Certified in Risk and Information Systems Control (CRISC) — Questions 826–900

982 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826
MCQ · easy

Which of the following is a characteristic of IoT devices that increases cybersecurity risk?

A. Built-in hardware security modules
B. Limited processing power for security features
C. Standardized communication protocols
D. Regular automatic firmware updates
Answer: B

Limited resources hinder implementation of robust security.

Why this answer

IoT devices often have limited processing power and cannot run standard security software, making them vulnerable to attacks.

827
MCQ · easy

Which of the following is the PRIMARY purpose of a risk register in an IT risk management program?

A. To document and track identified risks and their treatment plans
B. To provide a historical record of past incidents
C. To calculate key risk indicators (KRIs)
D. To ensure compliance with regulatory requirements
Answer: A

The risk register is used to document, assess, and monitor risks and responses.

Why this answer

The risk register is the central repository for documenting identified risks, their assessed impact and likelihood, and the corresponding treatment plans (e.g., mitigate, accept, transfer, avoid). Its primary purpose is to provide a structured, living record that enables ongoing tracking, prioritization, and management of risk treatment activities throughout the IT risk management lifecycle.

Exam trap

The trap here is that candidates confuse the risk register's primary purpose with secondary benefits like compliance or metrics, leading them to choose options that describe outputs or uses of the register rather than its core function of documenting and tracking risks and treatments.

How to eliminate wrong answers

Option B is wrong because a risk register is forward-looking and focused on current and future risks, not a historical log of past incidents (that would be an incident log or post-mortem database). Option C is wrong because key risk indicators (KRIs) are metrics derived from risk data to provide early warning signals; the risk register does not calculate them, it stores the underlying risk data that may feed KRI calculations. Option D is wrong because, while compliance may be a benefit of using a risk register, its primary purpose is risk management and treatment tracking, not specifically ensuring regulatory compliance (which is the role of compliance frameworks and audit programs).

828
Multi-Select · hard

Which THREE of the following are common challenges in risk reporting?

Select 3 answers
A. Timeliness of information.
B. Over-reliance on automated tools.
C. Data accuracy issues.
D. Too much detail.
E. Lack of board support.
Answers: A, C, D

Outdated information reduces the value of risk reports.

Why this answer

Timeliness of information is a common challenge because risk data must be current to support decision-making; if reports lag, the organization acts on an outdated risk profile and may respond inappropriately. Data accuracy issues (C) undermine confidence in the report, since incomplete or inconsistent source data leads to wrong conclusions. Too much detail (D) buries the key messages, so decision-makers cannot see which risks need attention. Real-time or near-real-time reporting is often expected, but data aggregation and processing latency introduce delays.

Exam trap

ISACA often tests the distinction between challenges in risk reporting and challenges in risk assessment or risk management governance, so candidates mistakenly select 'over-reliance on automated tools' or 'lack of board support' because they are familiar risk-related issues, but they are not specific to the reporting process itself.

829
MCQ · medium

An organization uses a qualitative risk assessment and assigns a likelihood of '3' and impact of '4' on a 5-point scale. The heat map defines risk scores 12-25 as high. What is the risk rating?

A. Critical
B. Medium
C. Low
D. High
Answer: D

Score 12 is within the high range.

Why this answer

Risk score = 3 × 4 = 12, which falls in the high range (12-25).

830
MCQ · medium

An organization wants to promote a risk-aware culture. Which of the following actions is MOST effective for encouraging employees to report incidents without fear?

A. Reward employees for zero incidents
B. Establish a non-punitive incident reporting policy
C. Implement automated monitoring tools
D. Conduct security awareness training annually
Answer: B

This explicitly encourages reporting without blame.

Why this answer

A blame-free environment encourages reporting by reducing fear of punishment.

831
MCQ · medium

An organization is implementing a continuous monitoring solution for its network. Which of the following is an example of continuous monitoring?

A. Monthly control testing by internal audit
B. Annual penetration testing
C. Quarterly access reviews
D. Daily automated vulnerability scanning
Answer: D

Daily scanning is continuous monitoring.

Why this answer

Automated vulnerability scanning is a continuous monitoring activity that provides ongoing visibility into security posture.

832
MCQ · medium

A company has identified that its legacy financial system has a high inherent risk due to outdated architecture. The system cannot be replaced for three years. What is the best risk treatment strategy?

A. Accept the risk and allocate contingency funds for potential incidents.
B. Transfer the risk by purchasing cyber insurance.
C. Avoid the risk by discontinuing the system immediately.
D. Implement compensating controls such as network segmentation and enhanced monitoring.
Answer: D

Compensating controls reduce residual risk while the system remains in place.

Why this answer

Option D is correct because when a legacy system cannot be replaced for three years, the most effective risk treatment is to reduce the likelihood and impact of exploitation through compensating controls. Network segmentation limits lateral movement from the legacy system, and enhanced monitoring (e.g., SIEM with custom rules for anomalous traffic) provides early detection of compromise. This aligns with the ISACA risk treatment principle of risk reduction when avoidance or transfer is not feasible.

Exam trap

The trap here is that candidates often choose risk acceptance (Option A) or transfer (Option B) without recognizing that high inherent risk demands active reduction measures, especially when the system cannot be decommissioned.

How to eliminate wrong answers

Option A is wrong because accepting the risk without active reduction measures ignores the high inherent risk from outdated architecture, and contingency funds alone do not prevent data breaches or system downtime. Option B is wrong because cyber insurance transfers financial impact but does not reduce the operational or reputational risk; insurers may also deny claims if compensating controls are absent. Option C is wrong because discontinuing the system immediately would halt critical business operations, and the question explicitly states the system cannot be replaced for three years, making avoidance impractical.

833
MCQ · easy

During IT risk identification, which document serves as the central repository for all identified risks, their characteristics, and current status?

A. Threat model
B. Vulnerability database
C. Business impact analysis
D. Risk register
Answer: D

The risk register is the central repository for all identified risks.

Why this answer

The risk register is the formal document that captures all identified risks, their attributes, and ongoing management status.

834
MCQ · easy

You are the IT risk manager for a financial institution that processes high-value transactions. The organization uses a cloud-based core banking system and on-premises servers for backup. During a recent risk assessment, you identified that the cloud provider's service-level agreement (SLA) guarantees 99.9% uptime, but the organization's business impact analysis (BIA) indicates that every hour of downtime costs $500,000. The current recovery time objective (RTO) for the core banking system is 4 hours, but the actual recovery capability is 6 hours due to manual steps in failover. The risk owner has accepted this risk informally. You are asked to recommend a course of action to the risk committee. Which of the following is the most appropriate recommendation?

A. Accept the risk because the cloud provider's SLA covers 99.9% uptime.
B. Continue with informal acceptance since the risk owner has already accepted it.
C. Reduce the RTO to 2 hours to align with industry best practices.
D. Document the risk gap (actual recovery of 6 hours vs. RTO of 4 hours) and present it to the risk committee for formal risk acceptance or remediation.
Answer: D

Formal documentation and escalation ensure the risk is properly managed and decisions are recorded.

Why this answer

The correct answer is D because the organization has a measurable gap between its recovery capability and its objective: actual recovery (6 hours) exceeds the RTO (4 hours), so each outage would run about $1M (2 hours × $500K) beyond the loss the business has declared tolerable. The risk owner's informal acceptance is insufficient for a financial institution processing high-value transactions; formal documentation and risk committee approval are required for governance and regulatory compliance. Presenting the gap enables an informed decision on whether to accept the risk formally or invest in remediation (e.g., automating failover to meet the 4-hour RTO).

Exam trap

The trap here is that candidates confuse the cloud provider's SLA with the organization's RTO/RTA gap, or assume informal risk acceptance is sufficient, when CRISC emphasizes formal documentation and committee-level decision-making for risks exceeding thresholds.

How to eliminate wrong answers

Option A is wrong because the cloud provider's 99.9% SLA (8.76 hours annual downtime) does not address the specific gap between the 4-hour RTO and 6-hour actual recovery; it only covers cloud uptime, not the manual failover delays causing the breach. Option B is wrong because informal acceptance lacks the formal documentation and risk committee oversight required by CRISC best practices and regulatory standards (e.g., FFIEC guidelines for financial institutions), leaving the organization exposed to unmanaged risk. Option C is wrong because reducing the RTO to 2 hours without addressing the underlying manual failover process would widen the gap (actual 6 hours vs. new RTO of 2 hours), increasing potential losses to $2M per incident, and is not a feasible remediation without significant investment.

835
MCQ · medium

A manufacturing company is integrating its operational technology (OT) network with the corporate IT network to enable real-time data analytics. Which of the following risks should be prioritized during the risk assessment?

A. Attack path expansion from IT to OT networks
B. Incompatibility of IT and OT software versions
C. Increased latency in OT communications
D. Loss of data integrity in analytics dashboards
Answer: A

Attack path expansion is the most critical risk, as it enables cyber attacks to reach OT systems with potential safety implications.

Why this answer

Integrating OT and IT networks creates a new attack path from the IT network to the OT network. Since OT systems often lack modern security controls and run legacy protocols (e.g., Modbus, DNP3), an attacker who compromises the IT network can pivot into the OT environment, potentially disrupting physical processes. This risk is prioritized because it introduces a direct, high-impact threat to safety and availability that did not exist before the integration.

Exam trap

The trap here is that candidates often focus on operational risks like latency or compatibility (options B and C) because they seem more immediate to the integration, but CRISC prioritizes security risks that introduce new attack vectors with potential for physical damage.

How to eliminate wrong answers

Option B is wrong because software version incompatibility is a compatibility or integration issue, not a security risk that would be prioritized in a risk assessment focused on security; it is typically addressed during project planning or testing. Option C is wrong because increased latency in OT communications is a performance or operational risk, not a security risk; while important, it does not represent the primary threat introduced by network integration. Option D is wrong because loss of data integrity in analytics dashboards is a consequence of a security incident (e.g., tampering) but not the root risk; the prioritized risk is the attack path that enables such tampering.

836
MCQ · easy

During a risk assessment, the risk practitioner is identifying threats to an application. Which threat modeling technique is specifically designed to analyze application threats using categories such as Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege?

A. STRIDE
B. VAST
C. Trike
D. PASTA
Answer: A

Why this answer

STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is a threat modeling technique developed by Microsoft for identifying application security threats.

837
MCQ · easy

A risk assessment using a 5x5 heat map with likelihood and impact scores is an example of which type of risk analysis?

A. Semi-quantitative risk analysis
B. Factor Analysis of Information Risk (FAIR)
C. Qualitative risk analysis
D. Quantitative risk analysis
Answer: C

Heat maps are a common qualitative tool.

Why this answer

A 5x5 heat map uses ordinal scales (e.g., 1–5) for likelihood and impact, which are subjective categories rather than precise numerical values. This places it in qualitative risk analysis, where risks are ranked by descriptive labels (e.g., Low, Medium, High) without monetary or statistical quantification.

Exam trap

The trap here is that candidates confuse the use of numbers (1–5) with quantitative analysis, but the 5x5 heat map remains qualitative because the numbers are labels, not measured values with arithmetic meaning.

How to eliminate wrong answers

Option A is wrong because semi-quantitative risk analysis assigns numerical weights or scores to qualitative categories (e.g., 1–5) and performs arithmetic (e.g., multiplying likelihood × impact) to produce a relative ranking, but the 5x5 heat map itself is a qualitative tool that does not require arithmetic—it is a mapping of ordinal inputs to a color-coded grid. Option B is wrong because FAIR (Factor Analysis of Information Risk) is a quantitative framework that decomposes risk into measurable factors (e.g., loss event frequency, loss magnitude) using Monte Carlo simulations and dollar values, not a simple 5x5 heat map. Option D is wrong because quantitative risk analysis uses hard data (e.g., annualized loss expectancy, probability percentages) to compute risk in monetary terms, whereas the 5x5 heat map relies on subjective expert judgment and ordinal scales.

838
MCQ · easy

A smart manufacturing company has deployed hundreds of IoT sensors and actuators across its production line. These devices are connected directly to the corporate network without any segmentation and communicate using unencrypted protocols. A third-party vendor manages all IoT devices and has administrative access from their own network. Recently, the IT team detected unusual outbound traffic from the IoT segment to unknown IP addresses on the internet. The risk manager is leading a risk identification workshop. Based on this scenario, what is the most critical risk to the organization that should be identified and documented?

A. Unauthorized remote access to the corporate network via the IoT devices
B. Compliance violation with industry regulations
C. Loss of data integrity due to tampering with sensor measurements
D. Physical damage to equipment due to unsafe actuator commands
Answer: A

Unsegmented IoT devices with third-party admin access and detected suspicious traffic represent a clear path for attackers to infiltrate the corporate network.

Why this answer

The most critical risk is unauthorized remote access to the corporate network via the IoT devices. The IoT devices are directly connected to the corporate network without segmentation and communicate using unencrypted protocols, while a third-party vendor has administrative access from their own network. The unusual outbound traffic to unknown IP addresses strongly suggests that an attacker has compromised the vendor's network or the devices themselves, using the unencrypted protocols (e.g., MQTT without TLS, Modbus/TCP) to pivot into the corporate network, bypassing perimeter defenses.

Exam trap

ISACA often tests the concept that the most critical risk is the one that is actively occurring and has the highest potential for immediate impact, not the one that is merely possible or a downstream consequence; candidates often pick a compliance or data integrity answer because they focus on data protection rather than network access control.

How to eliminate wrong answers

Option B is wrong because while compliance violations (e.g., GDPR, NIST CSF) are possible, the immediate and most critical risk is the active, confirmed unauthorized access via the observed outbound traffic, not a hypothetical regulatory issue. Option C is wrong because loss of data integrity from tampered sensor measurements is a secondary risk; the primary threat is the attacker already having network access, which enables data manipulation but is not the most critical risk identified from the traffic anomaly. Option D is wrong because physical damage from unsafe actuator commands is a potential consequence, but the direct evidence of unusual outbound traffic indicates an active network breach, making unauthorized access the most critical risk to document first.
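To make the triage concrete, the following is an added example (not part of the original question or of ISACA material) of how the IT team's observation of "unusual outbound traffic" can be checked systematically: flows from the IoT segment are tested against an allowlist of expected destinations, anything else bound for a non-RFC 1918 address is aggregated and ranked by volume, and use of cleartext protocols is flagged separately. The IoT subnet, the allowlist and the flow records are constructed for illustration; real input would come from NetFlow/IPFIX or firewall logs.

```python
"""Egress triage for an unsegmented IoT population (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Assumptions for this example: the IoT devices live in 10.50.0.0/16, and the
# only destinations they are expected to talk to are the corporate MQTT broker
# and the vendor's management gateway.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
EXPECTED_EGRESS = {
    ipaddress.ip_address("10.20.1.10"): "corporate MQTT broker",
    ipaddress.ip_address("192.0.2.44"): "vendor management gateway",
}
# RFC 1918 space, checked explicitly: ipaddress.is_private would also treat the
# RFC 5737 documentation ranges used in this sample as 'private'.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT_PORTS = {23: "Telnet", 80: "HTTP", 502: "Modbus/TCP", 1883: "MQTT without TLS"}

# Constructed flow records: (src, dst, dst_port, bytes_out).
SAMPLE_FLOWS = [
    ("10.50.3.21", "10.20.1.10", 1883, 4_200),         # expected broker, but cleartext
    ("10.50.3.21", "192.0.2.44", 8883, 9_100),         # expected vendor gateway, TLS
    ("10.50.7.102", "198.51.100.23", 443, 1_350_000),  # unknown internet host
    ("10.50.7.102", "198.51.100.23", 443, 2_100_000),
    ("10.50.9.5", "203.0.113.77", 4444, 52_000),       # unknown host, odd port
    ("10.10.4.8", "198.51.100.23", 443, 3_000),        # not in the IoT segment: ignored
]


def is_internal(addr: str) -> bool:
    """True when the address falls inside RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def triage_flows(flows):
    """Return cleartext-protocol findings and unknown egress ranked by bytes sent."""
    cleartext = []
    unknown = defaultdict(lambda: {"bytes": 0, "flows": 0, "ports": set()})
    for src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in IOT_SEGMENT:
            continue
        if port in CLEARTEXT_PORTS:
            cleartext.append({"src": src, "dst": dst, "port": port,
                              "detail": CLEARTEXT_PORTS[port]})
        if d in EXPECTED_EGRESS or is_internal(dst):
            continue  # known-good destination, or at least not leaving the enterprise
        agg = unknown[(src, dst)]
        agg["bytes"] += nbytes
        agg["flows"] += 1
        agg["ports"].add(port)
    ranked = [{"src": k[0], "dst": k[1], **v} for k, v in unknown.items()]
    ranked.sort(key=lambda f: f["bytes"], reverse=True)
    return {"cleartext": cleartext, "unknown_egress": ranked}


if __name__ == "__main__":
    report = triage_flows(SAMPLE_FLOWS)
    for f in report["cleartext"]:
        print(f"CLEARTEXT  {f['src']} -> {f['dst']}:{f['port']} ({f['detail']})")
    for f in report["unknown_egress"]:
        print(f"UNKNOWN    {f['src']} -> {f['dst']} ports={sorted(f['ports'])} "
              f"flows={f['flows']} bytes={f['bytes']:,}")
```

The ranking is what turns "unusual traffic" into the risk statement in option A: the largest unknown talker and the device reaching an odd port are the ones to pull from the network first, and the cleartext finding documents the protocol weakness that makes interception and tampering possible even on the expected paths.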

839
MCQ · medium

An organization implements an intrusion detection system (IDS) to monitor for security incidents. This is an example of which type of control?

A. Detective
B. Corrective
C. Compensating
D. Preventive
Answer: A

IDS detects incidents after they occur.

Why this answer

An intrusion detection system (IDS) is a detective control because it monitors network traffic or system activity for signs of malicious behavior or policy violations and generates alerts when such patterns are detected. Unlike preventive controls, an IDS does not block or stop the attack in real time; it only identifies and reports the incident for subsequent investigation and response.

Exam trap

The trap here is that candidates often confuse an IDS with an IPS (Intrusion Prevention System), which is a preventive control because it can actively block traffic, whereas the question specifically asks about an IDS, which is purely detective.

How to eliminate wrong answers

Option B (Corrective) is wrong because corrective controls are actions taken to remediate or reverse the effects of an incident after it has been detected, such as patching a vulnerability or restoring from backup, whereas an IDS only alerts and does not perform remediation. Option C (Compensating) is wrong because compensating controls are alternative measures implemented when a primary control cannot be applied, such as using additional logging when encryption is not feasible, but an IDS is a standard control, not a substitute for another control. Option D (Preventive) is wrong because preventive controls are designed to stop an incident before it occurs, like a firewall blocking unauthorized traffic, while an IDS passively monitors and does not block or prevent attacks.

840
MCQ · hard

A company is conducting a Risk Identification for a new payment processing system. The team discovers that the system does not have encryption at rest. This is an example of:

A. Control
B. Threat
C. Vulnerability
D. Risk
Answer: C

Lack of encryption at rest is a weakness or gap in controls.

Why this answer

The absence of encryption at rest in a payment processing system is a weakness or flaw that can be exploited, making it a vulnerability. In risk identification, a vulnerability is a condition or weakness in an asset (e.g., database, storage volume) that, if exploited by a threat, could lead to a risk event. Here, the missing encryption at rest (e.g., AES-256 for stored cardholder data) is a specific security gap, not the threat itself or the resulting risk.

Exam trap

The trap here is confusing a vulnerability (the missing encryption) with the risk (the potential for data exposure) or the threat (the attacker who might exploit it), leading candidates to pick 'Risk' or 'Threat' instead of the correct 'Vulnerability'.

How to eliminate wrong answers

Option A is wrong because a control is a safeguard or countermeasure (e.g., enabling encryption at rest via AWS KMS or BitLocker), not the absence of one. Option B is wrong because a threat is a potential cause of an unwanted incident (e.g., an attacker gaining physical access to the storage server), not the missing encryption itself. Option D is wrong because risk is the potential impact of a threat exploiting a vulnerability (e.g., financial loss from data breach), not the vulnerability itself.

841
MCQ · easy

Which risk treatment option involves formally acknowledging the risk and taking no further action, provided the risk is within the organization's risk appetite?

A. Avoid
B. Transfer
C. Mitigate
D. Accept
Answer: D

Acceptance means the risk is within appetite and formally accepted.

Why this answer

Acceptance is a formal decision to tolerate a risk within appetite, with documented sign-off.

842
MCQ · hard

An organization using the FAIR framework estimates that a threat event frequency (TEF) is 10 per year, vulnerability is 0.2, and loss magnitude per event is $500,000. What is the annualized loss expectancy (ALE)?

A. $500,000
B. $1,000,000
C. $100,000
D. $2,500,000
Answer: B

ALE = TEF × Vulnerability × Loss Magnitude = 10 × 0.2 × $500,000 = $1,000,000.

Why this answer

The FAIR framework calculates ALE as TEF × Vulnerability × Loss Magnitude. Here, 10 × 0.2 × $500,000 = $1,000,000. This correctly incorporates the vulnerability factor (0.2) as a probability of threat success, yielding the expected annual loss.

Exam trap

The trap here is that candidates drop one of the factors: forgetting vulnerability (assuming TEF already accounts for success) gives $5,000,000, which is not listed, while ignoring frequency altogether leaves the single-event loss of $500,000 (option A). Only the full FAIR chain, TEF × Vulnerability = LEF, then LEF × Loss Magnitude, gives the annualized figure.

How to eliminate wrong answers

Option A ($500,000) is wrong because it is the loss magnitude of a single event; it would equal the ALE only if exactly one loss event per year were expected (LEF = 1), and it ignores both TEF and vulnerability. Option C ($100,000 = 0.2 × $500,000) is wrong because it drops TEF, which yields the expected loss per threat event rather than per year. Option D ($2,500,000) is wrong because no correct application of the formula produces it; it corresponds to 10 × 0.5 × $500,000, i.e., a misread vulnerability of 0.5 instead of 0.2.
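Carried out in code, as an added example (not ISACA's or the FAIR Institute's material): the point estimate reproduces the exam's figures and the distractor values, and the Monte Carlo part shows how FAIR is used in practice, with each factor given as a minimum / most likely / maximum range rather than a single number, so the output is a loss distribution with percentiles instead of one ALE. The ranges are constructed for illustration, and a triangular distribution stands in for the PERT distribution most FAIR tooling uses.

```python
"""FAIR-style annualized loss: point estimate and Monte Carlo (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class FairInputs:
    tef: float             # threat event frequency, events per year
    vulnerability: float   # probability a threat event becomes a loss event
    loss_magnitude: float  # loss per loss event, in dollars


def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """LEF = TEF x Vulnerability: expected loss events per year."""
    return tef * vulnerability


def annualized_loss(inp: FairInputs) -> float:
    """ALE (what FAIR calls 'risk') = LEF x loss magnitude."""
    return loss_event_frequency(inp.tef, inp.vulnerability) * inp.loss_magnitude


def distractor_values(inp: FairInputs) -> dict:
    """The figures a candidate gets by dropping one factor, next to the correct one."""
    return {
        "omit_vulnerability": inp.tef * inp.loss_magnitude,   # TEF x LM
        "omit_tef": inp.vulnerability * inp.loss_magnitude,   # loss per threat event
        "correct": annualized_loss(inp),
    }


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one factor (constructed values in the demo below)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


def simulate_annual_loss(tef: Estimate, vuln: Estimate, lm: Estimate,
                         iterations: int = 20_000, seed: int = 1) -> list:
    """Draw TEF, V and LM independently each iteration; return sorted annual losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        lef = loss_event_frequency(tef.sample(rng), vuln.sample(rng))
        losses.append(lef * lm.sample(rng))
    losses.sort()
    return losses


def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile (p in 0..100) over an already sorted list."""
    rank = int(round(p / 100 * len(sorted_values))) - 1
    return sorted_values[min(len(sorted_values) - 1, max(0, rank))]


def summarize(losses: list) -> dict:
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
    }


if __name__ == "__main__":
    exam = FairInputs(tef=10, vulnerability=0.2, loss_magnitude=500_000)
    print("point-estimate ALE:", annualized_loss(exam))
    print("distractors:", distractor_values(exam))
    sim = simulate_annual_loss(Estimate(5, 10, 15), Estimate(0.1, 0.2, 0.3),
                               Estimate(250_000, 500_000, 750_000))
    print("simulated:", {k: round(v) for k, v in summarize(sim).items()})
```

With symmetric ranges centred on the exam's values the simulated mean lands close to the $1,000,000 point estimate, but the 90th and 95th percentiles are what a risk committee actually needs when deciding whether the exposure sits inside appetite.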

843
MCQ · medium

A hospital is deploying IoT medical devices that connect to the network. Which risk is MOST concerning from a cybersecurity perspective?

A. Expanded attack surface due to many devices
B. Data sovereignty compliance
C. Firmware update challenges
D. Vendor lock-in
Answer: A

Each device adds an entry point, increasing the risk of compromise.

Why this answer

IoT devices expand the attack surface, and many medical devices have weak security, making them easy targets for attackers to gain network access.

844
MCQ · hard

Based on the exhibit, what is the MOST likely risk scenario?

A. Phishing attack that captured user credentials
B. Brute force attack resulting in account compromise
C. Insider threat from a legitimate user
D. Denial of service attack on the authentication server
Answer: B

Multiple failed attempts from one source followed by a success indicate account compromise.

Why this answer

The exhibit shows a high number of failed authentication attempts from a single IP address over a short time window, followed by a successful login. This pattern is characteristic of a brute force attack, where an attacker systematically tries many password combinations until one succeeds, leading to account compromise.

Exam trap

ISACA often tests the distinction between authentication failures from a brute force attack versus a denial of service attack, where candidates mistakenly choose DoS because they see many failed attempts, but the key is that the server remains functional and a successful login occurs.

How to eliminate wrong answers

Option A is wrong because a phishing attack would typically capture credentials via a deceptive email or website, not through a high volume of failed logins from a single source. Option C is wrong because an insider threat from a legitimate user would not generate numerous failed authentication attempts; a legitimate user would likely succeed on the first try or have a few failures due to forgotten passwords, not a sustained brute force pattern. Option D is wrong because a denial of service attack on the authentication server would cause a flood of traffic or requests, overwhelming the server and preventing legitimate logins, but the exhibit shows a successful login after failures, indicating the server remained responsive and the attack targeted a specific account, not the server's availability.
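The pattern the explanation describes (many failures from one source inside a short window, then a success) is straightforward to detect automatically. The following is an added example, not the question's exhibit, which is not reproduced on this page: it parses constructed OpenSSH-style syslog lines, keeps a sliding window of failures per source address, and separates an attempt (threshold reached, no success) from a likely account compromise (threshold reached, then an Accepted login from the same source). The threshold and window are assumptions to tune per environment; the distinction from the DoS distractor is visible in the data, since an overwhelmed server would log no Accepted line at all.

```python
"""Detect brute-force logins followed by success (added example, constructed log)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH syslog style; the hostname and PIDs are constructed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2024  # syslog timestamps carry no year

SAMPLE_LOG = """\
Mar 10 14:22:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 14:22:02 bastion sshd[4102]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 10 14:22:02 bastion sshd[4103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 14:22:03 bastion sshd[4104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 10 14:22:04 bastion sshd[4105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 10 14:22:05 bastion sshd[4106]: Failed password for root from 203.0.113.5 port 51239 ssh2
Mar 10 14:22:07 bastion sshd[4107]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Mar 10 14:25:11 bastion sshd[4120]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 14:25:30 bastion sshd[4121]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""


def parse_log(text: str) -> list:
    """Turn matching lines into dicts with a datetime; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: list, threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> list:
    """One finding per source IP; a later success upgrades an attempt to a compromise."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    findings = {}
    for ev in events:
        fails = recent[ev["ip"]]
        cutoff = ev["ts"] - window
        fails[:] = [t for t in fails if t >= cutoff]
        if ev["result"] == "Failed":
            fails.append(ev["ts"])
            if len(fails) >= threshold and ev["ip"] not in findings:
                findings[ev["ip"]] = {"ip": ev["ip"], "kind": "brute_force_attempt",
                                      "failures": len(fails), "user": None, "at": ev["ts"]}
        else:
            if len(fails) >= threshold:
                findings[ev["ip"]] = {"ip": ev["ip"], "kind": "likely_account_compromise",
                                      "failures": len(fails), "user": ev["user"], "at": ev["ts"]}
            fails.clear()  # a user who finally typed it right resets the count
    return list(findings.values())


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:28} ip={f['ip']} failures={f['failures']} "
              f"user={f['user']} at={f['at']:%H:%M:%S}")
```

Running it on the sample reports a single likely compromise of root from 203.0.113.5 after six failures; alice's one mistake followed by a login is ordinary user behaviour and produces nothing, which is the same judgement the question expects for option C.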

845
MCQ · hard

A risk committee receives a monthly risk report that includes a heat map of inherent risk ratings and a separate list of control deficiencies. The committee members often complain that they cannot easily see which control deficiencies are most critical to address. Which of the following is the BEST improvement to the reporting?

A. Include a comprehensive list of all key risk indicators (KRIs)
B. Provide a separate section on recent audit findings
C. Overlay control deficiency impact ratings onto the residual risk heat map
D. Add a timeline of when each control deficiency was first identified
Answer: C

This visualization directly links control weaknesses to resulting risk levels, aiding prioritization.

Why this answer

Option C is correct because overlaying control deficiency impact ratings onto the residual risk heat map directly addresses the committee's need to see which control deficiencies are most critical. This integrates control deficiency severity with residual risk levels, allowing the committee to prioritize remediation based on the actual risk exposure, not just inherent risk or a separate list.

Exam trap

The trap here is that candidates may choose a timeline or audit findings list (options B or D) thinking that age or audit source indicates criticality, but the question specifically asks for the BEST improvement to show which deficiencies are most critical to address, which requires a direct mapping to residual risk impact, not just additional data points.

How to eliminate wrong answers

Option A is wrong because including a comprehensive list of all key risk indicators (KRIs) does not link control deficiencies to risk impact; KRIs are leading indicators of risk, not a mapping of deficiency severity to residual risk. Option B is wrong because providing a separate section on recent audit findings is redundant with the existing control deficiency list and does not integrate deficiency impact with the risk heat map, failing to show criticality in context. Option D is wrong because adding a timeline of when each control deficiency was first identified shows age but not impact; a deficiency could be old but low impact, or new but critical, so timeline alone does not indicate which are most critical to address.

846
MCQ · medium

In the FAIR framework, Loss Event Frequency (LEF) is calculated as:

A. Threat Event Frequency + Vulnerability
B. Annualized Rate of Occurrence × Single Loss Expectancy
C. Loss Magnitude × Vulnerability
D. Threat Event Frequency × Vulnerability
Answer: D

LEF is how often threat events are expected to turn into loss events.

Why this answer

FAIR defines LEF = Threat Event Frequency × Vulnerability (probability that a threat event results in a loss event).

847
MCQ · easy

Which of the following best describes an advantage of qualitative risk analysis over quantitative risk analysis?

A. It is objective and comparable across organizations
B. It is quick and easy to communicate
C. It requires less data than quantitative analysis
D. It provides financially meaningful results
Answer: B

Qualitative analysis is faster and easier to communicate to non-technical stakeholders.

Why this answer

Qualitative analysis is quick and easy to communicate, while quantitative is more objective but data-intensive.

848
MCQ · medium

In the FAIR framework, what does Loss Event Frequency (LEF) represent?

A. The number of threat events per year
B. The expected number of loss events per year
C. The probability that a threat event will result in a loss
D. The total financial loss per event
Answer: B

LEF = TEF × V, giving the frequency of losses.

Why this answer

LEF is the product of Threat Event Frequency (TEF) and Vulnerability (V), representing how often a loss event is expected to occur.

849
MCQ · medium

During a risk assessment, a risk is assigned a likelihood of 'High' and an impact of 'Medium' on a 5×5 heat map. What is the risk rating?

A. Critical
B. Low
C. Medium
D. High
Answer: D

A combination of High likelihood and Medium impact yields a High risk rating in most 5×5 matrices.

Why this answer

On a 5×5 matrix, High likelihood × Medium impact typically results in a High risk rating (e.g., 4×3 = 12, which is often in the high range).

850
MCQ · medium

An organization uses the CISA Known Exploited Vulnerabilities (KEV) catalog as a primary source for vulnerability identification. This catalog is BEST described as:

A. An application vulnerability scanning tool
B. A commercial threat intelligence feed
C. A configuration vulnerability assessment benchmark
D. A list of known exploited vulnerabilities maintained by the US government
Answer: D

CISA KEV is a government-maintained catalog of exploited vulnerabilities.

Why this answer

CISA KEV lists vulnerabilities that have been actively exploited in the wild, providing prioritized vulnerability intelligence.

851
MCQ · easy

When reporting risk and control monitoring results to the board of directors, which of the following formats is MOST effective?

A. Narrative reports describing findings in paragraphs.
B. Visual dashboards with key metrics and trend indicators.
C. Oral summary without supporting documentation.
D. Detailed spreadsheets with raw data for each control.
Answer: B

Effective for quick understanding.

Why this answer

The board of directors requires a high-level, synthesized view of risk and control effectiveness to make strategic decisions. Visual dashboards with key metrics and trend indicators are most effective because they enable rapid comprehension of the risk posture, control performance, and emerging issues without overwhelming directors with granular data. This format aligns with the principle of reporting to governance bodies, which focuses on actionable insights rather than operational details.

Exam trap

The trap here is that candidates may choose narrative reports (A) thinking they provide 'complete context,' but CRISC emphasizes that board reporting must be concise and visual to support rapid strategic decisions, not exhaustive detail.

How to eliminate wrong answers

Option A is wrong because narrative reports in paragraphs are time-consuming for board members to parse and can obscure critical trends or outliers, making them less effective for quick decision-making at the governance level. Option C is wrong because an oral summary without supporting documentation lacks verifiable evidence and audit trail, which is unacceptable for formal board reporting where accountability and traceability are required. Option D is wrong because detailed spreadsheets with raw data for each control present information overload, burying key risk indicators and trends in granularity that is inappropriate for a board whose focus is strategic oversight, not operational control details.

852
MCQeasy

Based on the exhibit, what is the primary risk response strategy demonstrated by this firewall rule?

A.Risk Transfer
B.Risk Acceptance
C.Risk Mitigation
D.Risk Avoidance
AnswerC

The firewall blocks specific IP ranges, reducing the probability of attacks.

Why this answer

The firewall rule denies inbound traffic on TCP port 443 (HTTPS) from any source to any destination. This directly reduces the attack surface by blocking a specific protocol, which is a classic risk mitigation action. By implementing a technical control to reduce the likelihood or impact of a threat, the organization is applying risk mitigation, not transferring, accepting, or avoiding the risk entirely.

Exam trap

The trap here is confusing risk mitigation (reducing risk with controls) with risk avoidance (eliminating the risk by ceasing the activity), as candidates often think blocking a port is 'avoiding' the risk when it is actually reducing it while the underlying service remains operational.

How to eliminate wrong answers

Option A is wrong because risk transfer involves shifting the financial impact of a risk to a third party (e.g., insurance or outsourcing), not implementing a firewall rule. Option B is wrong because risk acceptance means formally acknowledging the risk without taking action to reduce it, whereas this rule actively reduces exposure. Option D is wrong because risk avoidance would mean eliminating the activity or asset that creates the risk (e.g., decommissioning the web server entirely), not just blocking a specific port.

853
MCQmedium

An organization is implementing a new access control system. Which of the following is the most important activity to ensure the control is effectively integrated into operations?

A.Updating relevant documentation
B.Assigning control ownership
C.Performing a cost-benefit analysis
D.Conducting a post-implementation review
AnswerA

Documentation ensures consistent understanding and application of the control.

Why this answer

Updating relevant documentation ensures that the new access control system's configuration, operational procedures, and troubleshooting steps are formally recorded and accessible to the operations team. Without accurate documentation, the control cannot be consistently maintained, monitored, or recovered during incidents, making it ineffective in day-to-day operations. This activity directly integrates the control into the operational lifecycle by providing a single source of truth for administrators.

Exam trap

The trap here is that candidates often mistake assigning control ownership as the most critical integration step, but ownership without documented operational procedures leaves the control vulnerable to human error and inconsistent management.

How to eliminate wrong answers

Option B is wrong because assigning control ownership identifies accountability but does not provide the procedural details needed for daily operation; ownership alone cannot ensure the control is operated correctly. Option C is wrong because a cost-benefit analysis is a pre-implementation decision tool, not an operational integration activity; it does not affect how the control is run after deployment. Option D is wrong because a post-implementation review validates the control's effectiveness and identifies improvements, but it is a one-time assessment rather than an ongoing operational integration step; documentation is the foundational activity that enables consistent operation.

854
MCQeasy

Refer to the exhibit. What does the exhibit most likely indicate about the control monitoring?

A.The control is effective but the monitoring configuration is incorrect.
B.The control is failing and needs immediate remediation.
C.The control is close to target but requires attention.
D.The control is meeting its target.
AnswerA

The target threshold should align with policy; the configuration error might cause a false sense of effectiveness.

Why this answer

The exhibit shows a control monitoring dashboard where the 'Effectiveness' metric is green (indicating the control is working), but the 'Monitoring Configuration' is red (indicating a misconfiguration in how the control is being monitored). This mismatch means the control itself is effective, but the monitoring setup—such as incorrect alert thresholds, missing log sources, or misconfigured SIEM rules—is not properly capturing or reporting its status. Therefore, the control is effective, but the monitoring configuration is incorrect.

Exam trap

The trap here is that candidates see a red indicator and assume the control is failing, but the question tests the ability to distinguish between control effectiveness and monitoring configuration—a subtle but critical distinction in risk and control monitoring.

How to eliminate wrong answers

Option B is wrong because the control is not failing; the effectiveness metric is green, showing it is operating as intended, so immediate remediation of the control itself is not needed. Option C is wrong because the control is not 'close to target'; it is fully effective, and the issue is solely with the monitoring configuration, not with the control's performance nearing a threshold. Option D is wrong because while the control is meeting its target, the monitoring configuration is incorrect, meaning the overall monitoring process is not functioning properly, so the exhibit does not indicate that monitoring is meeting its target.

855
MCQeasy

A small manufacturing company is conducting its first IT risk assessment. The company has a flat network with no segmentation, and all employees have administrative access to their workstations. The risk practitioner identifies that a malware infection on one workstation could easily spread to the entire network. The company has a limited budget for IT security improvements. Which of the following risk treatment options is MOST cost-effective and practical?

A.Accept the risk because the company's data is not highly sensitive.
B.Deploy endpoint protection software on all workstations and restrict administrative rights for users.
C.Implement network segmentation and a next-generation firewall.
D.Purchase cyber insurance to cover potential losses.
AnswerB

Low cost, high impact on limiting malware spread.

Why this answer

Option B is the most cost-effective and practical because deploying endpoint protection software provides immediate defense against known malware, while restricting administrative rights prevents users from installing unauthorized software or making system changes that could introduce malware. This combination directly addresses the root cause of the risk—unrestricted user privileges and lack of basic malware defenses—without requiring expensive network redesign or ongoing insurance premiums.

Exam trap

The trap here is that candidates may choose network segmentation (Option C) as the ideal technical solution, but the question emphasizes cost-effectiveness and practicality for a small company with a limited budget, making the simpler, cheaper controls in Option B the better choice.

How to eliminate wrong answers

Option A is wrong because accepting the risk ignores the high likelihood and potential impact of a malware infection spreading across a flat network, even if data is not highly sensitive; operational downtime and recovery costs can be significant for a small company. Option C is wrong because network segmentation and a next-generation firewall are more expensive and complex to implement than endpoint protection and privilege restriction, making them less practical for a limited budget. Option D is wrong because cyber insurance does not reduce the likelihood or impact of a malware infection; it only provides financial compensation after a loss, which may not cover all costs (e.g., reputational damage, operational downtime) and often requires proof of basic security controls.

856
MCQmedium

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a control?

A.Control exception rate
B.Number of risk events in the last quarter
C.Time since last audit
D.Percentage of employees who completed security awareness training
AnswerA

A high exception rate indicates control failures.

Why this answer

A KCI measures how well a control is performing. The exception rate for a control (e.g., percentage of transactions that bypass a required approval) directly indicates control deficiencies.

857
MCQmedium

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

A.Measure the effectiveness of controls
B.Document historical incidents
C.Comply with regulatory requirements
D.Provide early warning of changing risk levels
AnswerD

Correct. KRIs indicate risk trends.

Why this answer

The primary purpose of a Key Risk Indicator (KRI) is to provide an early warning of changing risk levels, enabling proactive risk management before an adverse event occurs. KRIs track specific metrics that signal shifts in risk exposure, such as the number of unpatched critical vulnerabilities or failed login attempts, allowing organizations to adjust controls or resources in advance. This forward-looking function distinguishes KRIs from lagging indicators like control effectiveness metrics or incident logs.

Exam trap

The trap here is that candidates confuse KRIs with KPIs or control metrics, mistakenly thinking KRIs measure control effectiveness (Option A) rather than providing early warning of risk changes.

How to eliminate wrong answers

Option A is wrong because measuring the effectiveness of controls is the purpose of Key Performance Indicators (KPIs) or control testing, not KRIs; KRIs focus on risk exposure changes, not control performance. Option B is wrong because documenting historical incidents is the role of incident logs or post-mortem reports, whereas KRIs are forward-looking and designed to predict rather than record past events. Option C is wrong because while KRIs may support regulatory compliance indirectly, their primary purpose is not compliance; compliance requirements are met through specific control frameworks and reporting, not through the early-warning function of KRIs.

858
MCQmedium

A company plans to deploy an AI-based customer service chatbot that processes personal data. What risk should be identified as the highest priority?

A.Data privacy risk
B.Vendor lock-in risk
C.Model accuracy risk
D.Regulatory compliance risk
AnswerA

Processing personal data introduces significant privacy risks under regulations like GDPR, requiring immediate identification.

Why this answer

Processing personal data through an AI chatbot directly introduces data privacy risk as the highest priority because the system will collect, store, and potentially expose sensitive information (e.g., names, contact details, payment data). Under regulations like GDPR or CCPA, any breach or unauthorized access to this data can result in severe fines and reputational damage. While other risks exist, privacy risk is immediate and fundamental to the chatbot's operation.

Exam trap

ISACA often tests the distinction between a root cause risk (data privacy) and its downstream consequence (regulatory compliance), leading candidates to mistakenly select regulatory compliance risk as the highest priority.

How to eliminate wrong answers

Option B is wrong because vendor lock-in risk is a strategic or operational concern, not an immediate high-priority risk when personal data is involved; it does not directly threaten data confidentiality or integrity. Option C is wrong because model accuracy risk affects chatbot performance and user experience, but it does not inherently expose personal data or violate privacy regulations. Option D is wrong because regulatory compliance risk is a consequence of failing to manage privacy risk, not the root risk itself; the primary risk is the unauthorized processing or exposure of personal data.

859
MCQmedium

An incident occurs due to a control that was thought to be automated but was actually manual. The risk register did not reflect this. What is the MOST likely root cause?

A.Insufficient control monitoring and verification
B.Inadequate risk assessment methodology
C.Poorly designed controls
D.Lack of management support for risk management
AnswerA

Control operation was not verified against documentation.

Why this answer

The core issue is that the control was believed to be automated but was actually manual, and this discrepancy was not captured in the risk register. This indicates a failure in the ongoing process of verifying that controls are operating as designed, which is the essence of control monitoring and verification. Without periodic testing or validation, the organization cannot confirm the control's effectiveness or its true nature, leading to an inaccurate risk posture.

Exam trap

Cisco often tests the distinction between a control being 'poorly designed' versus 'not operating as intended' — the trap here is that candidates see a control failure and immediately assume a design flaw, when the real issue is a lack of verification that the control's implementation matches its documented design.

How to eliminate wrong answers

Option B is wrong because an inadequate risk assessment methodology would typically result in a failure to identify or evaluate risks initially, not a failure to detect that an existing control's implementation (automated vs. manual) has changed or was misrepresented. Option C is wrong because the control itself may be well-designed for its intended purpose; the root cause is the lack of verification that it is actually automated, not a design flaw. Option D is wrong because while management support is important, the immediate technical root cause is the absence of a monitoring and verification process that would have caught the discrepancy; lack of support is a broader organizational issue, not the most direct cause of this specific incident.

860
MCQeasy

Which of the following is an example of a preventive control?

A.Encryption of sensitive data
B.Incident response plan
C.Intrusion detection system
D.Security logs
AnswerA

Encryption prevents unauthorized disclosure.

Why this answer

Encryption prevents unauthorized access, making it preventive.

861
MCQeasy

During a quarterly control review, the risk team discovers that a key manual approval control was bypassed in 15% of transactions due to a recent process change. What is the FIRST action the risk practitioner should take?

A.Restore the original control process immediately.
B.Conduct a root cause analysis to determine why the bypass occurred.
C.Update the risk register to reflect the increased residual risk.
D.Escalate to senior management with a recommendation for disciplinary action.
AnswerB

Root cause analysis informs the most effective remediation.

Why this answer

The first action is to conduct a root cause analysis (B) to understand why the control was bypassed, as required by the CRISC process of identifying the underlying cause before taking corrective or compensating actions. This aligns with the risk monitoring and reporting domain, where a control deficiency must be analyzed to determine if it is a systemic process failure, a training gap, or a deliberate override. Without this analysis, any subsequent action—such as restoring the original control or updating the risk register—may be premature or misdirected.

Exam trap

The trap here is that candidates often jump to 'restore the original control' (A) because it seems like a quick fix, but CRISC emphasizes that the first step in any control deficiency is to understand the root cause before taking action.

How to eliminate wrong answers

Option A is wrong because immediately restoring the original control process may not address the root cause of the bypass, could introduce new inefficiencies, and ignores the possibility that the process change was intentional for valid business reasons. Option C is wrong because updating the risk register to reflect increased residual risk is a subsequent step, not the first action; the risk practitioner must first understand the cause and impact of the bypass before documenting the risk. Option D is wrong because escalating to senior management with a recommendation for disciplinary action is premature without first analyzing the root cause; the bypass may be due to a process design flaw or lack of training rather than intentional misconduct.

862
MCQmedium

Refer to the exhibit. An organization has identified vulnerabilities on a critical server. The risk owner has limited resources and can remediate only one finding this quarter. Based on the information provided, which approach is the most appropriate risk assessment decision?

A.Remediate both findings by reallocating budget from another project.
B.Remediate the SSL/TLS certificate vulnerability first, as it affects a critical service and has a higher severity.
C.Remediate the SSH vulnerability first because it is easier to fix (upgrade OpenSSH).
D.Accept both risks because they are low and medium severity, and resources are limited.
AnswerB

This prioritizes the higher-risk finding on a critical server, making the best use of limited resources.

Why this answer

Option B is correct because the SSL/TLS certificate vulnerability affects a critical service (likely HTTPS) and has a higher severity rating, making it the most urgent risk to address given limited resources. Risk assessment prioritizes remediating vulnerabilities that pose the greatest threat to critical business functions, even if another finding is easier to fix. The risk owner should allocate the single remediation slot to the highest-severity vulnerability on a critical server to maximize risk reduction.

Exam trap

The trap here is that candidates often choose the easiest fix (Option C) or assume budget reallocation is always possible (Option A), failing to recognize that risk assessment prioritization must be based on severity and business impact, not remediation effort or resource flexibility.

How to eliminate wrong answers

Option A is wrong because it violates the constraint of limited resources by suggesting reallocation of budget from another project, which is not an option presented in the scenario and would introduce additional risk and approval overhead. Option C is wrong because it prioritizes ease of remediation (upgrading OpenSSH) over severity and business impact, which contradicts the risk assessment principle of addressing the highest-risk findings first. Option D is wrong because accepting both risks is inappropriate when one vulnerability is high severity and affects a critical service; risk acceptance should only be considered for low-severity findings with minimal business impact, not for critical server vulnerabilities.

863
MCQeasy

A risk manager is designing an IT risk management programme. Which document should be created FIRST to guide the overall approach to risk management?

A.Risk treatment plan
B.Risk register
C.Risk management policy
D.Risk assessment methodology
AnswerC

The policy sets the direction and framework for risk management.

Why this answer

A risk management policy establishes the principles, objectives, and responsibilities for risk management, providing a foundation for all other risk management activities.

864
MCQhard

GlobalTech Inc., a multinational corporation, is planning to migrate its customer data to a new cloud platform. The migration involves transferring sensitive personally identifiable information (PII) from an on-premises database to a cloud-based CRM. The risk manager conducted a risk assessment and identified several risks, including unauthorized access during transit and residual data exposure due to misconfiguration. Mitigation controls include encryption in transit, encryption at rest, and strict access controls. The residual risk after mitigation is assessed as medium. The risk appetite statement defines that 'No data breach incidents resulting in regulatory fines exceeding $1 million are acceptable.' The estimated potential fine from a breach is $5 million with a likelihood of 2% after controls. The cost of additional controls to reduce likelihood to 0.5% is $500,000. The migration team proposes to purchase cyber insurance with $3 million of coverage for a $200,000 annual premium. The board of directors prefers to accept the residual risk to avoid additional costs. What should the risk manager do?

A.Advise the board to avoid the migration until all risks are eliminated.
B.Recommend purchasing cyber insurance to transfer the risk.
C.Accept the board's decision since the residual risk is medium.
D.Recommend implementing additional controls to reduce likelihood to 0.5%.
AnswerA

Avoidance is the only response that satisfies the risk appetite.

Why this answer

Option D is correct because the potential fine of $5 million exceeds the appetite threshold of $1 million, making the risk unacceptable. The proposed controls and insurance do not reduce the impact below $1 million. Avoidance is the only option that fully aligns with the risk appetite.

Options A, B, and C fail to bring the risk within appetite.

865
MCQeasy

What is the primary purpose of a risk heat map in IT risk reporting?

A.Show control performance metrics
B.Display risk trends over time
C.Provide a visual representation of risk levels
D.List upcoming risk events
AnswerC

Heat maps use color coding to indicate risk severity.

Why this answer

A risk heat map visualizes risks based on likelihood and impact, helping prioritize attention.

866
MCQhard

A risk manager is reviewing the risk register and notices that several risks have been identified as 'high' but no risk owner has been assigned. Which of the following is the MOST appropriate action to ensure proper risk identification going forward?

A.Provide training to risk owners on their responsibilities.
B.Assign risk owners after the risk assessment is completed.
C.Conduct an audit of the risk identification process.
D.Update the risk identification policy to mandate that risk owners be identified during the initial risk identification phase.
AnswerD

Policy ensures risk ownership is established at identification time.

Why this answer

Option D is correct because the risk identification phase should include assigning risk owners to ensure accountability from the outset. Without a risk owner, identified risks cannot be properly managed, monitored, or escalated. Mandating owner assignment during initial identification embeds ownership into the process, preventing gaps in risk governance.

Exam trap

The trap here is that candidates often choose an audit (Option C) as a corrective action, but the question asks for the MOST appropriate action to ensure proper risk identification going forward, which requires a preventive policy change, not a retrospective review.

How to eliminate wrong answers

Option A is wrong because providing training to risk owners assumes they have already been assigned, but the core issue is that no owners exist for high risks; training does not solve the missing assignment. Option B is wrong because assigning risk owners after the risk assessment is completed delays accountability and violates the principle that owners should be identified during risk identification to enable timely response planning. Option C is wrong because conducting an audit of the risk identification process is a detective control that identifies past failures but does not proactively ensure proper identification going forward; it does not mandate owner assignment.

867
Multi-Selectmedium

A company is performing a qualitative risk analysis for a new cloud migration project. Which TWO of the following are recognized limitations of qualitative risk analysis?

Select 2 answers
A.Risk ratings are not easily comparable across different organizations
B.It requires extensive historical data
C.It is time-consuming and complex to perform
D.Results are subjective and depend on the assessor's judgment
E.It provides financially precise loss estimates
AnswersA, D

Different organizations may use different scales or interpretations.

Why this answer

Qualitative analysis is subjective and not comparable across organizations due to lack of standardized scales.

868
MCQeasy

A recent security assessment identified that a critical web application is vulnerable to SQL injection due to unpatched software. The vendor has released a security patch. Which risk response is most appropriate?

A.Mitigate by applying the patch
B.Avoid by taking the application offline
C.Accept the risk
D.Transfer via insurance
AnswerA

Patches remove the vulnerability.

Why this answer

Option A is correct because applying the patch mitigates the vulnerability directly. Options B, C, and D are less effective.

869
MCQhard

An organization uses a quantitative risk analysis method. The annualized loss expectancy (ALE) for a specific risk is calculated as $500,000. The cost of implementing a control is $150,000 per year, and it is expected to reduce the ALE by 80%. What is the net benefit of implementing the control?

A.$50,000
B.$400,000
C.$250,000
D.$350,000
AnswerC

Correct calculation of net benefit.

Why this answer

The current ALE is $500,000. An 80% reduction means the ALE decreases by $400,000, resulting in a new ALE of $100,000. The annual control cost is $150,000.

The net benefit is the reduction in ALE ($400,000) minus the control cost ($150,000), which equals $250,000. Option C is correct because it correctly calculates the net benefit as the risk reduction minus the control cost.

Exam trap

The trap here is that candidates often confuse the gross reduction in ALE ($400,000) with the net benefit, forgetting to subtract the annual control cost, leading them to select Option B.

How to eliminate wrong answers

Option A is wrong because $50,000 would result from incorrectly subtracting the control cost from the new ALE ($100,000 - $150,000 = -$50,000) or miscomputing the reduction. Option B is wrong because $400,000 is the gross reduction in ALE, not the net benefit after subtracting the $150,000 control cost. Option D is wrong because $350,000 would result from subtracting the control cost from the original ALE ($500,000 - $150,000) or from incorrectly calculating the reduction as 80% of the control cost.

870
MCQeasy

A financial institution is selecting a risk assessment methodology for evaluating cybersecurity risks across its critical systems. Which of the following is the PRIMARY consideration when choosing between qualitative and quantitative approaches?

A.The skill level of the risk assessment team
B.The organization's risk appetite statement
C.Compliance with regulatory requirements
D.Availability of reliable numerical data for risk factors
AnswerD

Quantitative analysis relies on numerical data; if unavailable, qualitative is preferred.

Why this answer

The choice between qualitative and quantitative risk assessment hinges on the availability of reliable numerical data. Quantitative methods require precise, objective data (e.g., asset values, historical loss frequencies, exposure factors) to compute metrics like Annualized Loss Expectancy (ALE). Without such data, the results would be misleading, making qualitative approaches (using ordinal scales and expert judgment) more appropriate.

This is the primary technical gate, as it directly determines the feasibility and validity of the quantitative model.

Exam trap

The trap here is that candidates confuse 'primary consideration' with 'most important factor overall' and pick regulatory compliance (C), but the question specifically asks for the consideration that determines the choice between the two methodologies, which is data availability.

How to eliminate wrong answers

Option A is wrong because while team skill affects execution, it is not the primary consideration; a skilled team can adapt to either methodology, but the data foundation must exist first. Option B is wrong because the risk appetite statement guides risk acceptance thresholds, not the selection of a methodology; both qualitative and quantitative outputs can be mapped to appetite. Option C is wrong because regulatory requirements typically mandate a risk assessment process (e.g., NIST CSF, ISO 27001) but do not prescribe a specific methodology (qualitative vs. quantitative); compliance can be achieved with either.

871
MCQmedium

A multinational corporation has recently experienced a significant increase in phishing attacks targeting its employees. The attacks have caused several data breaches, resulting in regulatory fines and reputational damage. The organization has implemented security awareness training for all employees, but the number of successful attacks remains high. Additionally, the organization's risk appetite for cybersecurity incidents is Low. The CRO has asked you to recommend a risk response. You have the following options: A. Accept the risk because the training has reduced the likelihood, and further controls are too expensive. B. Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP). C. Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks. D. Avoid the risk by discontinuing the use of email for business communications. Which course of action is most appropriate given the organization's risk appetite and the current situation?

A.Avoid the risk by discontinuing the use of email for business communications.
B.Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
C.Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
D.Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
AnswerC

Correct: Technical controls directly reduce likelihood and impact, aligning with low risk appetite.

Why this answer

Option C is correct because implementing technical controls like advanced email filtering (e.g., SPF, DKIM, DMARC validation) and multi-factor authentication (MFA) directly reduces both the likelihood and impact of phishing attacks. Given the organization's low risk appetite for cybersecurity incidents, this risk mitigation approach aligns with the need to lower residual risk to an acceptable level, especially since training alone has proven insufficient.

Exam trap

The trap here is that candidates may choose Option B (transfer) thinking outsourcing removes all risk, but in reality, the organization retains accountability for breaches and regulatory fines, making mitigation (Option C) the most appropriate response given the low risk appetite.

How to eliminate wrong answers

Option A is wrong because accepting the risk contradicts the organization's stated low risk appetite for cybersecurity incidents, and the training has not reduced the likelihood of successful attacks. Option B is wrong because transferring risk to an MSSP does not eliminate the organization's residual liability for regulatory fines and reputational damage, and the MSSP's controls may not fully align with the low risk appetite. Option D is wrong because avoiding the risk by discontinuing email is impractical for a multinational corporation, as email is a critical business communication channel, and this response would cause severe operational disruption without addressing the root cause of phishing.

872
Multi-Selecthard

An organization is implementing IEC 62443 for its industrial control systems. Which THREE of the following are key requirements of IEC 62443? (Select three.)

Select 3 answers
A.Applying security levels (SL) to each zone based on risk
B.Ensuring all industrial components have a secure development lifecycle (SDL)
C.Using proprietary protocols to enhance performance
D.Conducting a risk assessment to identify security zones and conduits
E.Implementing a single-vendor solution to reduce complexity
AnswersA, B, D

Security levels define the required robustness of controls per zone.

Why this answer

IEC 62443 is a comprehensive standard covering security management, system design, and component requirements. It requires risk assessment, defense-in-depth (zones and conduits), and secure development lifecycle.

873
Multi-Selecteasy

Which TWO of the following are examples of external risk identification sources? (Choose two.)

Select 2 answers
A.Incident response reports from the security operations center
B.Regulatory bulletins from government agencies
C.Internal vulnerability scan reports
D.Threat intelligence feeds from industry sources
E.Industry benchmarking reports
AnswersB, D

External compliance requirements.

Why this answer

Regulatory bulletins from government agencies (Option B) are external risk identification sources because they originate outside the organization and provide authoritative information on compliance requirements, legal changes, and mandated controls. Threat intelligence feeds from industry sources (Option D) are also external, as they aggregate data on emerging threats, vulnerabilities, and attack patterns from third-party vendors or open-source communities, helping organizations proactively adjust defenses.

Exam trap

The trap here is that candidates often confuse internal operational reports (like incident response or vulnerability scans) with external sources, failing to recognize that 'external' means information originating outside the organization's own systems and processes.

874
Multi-Selectmedium

Which THREE of the following are key considerations when selecting a risk response option?

Select 3 answers
A.Cost-benefit analysis of controls
B.Impact of the risk without controls
C.Risk appetite of the organization
D.Current control effectiveness
E.Legal and regulatory requirements
AnswersA, C, E

Cost-effectiveness is crucial.

Why this answer

A cost-benefit analysis of controls (Option A) is a key consideration because it ensures that the cost of implementing a risk response (e.g., a technical control like an intrusion prevention system or encryption) does not exceed the value of the asset being protected or the expected reduction in risk. This aligns with the principle of cost-effective risk mitigation, where the residual risk must be acceptable relative to the investment.

Exam trap

The trap here is that candidates confuse factors used in risk assessment (like impact without controls or current control effectiveness) with factors used in risk response selection, which specifically requires evaluating organizational appetite, cost-benefit, and mandatory legal/regulatory obligations.

875
MCQhard

A financial institution is implementing a new risk monitoring tool that aggregates data from multiple sources. The tool is expected to provide real-time dashboards for risk committees. However, during user acceptance testing, the dashboards show inconsistent data due to time zone differences across sources. What is the best approach to resolve this?

A.Modify the dashboard to display each source's local time separately.
B.Ask each source to adjust their time zone to the corporate headquarters time zone.
C.Standardize all timestamps to Coordinated Universal Time (UTC) during data ingestion.
D.Use the time zone of the majority of sources and convert others.
AnswerC

Best practice for time normalization.

Why this answer

Option C is correct because standardizing all timestamps to Coordinated Universal Time (UTC) during data ingestion ensures a single, unambiguous reference point for all aggregated data. This eliminates the root cause of inconsistency—differing local time zones—at the point of data entry, allowing the real-time dashboards to display consistent, comparable metrics regardless of the source's geographic location. This approach aligns with the principle of normalizing data at the earliest stage of the data pipeline, which is a fundamental practice in risk monitoring and reporting.

Exam trap

The trap here is that candidates often choose Option A, thinking that displaying local times separately is a 'user-friendly' solution, but they fail to recognize that the core requirement is consistent, comparable data for risk committees, not individual source readability.

How to eliminate wrong answers

Option A is wrong because displaying each source's local time separately does not resolve the inconsistency; it merely exposes the problem, making it impossible for risk committees to compare data across sources in a unified, real-time view. Option B is wrong because asking each source to adjust their time zone to corporate headquarters time is impractical, error-prone, and introduces a single point of failure; it also fails to account for daylight saving time changes and does not scale across multiple time zones. Option D is wrong because using the time zone of the majority of sources and converting others introduces bias and still leaves a subset of data with potential conversion errors, especially during daylight saving transitions, and does not guarantee consistency across all sources.

876
MCQmedium

A risk manager is prioritizing risks based on their inherent risk scores. Which of the following factors should be considered when prioritizing treatment actions?

A.The cost-benefit analysis of controls
B.The residual risk after controls
C.Only the inherent risk score
D.The likelihood of control failure
AnswerA

Cost-benefit analysis helps determine which controls provide the best risk reduction for the cost.

Why this answer

Prioritization should consider the risk level and the cost-benefit of controls to ensure efficient use of resources.

877
Multi-Selectmedium

A company is assessing the impact of a potential ransomware attack. Which TWO impact categories are considered operational impacts?

Select 2 answers
A.Share price impact
B.System downtime
C.Regulatory fines
D.Productivity loss
E.Customer trust loss
AnswersB, D

System downtime directly affects operations.

Why this answer

Operational impacts include system downtime and productivity loss. Financial impacts like fines and reputation are separate categories.

878
MCQeasy

An organization wants to promote a risk-aware culture. Which initiative best supports this goal?

A.Focusing only on technical controls
B.Limiting risk awareness training to IT staff
C.Punishing employees who cause security incidents
D.Encouraging incident reporting without blame
AnswerD

Correct. This promotes a learning culture.

Why this answer

Encouraging incident reporting without blame directly supports a risk-aware culture by removing the fear of punishment, which motivates employees to report issues promptly. This allows the organization to identify and respond to risks early, rather than hiding them, and aligns with the risk response principle of learning from incidents to improve controls.

Exam trap

The trap here is that candidates may confuse a risk-aware culture with strict enforcement or technical fixes, but CRISC emphasizes that culture is built on trust and open communication, not punishment or siloed training.

How to eliminate wrong answers

Option A is wrong because focusing only on technical controls ignores the human and cultural factors that are essential for a risk-aware culture; technical controls alone cannot address behavioral risks like failure to report incidents. Option B is wrong because limiting risk awareness training to IT staff excludes other departments (e.g., finance, HR, operations) that also handle sensitive data and face risks, creating blind spots in the organization's risk posture. Option C is wrong because punishing employees who cause security incidents discourages reporting, leading to hidden risks and missed opportunities for root cause analysis, which undermines a proactive risk culture.

879
MCQmedium

A risk manager is evaluating the cost-effectiveness of a proposed control. The control costs $50,000 annually to implement and maintain. The current annual loss expectancy (ALE) for the risk is $200,000, and the control is expected to reduce the ALE by 70%. What is the net benefit (or loss) of implementing the control?

A.Net benefit of $90,000
B.Net loss of $10,000
C.Net benefit of $140,000
D.Net loss of $50,000
AnswerA

The reduction in ALE exceeds the control cost by $90,000.

Why this answer

The ALE reduction is $200,000 * 70% = $140,000. The annual cost of control is $50,000. Net benefit = $140,000 - $50,000 = $90,000.

880
MCQhard

An organization uses Key Control Indicators (KCIs) to measure the effectiveness of its firewall change management process. Which KCI would best indicate a process deficiency?

A.Exception rate for changes not following the standard process
B.Percentage of changes approved by the change advisory board
C.Average time to implement a change
D.Number of firewall rules added per month
AnswerA

Correct. A high exception rate suggests the control is not being followed.

Why this answer

A high exception rate indicates that changes are frequently bypassing the standard process, signaling a control weakness.

881
MCQeasy

Which of the following is a key advantage of using a quantitative risk analysis approach such as FAIR?

A.Quick to perform with minimal data
B.Produces objective, comparable financial metrics
C.Provides subjective rankings easy to communicate
D.Eliminates uncertainty in risk estimates
AnswerB

Quantitative analysis yields monetary values and statistical probabilities.

Why this answer

Quantitative analysis provides objective, financially meaningful results that can be compared across organizations.

882
MCQeasy

A small e-commerce company has identified a high-risk vulnerability in its payment processing system that could expose customer credit card data. The IT team recommends immediately patching the system, but the patch requires a 4-hour downtime during peak sales hours. The risk manager proposes accepting the risk until the next scheduled maintenance window in two weeks. The CEO is concerned about potential fines from PCI DSS non-compliance. What is the BEST course of action?

A.Delay the patch until the next maintenance window but document the risk acceptance with CEO sign-off.
B.Accept the risk and schedule the patch during the next maintenance window as originally planned.
C.Apply the patch immediately during peak hours, accepting the revenue loss from downtime.
D.Implement a compensating control (e.g., web application firewall) and schedule the patch during off-peak hours within 48 hours.
AnswerD

Compensating controls reduce risk while allowing a timely patch without peak-hour disruption.

Why this answer

Option D is correct because it balances the need to address PCI DSS compliance with business continuity: implementing a compensating control reduces the risk while avoiding peak-hour downtime, and the patch is still applied within 48 hours. Option A is wrong because accepting the risk, even with documented CEO sign-off, ignores compliance obligations. Option B is wrong because postponing the patch until the next maintenance window leaves a high risk unaddressed for two weeks. Option C is wrong because it prioritizes compliance over business impact by incurring excessive downtime during peak sales hours.

883
MCQeasy

During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?

A.Document the lack of alerts as evidence of effectiveness.
B.Redesign the control with different parameters.
C.Test the control to ensure it is functioning correctly.
D.Increase the frequency of monitoring.
AnswerC

Verifies control effectiveness.

Why this answer

The absence of alerts does not automatically confirm that the control is working; it could indicate that the control has failed silently or that the detection logic is misconfigured. The risk practitioner must first test the control (e.g., by simulating an unauthorized access attempt) to verify that it can actually detect and alert on violations. Only after confirming correct functionality can the lack of alerts be interpreted as evidence of effectiveness.

Exam trap

The trap here is that candidates assume a lack of alerts equals a lack of incidents, rather than recognizing that it could indicate a control failure, and they jump to redesign or increase monitoring without first validating the control's operational state.

How to eliminate wrong answers

Option A is wrong because documenting the lack of alerts as evidence of effectiveness assumes the control is operational without verification, which ignores the possibility of a silent failure (e.g., a broken SIEM rule or a disabled detection agent). Option B is wrong because redesigning the control with different parameters is premature and wasteful; the issue may be a simple configuration error or a false negative, not a fundamental design flaw. Option D is wrong because increasing monitoring frequency does not address the root cause—if the control is not detecting unauthorized access, more frequent checks will only produce more false negatives or miss the same failures.

884
MCQhard

A multinational corporation is identifying risks associated with cross-border data transfers. Which regulation's risk identification requirements are most relevant?

A.PCI DSS
B.GDPR
C.HIPAA
D.SOX
AnswerB

GDPR requires risk assessments for international data transfers.

Why this answer

The General Data Protection Regulation (GDPR) is the most relevant regulation for risk identification in cross-border data transfers because it explicitly governs the transfer of personal data from the European Economic Area (EEA) to third countries. GDPR requires organizations to identify and assess risks related to adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and potential data localization conflicts. This regulation directly addresses the legal and technical risks of moving data across borders, such as exposure to differing privacy laws and surveillance regimes.

Exam trap

The trap here is that candidates often confuse PCI DSS or HIPAA as relevant because they involve sensitive data, but they lack the specific cross-border transfer risk identification requirements that GDPR mandates, leading to an incorrect choice based on data sensitivity rather than regulatory scope.

How to eliminate wrong answers

Option A is wrong because PCI DSS focuses on protecting cardholder data within payment card transactions and does not specifically address cross-border data transfer risks or require adequacy assessments for international data flows. Option C is wrong because HIPAA governs protected health information (PHI) within the United States and does not impose cross-border transfer risk identification requirements for data leaving the U.S. jurisdiction. Option D is wrong because SOX mandates internal controls over financial reporting and does not contain provisions for cross-border data transfer risk identification or data protection adequacy mechanisms.

885
MCQeasy

Which of the following is the BEST example of promoting a risk-aware culture within an organization?

A.Implementing strict penalties for security violations
B.Assigning risk ownership to IT only
C.Encouraging incident reporting without blame
D.Conducting annual security training
AnswerC

This fosters open communication and learning from mistakes, key to risk culture.

Why this answer

Option C is correct because a blame-free incident reporting culture is the foundation of a risk-aware environment. When employees feel safe to report errors or near-misses without fear of punishment, the organization can collect accurate data on control weaknesses and emerging threats, enabling proactive risk response. This aligns with the COBIT 5 principle of fostering a culture of openness and learning, which is essential for effective risk management.

Exam trap

The exam often tests the misconception that punitive measures or compliance-focused training create a risk-aware culture, when in reality, a blame-free reporting environment is the key enabler for continuous risk identification and improvement.

How to eliminate wrong answers

Option A is wrong because strict penalties for security violations create a culture of fear, which discourages incident reporting and drives issues underground, undermining risk awareness and learning. Option B is wrong because assigning risk ownership exclusively to IT ignores that risk is a business-wide concern; effective risk management requires ownership across all departments, including legal, finance, and operations. Option D is wrong because annual security training, while important, is a periodic compliance activity that does not by itself embed continuous risk awareness into daily behaviors or encourage proactive reporting of incidents.

886
MCQhard

A Key Risk Indicator (KRI) for vulnerability management is the "average patch lag time" (number of days between patch release and deployment). In the last month, this metric increased from 15 days to 45 days. How should the risk practitioner interpret this change?

A.The KRI is not relevant because patch lag is a control indicator, not a risk indicator.
B.The risk level has decreased because patches are being evaluated more thoroughly.
C.The risk level remains unchanged because patch lag is a lagging indicator.
D.The risk level has increased because exposure to known vulnerabilities has grown.
AnswerD

Longer exposure increases risk.

Why this answer

An increase in patch lag indicates that vulnerabilities remain unpatched longer, increasing the likelihood of exploitation. This is a leading indicator of rising risk.

887
MCQhard

An organization uses a Key Risk Indicator (KRI) that tracks the average number of days to patch critical vulnerabilities. The KRI has been trending upward over the last three months, from 15 days to 30 days, while the risk appetite threshold is 20 days. Which conclusion is most appropriate?

A.The patching process is effective because the KRI is still below 60 days
B.The KRI should be replaced with a lagging indicator
C.The vulnerability risk is increasing and requires management attention
D.The risk is within appetite because the increase is gradual
AnswerC

The KRI breach and trend indicate rising risk.

Why this answer

Since the KRI has exceeded the threshold and is trending upward, the risk level is increasing, requiring attention from management.

888
MCQhard

Refer to the exhibit. Which type of attack is MOST likely indicated by these log entries?

A.SQL injection
B.Cross-site scripting (XSS)
C.Cross-site request forgery (CSRF)
D.Brute-force or credential stuffing
AnswerD

Duplicate entry error and login success indicate multiple attempts.

Why this answer

The log entries show repeated failed login attempts from the same IP address with different usernames and passwords, which is characteristic of a brute-force or credential stuffing attack. These attacks systematically try many username/password combinations to gain unauthorized access, often using automated tools.

Exam trap

The exam often tests the distinction between attacks that exploit authentication mechanisms (brute-force) versus those that exploit input validation (SQLi, XSS) or session handling (CSRF), so candidates mistakenly choose SQL injection or XSS when logs show repeated login failures.

How to eliminate wrong answers

Option A is wrong because SQL injection involves inserting malicious SQL queries into input fields to manipulate a database, which would show syntax errors or database error codes in logs, not repeated login attempts. Option B is wrong because cross-site scripting (XSS) injects client-side scripts into web pages viewed by others, reflected in logs as script tags or encoded payloads in URL parameters, not authentication failures. Option C is wrong because cross-site request forgery (CSRF) tricks a user's browser into executing unwanted actions on a trusted site, which would appear as legitimate requests from authenticated sessions, not failed logins.

889
Multi-Selecteasy

A company is designing its risk and control monitoring program. Which TWO of the following are key attributes of effective monitoring?

Select 2 answers
A.All controls should be monitored at the same frequency.
B.Monitoring should only be performed by external auditors.
C.Monitoring results should be communicated to stakeholders.
D.Monitoring should be independent of the control owner.
E.Monitoring frequency should be determined by control criticality.
AnswersC, E

Communication enables informed decision-making.

Why this answer

Option C is correct because effective monitoring requires that results are communicated to stakeholders to ensure informed decision-making and timely remediation. Without communication, monitoring loses its value as stakeholders cannot act on identified risks or control deficiencies.

Exam trap

The trap here is that candidates often confuse independence as a mandatory attribute for all monitoring, whereas the CRISC framework recognizes that control owner self-assessment is a valid monitoring technique, and independence is only required for specific assurance activities like internal audits.

890
Multi-Selecteasy

Which TWO of the following factors should be considered when determining the frequency of control monitoring?

Select 2 answers
A.The cost of monitoring relative to control cost.
B.The number of IT projects in progress.
C.The preferences of the external auditor.
D.The criticality of the control to risk mitigation.
E.The inherent risk level of the process.
AnswersD, E

Critical controls need more frequent monitoring.

Why this answer

Options D and E are correct because the criticality of the control and the inherent risk level of the process drive monitoring frequency. Option A is wrong because monitoring frequency should align with risk, not with cost savings relative to the control cost. Option B is wrong because frequency is a property of the control and the risk it mitigates, not of the number of IT projects in progress. Option C is wrong because the external auditor's preferences are secondary to the organization's own risk-based judgement.

891
MCQmedium

An organization is integrating IT risk into its enterprise risk management (ERM) program. What is the primary benefit of this integration?

A.It allows IT to operate independently
B.It eliminates all IT risks
C.It reduces the need for IT controls
D.It ensures IT risks are viewed in the context of business objectives
AnswerD

This is the primary benefit of integration.

Why this answer

Integrating IT risk into enterprise risk management (ERM) ensures that IT risks are evaluated in the context of business objectives, enabling prioritization of risk responses that align with strategic goals. This alignment prevents IT from operating in a silo and ensures that risk decisions support overall business value, not just technical compliance.

Exam trap

The trap here is that candidates mistakenly think integration means IT risks are eliminated or that IT can ignore business context, when in fact integration demands that IT risks be translated into business impact terms to drive appropriate control decisions.

How to eliminate wrong answers

Option A is wrong because integrating IT risk into ERM requires IT to align with business objectives, not operate independently; independence would create silos and increase misalignment. Option B is wrong because no risk management process can eliminate all IT risks; residual risk always remains, and the goal is to manage risk to an acceptable level, not zero. Option C is wrong because integration typically increases the need for well-designed IT controls to address risks that are now visible in the business context; reducing controls would increase exposure.

892
MCQmedium

An organization calculates the annualized loss expectancy (ALE) for a cyber attack scenario. The single loss expectancy (SLE) is $50,000 and the annualized rate of occurrence (ARO) is 2. What is the ALE?

A.$25,000
B.$50,000
C.$200,000
D.$100,000
AnswerD

ALE = ARO × SLE = 2 × $50,000 = $100,000.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). Given an SLE of $50,000 and an ARO of 2, the ALE is $50,000 × 2 = $100,000. This is the expected financial loss from the cyber attack scenario over one year.

Exam trap

The trap here is that candidates often confuse the relationship between SLE and ARO, mistakenly dividing instead of multiplying, or misapplying the ARO as a squared term, leading to incorrect ALE values like $25,000 or $200,000.

How to eliminate wrong answers

Option A is wrong because $25,000 would result from dividing the SLE by the ARO (50,000 / 2), which incorrectly treats the relationship as a division rather than multiplication. Option B is wrong because $50,000 equals the SLE alone, ignoring the ARO of 2, which would only be correct if the ARO were 1. Option C is wrong because $200,000 would result from multiplying the SLE by the ARO squared (50,000 × 4), a common miscalculation that confuses the ARO with a frequency multiplier.

893
MCQmedium

An organization is evaluating cyber insurance options. Which of the following factors is MOST likely to influence the insurance premium?

A.The organization's annual revenue
B.The number of employees in the IT department
C.The organization's cybersecurity maturity and incident history
D.The organization's credit rating
AnswerC

Insurers assess the organization's security controls and past incidents to determine risk.

Why this answer

Insurance premiums are heavily influenced by the organization's risk profile, including its security posture. A strong security posture reduces perceived risk and thus premiums.

894
Multi-Selectmedium

A risk practitioner is developing risk scenarios for a new cloud service. Which THREE of the following elements should be included in a complete risk scenario?

Select 3 answers
A.Threat event
B.Threat actor
C.Consequence
D.Response plan
E.Detection mechanism
AnswersA, B, C

Why this answer

A complete risk scenario includes a threat actor, a threat event, and a consequence. Asset/resource is also important but not listed in the options; timing, detection, and response are supplementary. The three core elements from the list are threat actor, threat event, and consequence.

895
MCQhard

A financial institution is redesigning its control monitoring program to comply with a new regulatory requirement that mandates near-real-time monitoring of high-risk transactions. The current system performs batch processing daily. Which approach BEST meets the requirement while minimizing operational impact?

A.Use manual reviews of high-risk transactions by compliance officers within 24 hours.
B.Implement a real-time monitoring solution that only processes transactions flagged as high-risk based on predefined criteria.
C.Replace batch processing with a fully real-time system for all transactions.
D.Increase batch processing frequency from daily to hourly.
AnswerB

Targeted real-time monitoring meets requirement efficiently.

Why this answer

Option B is correct because it directly satisfies the near-real-time monitoring requirement by processing only high-risk transactions as they occur, using predefined criteria to minimize latency and operational overhead. This targeted approach avoids the cost and complexity of converting all transaction processing to real-time, while still meeting regulatory demands for immediate detection of high-risk activity.

Exam trap

The trap here is that candidates may assume any increase in frequency (Option D) or full automation (Option C) is sufficient, failing to recognize that near-real-time requires sub-minute latency and that targeted processing minimizes operational disruption.

How to eliminate wrong answers

Option A is wrong because manual reviews within 24 hours are not near-real-time and cannot meet the regulatory mandate for immediate detection of high-risk transactions. Option C is wrong because replacing batch processing with a fully real-time system for all transactions introduces significant operational impact, including higher infrastructure costs, increased system complexity, and potential performance bottlenecks for low-risk transactions that do not require real-time scrutiny. Option D is wrong because increasing batch frequency from daily to hourly still introduces a delay of up to 60 minutes, which does not constitute near-real-time monitoring and fails to comply with the regulatory requirement.

896
MCQmedium

Refer to the exhibit. What does this log entry indicate about the monitoring process?

A.The monitoring process lacks manual validation.
B.The monitoring process has a high false positive rate.
C.The monitoring process includes appropriate categorization and response.
D.The monitoring process is effective because the alert was automatically blocked.
AnswerC

The process steps indicate proper triage, escalation, and forensic analysis.

Why this answer

The log entry shows that the monitoring process detected an event, categorized it as 'Medium' severity, and triggered an automated response that blocked the source IP. This demonstrates a complete monitoring lifecycle: detection, classification, and response. Option C is correct because the log explicitly records both the categorization (severity level) and the response action (blocking), indicating the process is functioning as designed.

Exam trap

The trap here is that candidates may assume any automated block indicates an effective process (Option D), but the question specifically asks what the log entry indicates about the monitoring process, and the log shows both categorization and response, making C the more precise answer.

How to eliminate wrong answers

Option A is wrong because the log entry does not indicate any need for manual validation; the automated response (blocking) was executed without human intervention, which is a sign of an effective automated monitoring process, not a lack of validation. Option B is wrong because the log shows a single alert that was acted upon (blocked), and there is no evidence of multiple false positives or a high false positive rate; a high false positive rate would require logs showing many alerts that were later dismissed or found to be benign. Option D is wrong because the effectiveness of the monitoring process is not solely determined by the fact that the alert was automatically blocked; effectiveness requires proper categorization and response, not just the blocking action itself, and the log shows both categorization and response, which is why C is correct.

897
Multi-Selecthard

An organization is evaluating the impact of a potential data breach. Which THREE of the following are considered indirect financial impacts?

Select 3 answers
A.Incident response costs
B.Legal fees from lawsuits
C.Notification costs to affected individuals
D.Lost customer business
E.Reputation damage leading to lower stock price
AnswersB, D, E

Legal fees can be indirect or direct; in this context, they are often indirect costs of defending lawsuits.

Why this answer

Indirect financial impacts include lost business, reputation damage, and opportunity costs.

898
MCQhard

A risk manager is assessing the potential impact of quantum computing on the organization's cryptographic infrastructure. What is the MOST immediate action the organization should take?

A.Purchase quantum-resistant hardware security modules
B.Conduct a cryptographic inventory to identify vulnerable systems
C.Immediately replace all encryption with post-quantum algorithms
D.Discontinue use of public key cryptography
AnswerB

Knowing the current state is essential for planning.

Why this answer

The first step is to inventory all cryptographic systems to understand where quantum-vulnerable algorithms are used, enabling a migration plan.

899
MCQmedium

An organization recently experienced a data breach due to a misconfigured cloud storage bucket. As part of the IT risk assessment, which control should be prioritized to prevent recurrence?

A. Require management approval for all cloud storage changes.
B. Implement mandatory annual security awareness training for all employees.
C. Increase the frequency of third-party penetration testing.
D. Deploy automated cloud configuration scanning and remediation tools.
Answer: D

Automated scanning detects and often corrects misconfigurations in real time, directly mitigating the root cause.

Why this answer

Option D is correct because automated cloud configuration scanning and remediation tools directly address the root cause of a misconfigured cloud storage bucket by continuously monitoring cloud infrastructure against security baselines (e.g., CIS benchmarks) and automatically correcting deviations. This prevents recurrence by catching misconfigurations in real time, rather than relying on manual approval processes or periodic testing that may miss transient changes.

Exam trap

The trap here is that candidates often choose Option A (management approval) because it seems like a strong administrative control, but CRISC emphasizes that preventive technical controls—especially automated ones—are prioritized over manual processes for recurring technical risks like cloud misconfigurations.

How to eliminate wrong answers

Option A is wrong because requiring management approval for all cloud storage changes introduces a manual bottleneck that does not prevent misconfigurations from being deployed; it only adds a review step that may still miss technical misconfigurations, especially in dynamic cloud environments with Infrastructure as Code (IaC). Option B is wrong because mandatory annual security awareness training, while valuable for general security hygiene, does not address the specific technical failure of a misconfigured cloud bucket—training cannot prevent automated or scripted misconfigurations that bypass human interaction. Option C is wrong because increasing the frequency of third-party penetration testing provides only periodic snapshots of security posture and cannot detect or remediate misconfigurations that occur between tests; it is a detective control, not a preventive one.

900
MCQ (hard)

A Key Risk Indicator (KRI) for a critical system is the number of unpatched vulnerabilities older than 30 days. The threshold is set at 5. This KRI is best described as:

A. A Key Control Indicator (KCI)
B. A leading indicator of vulnerability risk
C. A measure of residual risk
D. A lagging indicator of control effectiveness
Answer: B

It indicates that patch management is behind schedule, increasing risk.

Why this answer

This KRI measures the time lag in patching, which is a leading indicator of increasing vulnerability risk. It signals that the risk level is changing before an actual exploit occurs.
