event frequency (2) without applying the vulnerability factor (0.3), resulting in $1,400,000, which overestimates the ALE by ignoring the 30% success probability.

770 · MCQ · medium

After a risk assessment, the risk owner determines that the residual risk is still above the risk appetite. Which of the following is the MOST appropriate next step?

A. Transfer the risk
B. Ignore the risk
C. Accept the risk
D. Implement additional controls
Answer: D

Adding controls reduces residual risk to an acceptable level.

Why this answer

When residual risk remains above the risk appetite after initial risk assessment, the most appropriate next step is to implement additional controls to further reduce the risk to an acceptable level. This aligns with the risk treatment process where controls are selected and applied to lower the likelihood or impact of the risk event. Simply transferring, ignoring, or accepting the risk without further action would not address the gap between residual risk and risk appetite.

Exam trap

ISACA often tests the misconception that risk acceptance is always the default next step, but the trap here is that acceptance is only valid when residual risk is within appetite; when it is above, additional controls must be considered first.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via insurance or outsourcing) does not reduce the inherent risk; it only shifts financial consequences, and the residual risk may still exceed appetite if the transfer is incomplete or not cost-effective. Option B is wrong because ignoring the risk is a deliberate avoidance of responsibility and violates the risk management principle that risks above appetite must be treated, not neglected. Option C is wrong because accepting the risk without implementing additional controls is only appropriate if the residual risk is within the risk appetite; here it is above, so acceptance without further action would be non-compliant with policy.

771 · MCQ · easy

Based on the exhibit, which risk is MOST likely to be identified during a risk assessment?

A. Weak passwords on user workstations
B. Unauthorized physical access to the data center
C. Lateral movement risk from DMZ to internal network
D. Incomplete audit logs on firewalls
Answer: C

Lack of segmentation allows propagation of attacks.

Why this answer

The exhibit shows a DMZ architecture where the internal network is separated from the DMZ by a firewall. A risk assessment would identify the potential for an attacker who compromises a DMZ host (e.g., a web server) to pivot through the firewall to the internal network, especially if firewall rules are overly permissive or if the DMZ host has a trust relationship with internal systems. This lateral movement risk is a classic and high-priority finding in such segmented environments.

Exam trap

The trap here is that candidates often focus on obvious vulnerabilities like weak passwords or incomplete logs, but the CRISC exam tests the ability to identify the most significant risk given the architecture—lateral movement from a less trusted zone (DMZ) to a more trusted zone (internal network) is a classic and critical risk in segmented network designs.

How to eliminate wrong answers

Option A is wrong because weak passwords on user workstations are an endpoint security issue typically identified during vulnerability scans or security audits, not a primary risk in a DMZ-to-internal network architecture assessment. Option B is wrong because unauthorized physical access to the data center is a physical security risk that is assessed separately, often through site surveys or access control reviews, and is not directly indicated by the network topology in the exhibit. Option D is wrong because incomplete audit logs on firewalls are a logging and monitoring deficiency, not a direct risk of network traversal; while important, the exhibit's focus on DMZ segmentation points to lateral movement as the more immediate and architecture-specific risk.

772 · MCQ · medium

During a risk assessment, the risk manager identifies that the likelihood of a cyber-attack is high due to recent industry trends. However, the existing controls are deemed effective in reducing impact. Which of the following is the MOST appropriate risk response?

A. Mitigate
B. Avoid
C. Accept
D. Transfer
Answer: A

Mitigating by maintaining or enhancing controls is appropriate given high likelihood.

Why this answer

Mitigate is the most appropriate risk response because the likelihood of a cyber-attack is high, but existing controls are effective in reducing the impact. Mitigation involves implementing additional controls or enhancing existing ones to reduce the likelihood or impact further, which aligns with the scenario where controls are already effective but need to be strengthened to address the high likelihood.

Exam trap

ISACA often tests the distinction between 'mitigate' and 'transfer' by presenting scenarios where controls are effective but likelihood is high, leading candidates to incorrectly choose transfer (e.g., insurance) instead of recognizing that mitigation directly addresses the likelihood through additional technical controls.

How to eliminate wrong answers

Option B (Avoid) is wrong because avoiding the risk would require discontinuing the activity or system that exposes the organization to the cyber-attack, which is not necessary when controls are already effective and the risk can be managed. Option C (Accept) is wrong because accepting the risk implies a conscious decision to tolerate the potential impact without further action, which is inappropriate when the likelihood is high and controls are only effective, not optimal. Option D (Transfer) is wrong because transferring the risk (e.g., via cyber insurance) shifts the financial impact but does not address the high likelihood of the attack occurring, and the existing controls are already reducing impact, making mitigation a more direct response.

773 · MCQ · easy

A risk assessment reveals a high inherent risk that is within the organization's risk appetite. The risk owner documents the risk and formally accepts it. This is an example of which risk treatment option?

A. Accept
B. Mitigate
C. Transfer
D. Avoid
Answer: A

Acceptance means acknowledging and bearing the risk.

Why this answer

When a risk is within appetite, it may be formally accepted with sign-off.

774 · MCQ · hard

During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?

A. Implement enhanced monitoring and manual fallback procedures.
B. Increase cyber insurance coverage.
C. Accept the risk and budget for potential losses.
D. Outsource the ERP hosting to a cloud provider.
Answer: A

These measures reduce the impact of failures and can be deployed quickly.

Why this answer

Enhanced monitoring and manual fallback procedures directly address the immediate risk of system failure during peak periods by providing early detection and a contingency plan to maintain critical financial operations. This response can be implemented quickly without the 18-month timeline and capital investment required for a full system upgrade, aligning with the CEO's request for a faster risk reduction.

Exam trap

The trap here is that candidates confuse a long-term strategic solution (system upgrade or cloud migration) with an immediate tactical response, failing to recognize that the question explicitly asks for the 'most appropriate immediate risk response' that can be deployed quickly.

How to eliminate wrong answers

Option B is wrong because cyber insurance coverage does not reduce the likelihood or impact of the ERP failure; it only provides financial compensation after a loss, which is not an immediate risk response. Option C is wrong because accepting the risk and budgeting for potential losses is a passive approach that does nothing to mitigate the high likelihood of failure during peak transactions, leaving critical financial operations exposed. Option D is wrong because outsourcing ERP hosting to a cloud provider involves significant migration effort, potential data residency issues, and contractual timelines that cannot be implemented immediately, and it does not address the legacy system's inherent instability during peak loads.

775 · Multi-Select · easy

A financial institution is implementing a new continuous monitoring solution for its transaction processing systems. The solution generates alerts for suspicious activities. Which TWO of the following are essential considerations when defining the alert thresholds?

Select 2 answers
A. Cost of the monitoring solution
B. Historical transaction patterns and baseline deviations
C. Vendor reputation for support
D. Number of employees in the monitoring team
E. The risk appetite of the organization
Answers: B, E

Baselining ensures thresholds reflect normal behavior.

Why this answer

Historical transaction patterns and baseline deviations (B) are essential because alert thresholds must be calibrated to normal behavior to minimize false positives and false negatives. Without understanding typical transaction volumes, values, and frequencies, the monitoring solution cannot distinguish legitimate activity from suspicious anomalies, rendering alerts meaningless.

Exam trap

The trap here is confusing operational or procurement factors (cost, vendor support, team size) with the risk-based, data-driven technical parameters that directly control alert generation.

776 · MCQ · hard

A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

A. Risk avoidance by decommissioning the system
B. Risk transfer through cyber insurance
C. Risk reduction by implementing redundant systems
D. Risk acceptance because mitigation is too costly
Answer: C

Redundancy reduces both likelihood and impact of downtime.

Why this answer

Given the extremely high downtime costs, the most appropriate risk response is risk reduction through implementing redundant systems. This directly addresses the critical system's availability requirement by eliminating single points of failure, thereby reducing both the likelihood and impact of downtime. Decommissioning the system (avoidance) would eliminate the business function entirely, which is typically not viable for a critical system, while insurance (transfer) only provides financial compensation after the loss, not preventing the operational impact of downtime.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) as a primary solution for high downtime costs, overlooking that insurance does not prevent the operational impact and lost revenue during the outage itself, which is the core concern in this scenario.

How to eliminate wrong answers

Option A is wrong because risk avoidance by decommissioning the system would eliminate the business function that the critical system supports, which is typically not a viable strategy for a system deemed critical to operations. Option B is wrong because risk transfer through cyber insurance only provides financial reimbursement after a loss event, but does not prevent the extremely high operational downtime costs or the associated business disruption. Option D is wrong because risk acceptance is inappropriate when the business impact analysis shows that downtime costs are extremely high and a cost-effective mitigation (like redundancy) is available.

777
MCQeasy

Which of the following is a detective control?

A.Intrusion detection system (IDS)
B.Firewall
C.Backup and recovery procedure
D.Data encryption
AnswerA

IDS is a detective control.

Why this answer

Detective controls identify incidents after they occur. An intrusion detection system (IDS) monitors network traffic and alerts on suspicious activity, making it a detective control.

778
Multi-Selecthard

Which THREE of the following are key components of an effective risk treatment plan?

Select 3 answers
A.Assigned responsibilities
B.Risk acceptance criteria
C.A timeline for implementation
D.The risk owner's signature
E.A detailed budget
AnswersA, B, C

Clear ownership ensures accountability.

Why this answer

Assigned responsibilities are a key component of an effective risk treatment plan because they ensure accountability for implementing specific risk mitigation actions. Without clear ownership, tasks may be delayed or overlooked, undermining the plan's execution. This aligns with the CRISC framework's emphasis on defining roles to operationalize risk response.

Exam trap

The trap here is that candidates confuse supporting artifacts (like budgets or signatures) with the core structural components of the plan, which are defined by ISACA as responsibilities, timelines, and acceptance criteria.

779
Multi-Selectmedium

Which TWO of the following are examples of corrective controls?

Select 2 answers
A.Encryption of data at rest
B.Disaster recovery plan execution
C.Intrusion detection system
D.Backup restoration
E.Access control lists
AnswersB, D

Recovery after disaster is corrective.

Why this answer

Disaster recovery plan execution (B) is a corrective control because it is activated after a disruptive event to restore normal operations. It directly addresses the impact of an incident by executing predefined procedures to recover systems and data, thereby correcting the damage caused by the outage or disaster.

Exam trap

The trap here is that candidates often confuse detective controls (like IDS) with corrective controls, because they both involve monitoring or alerting, but corrective controls are specifically about taking action to fix or recover from an incident, not just detecting it.

780
MCQmedium

A company's risk appetite statement specifies that the organization is willing to accept a moderate level of operational risk to achieve strategic agility. This statement directly influences which activity during IT risk identification?

A.Defining the IT risk universe
B.Determining the risk capacity of the organization
C.Establishing risk tolerance thresholds for operational risk
D.Selecting threat intelligence sources
AnswerC

Risk appetite translates into tolerance thresholds that guide risk identification and evaluation.

Why this answer

Risk appetite guides which risks are acceptable and helps prioritize risk scenarios, influencing the scope of risk identification.

781
MCQeasy

After a data breach has been contained, what is the most important action for identifying underlying IT risks?

A.Update the risk register
B.Perform a root cause analysis
C.Implement new security controls
D.Review cyber insurance policy
AnswerB

Root cause analysis identifies the specific risks and weaknesses that led to the breach.

Why this answer

Root cause analysis systematically identifies the weaknesses that allowed the breach, directly contributing to risk identification. Updating the risk register, implementing controls, and reviewing insurance are subsequent steps.

782
Multi-Selectmedium

A risk analyst is reviewing the results of control testing for a critical business process. Which THREE of the following are valid reasons to classify a control as ineffective?

Select 3 answers
A.The control was not executed as per procedure.
B.The control failed during peak load testing.
C.The control design does not address the risk.
D.The control was tested once and passed.
E.The control owner was not available during the test.
AnswersA, B, C

Deviating from procedure compromises control effectiveness.

Why this answer

Option A is correct because a control that is not executed as per its documented procedure indicates an operational failure. Even if the control design is sound, failure to follow the procedure means the control did not operate as intended, rendering it ineffective in mitigating the risk.

Exam trap

The trap here is that candidates may confuse a single successful test result with proof of ongoing effectiveness, or mistake an administrative issue (owner unavailability) for a control deficiency, when in fact the control's design and execution are what matter.

783
MCQmedium

An internal audit report identifies that the IT department did not patch a critical vulnerability in a database server for 90 days. The risk manager wants to identify the root cause risk. Which approach should be used?

A.Interview the database system owner
B.Conduct a new vulnerability scan
C.Update the risk register with the finding
D.Perform a root cause analysis on the patching process
AnswerD

Root cause analysis identifies process gaps leading to the delay.

Why this answer

Option D is correct because the risk manager needs to identify the root cause risk, which requires understanding why the patching process failed to apply a critical security update within the required timeframe. A root cause analysis (RCA) on the patching process systematically examines procedural breakdowns, such as missed scanning cycles, lack of change management approval, or insufficient prioritization of database-specific patches (e.g., Oracle Critical Patch Updates). This approach directly addresses the underlying process deficiency rather than merely documenting or re-verifying the vulnerability.

Exam trap

The trap here is that candidates confuse operational remediation (e.g., rescanning or interviewing) with risk identification analysis, failing to recognize that the question specifically asks for identifying the root cause risk, not just confirming or logging the finding.

How to eliminate wrong answers

Option A is wrong because interviewing the database system owner may provide anecdotal context but does not systematically uncover the procedural or systemic failures in the patching lifecycle, such as scheduling gaps or approval bottlenecks. Option B is wrong because conducting a new vulnerability scan would only confirm the current state of the vulnerability (e.g., whether it is still present or remediated), not reveal why the patch was delayed for 90 days. Option C is wrong because updating the risk register with the finding is a documentation step that records the risk but does not analyze the causal factors behind the patching failure.

784
Multi-Selectmedium

Which THREE of the following are common business impact categories used in risk scenarios?

Select 3 answers
A.Reputational damage
B.Financial loss
C.Strategic misalignment
D.Regulatory penalty
E.Technical downtime
AnswersA, B, D

Why this answer

Common business impact categories include financial loss, regulatory penalty, and reputational damage. Technical downtime is a cause, not an impact category; strategic misalignment is a risk factor.

785
Multi-Selecthard

During an IT risk assessment, a risk owner has identified a risk with a high inherent risk score. After reviewing control effectiveness, the residual risk remains medium. The organization decides to accept the residual risk. Which TWO of the following actions should the risk owner take?

Select 2 answers
A.Transfer the risk to a third party
B.Eliminate the activity that creates the risk
C.Obtain sign-off from the risk owner
D.Implement additional controls to reduce risk further
E.Document the risk acceptance formally
AnswersC, E

The risk owner must formally approve acceptance.

Why this answer

Option C is correct because the risk owner must formally acknowledge and accept the residual risk after the decision to accept has been made. This sign-off demonstrates that the risk owner is aware of the remaining exposure and agrees to the risk acceptance, which is a key governance step in the risk management process. Without this sign-off, the acceptance is not formally recognized, and accountability remains unclear.

Exam trap

The trap here is that candidates may confuse risk acceptance with other risk treatment options (transfer, avoid, mitigate) and fail to recognize that after deciding to accept, the key actions are formal sign-off and documentation, not further risk reduction or transfer.

786
MCQhard

An organization has a risk appetite statement that says 'We accept up to $5 million in operational losses per year.' However, a new cloud migration project is estimated to have a potential operational loss of $8 million if a critical failure occurs. The risk capacity of the organization is $20 million. What should the risk practitioner recommend?

A.Reject the project because the risk exceeds the risk appetite
B.Implement risk treatment measures to reduce the potential loss to below $5 million
C.Increase the risk appetite to $8 million to align with the project
D.Accept the risk because the risk capacity is $20 million
AnswerB

Why this answer

The risk tolerance threshold ($5 million) is exceeded by the potential loss ($8 million). The risk appetite is the amount of risk the organization is willing to accept, and this scenario exceeds it. While the risk capacity is higher, the appetite is not met, so risk treatment is needed to bring the residual risk within the tolerance.

787
MCQhard

A Key Control Indicator (KCI) for a critical firewall rule set shows an exception rate of 12% over the past month, exceeding the acceptable threshold of 5%. The control owner is responsible for remediation. Which action should the risk practitioner recommend FIRST?

A.Temporarily disable the firewall rules causing exceptions
B.Implement an automated rule change management process
C.Update the KCI threshold to 12%
D.Conduct a root cause analysis of the exceptions
AnswerD

Root cause analysis is essential to identify why exceptions are occurring and to determine appropriate remediation.

Why this answer

The first step in addressing an elevated KCI is to investigate the root cause of the exceptions to determine if they are due to rule misconfigurations, policy violations, or other issues before taking corrective action.

788
Multi-Selectmedium

Which TWO of the following are primary sources of IT risk identification? (Select exactly TWO.)

Select 2 answers
A.Incident reports
B.Threat intelligence feeds
C.Asset inventory
D.Risk appetite
E.Policy documents
AnswersA, B

Incident reports document past events and vulnerabilities, revealing risks that materialized.

Why this answer

Incident reports are a primary source of IT risk identification because they provide direct evidence of past security events, such as malware infections, unauthorized access attempts, or system failures. By analyzing incident reports, risk practitioners can identify patterns, root causes, and control weaknesses that represent current or emerging risks. This historical data is essential for updating the risk register and prioritizing remediation efforts based on actual impact.

Exam trap

The trap here is that candidates often mistake asset inventory (a passive inventory list) as a primary risk identification source, when in fact it is a prerequisite for risk assessment but does not itself identify risks; the exam expects you to distinguish between inputs for risk assessment and sources that actively reveal risk events.

789
MCQmedium

During a risk assessment for a new financial application, the risk manager identifies that the application processes sensitive customer data and is accessible from the internet. Which of the following is the MOST appropriate risk scenario to document?

A.The application has several unpatched vulnerabilities that increase the likelihood of a security incident.
B.The application will implement multi-factor authentication to prevent unauthorized access.
C.An attacker could exploit weak authentication mechanisms to gain unauthorized access and exfiltrate customer data, resulting in regulatory fines and reputational damage.
D.The application must comply with PCI DSS requirements for data protection.
AnswerC

This is a well-defined risk scenario with threat, vulnerability, and impact.

Why this answer

Option C is the most appropriate risk scenario because it follows the standard risk scenario structure: threat (attacker), vulnerability (weak authentication), impact (unauthorized access, data exfiltration, regulatory fines, reputational damage). It directly ties the technical weakness to a business consequence, which is essential for communicating risk to stakeholders. The scenario is specific to the application's internet-facing nature and sensitive data processing, making it actionable for risk treatment.

Exam trap

The trap here is that candidates mistake a vulnerability or a control for a complete risk scenario, failing to include the threat actor and business impact that are required for proper risk identification.

How to eliminate wrong answers

Option A is wrong because it describes a vulnerability (unpatched flaws) without specifying a threat actor, attack vector, or business impact; it is a risk factor, not a complete risk scenario. Option B is wrong because it describes a control (multi-factor authentication) that would mitigate risk, not a risk scenario itself; it confuses a solution with the problem statement. Option D is wrong because it states a compliance requirement (PCI DSS) without linking it to a specific threat, vulnerability, or adverse outcome; it is a control objective, not a risk scenario.

790
MCQmedium

A security analyst is using a threat modeling approach that focuses on identifying threats based on the system's requirements and design. Which threat modeling methodology is being used?

A.TRIKE
B.STRIDE
C.VAST
D.PASTA
AnswerA

TRIKE uses requirements and design to identify threats within a risk management framework.

Why this answer

TRIKE is a requirements-based threat modeling methodology that uses a risk management framework to identify threats based on system requirements.

791
Multi-Selecthard

A risk assessment identifies a high likelihood of a data breach due to insecure APIs. The risk team proposes disabling the APIs until they are secured, implementing a WAF, and purchasing breach insurance. Which THREE risk response options are being considered?

Select 3 answers
A.Remediate
B.Transfer
C.Avoid
D.Mitigate
E.Accept
AnswersB, C, D

Insurance transfers the financial impact.

Why this answer

Option B (Transfer) is correct because purchasing breach insurance transfers the financial risk of a data breach to an insurance provider. Option C (Avoid) is correct because disabling the APIs until they are secured eliminates the risk entirely by removing the vulnerable component. Option D (Mitigate) is correct because implementing a Web Application Firewall (WAF) reduces the likelihood or impact of an API-based attack without removing the API.

Exam trap

Cisco often tests the distinction between 'remediate' and 'mitigate,' where candidates mistakenly label a compensating control (like a WAF) as remediation instead of mitigation, because they confuse reducing risk with fixing the root cause.

792
MCQeasy

Which COBIT 2019 governance objective focuses on ensuring that the enterprise's risk appetite and tolerance are understood, articulated, and communicated, and that risk is managed appropriately?

A.EDM04 — Ensure Resource Optimization
B.EDM03 — Ensure Risk Optimization
C.EDM02 — Ensure Benefits Delivery
D.EDM01 — Ensure Governance Framework Setting and Maintenance
AnswerB

Correct as described.

Why this answer

EDM03 — Ensure Risk Optimization is the COBIT 2019 governance objective specifically designed to ensure that the enterprise's risk appetite and risk tolerance are defined, communicated, and understood, and that risk is managed within those boundaries. It focuses on aligning risk management with enterprise objectives and ensuring that residual risk is acceptable.

Exam trap

The trap here is that candidates often confuse 'risk optimization' (EDM03) with 'resource optimization' (EDM04) because both terms include 'optimization,' but EDM03 is the only one that explicitly addresses risk appetite, tolerance, and management.

How to eliminate wrong answers

Option A is wrong because EDM04 — Ensure Resource Optimization focuses on managing IT resources (applications, information, infrastructure, people) efficiently and effectively, not on risk appetite or tolerance. Option C is wrong because EDM02 — Ensure Benefits Delivery is concerned with optimizing value from IT-enabled investments and services, not with risk management. Option D is wrong because EDM01 — Ensure Governance Framework Setting and Maintenance deals with establishing and maintaining the governance framework (structures, principles, processes), not directly with risk appetite articulation or risk management.

793
MCQhard

After implementing controls, the risk remaining is called:

A.Control risk
B.Acceptable risk
C.Residual risk
D.Inherent risk
AnswerC

Residual risk = inherent risk adjusted for control effectiveness.

Why this answer

Residual risk is the risk remaining after controls are applied, calculated by adjusting inherent risk for control effectiveness.

794
Multi-Selectmedium

An organization is conducting a post-implementation review of a new data loss prevention (DLP) control. Which TWO metrics are Key Control Indicators (KCIs) that would best measure the control's effectiveness?

Select 2 answers
A.Cost of the DLP solution per year
B.Percentage of DLP policy violations that were not blocked
C.Average time to respond to DLP incidents
D.Number of DLP alerts generated per day
E.Number of authorized exceptions to DLP policies
AnswersB, E

This deficiency rate measures control failures.

Why this answer

Option B is correct because the percentage of DLP policy violations that were not blocked directly measures the control's failure rate—its inability to prevent unauthorized data exfiltration. A high percentage indicates ineffective policy configuration or insufficient detection coverage, making it a key control indicator (KCI) for effectiveness. Option E is correct because the number of authorized exceptions to DLP policies reflects how often the control is deliberately bypassed, which can indicate gaps in policy design or excessive risk acceptance, both of which undermine the control's intended effectiveness.

Exam trap

The trap here is that candidates confuse operational metrics (like alert volume or response time) with effectiveness metrics, failing to recognize that KCIs must directly measure whether the control is achieving its intended risk mitigation outcome, not just how much activity it generates.

795
MCQmedium

A company uses a third-party vendor to process customer data. The vendor's security control monitoring reports show no issues. However, the company's internal monitoring detects anomalies in vendor response times. What is the BEST interpretation?

A.The vendor's monitoring is accurate; the anomalies are false positives.
B.The anomalies may indicate a control gap in the vendor's environment.
C.The internal monitoring should be disabled to avoid confusion.
D.The vendor's monitoring is more reliable than internal monitoring.
AnswerB

Internal monitoring provides independent validation.

Why this answer

The correct answer is B because the discrepancy between the vendor's security monitoring reports (showing no issues) and the company's internal monitoring (detecting anomalies in response times) suggests a potential control gap in the vendor's environment. Response time anomalies can indicate underlying security issues such as resource exhaustion, data exfiltration, or compromised systems that the vendor's monitoring may not be capturing. This misalignment warrants further investigation rather than dismissal.

Exam trap

The trap here is that candidates may assume vendor monitoring reports are authoritative and dismiss internal anomalies as false positives, failing to recognize that independent monitoring is a critical control for detecting gaps in third-party security.

How to eliminate wrong answers

Option A is wrong because dismissing anomalies as false positives without investigation is a risky assumption; response time anomalies can be early indicators of security incidents like DDoS attacks or unauthorized data transfers. Option C is wrong because disabling internal monitoring would eliminate a valuable independent verification layer, violating the principle of defense in depth and reducing visibility into vendor performance and security. Option D is wrong because vendor monitoring reports are not inherently more reliable; they may lack coverage of certain metrics (e.g., response time) or be subject to reporting biases, and internal monitoring provides a necessary cross-check.

796
MCQeasy

When assessing cloud computing risk, which of the following is a key concern related to data sovereignty?

A.Shared responsibility model misunderstandings
B.Data may be stored in jurisdictions with different privacy laws
C.Multi-tenancy isolation gaps
D.Vendor lock-in due to proprietary APIs
AnswerB

This is the core of data sovereignty risk.

Why this answer

Data sovereignty refers to legal requirements that data be stored and processed within certain geographic boundaries. Cloud providers may store data in multiple jurisdictions, leading to compliance risks if data crosses borders without authorization.

797
MCQhard

A multinational corporation is assessing the risk of non-compliance with GDPR. Which of the following is the BEST approach to quantify the potential fine?

A.Base the estimate on the organization's annual global turnover
B.Estimate based on the cost of cyber insurance premiums
C.Calculate the cost of data breach using the Ponemon Institute model
D.Use industry benchmarks for data breach costs
AnswerA

GDPR fines are up to 4% of annual turnover.

Why this answer

Under GDPR, the maximum fine for non-compliance is the greater of €20 million or 4% of the organization's annual global turnover. Therefore, basing the estimate on annual global turnover directly aligns with the regulatory formula used by supervisory authorities, making it the most accurate and defensible quantification approach for potential fines.

Exam trap

ISACA often tests the distinction between regulatory fines (which follow a fixed statutory formula) and broader breach costs (which include operational, reputational, and legal expenses), leading candidates to mistakenly select a comprehensive cost model like Ponemon instead of the turnover-based regulatory calculation.

How to eliminate wrong answers

Option B is wrong because cyber insurance premiums reflect market pricing for risk transfer, not the statutory penalty calculation defined in GDPR Article 83. Option C is wrong because the Ponemon Institute model estimates the total cost of a data breach (including detection, notification, and lost business), not the regulatory fine specifically. Option D is wrong because industry benchmarks for data breach costs are averages across sectors and do not incorporate the organization-specific turnover figure that GDPR mandates for fine calculation.

798
MCQmedium

An organization is implementing a new access control system to protect sensitive data. Which type of control is most appropriate for preventing unauthorized access?

A.Detective control
B.Preventive control
C.Corrective control
D.Compensating control
AnswerB

Preventive controls are designed to stop unwanted events from occurring.

Why this answer

Preventive controls are designed to deter or prevent undesirable events from occurring. Access control systems are a classic example of preventive controls as they block unauthorized access before it happens.

799
MCQmedium

A company is evaluating controls for a high-risk process. Which control type is designed to stop a risk event from occurring?

A.Preventive
B.Detective
C.Corrective
D.Compensating
AnswerA

Preventive controls, such as access controls and encryption, stop risk events.

Why this answer

A preventive control is designed to stop a risk event from occurring by implementing barriers or safeguards before the event can happen. For a high-risk process, this might include access control lists (ACLs) on a firewall that block unauthorized traffic, or input validation routines in an application that reject malformed data before it can trigger a buffer overflow. By proactively eliminating the threat vector, preventive controls reduce the likelihood of the risk event to zero for the protected path.

Exam trap

Cisco often tests the distinction between preventive and detective controls by presenting a scenario where a control identifies a threat (e.g., an IDS alert) and candidates mistakenly classify it as preventive, when in fact it only detects the event after it has begun.

How to eliminate wrong answers

Option B is wrong because detective controls, such as intrusion detection systems (IDS) or log monitoring, only identify that a risk event has occurred or is in progress; they do not prevent it. Option C is wrong because corrective controls, like restoring from a backup after a ransomware attack or applying a patch to fix a vulnerability, are activated after the risk event has already happened to restore normal operations. Option D is wrong because compensating controls, such as using a web application firewall (WAF) as an alternative when a required preventive control (e.g., secure coding) cannot be implemented, provide an alternative measure but are not designed to stop the risk event from occurring in the first place; they are a fallback, not a primary prevention mechanism.

800
MCQhard

A company's key risk indicator (KRI) for 'failed login attempts' has exceeded its threshold by 20%. The control owner reports that a recent firewall change caused false positives. What should the risk practitioner do FIRST?

A.Validate the KRI data and investigate the root cause
B.Implement additional controls to reduce failed logins
C.Revert the firewall change immediately
D.Increase the KRI threshold to eliminate false positives
AnswerA

Data integrity check is essential before any action.

Why this answer

The correct answer is A. The first step is to verify the KRI data and confirm whether the threshold breach is real or due to a configuration issue. Option C is premature because the threshold breach may be invalid.

Option B is corrective action without confirmation. Option D is too drastic without understanding the root cause.

801
Multi-Selecthard

A third-party vendor is classified as high risk due to its access to sensitive data. Which THREE activities should be part of ongoing monitoring for this vendor?

Select 3 answers
A.Contract compliance reviews to ensure terms are met.
B.Requiring SOC 2 Type II certification before contract signing.
C.Continuous monitoring via shared threat intelligence platforms.
D.Annual reassessment of the vendor's security posture.
E.Initial onboarding security questionnaire review.
AnswersA, C, D

Contract compliance is part of ongoing oversight.

Why this answer

Option A is correct because contract compliance reviews are a fundamental ongoing monitoring activity for high-risk vendors. They ensure the vendor continues to adhere to agreed-upon security controls, data handling procedures, and service-level agreements (SLAs) throughout the relationship, not just at onboarding. This is a continuous verification process, distinct from one-time checks.

Exam trap

The trap here is confusing pre-contract due diligence activities (like SOC 2 certification or initial questionnaires) with ongoing monitoring activities, leading candidates to select options that are valid but belong to a different phase of the vendor risk management lifecycle.

802
MCQhard

A company is implementing a new cloud-based customer relationship management (CRM) system. The risk manager has identified that the vendor's security controls may not meet the company's requirements. Which of the following is the BEST way to address this risk?

A.Deny the existence of the risk
B.Purchase cyber insurance to cover potential losses
C.Avoid using the cloud CRM system
D.Include security requirements in the contract and perform regular vendor audits
AnswerD

This mitigates risk by enforcing controls.

Why this answer

Option D is correct because contractually requiring the vendor to adhere to security standards and performing audits is a common risk mitigation approach. Option B is wrong as transferring via insurance doesn't reduce the actual risk. Option C is wrong as avoidance by not using the system may be too drastic.

Option A is wrong as denial is not a risk response.

803
MCQmedium

A Key Control Indicator (KCI) for a firewall rule review process shows an exception rate of 15% for the past quarter, exceeding the acceptable threshold of 10%. What is the most appropriate immediate action for the control owner?

A.Investigate the root cause of the high exception rate
B.Increase the acceptable threshold to 20%
C.Replace the control with a different one
D.Escalate to the board immediately
AnswerA

Root cause analysis is the first step to address the issue.

Why this answer

A KCI exception rate exceeding the threshold indicates a process failure, not necessarily a control failure. The control owner must first perform root cause analysis to determine whether the exceptions are due to misconfigured rules, policy violations, or environmental changes before taking corrective action. This aligns with the CRISC principle that control owners are responsible for monitoring and improving control effectiveness through investigation.

Exam trap

Cisco often tests the misconception that exceeding a KCI threshold automatically requires escalation or control replacement, when in fact the immediate step is always root cause analysis to determine if the threshold breach is a temporary anomaly or a systemic issue.

How to eliminate wrong answers

Option B is wrong because arbitrarily increasing the threshold to 20% masks the underlying issue and violates the principle of maintaining risk appetite; thresholds should be based on risk tolerance, not adjusted to avoid alarms. Option C is wrong because replacing the control without understanding why exceptions occurred is premature and could introduce new risks; the existing control may be effective if the root cause is addressed. Option D is wrong because escalation to the board is reserved for material risk events or control failures that exceed the risk appetite after investigation; a 15% exception rate does not warrant board-level escalation as an immediate action.

804
Multi-Selecthard

An IT risk manager is developing KRIs for a critical application. Which TWO of the following are leading indicators that the risk level may be increasing? (Select TWO)

Select 2 answers
A.Average patch lag time increasing
B.Failed authentication spike
C.Audit findings of control deficiencies
D.Number of successful intrusions
E.Number of security incidents in the past month
AnswersA, B

Longer patch times increase the window of vulnerability.

Why this answer

Leading indicators predict future risk. A rising number of failed login attempts and an increase in average patch lag are leading indicators that signal potential attacks or increased vulnerability.

805
Multi-Select (medium)

A risk practitioner is designing a risk report for the board of directors. Which TWO content elements are most appropriate for strategic risk reporting? (Select two.)

Select 2 answers
A. Trend analysis of top key risk indicators
B. List of all control deficiencies
C. Names of employees who failed phishing tests
D. Risk heat map showing overall risk exposure
E. Detailed log analysis results
Answers: A, D

Trends help the board understand changing risk levels.

Why this answer

Trend analysis of top key risk indicators (KRIs) is appropriate for strategic risk reporting because it provides the board with a high-level, forward-looking view of how key risks are evolving over time. This enables informed decision-making on risk appetite and strategic direction without overwhelming directors with operational details.

Exam trap

The trap here is that candidates confuse operational reporting details (like control deficiencies or phishing test results) with strategic-level content, failing to recognize that the board requires aggregated, decision-useful summaries rather than granular data.

806
MCQ (medium)

A bank is identifying IT risks and categorizes a potential data breach as both a compliance risk (due to GDPR) and a reputational risk. This is an example of:

A. Multiple risk categories for a single risk
B. Risk aggregation
C. Improper risk classification
D. Risk scenario overlap
Answer: A

A risk can impact multiple categories simultaneously.

Why this answer

A single risk can belong to multiple categories; this is normal in risk categorization.

807
MCQ (hard)

During a risk assessment, the risk manager finds that a critical application has a single point of failure in its network path. The application's availability requirement is 99.99%. The current design achieves only 99.9% uptime. Which risk metric should be calculated first?

A. Annualized Loss Expectancy (ALE) based on potential downtime cost.
B. Risk gap between required and current service level.
C. Exposure factor (EF) representing the percentage of loss.
D. Single loss expectancy (SLE) for a single outage event.
Answer: B

Quantifying the gap helps prioritize remediation efforts and calculate downstream metrics.

Why this answer

The risk manager must first quantify the risk gap between the required 99.99% availability (approximately 52.56 minutes of downtime per year) and the current 99.9% availability (approximately 525.6 minutes per year). This gap of 473.04 minutes per year establishes the magnitude of the risk exposure before any financial calculations (ALE, SLE, EF) can be performed, as those metrics depend on knowing the actual downtime that needs to be costed.

Exam trap

The trap here is that candidates rush to calculate financial metrics (ALE, SLE, EF) without first establishing the foundational risk gap, which is the prerequisite for any meaningful quantitative risk analysis.

How to eliminate wrong answers

Option A is wrong because Annualized Loss Expectancy (ALE) requires the annual rate of occurrence (ARO) and single loss expectancy (SLE), which themselves depend on knowing the risk gap first; calculating ALE without the gap would use incorrect downtime figures. Option C is wrong because Exposure Factor (EF) is a percentage of asset value lost per incident, but the question asks for the first metric to calculate, and EF is derived after the risk gap is understood. Option D is wrong because Single Loss Expectancy (SLE) is calculated as asset value × exposure factor, and without first establishing the risk gap (the actual downtime difference), the SLE would be based on the wrong outage duration.

808
MCQ (hard)

A risk analyst is assessing a critical application's inherent risk. After implementing controls, the residual risk is calculated as high. The analyst determines that the control design is adequate but operating effectiveness is poor. Which factor most likely explains the high residual risk?

A. Control design is inadequate
B. Control operating effectiveness is poor
C. Risk appetite was misstated
D. Inherent risk is too low
Answer: B

Correct; poor operation means controls don't reduce risk as expected.

Why this answer

Residual risk = inherent risk adjusted for control effectiveness. If controls are well-designed but not operating effectively, they fail to reduce risk as intended, leading to high residual risk.

809
MCQ (medium)

During a cloud migration project, the IT risk manager is identifying risks associated with data residency. Which of the following is the MOST effective method to identify applicable regulatory requirements?

A. Interviewing cloud service providers about compliance
B. Implementing a data classification policy that maps to regulatory frameworks
C. Conducting a vulnerability scan of the cloud environment
D. Reviewing past audit findings
Answer: B

This proactively identifies data types and associated legal requirements.

Why this answer

Implementing a data classification policy that maps to regulatory frameworks is the most effective method because it systematically identifies which data types are subject to specific regulations (e.g., GDPR, HIPAA, LGPD) based on content and jurisdiction. This proactive approach ensures that all applicable legal and contractual requirements are considered before engaging with cloud providers, rather than relying on post-hoc interviews or scans.

Exam trap

The trap here is that candidates confuse operational security controls (vulnerability scanning) or reactive measures (vendor interviews, past audits) with the foundational governance step of classifying data to identify regulatory obligations, which is a core IT risk identification activity.

How to eliminate wrong answers

Option A is wrong because interviewing cloud service providers about compliance only captures the provider's self-reported stance, which may not cover all jurisdictional nuances or the organization's specific data types; it is a reactive, vendor-dependent method. Option C is wrong because conducting a vulnerability scan of the cloud environment identifies technical security weaknesses (e.g., open ports, misconfigurations) but does not reveal which regulatory frameworks apply to the data stored or processed. Option D is wrong because reviewing past audit findings only highlights previously identified issues and may miss new or evolving regulatory requirements relevant to the current migration scope.

810
Multi-Select (easy)

Which TWO of the following are examples of key risk indicators (KRIs) in an IT environment? (Choose two.)

Select 2 answers
A. Number of IT projects in progress.
B. Number of critical security vulnerabilities unresolved for more than 30 days.
C. Number of employees in the IT department.
D. System uptime percentage.
E. Annual IT budget variance.
Answers: B, D

Unresolved vulnerabilities indicate security risk.

Why this answer

Option B is correct because unresolved critical security vulnerabilities for more than 30 days directly indicate a high-risk condition that could lead to exploitation, data breaches, or compliance violations. This KRI provides a measurable threshold (30 days) that triggers risk response actions, such as patching or compensating controls, making it a leading indicator of potential security incidents.

Exam trap

The CRISC exam often tests the distinction between KRIs (which measure risk exposure or control effectiveness) and operational metrics (which measure activity, resources, or financial performance), so candidates mistakenly select options like A, C, or E because they confuse general IT metrics with risk-specific indicators.

811
MCQ (easy)

An organization is developing its IT risk universe. Which of the following is the BEST source of information for identifying potential IT risks?

A. Threat intelligence feeds from ISACs
B. Industry benchmarking reports
C. Results from the latest internal audit
D. Historical loss data from the finance department
Answer: A

ISACs provide timely, relevant threat intelligence for the organization's sector.

Why this answer

The IT risk universe should encompass all potential IT risks. Threat intelligence feeds provide current information on emerging threats, helping to identify risks that may not be captured by historical data or internal assessments alone.

812
MCQ (easy)

Which risk assessment approach is most appropriate for a new technology that has limited historical data and high uncertainty?

A. Quantitative risk assessment using ALE calculations.
B. Bow-tie analysis to map causes and consequences.
C. Automated risk scoring based on industry benchmarks.
D. Delphi technique with a panel of experts.
Answer: D

The Delphi technique is a qualitative method that uses expert consensus, suitable for uncertain environments.

Why this answer

The Delphi technique is most appropriate for a new technology with limited historical data and high uncertainty because it leverages the collective judgment of a panel of experts through iterative, anonymous rounds to reach a consensus on risk likelihood and impact. This approach does not rely on historical loss data or predefined benchmarks, making it ideal for novel or emerging technologies where empirical data is scarce.

Exam trap

The trap here is that candidates often choose quantitative methods like ALE (Option A) because they seem more 'objective,' failing to recognize that such methods are data-dependent and inappropriate when historical data is absent or unreliable.

How to eliminate wrong answers

Option A is wrong because quantitative risk assessment using ALE (Annualized Loss Expectancy) calculations requires reliable historical data on frequency and magnitude of losses, which is unavailable for a new technology with high uncertainty. Option B is wrong because bow-tie analysis is a structured method for mapping known causes and consequences of a specific risk event, but it presupposes a clear understanding of threat scenarios and controls, which is lacking when historical data is limited. Option C is wrong because automated risk scoring based on industry benchmarks assumes that the technology's risk profile aligns with established patterns from similar technologies, which is invalid for a novel technology where benchmarks do not exist or are not applicable.

813
MCQ (easy)

An organization's board has issued a risk appetite statement indicating that the company is willing to accept a moderate level of operational risk but has zero tolerance for compliance violations. This statement primarily defines which of the following?

A. Risk tolerance thresholds
B. Risk criteria
C. Risk appetite
D. Risk capacity
Answer: C

This statement defines the organization's risk appetite for operational and compliance risks.

Why this answer

Risk appetite is the amount of risk the organization is willing to accept in pursuit of its objectives. The board's statement sets the overall appetite for different risk categories.

814
MCQ (easy)

An organization is implementing a new control to prevent unauthorized access to its critical database. Which type of control is most appropriate for this requirement?

A. Compensating control
B. Preventive control
C. Corrective control
D. Detective control
Answer: B

Preventive controls, like access controls and authentication mechanisms, stop unauthorized access before it happens.

Why this answer

A preventive control is the most appropriate because it directly stops unauthorized access before it can occur. For a critical database, this could involve implementing database-level access control lists (ACLs), network firewall rules restricting traffic to specific IP ranges, or mandatory multi-factor authentication (MFA) on the database service. These mechanisms enforce the security policy at the point of entry, blocking the threat actor before any interaction with the data.

Exam trap

The trap here is that candidates often confuse 'preventive' with 'detective' controls, mistakenly choosing detective controls (like logging) because they are more visible in audit reports, but the question explicitly asks for a control that 'prevents' access, which requires a proactive blocking mechanism.

How to eliminate wrong answers

Option A is wrong because a compensating control is an alternative measure used when the primary control cannot be implemented due to technical or business constraints, not the first choice for a direct requirement like preventing unauthorized access. Option C is wrong because a corrective control (e.g., restoring a database from a backup after a breach) acts after an incident has occurred, failing to meet the requirement to prevent access in the first place. Option D is wrong because a detective control (e.g., database audit logs or intrusion detection systems) only identifies unauthorized access after it has happened, providing no proactive prevention.

815
MCQ (medium)

An organization is conducting a threat identification exercise using the STRIDE model. Which threat type would be MOST relevant when analyzing a banking application that allows fund transfers between accounts?

A. Tampering
B. Repudiation
C. Spoofing
D. Information Disclosure
Answer: A

Correct. Tampering involves unauthorized changes to data, such as modifying transfer details.

Why this answer

STRIDE includes: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Tampering is the unauthorized modification of data, directly relevant to fund transfers where transaction amounts or destinations could be altered.

816
MCQ (medium)

A risk scenario is being developed for a phishing attack leading to credential theft. Using ISACA's risk scenario template, which component would describe the 'threat event'?

A. A user clicks a malicious link in a phishing email
B. The organization's email security filter fails to block the phishing email
C. The attacker is an organized crime group based overseas
D. The compromised credentials are used to access a financial system
Answer: A

Correct. This is the specific event that initiates the risk.

Why this answer

The threat event is the action that triggers the risk scenario. In this case, 'A user clicks a malicious link in a phishing email' is the event that leads to the compromise.

817
MCQ (hard)

A risk practitioner is developing a risk scenario for a data breach caused by an insider threat. Which of the following is the MOST realistic and complete risk scenario?

A. A disgruntled employee with excessive access privileges exfiltrates customer data to a competitor, resulting in a $2 million loss.
B. A careless employee leaves a laptop unencrypted, leading to data loss, but no financial impact.
C. An external hacker uses stolen credentials to access the network and steal data, causing reputational damage.
D. A script kiddie launches a DDoS attack that disrupts service for 2 hours, causing no data loss.
Answer: A

Why this answer

Option A describes a complete scenario: a threat actor (disgruntled employee) with a motive, a threat event (exfiltration), a vulnerability (excessive access), and a consequence (financial loss). The other options each lack at least one element (e.g., no vulnerability or an incomplete consequence).

818
Multi-Select (easy)

An organization is implementing controls to mitigate the risk of data exfiltration. Which TWO control types would be considered preventive? (Select TWO)

Select 2 answers
A. Incident response plan
B. Backup restoration procedures
C. Log monitoring and analysis
D. Access controls to restrict data access
E. Data encryption at rest and in transit
Answers: D, E

Access controls prevent unauthorized access, thus preventive.

Why this answer

Preventive controls aim to stop a risk event from occurring. Access controls prevent unauthorized access, and encryption prevents data from being read if exfiltrated. Log monitoring is detective, and backup restoration is corrective.

819
Multi-Select (medium)

Which TWO of the following are characteristics of an EFFECTIVE key risk indicator (KRI)?

Select 2 answers
A. Provides an early warning signal of increasing risk exposure.
B. Is actionable, meaning it can trigger predefined responses when thresholds are breached.
C. Is derived from the organization's risk appetite statement.
D. Uses smoothed data to avoid alert fatigue.
E. Measures historical loss events.
Answers: A, B

Predictive nature is key for proactive risk management.

Why this answer

Option A is correct because an effective KRI must provide an early warning signal of increasing risk exposure, enabling proactive risk management before losses materialize. This aligns with the CRISC domain of Risk and Control Monitoring and Reporting, where KRIs are forward-looking metrics that track changes in risk levels, such as a sudden spike in failed login attempts indicating a potential cybersecurity threat.

Exam trap

The trap here is that candidates confuse risk appetite (a high-level statement of willingness to accept risk) with risk tolerance (specific thresholds that KRIs measure), leading them to incorrectly select option C as a characteristic of an effective KRI.

820
MCQ (hard)

A multinational organization uses a third-party vendor for cloud-based identity management. The vendor recently suffered a data breach that exposed user credentials. The risk manager is now re-evaluating the associated risk. Which of the following steps should the risk manager perform FIRST to identify potential new risks?

A. Review the contract to determine if the vendor is liable for the breach.
B. Update the risk register to include the new threat scenario of credential compromise via the vendor.
C. Immediately revoke all vendor access to internal systems.
D. Conduct a penetration test of the organization's own systems.
Answer: B

Updating the risk register is the first step in risk identification after a new event.

Why this answer

Option B is correct because updating the risk register with the new incident information is the first step to ensure all risks are captured. Option A (contract review) is important but secondary. Option D (penetration test) is reactive and is not the immediate first step.

Option C (revoking vendor access) is a control, not risk identification.

821
MCQ (hard)

A security operations center (SOC) analyst notices multiple failed login attempts from an internal IP address followed by a successful login from an unusual geographic location. Which risk identification technique should the risk manager use to assess this as a potential risk?

A. Run a phishing simulation for the user
B. Review the logs manually for other indicators
C. Conduct a vulnerability scan on the workstation
D. Perform user and entity behavior analytics (UEBA) on the user account
Answer: D

UEBA detects deviations from normal behavior, signaling potential compromise.

Why this answer

Option D is correct because applying user and entity behavior analytics (UEBA) can identify anomalous patterns indicative of account compromise, turning an event into a risk. Option C is incorrect because a vulnerability scan does not detect behavioral anomalies. Option A is incorrect because a phishing simulation tests user awareness, not specific events.

Option B is incorrect because log review alone may not contextualize the event as a risk without behavioral analysis.

822
MCQ (easy)

What is the primary risk if the WAF is misconfigured?

A. SQL injection attacks
B. Unauthorized database access
C. Denial of service
D. Network segmentation failure
Answer: A

WAF misconfiguration increases vulnerability to web attacks.

Why this answer

A WAF protects against web application attacks such as SQL injection. If misconfigured, the web application is exposed. Option A is correct.

Network segmentation failure (D) is not directly related. Denial of service (C) is a possibility but not the primary risk. Unauthorized database access (B) could result from SQL injection but is a consequence.

823
MCQ (medium)

During a risk assessment, a control self-assessment (CSA) indicates that a key control is operating effectively. However, an independent audit finds multiple control failures. Which of the following is the MOST likely reason for this discrepancy?

A. The audit tested different samples
B. The control environment changed
C. The CSA participants lacked objectivity
D. The CSA was conducted too recently
Answer: C

Self-assessments can be biased, leading to overestimation of effectiveness.

Why this answer

The most likely reason for the discrepancy is that the CSA participants lacked objectivity. Control self-assessments are performed by process owners or staff who may have a vested interest in reporting favorable results, leading to biased or incomplete evaluations. In contrast, an independent audit applies objective testing procedures, which are more likely to uncover actual control failures that the CSA missed or downplayed.

Exam trap

The trap here is that candidates often choose 'The audit tested different samples' because they focus on sampling variability, but the real issue is the lack of objectivity in the self-assessment process, which is a core CRISC concept in risk and control monitoring.

How to eliminate wrong answers

Option A is wrong because while different sample sizes or selection methods could cause minor variations, the fundamental issue here is systemic bias in the CSA, not sampling differences; an independent audit would typically use statistically valid samples that are representative of the population. Option B is wrong because if the control environment changed after the CSA but before the audit, the audit would note the change as a finding, not report multiple control failures that contradict a recent effective CSA. Option D is wrong because the recency of the CSA would actually reduce the likelihood of environmental changes causing discrepancies; the core problem is the lack of objectivity in the self-assessment, not the timing.

824
Multi-Select (medium)

An organization is using the FAIR framework to perform a quantitative risk analysis for a data breach scenario. Which THREE of the following are components of the Annualized Loss Expectancy (ALE) calculation in FAIR?

Select 3 answers
A. Annualized Rate of Occurrence (ARO)
B. Loss Event Frequency (LEF)
C. Single Loss Expectancy (SLE)
D. Loss Magnitude (LM)
E. Exposure Factor (EF)
Answers: A, C, E

ARO is used in traditional ALE = ARO × SLE.

Why this answer

In the FAIR framework, Annualized Loss Expectancy (ALE) is calculated as ARO × SLE. ARO (Annualized Rate of Occurrence) is a direct component of ALE, representing the expected number of loss events per year. This is a core part of the quantitative risk analysis formula used in FAIR.

Exam trap

The trap here is that candidates confuse the FAIR-specific terms (LEF and LM) with the traditional quantitative risk analysis components (ARO and SLE), leading them to select LEF or LM instead of recognizing that ALE directly uses ARO and SLE.

825
MCQ (easy)

A control test reveals a 100% pass rate for a detective control. What does this indicate?

A. The control is operating effectively
B. The control is too expensive to maintain
C. The control is compensating for other weaknesses
D. The associated risk has been fully mitigated
Answer: A

Pass rate indicates effective detection.

Why this answer

A 100% pass rate for a detective control indicates that every time the control was tested, it successfully detected the condition or event it was designed to identify. This demonstrates the control is operating effectively, meaning it is functioning as intended and providing the expected level of assurance. For example, if the detective control is an intrusion detection system (IDS) that correctly alerts on all test attack patterns, a 100% pass rate confirms its detection logic and signature updates are working correctly.

Exam trap

The trap here is that candidates often confuse a control's effectiveness (pass rate) with risk mitigation, assuming a perfect detection rate means the risk is fully addressed, but detective controls only provide visibility, not prevention or reduction of risk likelihood.

How to eliminate wrong answers

Option B is wrong because a 100% pass rate does not provide any information about the cost of maintaining the control; cost is a separate consideration related to cost-benefit analysis, not operational effectiveness. Option C is wrong because a 100% pass rate on a detective control does not imply it is compensating for other weaknesses; compensating controls are typically preventive or detective controls that address gaps in primary controls, and a high pass rate alone does not indicate such a relationship. Option D is wrong because a 100% pass rate on a detective control does not mean the associated risk has been fully mitigated; detective controls only identify incidents after they occur, they do not prevent or reduce the likelihood of the risk, and full risk mitigation would require preventive controls or risk acceptance.
